CVE-2025-38619 in Linuxالمعلومات

الملخص

بحسب VulDB • 24/05/2026

Based on the kernel panic log provided, here is a detailed analysis of the crash, its root cause, and potential solutions.

### **1. Summary of the Crash** * **Type:** Kernel Panic (`Oops - BUG: Fatal exception in interrupt`). * **Trigger:** A `BUG()` or `WARN_ON()` condition was hit inside the kernel's list management code. * **Context:** The crash occurred in an **interrupt context** (specifically a softirq/tasklet) during DMA completion handling for a camera subsystem. * **Subsystem:** `ti_csi2rx` (Texas Instruments CSI2 Receiver driver).

---

### **2. Root Cause Analysis**

#### **Key Stack Trace Points:** ```text [ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P)
[ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4
[ 38.001419] udma_vchan_complete+0x1e0/0x344
```

1. **`__list_del_entry_valid_or_report`**: * This function is called when the kernel tries to remove a node from a doubly-linked list (`list_del`). * The `_valid_or_report` suffix indicates that the kernel detected that the list node being deleted was **not properly linked** (e.g., `prev` or `next` pointers were corrupted, or the node was already deleted). * This is a **list corruption** or **use-after-free** bug.

2. **`ti_csi2rx_dma_callback`**: * This is the DMA completion callback for the TI CSI2RX driver. * It is trying to clean up a buffer/vchan (virtual channel) by removing it from a list. * The crash happens because the list node is invalid at this point.

3. **`udma_vchan_complete`**: * This is the UDMA (Ultra DMA) virtual channel completion handler. * It calls the driver-specific callback (`ti_csi2rx_dma_callback`) after DMA transfer is done.

#### **Likely Scenarios:** 1. **Double Free / Double Delete:** * The buffer/vchan was already removed from the list (e.g., due to an error path or reset) and then removed again in the DMA callback. 2. **Race Condition:** * The driver or UDMA subsystem is modifying the list concurrently without proper locking. 3. **Corrupted Memory:** * The `vchan` or buffer structure was overwritten/corrupted before the DMA callback ran, leading to invalid `prev`/`next` pointers. 4. **Driver Bug in `ti_csi2rx`:** * The `ti_csi2rx` driver may not be handling DMA completion correctly, especially if the device is reset, powered down, or if there are multiple streams.

---

### **3. Affected Components** * **Driver:** `ti_csi2rx` (TI CSI2 Receiver driver). * **Subsystem:** UDMA (Ultra DMA) / VCHAN (Virtual Channel). * **Hardware:** Likely a TI SoC (e.g., AM62x, AM64x, J721e, J7200) with a CSI2RX IP.

---

### **4. Recommended Actions**

#### **A. Immediate Workarounds** 1. **Check for Known Issues:** * Search the Linux kernel mailing list (LKML) and TI E2E forums for `ti_csi2rx list_del` or `ti_csi2rx panic` bugs. This is a known class of issues in older kernels. 2. **Update Kernel:** * If you are on an older kernel (e.g., 5.10, 5.15), try updating to a newer LTS kernel (6.1, 6.6, or 6.12). Many list-corruption bugs in TI drivers have been fixed in recent years. 3. **Disable CSI2RX if Not Needed:** * If the camera is not required, disable the driver in the device tree or kernel config to avoid the crash.

#### **B. Debugging Steps** 1. **Enable Debugging:** * Enable `CONFIG_DEBUG_LIST` in the kernel config. This will provide more detailed information about which list is corrupted. * Enable `CONFIG_DMA_ENGINE_DEBUG` for UDMA/vchan debugging.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

مسؤول

Linux

حجز

16/04/2025

إفشاء

22/08/2025

الاعتدال

تمت الموافقة

إدخال

VDB-321075

EPSS

0.00145

KEV

لا

النشاطات

منخفض جدًا

المصادر

Do you want to use VulDB in your project?

Use the official API to access entries easily!