CVE-2025-71193
Description
In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot:
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]
Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks.
Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur.
Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup.
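The ordering problem described above, as an added example that is not the kernel patch or driver code: a userspace C model in which the PM worker is assumed to run in every gap between probe steps. All names (`model_dev`, `run_probe`, the step enum) are hypothetical, and the devres cleanup is not modelled.

```c
/* Userspace model of the probe ordering; not kernel code, all names hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct model_qphy { bool clocks_on; };
struct model_dev {
    void *drvdata;                   /* what the callback reads as driver data */
    bool rpm_enabled, rpm_forbidden; /* runtime PM enabled / suspend forbidden */
    int suspends;                    /* runtime suspends that completed */
    bool null_deref;                 /* callback ran with NULL driver data */
};
enum step { SET_DRVDATA, RPM_ENABLE, RPM_FORBID };

/* Stand-in for the suspend callback, which expects valid driver data. */
static void model_runtime_suspend(struct model_dev *dev)
{
    struct model_qphy *qphy = dev->drvdata;
    if (!qphy) { dev->null_deref = true; return; } /* kernel callback faults here */
    qphy->clocks_on = false;
    dev->suspends++;
}

/* Run the probe steps; the PM worker is allowed to run after every step. */
struct model_dev run_probe(const enum step *steps, size_t n, struct model_qphy *qphy)
{
    struct model_dev dev = {0};
    for (size_t i = 0; i < n; i++) {
        if (steps[i] == SET_DRVDATA) dev.drvdata = qphy;
        if (steps[i] == RPM_ENABLE)  dev.rpm_enabled = true;
        if (steps[i] == RPM_FORBID)  dev.rpm_forbidden = true;
        if (dev.rpm_enabled && !dev.rpm_forbidden)
            model_runtime_suspend(&dev);
    }
    return dev;
}

const enum step before_fix[]   = { RPM_ENABLE, RPM_FORBID, SET_DRVDATA };
const enum step drvdata_only[] = { SET_DRVDATA, RPM_ENABLE, RPM_FORBID };
const enum step after_fix[]    = { SET_DRVDATA, RPM_FORBID, RPM_ENABLE };

int main(void)
{
    const enum step *orders[] = { before_fix, drvdata_only, after_fix };
    for (int i = 0; i < 3; i++) {
        struct model_qphy qphy = { .clocks_on = true };
        struct model_dev d = run_probe(orders[i], 3, &qphy);
        printf("order %d: null_deref=%d suspends=%d\n", i, d.null_deref, d.suspends);
    }
    return 0;
}
```

The middle ordering shows why the description lists two changes: attaching driver data first removes the NULL dereference, but the suspend can still run once until enable is moved after forbid.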
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's QUSB2 PHY driver can cause a crash during early suspend due to a race condition in runtime PM initialization.
Vulnerability
In the Linux kernel's QUSB2 PHY driver (phy-qcom-qusb2), a NULL pointer dereference can occur during early suspend. The root cause is a race condition where runtime PM is enabled before the QPHY instance is attached as driver data. This creates a small window where the runtime PM suspend callback (qusb2_phy_runtime_suspend) may execute and attempt to access driver data that is still NULL, leading to a kernel crash [1][2].
Exploitation
An attacker does not directly trigger this vulnerability; it is a race condition that occurs during normal system boot. The crash is sporadic and depends on timing between PM runtime enabling and the suspend callback. No special privileges or network access are required—the bug manifests in the kernel's PM framework during device initialization [1][2].
Impact
If the race is hit, the system experiences a kernel NULL pointer dereference, resulting in a panic or crash. This can cause denial of service (system unavailability) during boot, potentially rendering the device unusable until a reboot. The crash trace shows the failure occurs in qusb2_phy_runtime_suspend when trying to dereference a NULL pointer [1].
Mitigation
The fix reorders the initialization sequence: the QPHY instance is attached as driver data before enabling runtime PM, and pm_runtime_enable() is moved after pm_runtime_forbid() to close the race window. The patch also uses a devres-managed version to ensure symmetric cleanup during driver removal. The fix has been applied to the Linux kernel stable trees [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.