CVE-2025-37781

In the Linux kernel, the following vulnerability has been resolved:

i2c: cros-ec-tunnel: defer probe if parent EC is not present

When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to NULL pointer dereference.

That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device).

[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 271.998215] #PF: supervisor read access in kernel mode [ 272.003351] #PF: errorcode(0x0000) - not-present page [ 272.008485] PGD 0 P4D 0 [ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI [ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5 [ 272.030312] Tainted: [S]=CPUOUTOFSPEC [ 272.034233] Hardware name: HP Berknip/Berknip, BIOS GoogleBerknip.13434.356.0 05/17/2021 [ 272.042400] RIP: 0010:eci2cprobe+0x2b/0x1c0 [i2ccrosectunnel] [ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9 [ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282 [ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000 [ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00 [ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000 [ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000 [ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10 [ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000 [ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0 [ 272.129155] Call Trace: [ 272.131606] <TASK> [ 272.133709] ? acpidevpmattach+0xdd/0x110 [ 272.137985] platformprobe+0x69/0xa0 [ 272.141652] reallyprobe+0x152/0x310 [ 272.145318] _driverprobedevice+0x77/0x110 [ 272.149678] driverprobedevice+0x1e/0x190 [ 272.153864] _driverattach+0x10b/0x1e0 [ 272.157790] ? driverattach+0x20/0x20 [ 272.161542] busforeachdev+0x107/0x150 [ 272.165553] busadddriver+0x15d/0x270 [ 272.169392] driverregister+0x65/0x110 [ 272.173232] ? cleanupmodule+0xa80/0xa80 [i2ccrosectunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698] [ 272.182617] dooneinitcall+0x110/0x350 [ 272.186543] ? securitykernfsinitsecurity+0x49/0xd0 [ 272.191682] ? _kernfsnewnode+0x1b9/0x240 [ 272.195954] ? securitykernfsinitsecurity+0x49/0xd0 [ 272.201093] ? _kernfsnewnode+0x1b9/0x240 [ 272.205365] ? kernfslinksibling+0x105/0x130 [ 272.209810] ? kernfsnextdescendantpost+0x1c/0xa0 [ 272.214773] ? kernfsactivate+0x57/0x70 [ 272.218699] ? kernfsaddone+0x118/0x160 [ 272.222710] ? _kernfscreatefile+0x71/0xa0 [ 272.227069] ? sysfsaddbinfilemodens+0xd6/0x110 [ 272.232033] ? internalcreategroup+0x453/0x4a0 [ 272.236651] ? _vunmaprangenoflush+0x214/0x2d0 [ 272.241355] ? _freefrozenpages+0x1dc/0x420 [ 272.245799] ? freevmapareanoflush+0x10a/0x1c0 [ 272.250505] ? loadmodule+0x1509/0x16f0 [ 272.254431] doinitmodule+0x60/0x230 [ 272.258181] _sesysfinitmodule+0x27a/0x370 [ 272.262627] dosyscall64+0x6a/0xf0 [ 272.266206] ? dosyscall64+0x76/0xf0 [ 272.269956] ? irqentryexittousermode+0x79/0x90 [ 272.274836] entrySYSCALL64afterhwframe+0x55/0x5d [ 272.279887] RIP: 0033:0x7b9309168d39 [ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8 [ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIGRAX: 000 ---truncated---