5.5

CVE-2026-53158

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.1 < 5.10.260
LinuxLinux Kernel Version >= 5.11 < 5.15.211
LinuxLinux Kernel Version >= 5.16 < 6.1.177
LinuxLinux Kernel Version >= 6.2 < 6.6.143
LinuxLinux Kernel Version >= 6.7 < 6.12.94
LinuxLinux Kernel Version >= 6.13 < 6.18.36
LinuxLinux Kernel Version >= 6.19 < 7.0.13
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
LinuxLinux Kernel Version7.1 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc6
LinuxLinux Kernel Version7.1 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/8fb4a23df5b7c02929b62e5dbc270ec7c42b8134
Patch
https://git.kernel.org/stable/c/4bfdf0a9855df55e9e031ca6a25b855820590c70
Patch
https://git.kernel.org/stable/c/d5de9cb5355db36438edc621dde3673e3f235767
Patch
https://git.kernel.org/stable/c/d77583ca33299fede0c194744ef2284e7ba5b763
Patch
https://git.kernel.org/stable/c/5401fb4fe10fac6134c308495df18ed74aebb9c4
Patch
https://git.kernel.org/stable/c/0d8c64511fd45690c5326f013710efcb4f73a97e
Patch
https://git.kernel.org/stable/c/150bf6f1193c69252580c19d3b3cd631ddce61d7
Patch
https://git.kernel.org/stable/c/a3d91218ccca1e990bfb737b5a6da23f0afba22b
Patch