CVE-2026-43412: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start

Linux kernel CVE announcements
 help / color / mirror / Atom feed

* CVE-2026-43412: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
@ 2026-05-08 14:22 Greg Kroah-Hartman
  0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2026-05-08 14:22 UTC (permalink / raw)
  To: linux-cve-announce; +Cc: Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start

During ADSP stop and start, the kernel crashes due to the order in which
ASoC components are removed.

On ADSP stop, the q6apm-audio .remove callback unloads topology and removes
PCM runtimes during ASoC teardown. This deletes the RTDs that contain the
q6apm DAI components before their removal pass runs, leaving those
components still linked to the card and causing crashes on the next rebind.

Fix this by ensuring that all dependent (child) components are removed
first, and the q6apm component is removed last.

[   48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[   48.114763] Mem abort info:
[   48.117650]   ESR = 0x0000000096000004
[   48.121526]   EC = 0x25: DABT (current EL), IL = 32 bits
[   48.127010]   SET = 0, FnV = 0
[   48.130172]   EA = 0, S1PTW = 0
[   48.133415]   FSC = 0x04: level 0 translation fault
[   48.138446] Data abort info:
[   48.141422]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   48.147079]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   48.152354]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000
[   48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
[   48.171530] Internal error: Oops: 0000000096000004 [#1]  SMP
[   48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core
[   48.177444]  coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6
[   48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT
[   48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)
[   48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
[   48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   48.330825] pc : mutex_lock+0xc/0x54
[   48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]
[   48.340794] sp : ffff800084ddb7b0
[   48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00
[   48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098
[   48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0
[   48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff
[   48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f
[   48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673
[   48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001
[   48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000
[   48.402854] x5 : 0000000000000000 x4 : 0000000000000028 x3 : ffff000ef397a698
[   48.410180] x2 : ffff00009a2aadc0 x1 : 0000000000000000 x0 : 00000000000000d0
[   48.417506] Call trace:
[   48.420025]  mutex_lock+0xc/0x54 (P)
[   48.423712]  snd_soc_dapm_shutdown+0x44/0xbc [snd_soc_core]
[   48.429447]  soc_cleanup_card_resources+0x30/0x2c0 [snd_soc_core]
[   48.435719]  snd_soc_bind_card+0x4dc/0xcc0 [snd_soc_core]
[   48.441278]  snd_soc_add_component+0x27c/0x2c8 [snd_soc_core]
[   48.447192]  snd_soc_register_component+0x9c/0xf4 [snd_soc_core]
[   48.453371]  devm_snd_soc_register_component+0x64/0xc4 [snd_soc_core]
[   48.459994]  apm_probe+0xb4/0x110 [snd_q6apm]
[   48.464479]  apr_device_probe+0x24/0x40 [apr]
[   48.468964]  really_probe+0xbc/0x298
[   48.472651]  __driver_probe_device+0x78/0x12c
[   48.477132]  driver_probe_device+0x40/0x160
[   48.481435]  __device_attach_driver+0xb8/0x134
[   48.486011]  bus_for_each_drv+0x80/0xdc
[   48.489964]  __device_attach+0xa8/0x1b0
[   48.493916]  device_initial_probe+0x50/0x54
[   48.498219]  bus_probe_device+0x38/0xa0
[   48.502170]  device_add+0x590/0x760
[   48.505761]  device_register+0x20/0x30
[   48.509623]  of_register_apr_devices+0x1d8/0x318 [apr]
[   48.514905]  apr_pd_status+0x2c/0x54 [apr]
[   48.519114]  pdr_notifier_work+0x8c/0xe0 [pdr_interface]
[   48.524570]  process_one_work+0x150/0x294
[   48.528692]  worker_thread+0x2d8/0x3d8
[   48.532551]  kthread+0x130/0x204
[   48.535874]  ret_from_fork+0x10/0x20
[   48.539559] Code: d65f03c0 d5384102 d503201f d2800001 (c8e17c02)
[   48.545823] ---[ end trace 0000000000000000 ]---

The Linux kernel CVE team has assigned CVE-2026-43412 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.16 with commit 5477518b8a0e8a45239646acd80c9bafc4401522 and fixed in 6.1.167 with commit 94bda21adb2a51f69366b847b4d80dfe50bd9fb9
	Issue introduced in 5.16 with commit 5477518b8a0e8a45239646acd80c9bafc4401522 and fixed in 6.6.130 with commit a8e9cab16771b15160465783507496dc83742d8e
	Issue introduced in 5.16 with commit 5477518b8a0e8a45239646acd80c9bafc4401522 and fixed in 6.12.78 with commit 0da170b9e600da6930cfb8352e4cc036db3b6159
	Issue introduced in 5.16 with commit 5477518b8a0e8a45239646acd80c9bafc4401522 and fixed in 6.18.19 with commit 22b05abb17e3c6ef45035141fe3d26f815ff9d30
	Issue introduced in 5.16 with commit 5477518b8a0e8a45239646acd80c9bafc4401522 and fixed in 6.19.9 with commit 897f32cab7945f4662a50b3841ba31c6c3204876
	Issue introduced in 5.16 with commit 5477518b8a0e8a45239646acd80c9bafc4401522 and fixed in 7.0 with commit d6db827b430bdcca3976cebca7bd69cca03cde2c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43412
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	sound/soc/qcom/qdsp6/q6apm-dai.c
	sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
	sound/soc/qcom/qdsp6/q6apm.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/94bda21adb2a51f69366b847b4d80dfe50bd9fb9
	https://git.kernel.org/stable/c/a8e9cab16771b15160465783507496dc83742d8e
	https://git.kernel.org/stable/c/0da170b9e600da6930cfb8352e4cc036db3b6159
	https://git.kernel.org/stable/c/22b05abb17e3c6ef45035141fe3d26f815ff9d30
	https://git.kernel.org/stable/c/897f32cab7945f4662a50b3841ba31c6c3204876
	https://git.kernel.org/stable/c/d6db827b430bdcca3976cebca7bd69cca03cde2c

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2026-05-08 14:24 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 14:22 CVE-2026-43412: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox