{"id":"CVE-2024-50104","summary":"ASoC: qcom: sdm845: add missing soundwire runtime stream alloc","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: sdm845: add missing soundwire runtime stream alloc\n\nDuring the migration of Soundwire runtime stream allocation from\nthe Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845\nsoundcard was forgotten.\n\nAt this point any playback attempt or audio daemon startup, for instance\non sdm845-db845c (Qualcomm RB3 board), will result in stream pointer\nNULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000020\n Mem abort info:\n   ESR = 0x0000000096000004\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x04: level 0 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000\n [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n Modules linked in: ...\n CPU: 5 UID: 0 PID: 1198 Comm: aplay\n Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18\n Hardware name: Thundercomm Dragonboard 845c (DT)\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n sp : ffff80008a2035c0\n x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000\n x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800\n x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003\n x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec\n x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003\n x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8\n Call trace:\n  sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n  wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x]\n  snd_soc_dai_hw_params+0x3c/0xa4\n  __soc_pcm_hw_params+0x230/0x660\n  dpcm_be_dai_hw_params+0x1d0/0x3f8\n  dpcm_fe_dai_hw_params+0x98/0x268\n  snd_pcm_hw_params+0x124/0x460\n  snd_pcm_common_ioctl+0x998/0x16e8\n  snd_pcm_ioctl+0x34/0x58\n  __arm64_sys_ioctl+0xac/0xf8\n  invoke_syscall+0x48/0x104\n  el0_svc_common.constprop.0+0x40/0xe0\n  do_el0_svc+0x1c/0x28\n  el0_svc+0x34/0xe0\n  el0t_64_sync_handler+0x120/0x12c\n  el0t_64_sync+0x190/0x194\n Code: aa0403fb f9418400 9100e000 9400102f (f8420f22)\n ---[ end trace 0000000000000000 ]---\n\n0000000000006108 \u003csdw_stream_add_slave\u003e:\n    6108:       d503233f        paciasp\n    610c:       a9b97bfd        stp     x29, x30, [sp, #-112]!\n    6110:       910003fd        mov     x29, sp\n    6114:       a90153f3        stp     x19, x20, [sp, #16]\n    6118:       a9025bf5        stp     x21, x22, [sp, #32]\n    611c:       aa0103f6        mov     x22, x1\n    6120:       2a0303f5        mov     w21, w3\n    6124:       a90363f7        stp     x23, x24, [sp, #48]\n    6128:       aa0003f8        mov     x24, x0\n    612c:       aa0203f7        mov     x23, x2\n    6130:       a9046bf9        stp     x25, x26, [sp, #64]\n    6134:       aa0403f9        mov     x25, x4        \u003c-- x4 copied to x25\n    6138:       a90573fb        stp     x27, x28, [sp, #80]\n    613c:       aa0403fb        mov     x27, x4\n    6140:       f9418400        ldr     x0, [x0, #776]\n    6144:       9100e000        add     x0, x0, #0x38\n    6148:       94000000        bl      0 \u003cmutex_lock\u003e\n    614c:       f8420f22        ldr     x2, [x25, #32]!  \u003c-- offset 0x44\n    ^^^\nThis is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave()\nwhere data abort happens.\nwsa881x_hw_params() is called with stream = NULL and passes it further\nin register x4 (5th argu\n---truncated---","modified":"2026-03-20T12:39:35.117848Z","published":"2024-11-05T17:10:39.471Z","related":["USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50104.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/d0e806b0cc6260b59c65e606034a63145169c04c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc34d36879f87e5a3813fb66655b8bdb90c7b0d8"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50104.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50104"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"15c7fab0e0477d7d7185eac574ca43c15b59b015"},{"fixed":"fc34d36879f87e5a3813fb66655b8bdb90c7b0d8"},{"fixed":"d0e806b0cc6260b59c65e606034a63145169c04c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50104.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}