| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-46691: usb: typec: ucsi: Move unregister out of atomic section |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| usb: typec: ucsi: Move unregister out of atomic section |
| |
| Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock |
| non-sleeping")' moved the pmic_glink client list under a spinlock, as it |
| is accessed by the rpmsg/glink callback, which in turn is invoked from |
| IRQ context. |
| |
| This means that ucsi_unregister() is now called from atomic context, |
| which isn't feasible as it's expecting a sleepable context. An effort is |
| under way to get GLINK to invoke its callbacks in a sleepable context, |
| but until then let's schedule the unregistration. |
| |
| A side effect of this is that ucsi_unregister() can now happen |
| after the remote processor, and thereby the communication link with it, is |
| gone. pmic_glink_send() is amended with a check to avoid the resulting NULL |
| pointer dereference. |
| This does however result in the user being informed about this error by |
| the following entry in the kernel log: |
| |
| ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5 |
| |
| The Linux kernel CVE team has assigned CVE-2024-46691 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.10 with commit 9329933699b32d467a99befa20415c4b2172389a and fixed in 6.10.8 with commit 095b0001aefddcd9361097c971b7debc84e72714 |
| Issue introduced in 6.10 with commit 9329933699b32d467a99befa20415c4b2172389a and fixed in 6.11 with commit 11bb2ffb679399f99041540cf662409905179e3a |
| Issue introduced in 6.6.33 with commit fbadcde1572f6b00e1e343d8b24ec8bf7f3ec08d |
| Issue introduced in 6.8.12 with commit 8d62ab7d89a4906385ea8c11a4b2475578bec0f0 |
| Issue introduced in 6.9.3 with commit bd54d7c8e76d235b4a70be3a545eb13f5ac531e4 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-46691 |
| will be updated if fixes are backported; please check that for the most |
| up to date information about this issue. |
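
An added example (not part of the advisory or of any kernel tooling): the version list above turned into a check against a `uname -r` string. The function names and status strings are assumptions of this example, and a version match says nothing about vendor backports, so compare against the commit ids when the answer matters.

```python
import platform
import re

# Transcribed from the "Affected and fixed versions" list in this advisory.
# series -> (first affected release, first fixed release in that series,
#            or None where the advisory lists no fix for the series)
AFFECTED = {
    (6, 6): ((6, 6, 33), None),
    (6, 8): ((6, 8, 12), None),
    (6, 9): ((6, 9, 3), None),
    (6, 10): ((6, 10, 0), (6, 10, 8)),
}
MAINLINE_FIXED = (6, 11, 0)  # "fixed in 6.11"


def parse_release(release):
    """Parse a `uname -r` string, e.g. '6.10.7-arch1-1' -> ((6, 10, 7), False)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc is not None


def status(release):
    """Classify a kernel release against the ranges listed in the advisory."""
    version, is_rc = parse_release(release)
    # The advisory does not say which release candidate carried the
    # introducing or fixing commit, so -rc builds cannot be decided here.
    if is_rc and version[:2] in ((6, 10), (6, 11)):
        return "rc-check-commit"
    if version >= MAINLINE_FIXED:
        return "fixed"
    entry = AFFECTED.get(version[:2])
    if entry is None:
        return "not-listed"  # series does not appear in the advisory
    introduced, fixed = entry
    if version < introduced:
        return "before-introduction"
    if fixed is None:
        return "affected-no-fix-listed"
    return "fixed" if version >= fixed else "affected"


if __name__ == "__main__":
    # Classify the kernel this script is running on.
    print(platform.release(), status(platform.release()))
```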
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/soc/qcom/pmic_glink.c |
| drivers/usb/typec/ucsi/ucsi_glink.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/095b0001aefddcd9361097c971b7debc84e72714 |
| https://git.kernel.org/stable/c/11bb2ffb679399f99041540cf662409905179e3a |