Description
In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
pc : _raw_spin_lock_irqsave+0x34/0x8c
lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
...
Call trace:
_raw_spin_lock_irqsave+0x34/0x8c (P)
fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
qcom_glink_native_rx+0x538/0x6a4
qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a NULL pointer dereference in the fastrpc rpmsg callback can cause a kernel panic. The fault occurs when the DSP sends a GLINK message before fastrpc_rpmsg_probe has finished initializing, leaving the context structure uninitialized and the lock variable pointing to a NULL pointer. A kernel panic disables system availability, resulting in a local denial of service.

Affected Systems

Any Linux kernel image that includes the fastrpc module and the rpmsg interface is affected. The vulnerability applies to all kernel releases built with the fastrpc driver prior to the commit that reorders initialization and adds a NULL guard. No explicit version range is listed, so all current releases that have not applied the patch are potentially impacted.

Risk and Exploitability

The exploit requires an ability to send GLINK messages to the kernel before fastrpc has completed initialization, which is a local condition typically associated with control over the DSP subsystem. This is inferred from the description that the DSP sends a message at boot before the probe finishes. No EPSS score is available, the vulnerability is not listed in CISA's KEV catalog, and the impact is a kernel panic that can be leveraged to bring the system down. The risk is therefore high for devices where an attacker can influence the DSP or trigger GLINK traffic before driver start-up.

Generated by OpenCVE AI on June 25, 2026 at 12:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that reorders fastrpc initialization and adds a NULL guard.
  • If an immediate kernel update is not feasible, disable or delay loading of the fastrpc and GLINK modules until after the DSP subsystem reports readiness.
  • In environments where the DSP subsystem can be driven by external parties, enforce access controls on GLINK channels to restrict pre‑initialization messages.

Generated by OpenCVE AI on June 25, 2026 at 12:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 12:15:00 +0000


Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.
Title misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-04T11:50:56.161Z

Reserved: 2026-06-09T07:44:35.388Z

Link: CVE-2026-53158

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53158 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses