CVE-2025-39674: 
Linux Debian vulnerability analysis and mitigation

A null pointer dereference vulnerability was discovered in the Linux kernel's SCSI UFS driver (CVE-2025-39674). The issue affects the ESI (Enhanced System Interrupt) configuration in the UFS-QCOM driver, which is a performance optimization feature providing dedicated interrupts per MCQ hardware queue. The vulnerability was disclosed on September 5, 2025 (NVD).

The vulnerability occurs when platformdevicemsiinitandallocirqs() in ufsqcomconfigesi() fails (returns -EINVAL) but the code uses _free() macro for automatic cleanup to free MSI resources that were never successfully allocated. This leads to a null pointer dereference at virtual address 0x0000000000000008. The issue specifically affects the ESI/MSI feature, which is an optional performance optimization feature for UFS MCQ (NVD).

The vulnerability results in a kernel null pointer dereference which can cause system crashes and denial of service conditions. Since ESI is an optional feature, UFS MCQ functionality should still work without it, though potentially with reduced performance (NVD).

The fix involves restructuring the ESI configuration to attempt MSI allocation first, before any other resource allocation, and implementing explicit cleanup instead of using the __free() macro to avoid cleanup of unallocated resources. The fix has been tested on SM8750 platform with MCQ enabled, both with and without Platform ESI support (NVD).