CVE-2025-38619 in Linux
الملخص
بحسب VulDB • 24/05/2026
Based on the kernel panic log provided, here is a detailed analysis of the crash, its root cause, and potential solutions.
### **1. Summary of the Crash** * **Type:** Kernel Panic (`Oops - BUG: Fatal exception in interrupt`). * **Trigger:** A `BUG()` or `WARN_ON()` condition was hit inside the kernel's list management code. * **Context:** The crash occurred in an **interrupt context** (specifically a softirq/tasklet) during DMA completion handling for a camera subsystem. * **Subsystem:** `ti_csi2rx` (Texas Instruments CSI2 Receiver driver).
---
### **2. Root Cause Analysis**
#### **Key Stack Trace Points:** ```text [ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P)
[ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4
[ 38.001419] udma_vchan_complete+0x1e0/0x344
```
1. **`__list_del_entry_valid_or_report`**: * This function is called when the kernel tries to remove a node from a doubly-linked list (`list_del`). * The `_valid_or_report` suffix indicates that the kernel detected that the list node being deleted was **not properly linked** (e.g., `prev` or `next` pointers were corrupted, or the node was already deleted). * This is a **list corruption** or **use-after-free** bug.
2. **`ti_csi2rx_dma_callback`**: * This is the DMA completion callback for the TI CSI2RX driver. * It is trying to clean up a buffer/vchan (virtual channel) by removing it from a list. * The crash happens because the list node is invalid at this point.
3. **`udma_vchan_complete`**: * This is the UDMA (Ultra DMA) virtual channel completion handler. * It calls the driver-specific callback (`ti_csi2rx_dma_callback`) after DMA transfer is done.
#### **Likely Scenarios:** 1. **Double Free / Double Delete:** * The buffer/vchan was already removed from the list (e.g., due to an error path or reset) and then removed again in the DMA callback. 2. **Race Condition:** * The driver or UDMA subsystem is modifying the list concurrently without proper locking. 3. **Corrupted Memory:** * The `vchan` or buffer structure was overwritten/corrupted before the DMA callback ran, leading to invalid `prev`/`next` pointers. 4. **Driver Bug in `ti_csi2rx`:** * The `ti_csi2rx` driver may not be handling DMA completion correctly, especially if the device is reset, powered down, or if there are multiple streams.
---
### **3. Affected Components** * **Driver:** `ti_csi2rx` (TI CSI2 Receiver driver). * **Subsystem:** UDMA (Ultra DMA) / VCHAN (Virtual Channel). * **Hardware:** Likely a TI SoC (e.g., AM62x, AM64x, J721e, J7200) with a CSI2RX IP.
---
### **4. Recommended Actions**
#### **A. Immediate Workarounds** 1. **Check for Known Issues:** * Search the Linux kernel mailing list (LKML) and TI E2E forums for `ti_csi2rx list_del` or `ti_csi2rx panic` bugs. This is a known class of issues in older kernels. 2. **Update Kernel:** * If you are on an older kernel (e.g., 5.10, 5.15), try updating to a newer LTS kernel (6.1, 6.6, or 6.12). Many list-corruption bugs in TI drivers have been fixed in recent years. 3. **Disable CSI2RX if Not Needed:** * If the camera is not required, disable the driver in the device tree or kernel config to avoid the crash.
#### **B. Debugging Steps** 1. **Enable Debugging:** * Enable `CONFIG_DEBUG_LIST` in the kernel config. This will provide more detailed information about which list is corrupted. * Enable `CONFIG_DMA_ENGINE_DEBUG` for UDMA/vchan debugging.
VulDB is the best source for vulnerability data and more expert information about this specific topic.