cve/published/2022/CVE-2022-48761.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48761: usb: xhci-plat: fix crash when suspend if remote wake enable

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: xhci-plat: fix crash when suspend if remote wake enable

 Crashed at i.mx8qm platform when suspend if enable remote wakeup

 Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
 Modules linked in:
 CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12
 Hardware name: Freescale i.MX8QM MEK (DT)
 Workqueue: events_unbound async_run_entry_fn
 pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8
 lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8
 sp : ffff80001394bbf0
 x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578
 x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000
 x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001
 x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000
 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
 x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000
 x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0
 x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453
 x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c
 x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620
 Call trace:
  xhci_disable_hub_port_wake.isra.62+0x60/0xf8
  xhci_suspend+0x58/0x510
  xhci_plat_suspend+0x50/0x78
  platform_pm_suspend+0x2c/0x78
  dpm_run_callback.isra.25+0x50/0xe8
  __device_suspend+0x108/0x3c0

 The basic flow:
 	1. run time suspend call xhci_suspend, xhci parent devices gate the clock.
         2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend
         3. xhci_suspend call xhci_disable_hub_port_wake, which access register,
 	   but clock already gated by run time suspend.

 This problem was hidden by power domain driver, which call run time resume before it.

 But the below commit remove it and make this issue happen.
 	commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()")

 This patch call run time resume before suspend to make sure clock is on
 before access register.

 Testeb-by: Abel Vesa <abel.vesa@nxp.com>

 The Linux kernel CVE team has assigned CVE-2022-48761 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.96 with commit 20c51a4c52208f98e27308c456a1951778f41fa5
 	Fixed in 5.15.19 with commit d5755832a1e47f5d8773f0776e211ecd4e02da72
 	Fixed in 5.16.5 with commit 8b05ad29acb972850ad795fa850e814b2e758b83
 	Fixed in 5.17 with commit 9df478463d9feb90dae24f183383961cf123a0ec

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48761
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/host/xhci-plat.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/20c51a4c52208f98e27308c456a1951778f41fa5
 	https://git.kernel.org/stable/c/d5755832a1e47f5d8773f0776e211ecd4e02da72
 	https://git.kernel.org/stable/c/8b05ad29acb972850ad795fa850e814b2e758b83
 	https://git.kernel.org/stable/c/9df478463d9feb90dae24f183383961cf123a0ec
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48761: usb: xhci-plat: fix crash when suspend if remote wake enable

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: xhci-plat: fix crash when suspend if remote wake enable

	Crashed at i.mx8qm platform when suspend if enable remote wakeup

	Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
	Modules linked in:
	CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12
	Hardware name: Freescale i.MX8QM MEK (DT)
	Workqueue: events_unbound async_run_entry_fn
	pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8
	lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8
	sp : ffff80001394bbf0
	x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578
	x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000
	x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001
	x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000
	x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
	x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000
	x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0
	x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453
	x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c
	x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620
	Call trace:
	xhci_disable_hub_port_wake.isra.62+0x60/0xf8
	xhci_suspend+0x58/0x510
	xhci_plat_suspend+0x50/0x78
	platform_pm_suspend+0x2c/0x78
	dpm_run_callback.isra.25+0x50/0xe8
	__device_suspend+0x108/0x3c0

	The basic flow:
	1. run time suspend call xhci_suspend, xhci parent devices gate the clock.
	2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend
	3. xhci_suspend call xhci_disable_hub_port_wake, which access register,
	but clock already gated by run time suspend.

	This problem was hidden by power domain driver, which call run time resume before it.

	But the below commit remove it and make this issue happen.
	commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()")

	This patch call run time resume before suspend to make sure clock is on
	before access register.

	Testeb-by: Abel Vesa <abel.vesa@nxp.com>

	The Linux kernel CVE team has assigned CVE-2022-48761 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.96 with commit 20c51a4c52208f98e27308c456a1951778f41fa5
	Fixed in 5.15.19 with commit d5755832a1e47f5d8773f0776e211ecd4e02da72
	Fixed in 5.16.5 with commit 8b05ad29acb972850ad795fa850e814b2e758b83
	Fixed in 5.17 with commit 9df478463d9feb90dae24f183383961cf123a0ec

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48761
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/host/xhci-plat.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/20c51a4c52208f98e27308c456a1951778f41fa5
	https://git.kernel.org/stable/c/d5755832a1e47f5d8773f0776e211ecd4e02da72
	https://git.kernel.org/stable/c/8b05ad29acb972850ad795fa850e814b2e758b83
	https://git.kernel.org/stable/c/9df478463d9feb90dae24f183383961cf123a0ec