misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

Summary

CVE	CVE-2026-53158
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 09:16:33 UTC
Updated	2026-06-25 09:16:33 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.

Risk And Classification

EPSS: 0.001680000 probability, percentile 0.063460000 (date 2026-06-25)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected f6f9279f2bf0e37e2f1fb119d8832b8568536a04 8fb4a23df5b7c02929b62e5dbc270ec7c42b8134 git	Not specified
CNA	Linux	Linux	affected f6f9279f2bf0e37e2f1fb119d8832b8568536a04 4bfdf0a9855df55e9e031ca6a25b855820590c70 git	Not specified
CNA	Linux	Linux	affected f6f9279f2bf0e37e2f1fb119d8832b8568536a04 d5de9cb5355db36438edc621dde3673e3f235767 git	Not specified
CNA	Linux	Linux	affected f6f9279f2bf0e37e2f1fb119d8832b8568536a04 d77583ca33299fede0c194744ef2284e7ba5b763 git	Not specified
CNA	Linux	Linux	affected f6f9279f2bf0e37e2f1fb119d8832b8568536a04 5401fb4fe10fac6134c308495df18ed74aebb9c4 git	Not specified
CNA	Linux	Linux	affected 5.1	Not specified
CNA	Linux	Linux	unaffected 5.1 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.143 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.94 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.36 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.13 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/4bfdf0a9855df55e9e031ca6a25b855820590c70	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d77583ca33299fede0c194744ef2284e7ba5b763	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d5de9cb5355db36438edc621dde3673e3f235767	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8fb4a23df5b7c02929b62e5dbc270ec7c42b8134	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/5401fb4fe10fac6134c308495df18ed74aebb9c4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.