CVE-2025-71193

Summary

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom-qusb2: Fix NULL pointer dereference on early suspend

Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot:

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]

Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks.

Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur.

Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux891a96f65ac3b12883ddbc6d1a9adf6e54dc903c < beba460a299150b5d8dcbe3474a8f4bdf0205180affected
LinuxLinux891a96f65ac3b12883ddbc6d1a9adf6e54dc903c < d50a9b7fd07296a1ab81c49ceba14cae3d31df86affected
LinuxLinux891a96f65ac3b12883ddbc6d1a9adf6e54dc903c < 4ac15caa27ff842b068a54f1c6a8ff8b31f658e7affected
LinuxLinux891a96f65ac3b12883ddbc6d1a9adf6e54dc903c < 1ca52c0983c34fca506921791202ed5bdafd5306affected
LinuxLinux4.17affected
LinuxLinux0 < 4.17unaffected
LinuxLinux6.6.122 <= 6.6.*unaffected
LinuxLinux6.12.67 <= 6.12.*unaffected
LinuxLinux6.18.7 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References