cve/published/2025/CVE-2025-21878.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21878: i2c: npcm: disable interrupt enable bit before devm_request_irq

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 i2c: npcm: disable interrupt enable bit before devm_request_irq

 The customer reports that there is a soft lockup issue related to
 the i2c driver. After checking, the i2c module was doing a tx transfer
 and the bmc machine reboots in the middle of the i2c transaction, the i2c
 module keeps the status without being reset.

 Due to such an i2c module status, the i2c irq handler keeps getting
 triggered since the i2c irq handler is registered in the kernel booting
 process after the bmc machine is doing a warm rebooting.
 The continuous triggering is stopped by the soft lockup watchdog timer.

 Disable the interrupt enable bit in the i2c module before calling
 devm_request_irq to fix this issue since the i2c relative status bit
 is read-only.

 Here is the soft lockup log.
 [   28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]
 [   28.183351] Modules linked in:
 [   28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1
 [   28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 [   28.208128] pc : __do_softirq+0xb0/0x368
 [   28.212055] lr : __do_softirq+0x70/0x368
 [   28.215972] sp : ffffff8035ebca00
 [   28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780
 [   28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0
 [   28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b
 [   28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff
 [   28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000
 [   28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2
 [   28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250
 [   28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434
 [   28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198
 [   28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40
 [   28.290611] Call trace:
 [   28.293052]  __do_softirq+0xb0/0x368
 [   28.296625]  __irq_exit_rcu+0xe0/0x100
 [   28.300374]  irq_exit+0x14/0x20
 [   28.303513]  handle_domain_irq+0x68/0x90
 [   28.307440]  gic_handle_irq+0x78/0xb0
 [   28.311098]  call_on_irq_stack+0x20/0x38
 [   28.315019]  do_interrupt_handler+0x54/0x5c
 [   28.319199]  el1_interrupt+0x2c/0x4c
 [   28.322777]  el1h_64_irq_handler+0x14/0x20
 [   28.326872]  el1h_64_irq+0x74/0x78
 [   28.330269]  __setup_irq+0x454/0x780
 [   28.333841]  request_threaded_irq+0xd0/0x1b4
 [   28.338107]  devm_request_threaded_irq+0x84/0x100
 [   28.342809]  npcm_i2c_probe_bus+0x188/0x3d0
 [   28.346990]  platform_probe+0x6c/0xc4
 [   28.350653]  really_probe+0xcc/0x45c
 [   28.354227]  __driver_probe_device+0x8c/0x160
 [   28.358578]  driver_probe_device+0x44/0xe0
 [   28.362670]  __driver_attach+0x124/0x1d0
 [   28.366589]  bus_for_each_dev+0x7c/0xe0
 [   28.370426]  driver_attach+0x28/0x30
 [   28.373997]  bus_add_driver+0x124/0x240
 [   28.377830]  driver_register+0x7c/0x124
 [   28.381662]  __platform_driver_register+0x2c/0x34
 [   28.386362]  npcm_i2c_init+0x3c/0x5c
 [   28.389937]  do_one_initcall+0x74/0x230
 [   28.393768]  kernel_init_freeable+0x24c/0x2b4
 [   28.398126]  kernel_init+0x28/0x130
 [   28.401614]  ret_from_fork+0x10/0x20
 [   28.405189] Kernel panic - not syncing: softlockup: hung tasks
 [   28.411011] SMP: stopping secondary CPUs
 [   28.414933] Kernel Offset: disabled
 [   28.418412] CPU features: 0x00000000,00000802
 [   28.427644] Rebooting in 20 seconds..

 The Linux kernel CVE team has assigned CVE-2025-21878 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 5.10.235 with commit f32d7b4dc6e791523c70e83049645dcba2a2aa33
 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 5.15.179 with commit e3aea1dba97d31eceed7b622000af0406988b9c8
 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.1.130 with commit 545b563eb00d0576775da4011b3f7ffefc9e8c60
 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.6.81 with commit 1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9
 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.12.18 with commit 12d0e39916705b68d2d8ba20a8e35d1d27afc260
 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.13.6 with commit 846e371631c57365eeb89e5db1ab0f344169af93
 	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.14 with commit dd1998e243f5fa25d348a384ba0b6c84d980f2b2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21878
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/i2c/busses/i2c-npcm7xx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33
 	https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8
 	https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60
 	https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9
 	https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260
 	https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93
 	https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21878: i2c: npcm: disable interrupt enable bit before devm_request_irq

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	i2c: npcm: disable interrupt enable bit before devm_request_irq

	The customer reports that there is a soft lockup issue related to
	the i2c driver. After checking, the i2c module was doing a tx transfer
	and the bmc machine reboots in the middle of the i2c transaction, the i2c
	module keeps the status without being reset.

	Due to such an i2c module status, the i2c irq handler keeps getting
	triggered since the i2c irq handler is registered in the kernel booting
	process after the bmc machine is doing a warm rebooting.
	The continuous triggering is stopped by the soft lockup watchdog timer.

	Disable the interrupt enable bit in the i2c module before calling
	devm_request_irq to fix this issue since the i2c relative status bit
	is read-only.

	Here is the soft lockup log.
	[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]
	[ 28.183351] Modules linked in:
	[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1
	[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	[ 28.208128] pc : __do_softirq+0xb0/0x368
	[ 28.212055] lr : __do_softirq+0x70/0x368
	[ 28.215972] sp : ffffff8035ebca00
	[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780
	[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0
	[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b
	[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff
	[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000
	[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2
	[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250
	[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434
	[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198
	[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40
	[ 28.290611] Call trace:
	[ 28.293052] __do_softirq+0xb0/0x368
	[ 28.296625] __irq_exit_rcu+0xe0/0x100
	[ 28.300374] irq_exit+0x14/0x20
	[ 28.303513] handle_domain_irq+0x68/0x90
	[ 28.307440] gic_handle_irq+0x78/0xb0
	[ 28.311098] call_on_irq_stack+0x20/0x38
	[ 28.315019] do_interrupt_handler+0x54/0x5c
	[ 28.319199] el1_interrupt+0x2c/0x4c
	[ 28.322777] el1h_64_irq_handler+0x14/0x20
	[ 28.326872] el1h_64_irq+0x74/0x78
	[ 28.330269] __setup_irq+0x454/0x780
	[ 28.333841] request_threaded_irq+0xd0/0x1b4
	[ 28.338107] devm_request_threaded_irq+0x84/0x100
	[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0
	[ 28.346990] platform_probe+0x6c/0xc4
	[ 28.350653] really_probe+0xcc/0x45c
	[ 28.354227] __driver_probe_device+0x8c/0x160
	[ 28.358578] driver_probe_device+0x44/0xe0
	[ 28.362670] __driver_attach+0x124/0x1d0
	[ 28.366589] bus_for_each_dev+0x7c/0xe0
	[ 28.370426] driver_attach+0x28/0x30
	[ 28.373997] bus_add_driver+0x124/0x240
	[ 28.377830] driver_register+0x7c/0x124
	[ 28.381662] __platform_driver_register+0x2c/0x34
	[ 28.386362] npcm_i2c_init+0x3c/0x5c
	[ 28.389937] do_one_initcall+0x74/0x230
	[ 28.393768] kernel_init_freeable+0x24c/0x2b4
	[ 28.398126] kernel_init+0x28/0x130
	[ 28.401614] ret_from_fork+0x10/0x20
	[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks
	[ 28.411011] SMP: stopping secondary CPUs
	[ 28.414933] Kernel Offset: disabled
	[ 28.418412] CPU features: 0x00000000,00000802
	[ 28.427644] Rebooting in 20 seconds..

	The Linux kernel CVE team has assigned CVE-2025-21878 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 5.10.235 with commit f32d7b4dc6e791523c70e83049645dcba2a2aa33
	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 5.15.179 with commit e3aea1dba97d31eceed7b622000af0406988b9c8
	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.1.130 with commit 545b563eb00d0576775da4011b3f7ffefc9e8c60
	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.6.81 with commit 1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9
	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.12.18 with commit 12d0e39916705b68d2d8ba20a8e35d1d27afc260
	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.13.6 with commit 846e371631c57365eeb89e5db1ab0f344169af93
	Issue introduced in 5.8 with commit 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 and fixed in 6.14 with commit dd1998e243f5fa25d348a384ba0b6c84d980f2b2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21878
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/i2c/busses/i2c-npcm7xx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33
	https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8
	https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60
	https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9
	https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260
	https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93
	https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2