From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2025-71193: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Date: Wed, 4 Feb 2026 17:04:40 +0100
Message-ID: <2026020439-CVE-2025-71193-288d@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom-qusb2: Fix NULL pointer dereference on early suspend

Enabling runtime PM before attaching the QPHY instance as driver data
can lead to a NULL pointer dereference in runtime PM callbacks that
expect valid driver data. There is a small window where the suspend
callback may run after PM runtime enabling and before runtime forbid.
This causes a sporadic crash during boot:

```
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]
```

Attach the QPHY instance as driver data before enabling runtime PM to
prevent NULL pointer dereference in runtime PM callbacks.

Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
short window where an unnecessary runtime suspend can occur.

Use the devres-managed version to ensure PM runtime is symmetrically
disabled during driver removal for proper cleanup.

The Linux kernel CVE team has assigned CVE-2025-71193 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.17 with commit 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c and fixed in 6.6.122 with commit beba460a299150b5d8dcbe3474a8f4bdf0205180
	Issue introduced in 4.17 with commit 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c and fixed in 6.12.67 with commit d50a9b7fd07296a1ab81c49ceba14cae3d31df86
	Issue introduced in 4.17 with commit 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c and fixed in 6.18.7 with commit 4ac15caa27ff842b068a54f1c6a8ff8b31f658e7
	Issue introduced in 4.17 with commit 891a96f65ac3b12883ddbc6d1a9adf6e54dc903c and fixed in 6.19-rc6 with commit 1ca52c0983c34fca506921791202ed5bdafd5306

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-71193
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/phy/qualcomm/phy-qcom-qusb2.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180
	https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86
	https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7
	https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306
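
The ordering problem from the Description, replayed in a small userspace model. This is an added example, not code from the advisory or from the kernel driver. The struct, the step names, the rule that a suspend may be dispatched whenever runtime PM is enabled and not forbidden, and the position of the driver-data step in before_fix relative to the forbid step are all assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified userspace model, constructed for illustration: not kernel code. */
struct model_dev {
    void *drvdata;       /* what dev_set_drvdata() would store */
    bool rpm_enabled;    /* set by the pm_runtime_enable() step */
    bool rpm_forbidden;  /* set by the pm_runtime_forbid() step */
};

enum probe_step { SET_DRVDATA, RPM_ENABLE, RPM_FORBID };

/* Model assumption: the PM workqueue may call the suspend callback
 * whenever runtime PM is enabled and not forbidden. */
static bool suspend_can_run(const struct model_dev *d)
{
    return d->rpm_enabled && !d->rpm_forbidden;
}

/* Replay a probe ordering, checking after each step whether a suspend could
 * run and see NULL driver data. Returns those; *suspend_windows counts all. */
static int null_deref_windows(const enum probe_step *order, size_t n,
                              int *suspend_windows)
{
    static int qphy; /* stand-in for the driver's private structure */
    struct model_dev d = { 0 };
    int bad = 0;

    *suspend_windows = 0;
    for (size_t i = 0; i < n; i++) {
        if (order[i] == SET_DRVDATA) d.drvdata = &qphy;
        if (order[i] == RPM_ENABLE)  d.rpm_enabled = true;
        if (order[i] == RPM_FORBID)  d.rpm_forbidden = true;
        if (suspend_can_run(&d)) {
            (*suspend_windows)++;
            bad += (d.drvdata == NULL);
        }
    }
    return bad;
}
static const enum probe_step before_fix[]   = { RPM_ENABLE, RPM_FORBID, SET_DRVDATA };
static const enum probe_step drvdata_only[] = { SET_DRVDATA, RPM_ENABLE, RPM_FORBID };
static const enum probe_step after_fix[]    = { SET_DRVDATA, RPM_FORBID, RPM_ENABLE };

int main(void)
{
    int w;
    return null_deref_windows(after_fix, 3, &w); /* exit status 0: no window */
}
```

The drvdata_only ordering shows why the fix has two parts: moving the driver-data step first removes the NULL dereference but still leaves one window for an unnecessary suspend, which the enable/forbid reorder closes.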