FKIE_CVE-2025-71193
Vulnerability from fkie_nvd - Published: 2026-02-04 17:16 - Updated: 2026-02-05 14:57
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Enabling runtime PM before attaching the QPHY instance as driver data
can lead to a NULL pointer dereference in runtime PM callbacks that
expect valid driver data. There is a small window where the suspend
callback may run after PM runtime enabling and before runtime forbid.
This causes a sporadic crash during boot:
```
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]
```
Attach the QPHY instance as driver data before enabling runtime PM to
prevent NULL pointer dereference in runtime PM callbacks.
Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
short window where an unnecessary runtime suspend can occur.
Use the devres-managed version to ensure PM runtime is symmetrically
disabled during driver removal for proper cleanup.
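The ordering problem described above, shown as an added user-space C model (not the driver's code and not the upstream patch). Every `model_*` name and both probe functions are hypothetical stand-ins. The page only says driver data was attached after runtime PM was enabled, so placing the attach after the forbid step in the pre-fix order is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every name here is a hypothetical stand-in. */
struct model_qphy { bool suspended; };
struct model_dev {
    void *drvdata;      /* what dev_get_drvdata() would hand the callback */
    bool rpm_enabled;   /* state after pm_runtime_enable() */
    bool rpm_forbidden; /* state after pm_runtime_forbid() */
    int null_derefs;    /* callback runs that saw NULL driver data */
    int suspends;       /* total runtime-suspend callback runs */
};

/* Stand-in for the suspend callback; counts the fault instead of crashing. */
static void model_runtime_suspend(struct model_dev *d) {
    struct model_qphy *q = d->drvdata;
    d->suspends++;
    if (!q) { d->null_derefs++; return; }
    q->suspended = true;
}

/* Worst case: the PM worker gets to run after every probe step. */
static void model_pm_work(struct model_dev *d) {
    if (d->rpm_enabled && !d->rpm_forbidden)
        model_runtime_suspend(d);
}

/* Pre-fix order: enable, forbid, then attach (attach position assumed). */
struct model_dev probe_before_fix(struct model_qphy *q) {
    struct model_dev d = {0};
    d.rpm_enabled = true;   model_pm_work(&d); /* window: drvdata is NULL */
    d.rpm_forbidden = true; model_pm_work(&d);
    d.drvdata = q;          model_pm_work(&d);
    return d;
}

/* Fixed order from the summary: attach, forbid, then enable. */
struct model_dev probe_after_fix(struct model_qphy *q) {
    struct model_dev d = {0};
    d.drvdata = q;          model_pm_work(&d);
    d.rpm_forbidden = true; model_pm_work(&d);
    d.rpm_enabled = true;   model_pm_work(&d);
    return d;
}

int main(void) {
    struct model_qphy q = {0};
    printf("NULL derefs before fix: %d, suspends after fix: %d\n",
           probe_before_fix(&q).null_derefs, probe_after_fix(&q).suspends);
}
```

The model does not cover the devres-managed enable mentioned in the summary, which concerns cleanup on driver removal rather than probe ordering.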
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qusb2: Fix NULL pointer dereference on early suspend\n\nEnabling runtime PM before attaching the QPHY instance as driver data\ncan lead to a NULL pointer dereference in runtime PM callbacks that\nexpect valid driver data. There is a small window where the suspend\ncallback may run after PM runtime enabling and before runtime forbid.\nThis causes a sporadic crash during boot:\n\n```\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a1\n[...]\nCPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT\nWorkqueue: pm pm_runtime_work\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]\nlr : pm_generic_runtime_suspend+0x2c/0x44\n[...]\n```\n\nAttach the QPHY instance as driver data before enabling runtime PM to\nprevent NULL pointer dereference in runtime PM callbacks.\n\nReorder pm_runtime_enable() and pm_runtime_forbid() to prevent a\nshort window where an unnecessary runtime suspend can occur.\n\nUse the devres-managed version to ensure PM runtime is symmetrically\ndisabled during driver removal for proper cleanup."
},
{
"lang": "es",
"value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nphy: qcom-qusb2: Correcci\u00f3n de desreferencia de puntero NULL en suspensi\u00f3n temprana\n\nHabilitar PM en tiempo de ejecuci\u00f3n antes de adjuntar la instancia QPHY como datos del controlador puede llevar a una desreferencia de puntero NULL en las retrollamadas de PM en tiempo de ejecuci\u00f3n que esperan datos de controlador v\u00e1lidos. Hay una peque\u00f1a ventana donde la retrollamada de suspensi\u00f3n puede ejecutarse despu\u00e9s de la habilitaci\u00f3n de PM en tiempo de ejecuci\u00f3n y antes de la prohibici\u00f3n en tiempo de ejecuci\u00f3n. Esto causa un fallo espor\u00e1dico durante el arranque:\n\n```\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a1\n[...]\nCPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT\nWorkqueue: pm pm_runtime_work\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]\nlr : pm_generic_runtime_suspend+0x2c/0x44\n[...]\n```\n\nAdjuntar la instancia QPHY como datos del controlador antes de habilitar PM en tiempo de ejecuci\u00f3n para prevenir la desreferencia de puntero NULL en las retrollamadas de PM en tiempo de ejecuci\u00f3n.\n\nReordenar pm_runtime_enable() y pm_runtime_forbid() para prevenir una ventana corta donde puede ocurrir una suspensi\u00f3n en tiempo de ejecuci\u00f3n innecesaria.\n\nUsar la versi\u00f3n gestionada por devres para asegurar que PM en tiempo de ejecuci\u00f3n se deshabilite sim\u00e9tricamente durante la eliminaci\u00f3n del controlador para una limpieza adecuada."
}
],
"id": "CVE-2025-71193",
"lastModified": "2026-02-05T14:57:34.297",
"metrics": {},
"published": "2026-02-04T17:16:11.193",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}