CVE-2025-71193 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's Qualcomm QUSB2 PHY driver (phy-qcom-qusb2). The vulnerability occurs during the boot process when runtime power management (PM) is enabled before the QPHY instance is properly attached as driver data. This creates a race condition window where runtime PM callbacks may execute without valid driver data, resulting in a kernel crash.
Critical Impact
Systems using Qualcomm QUSB2 PHY hardware may experience sporadic kernel crashes during boot due to a NULL pointer dereference in the qusb2_phy_runtime_suspend() function, leading to system instability and denial of service conditions.
Affected Products
- Linux kernel versions with the phy-qcom-qusb2 driver
- Systems utilizing Qualcomm QUSB2 PHY hardware (common in ARM-based devices)
- Embedded systems and mobile devices with Qualcomm USB PHY components
Discovery Timeline
- 2026-02-04 - CVE-2025-71193 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-71193
Vulnerability Analysis
This vulnerability represents a race condition in the driver initialization sequence that leads to a NULL pointer dereference. The root issue lies in the order of operations during driver probe: the code enables runtime PM before setting the driver data pointer that runtime PM callbacks depend on.
When the pm_runtime_enable() function is called, it makes the device eligible for runtime suspend operations. If the PM runtime workqueue (pm_runtime_work) schedules a suspend callback before platform_set_drvdata() completes, the qusb2_phy_runtime_suspend() function receives a NULL pointer when attempting to access the QPHY instance data structure.
The crash manifests at virtual address 0x00000000000000a1, a small offset from zero. A fault address this low is the signature of reading a structure member through a NULL base pointer: the faulting address is simply the member's offset within the structure.
Root Cause
The vulnerability stems from improper initialization ordering in the driver probe function. Runtime PM is enabled before the QPHY instance pointer is attached as driver data, creating a window where:
- pm_runtime_enable() allows runtime suspend scheduling
- The PM workqueue may trigger qusb2_phy_runtime_suspend()
- The callback attempts to retrieve driver data via dev_get_drvdata()
- Since platform_set_drvdata() hasn't been called yet, NULL is returned
- Dereferencing the NULL pointer causes a kernel panic
The fix involves reordering the initialization sequence to attach driver data before enabling runtime PM, and using devres-managed PM runtime functions for proper cleanup during driver removal.
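The ordering bug described above, as a stand-alone user-space model added here (it is not the driver's code): the kernel structures and helpers are mocked under their real names with constructed layouts, and the PM core is modelled in its worst case, where the suspend callback runs the moment runtime PM is enabled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#define EFAULT 14
/* Stand-ins for struct device and the driver's private state; layouts are constructed. */
struct device {
    void *driver_data;
    int (*runtime_suspend)(struct device *dev);
};
struct qusb2_phy {
    struct device *dev;
    bool clocks_on;   /* state the suspend path writes */
};

static uintptr_t last_fault_addr;   /* address a real kernel would have faulted on */

static void *dev_get_drvdata(struct device *dev) { return dev->driver_data; }
static void platform_set_drvdata(struct device *dev, void *data) { dev->driver_data = data; }
/* Same shape as qusb2_phy_runtime_suspend(): fetch drvdata, then touch a member. A NULL
 * base is recorded as the member's offset (the "small address" in the oops) instead of
 * faulting, so both probe orderings can be compared in user space. */
static int qusb2_phy_runtime_suspend(struct device *dev)
{
    struct qusb2_phy *qphy = dev_get_drvdata(dev);
    if (!qphy) {
        last_fault_addr = offsetof(struct qusb2_phy, clocks_on);
        return -EFAULT;
    }
    qphy->clocks_on = false;
    return 0;
}

/* Model of pm_runtime_enable(): once enabled, pm_runtime_work may suspend an idle
 * device at any moment; this model takes the worst case and runs it immediately. */
static int pm_runtime_enable(struct device *dev) { return dev->runtime_suspend(dev); }

/* Ordering the advisory describes as vulnerable: enable runtime PM, then attach drvdata. */
int probe_vulnerable(struct device *dev, struct qusb2_phy *qphy)
{
    int ret = pm_runtime_enable(dev);   /* suspend callback may already run in here */
    platform_set_drvdata(dev, qphy);    /* too late for that callback */
    return ret;
}

/* Fixed ordering: attach drvdata before the PM core can call back into the driver. */
int probe_fixed(struct device *dev, struct qusb2_phy *qphy)
{
    platform_set_drvdata(dev, qphy);
    return pm_runtime_enable(dev);
}
```

The real driver faults instead of returning -EFAULT; the model only swaps the crash for a recorded address so the two orderings can be run side by side.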
Attack Vector
This vulnerability is primarily a reliability issue rather than a remotely exploitable security flaw. It is triggered during the normal boot process, when the kernel initializes the QUSB2 PHY driver. The race window is small but manifests sporadically, particularly on systems where the PM workqueue runs shortly after runtime PM is enabled.
An attacker with local access could potentially exploit timing conditions to trigger the crash, though practical exploitation would require precise control over kernel scheduling. The primary impact is denial of service through system crashes during boot or driver reinitialization.
Detection Methods for CVE-2025-71193
Indicators of Compromise
- Kernel panic messages referencing qusb2_phy_runtime_suspend in the call stack
- NULL pointer dereference errors at low virtual addresses (e.g., 0x00000000000000a1)
- System crashes during boot whose oops trace shows "Workqueue: pm pm_runtime_work"
- Kernel log entries reading "Unable to handle kernel NULL pointer dereference at virtual address ..." during early boot (reported from CPU 0 in the observed trace)
Detection Strategies
- Monitor kernel logs (dmesg) for NULL pointer dereference errors in the phy_qcom_qusb2 module
- Implement kernel crash dump analysis to identify crashes originating from the qusb2_phy_runtime_suspend function
- Deploy system stability monitoring to detect sporadic boot failures on affected hardware platforms
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information when crashes occur
- Monitor system availability metrics for devices using Qualcomm QUSB2 PHY hardware
- Review boot logs for any runtime PM-related warnings or errors from the PHY subsystem
How to Mitigate CVE-2025-71193
Immediate Actions Required
- Apply the kernel patches provided in the stable kernel releases
- Update Linux kernel to a patched version containing the fix
- For systems experiencing boot crashes, consider disabling runtime PM for the QUSB2 PHY driver as a temporary measure
Patch Information
The vulnerability has been addressed through multiple kernel patch commits that reorder the initialization sequence in the QUSB2 PHY driver. The patches ensure driver data is attached before runtime PM is enabled and use devres-managed functions for proper cleanup.
Available patches:
- Kernel Patch Commit 1ca52c0
- Kernel Patch Commit 4ac15ca
- Kernel Patch Commit beba460
- Kernel Patch Commit d50a9b7
Workarounds
- Disable runtime PM for the affected PHY driver by adding kernel boot parameters
- Build a custom kernel with the patches applied from the stable kernel repository
- For embedded systems, update the device tree or firmware to use alternative PHY configurations if available
# Temporary workaround: forbid runtime suspend for every bound QUSB2 PHY via sysfs.
# Writing "on" to power/control keeps the device powered; writing "auto" re-enables runtime PM.
# Loop over the matches instead of redirecting into a glob: with more than one PHY the
# single redirect would fail as ambiguous. The drivers/<name>/* links only appear once the
# driver has bound, so this covers later suspend cycles, not the probe-time window itself.
for ctl in /sys/bus/platform/drivers/qcom-qusb2-phy/*/power/control; do
    [ -w "$ctl" ] && echo on > "$ctl"
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.