CVE-2025-39674

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: ufs-qcom: Fix ESI null pointer dereference<br /> <br /> ESI/MSI is a performance optimization feature that provides dedicated<br /> interrupts per MCQ hardware queue. This is optional feature and UFS MCQ<br /> should work with and without ESI feature.<br /> <br /> Commit e46a28cea29a ("scsi: ufs: qcom: Remove the MSI descriptor abuse")<br /> brings a regression in ESI (Enhanced System Interrupt) configuration that<br /> causes a null pointer dereference when Platform MSI allocation fails.<br /> <br /> The issue occurs in when platform_device_msi_init_and_alloc_irqs() in<br /> ufs_qcom_config_esi() fails (returns -EINVAL) but the current code uses<br /> __free() macro for automatic cleanup free MSI resources that were never<br /> successfully allocated.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual<br /> address 0000000000000008<br /> <br /> Call trace:<br /> mutex_lock+0xc/0x54 (P)<br /> platform_device_msi_free_irqs_all+0x1c/0x40<br /> ufs_qcom_config_esi+0x1d0/0x220 [ufs_qcom]<br /> ufshcd_config_mcq+0x28/0x104<br /> ufshcd_init+0xa3c/0xf40<br /> ufshcd_pltfrm_init+0x504/0x7d4<br /> ufs_qcom_probe+0x20/0x58 [ufs_qcom]<br /> <br /> Fix by restructuring the ESI configuration to try MSI allocation first,<br /> before any other resource allocation and instead use explicit cleanup<br /> instead of __free() macro to avoid cleanup of unallocated resources.<br /> <br /> Tested on SM8750 platform with MCQ enabled, both with and without<br /> Platform ESI support.