Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +3 more
A vulnerability in the Linux kernel's QCOM QUSB2 PHY driver can lead to a NULL pointer dereference. The issue arises because runtime power management (PM) is enabled before the QPHY instance is attached as driver data, so PM callbacks that rely on valid driver data can dereference a NULL pointer and cause a sporadic crash during boot. Specifically, there is a brief window after PM runtime is enabled and before it is forbidden in which the runtime suspend callback can execute, and a callback running in that window triggers the crash.
The vulnerability causes a sporadic crash during the boot process, where the kernel fails to handle a NULL pointer dereference, disrupting system initialization and potentially leading to a complete system failure.
To reproduce this vulnerability, enable runtime power management for the QCOM QUSB2 PHY driver before the QPHY instance is set as driver data. This can create a situation where the suspend callback is triggered while the driver data is still invalid, causing a NULL pointer dereference. The issue can be observed as a crash during the boot process, where the kernel logs indicate a failure to handle a NULL pointer dereference at a specific virtual address, along with details about the CPU, process ID, and the workqueue involved.
The vulnerability has been addressed by modifying the driver to attach the QPHY instance as driver data before enabling runtime power management. This change prevents the NULL pointer dereference in PM callbacks. Additionally, the order of the PM runtime enable and forbid commands has been adjusted to eliminate the brief window where an unnecessary runtime suspend could occur. The updated driver version should be used to ensure proper handling of power management and to avoid this vulnerability.