VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 8, 2025· Updated Apr 15, 2026

CVE-2025-40317

CVE-2025-40317

Description

In the Linux kernel, the following vulnerability has been resolved:

regmap: slimbus: fix bus_context pointer in regmap init calls

Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:

Unable to handle kernel paging request at virtual address ffff8000847cbad4 ... CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT Hardware name: Thundercomm Dragonboard 845c (DT) ... Call trace: slim_xfer_msg+0x24/0x1ac [slimbus] (P) slim_read+0x48/0x74 [slimbus] regmap_slimbus_read+0x18/0x24 [regmap_slimbus] _regmap_raw_read+0xe8/0x174 _regmap_bus_read+0x44/0x80 _regmap_read+0x60/0xd8 _regmap_update_bits+0xf4/0x140 _regmap_select_page+0xa8/0x124 _regmap_raw_write_impl+0x3b8/0x65c _regmap_bus_raw_write+0x60/0x80 _regmap_write+0x58/0xc0 regmap_write+0x4c/0x80 wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] snd_pcm_hw_params+0x124/0x464 [snd_pcm] snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] snd_pcm_ioctl+0x34/0x4c [snd_pcm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xf0 el0t_64_sync+0x198/0x19c

The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two "Fixes" tags.

While at this, also correct the same argument in __regmap_init_slimbus().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, an incorrect bus_context pointer in regmap slimbus init causes a NULL pointer dereference, leading to system crash.

Vulnerability

Details

In the Linux kernel, a bug was introduced in the __devm_regmap_init_slimbus() function where an incorrect bus_context pointer was passed to the regmap initialization. Instead of using the slimbus device itself (&slimbus->dev), a different pointer was used, causing a NULL pointer dereference when subsequent regmap read/write operations attempt to use this context. This issue was exposed after commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") which started using devm_regmap_init_slimbus() instead of the non-devres version [1].

Exploitation

The vulnerability is triggered when an audio application, such as aplay, performs hardware parameter configuration on a supported codec like wcd934x. The call chain leads to slim_read() which attempts to use the corrupted bus context, resulting in a kernel paging request fault and a system crash. The attack requires local user access to the system to run audio playback, and the system must have the affected hardware and drivers.

Impact

An attacker with local privileges can cause a denial of service by triggering a kernel panic, making the system unavailable. The crash message shows an "Unable to handle kernel paging request" at a virtual address, indicating arbitrary memory access.

Mitigation

The fix is to correct the bus_context pointer to point to the slimbus device structure. Patches have been applied to the stable kernel trees [2][3][4]. Users are advised to update to the latest stable kernel version. The wcd934x codec is the only known user of the affected function, but other slimbus devices may also be vulnerable.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

8
c0f05129e573
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
02d3041caaa3
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d979639f099c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
8143e4075d13
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
2664bfd8969d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
a16e92f8d7dc
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
b65f3303349e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
434f7349a1f0
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.