cve/published/2024/CVE-2024-26919.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26919: usb: ulpi: Fix debugfs directory leak

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: ulpi: Fix debugfs directory leak

 The ULPI per-device debugfs root is named after the ulpi device's
 parent, but ulpi_unregister_interface tries to remove a debugfs
 directory named after the ulpi device itself. This results in the
 directory sticking around and preventing subsequent (deferred) probes
 from succeeding. Change the directory name to match the ulpi device.

 The Linux kernel CVE team has assigned CVE-2024-26919 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.1.79 with commit d31b886ed6a5095214062ee4fb55037eb930adb6
 	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.6.18 with commit 330d22aba17a4d30a56f007d0f51291d7e00862b
 	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.7.6 with commit 33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3
 	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.8 with commit 3caf2b2ad7334ef35f55b95f3e1b138c6f77b368

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26919
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/common/ulpi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d31b886ed6a5095214062ee4fb55037eb930adb6
 	https://git.kernel.org/stable/c/330d22aba17a4d30a56f007d0f51291d7e00862b
 	https://git.kernel.org/stable/c/33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3
 	https://git.kernel.org/stable/c/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26919: usb: ulpi: Fix debugfs directory leak

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: ulpi: Fix debugfs directory leak

	The ULPI per-device debugfs root is named after the ulpi device's
	parent, but ulpi_unregister_interface tries to remove a debugfs
	directory named after the ulpi device itself. This results in the
	directory sticking around and preventing subsequent (deferred) probes
	from succeeding. Change the directory name to match the ulpi device.

	The Linux kernel CVE team has assigned CVE-2024-26919 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.1.79 with commit d31b886ed6a5095214062ee4fb55037eb930adb6
	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.6.18 with commit 330d22aba17a4d30a56f007d0f51291d7e00862b
	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.7.6 with commit 33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3
	Issue introduced in 5.18 with commit bd0a0a024f2a41e7cc8eadb9862f82c45884b69c and fixed in 6.8 with commit 3caf2b2ad7334ef35f55b95f3e1b138c6f77b368

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26919
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/common/ulpi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d31b886ed6a5095214062ee4fb55037eb930adb6
	https://git.kernel.org/stable/c/330d22aba17a4d30a56f007d0f51291d7e00862b
	https://git.kernel.org/stable/c/33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3
	https://git.kernel.org/stable/c/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368