CVE-2022-50558
Description
In the Linux kernel, the following vulnerability has been resolved:
regmap-irq: Use the new num_config_regs property in regmap_add_irq_chip_fwnode
Commit faa87ce9196d ("regmap-irq: Introduce config registers for irq types") added the num_config_regs, then commit 9edd4f5aee84 ("regmap-irq: Deprecate type registers and virtual registers") suggested to replace num_type_reg with it. However, regmap_add_irq_chip_fwnode wasn't modified to use the new property. Later on, commit 255a03bb1bb3 ("ASoC: wcd9335: Convert irq chip to config regs") removed the old num_type_reg property from the WCD9335 driver's struct regmap_irq_chip, causing a null pointer dereference in regmap_irq_set_type when it tried to index d->type_buf as it was never allocated in regmap_add_irq_chip_fwnode:
[ 39.199374] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 39.200006] Call trace: [ 39.200014] regmap_irq_set_type+0x84/0x1c0 [ 39.200026] __irq_set_trigger+0x60/0x1c0 [ 39.200040] __setup_irq+0x2f4/0x78c [ 39.200051] request_threaded_irq+0xe8/0x1a0
Use num_config_regs in regmap_add_irq_chip_fwnode instead of num_type_reg, and fall back to it if num_config_regs isn't defined to maintain backward compatibility.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel regmap-irq: missing use of num_config_regs causes null pointer dereference when allocating irq config buffers.
Vulnerability
Overview
The Linux kernel's regmap-irq subsystem suffers from a NULL pointer dereference vulnerability. The root cause is that the function regmap_add_irq_chip_fwnode was not updated to use the num_config_regs property introduced in commit faa87ce9196d, and instead continued relying on the deprecated num_type_reg field. When a driver (e.g., ASoC wcd9335) removed the old num_type_reg from its struct regmap_irq_chip, the allocation for the internal d->type_buf buffer was skipped, leading to a kernel crash [1].
Exploitation and
Trigger
The vulnerability is triggered when the kernel attempts to configure an IRQ type via regmap_irq_set_type, which indexes into the unallocated d->type_buf pointer. This occurs during normal IRQ setup, such as when a driver calls request_threaded_irq after the regmap IRQ chip registration. No special privileges or unusual attack surface are required — it can be hit simply by loading the affected driver and using the associated hardware.
Impact
An attacker with the ability to trigger IRQ setup on a system using a vulnerable driver (like the wcd9335 audio codec) can cause a kernel NULL pointer dereference, leading to a denial of service (system crash or hang). The crash trace shows an Oops in regmap_irq_set_type with a NULL pointer access at address 0.
Mitigation
The fix has been applied in the Linux kernel stable tree, commit 57bb34330c0f [1]. The patch changes regmap_add_irq_chip_fwnode to use num_config_regs and falls back to num_type_reg for backward compatibility. Users should update their kernel to a version containing this commit (e.g., 5.10.x or later stable releases) to avoid the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
357bb34330c0f961db32e52f484498d1fb35dVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.