VYPR
← All advisories
Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45874

CVE-2026-45874

Description

In the Linux kernel, the following vulnerability has been resolved:

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

During the probe the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the devicetree node. But in imx_hsio_configure_clk_pad() this pointer is unconditionally used which could result in a NULL pointer dereference. So check the pointer before to use it.

Affected products

1

Patches

8
a771b386cb6c

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas RichardJan 14, 2026Fixed in 6.12.75via kernel-cna
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
dd8b9ba3d970

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas RichardJan 14, 2026Fixed in 6.18.14via kernel-cna
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
4dd5d4c0361a

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas RichardJan 14, 2026Fixed in 7.0via kernel-cna
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
8d29e81e9cde

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThomas RichardJan 14, 2026Fixed in 6.19.4via kernel-cna
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
4dd5d4c0361a

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas RichardJan 14, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
a771b386cb6c

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas RichardJan 14, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
8d29e81e9cde

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas RichardJan 14, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg
dd8b9ba3d970

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThomas RichardJan 14, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/phy/freescale/phy-fsl-imx8qm-hsio.c+1 2 modified
    diff --git a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
index 977d21d753a59a..279b8ac7822df7 100644
--- a/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
+++ b/drivers/phy/freescale/phy-fsl-imx8qm-hsio.c
@@ -251,7 +251,7 @@ static void imx_hsio_configure_clk_pad(struct phy *phy)
 	struct imx_hsio_lane *lane = phy_get_drvdata(phy);
 	struct imx_hsio_priv *priv = lane->priv;
 
-	if (strncmp(priv->refclk_pad, "output", 6) == 0) {
+	if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0) {
 		pll = true;
 		regmap_update_bits(priv->misc, HSIO_CTRL0,
 				   HSIO_IOB_A_0_TXOE | HSIO_IOB_A_0_M1M0_MASK,
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Missing NULL pointer check before dereferencing `priv->refclk_pad` in `imx_hsio_configure_clk_pad()` when the `fsl,refclk-pad-mode` device tree property is absent."

Attack vector

An attacker who can control the device tree (e.g., via a crafted DT overlay or by booting on a system whose board DT lacks the `fsl,refclk-pad-mode` property) can trigger a NULL pointer dereference. During probe, when `fsl,refclk-pad-mode` is absent, `refclk_pad` is set to NULL. Later, `imx_hsio_configure_clk_pad()` unconditionally passes this NULL pointer to `strncmp()`, causing a kernel crash. No special privileges beyond the ability to influence the device tree are required.

Affected code

The vulnerability is in the function `imx_hsio_configure_clk_pad()` within `drivers/phy/freescale/phy-fsl-imx8qm-hsio.c` [patch_id=2661802]. The `priv->refclk_pad` pointer is dereferenced in a `strncmp()` call without a prior NULL check.

What the fix does

The patch adds a NULL guard before the `strncmp()` call, changing the condition from `if (strncmp(priv->refclk_pad, "output", 6) == 0)` to `if (priv->refclk_pad && strncmp(priv->refclk_pad, "output", 6) == 0)` [patch_id=2661802]. This ensures that when `refclk_pad` is NULL (because the `fsl,refclk-pad-mode` property was not defined in the device tree), the `strncmp()` is skipped entirely, preventing the NULL pointer dereference.

Preconditions

  • configThe device tree node for the HSIO PHY must not define the 'fsl,refclk-pad-mode' property, causing refclk_pad to be set to NULL during probe.
  • inputThe system must boot and the driver must call imx_hsio_configure_clk_pad() after probe.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.