| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120822-CVE-2025-40317-5237@gregkh>
Date: Mon, 8 Dec 2025 09:47:41 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40317: regmap: slimbus: fix bus_context pointer in regmap init calls
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
regmap: slimbus: fix bus_context pointer in regmap init calls
Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in
wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap.
That commit breaks audio playback, for instance, on sdm845 Thundercomm
Dragonboard 845c board:
Unable to handle kernel paging request at virtual address ffff8000847cbad4
...
CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT
Hardware name: Thundercomm Dragonboard 845c (DT)
...
Call trace:
slim_xfer_msg+0x24/0x1ac [slimbus] (P)
slim_read+0x48/0x74 [slimbus]
regmap_slimbus_read+0x18/0x24 [regmap_slimbus]
_regmap_raw_read+0xe8/0x174
_regmap_bus_read+0x44/0x80
_regmap_read+0x60/0xd8
_regmap_update_bits+0xf4/0x140
_regmap_select_page+0xa8/0x124
_regmap_raw_write_impl+0x3b8/0x65c
_regmap_bus_raw_write+0x60/0x80
_regmap_write+0x58/0xc0
regmap_write+0x4c/0x80
wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]
snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]
__soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]
dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]
dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]
snd_pcm_hw_params+0x124/0x464 [snd_pcm]
snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]
snd_pcm_ioctl+0x34/0x4c [snd_pcm]
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x104
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xec
el0t_64_sync_handler+0xa0/0xf0
el0t_64_sync+0x198/0x19c
The __devm_regmap_init_slimbus() started to be used instead of
__regmap_init_slimbus() after the commit mentioned above and turns out
the incorrect bus_context pointer (3rd argument) was used in
__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal
to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or
the first user of devm_regmap_init_slimbus() but we should fix it till
the point where __devm_regmap_init_slimbus() was introduced therefore
two "Fixes" tags.
While at this, also correct the same argument in __regmap_init_slimbus().
The Linux kernel CVE team has assigned CVE-2025-40317 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 5.4.302 with commit c0f05129e5734ff3fd14b2c242709314d9ca5433
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 5.10.247 with commit 02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 5.15.197 with commit d979639f099c6e51f06ce4dd8d8e56364d6c17ba
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 6.1.159 with commit 8143e4075d131c528540417a51966f6697be14eb
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 6.6.117 with commit 2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 6.12.58 with commit a16e92f8d7dc7371e68f17a9926cb92d2244be7b
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 6.17.8 with commit b65f3303349eaee333e47d2a99045aa12fa0c3a7
Issue introduced in 4.16 with commit 7d6f7fb053ad543da74119df3c4cd7bb46220471 and fixed in 6.18 with commit 434f7349a1f00618a620b316f091bd13a12bc8d2
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-40317
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/base/regmap/regmap-slimbus.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433
https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1
https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba
https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb
https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c
https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b
https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7
https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2
Powered by blists - more mailing lists