GHSA-WQF4-5Q2Q-7334

Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-02-04 18:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom-qusb2: Fix NULL pointer dereference on early suspend

Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot:

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]

Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks.

Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur.

Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-71193"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T17:16:11Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qusb2: Fix NULL pointer dereference on early suspend\n\nEnabling runtime PM before attaching the QPHY instance as driver data\ncan lead to a NULL pointer dereference in runtime PM callbacks that\nexpect valid driver data. There is a small window where the suspend\ncallback may run after PM runtime enabling and before runtime forbid.\nThis causes a sporadic crash during boot:\n\n```\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a1\n[...]\nCPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT\nWorkqueue: pm pm_runtime_work\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]\nlr : pm_generic_runtime_suspend+0x2c/0x44\n[...]\n```\n\nAttach the QPHY instance as driver data before enabling runtime PM to\nprevent NULL pointer dereference in runtime PM callbacks.\n\nReorder pm_runtime_enable() and pm_runtime_forbid() to prevent a\nshort window where an unnecessary runtime suspend can occur.\n\nUse the devres-managed version to ensure PM runtime is symmetrically\ndisabled during driver removal for proper cleanup.",
  "id": "GHSA-wqf4-5q2q-7334",
  "modified": "2026-02-04T18:30:42Z",
  "published": "2026-02-04T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71193"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.