cve/published/2025/CVE-2025-37840.mbox

From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-37840: mtd: rawnand: brcmnand: fix PM resume warning

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: brcmnand: fix PM resume warning

Fixed warning on PM resume as shown below caused due to uninitialized
struct nand_operation that checks chip select field :
WARN_ON(op->cs >= nanddev_ntargets(&chip->base)

[   14.588522] ------------[ cut here ]------------
[   14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
[   14.588553] Modules linked in: bdc udc_core
[   14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G        W          6.14.0-rc4-g5394eea10651 #16
[   14.588590] Tainted: [W]=WARN
[   14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
[   14.588598] Call trace:
[   14.588604]  dump_backtrace from show_stack+0x18/0x1c
[   14.588622]  r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
[   14.588625]  show_stack from dump_stack_lvl+0x70/0x7c
[   14.588639]  dump_stack_lvl from dump_stack+0x18/0x1c
[   14.588653]  r5:c08d40b0 r4:c1003cb0
[   14.588656]  dump_stack from __warn+0x84/0xe4
[   14.588668]  __warn from warn_slowpath_fmt+0x18c/0x194
[   14.588678]  r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
[   14.588681]  warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
[   14.588695]  r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
[   14.588697]  nand_reset_op from brcmnand_resume+0x13c/0x150
[   14.588714]  r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
[   14.588717]  brcmnand_resume from platform_pm_resume+0x34/0x54
[   14.588735]  r5:00000010 r4:c0840a50
[   14.588738]  platform_pm_resume from dpm_run_callback+0x5c/0x14c
[   14.588757]  dpm_run_callback from device_resume+0xc0/0x324
[   14.588776]  r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
[   14.588779]  device_resume from dpm_resume+0x130/0x160
[   14.588799]  r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
[   14.588802]  dpm_resume from dpm_resume_end+0x14/0x20
[   14.588822]  r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
[   14.588826]  r4:00000010
[   14.588828]  dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
[   14.588848]  r5:c228a414 r4:00000000
[   14.588851]  suspend_devices_and_enter from pm_suspend+0x228/0x2bc
[   14.588868]  r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
[   14.588871]  r4:00000003
[   14.588874]  pm_suspend from state_store+0x74/0xd0
[   14.588889]  r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
[   14.588892]  state_store from kobj_attr_store+0x1c/0x28
[   14.588913]  r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
[   14.588916]  kobj_attr_store from sysfs_kf_write+0x40/0x4c
[   14.588936]  r5:c3502900 r4:c0d92a48
[   14.588939]  sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
[   14.588956]  r5:c3502900 r4:c3501f40
[   14.588960]  kernfs_fop_write_iter from vfs_write+0x250/0x420
[   14.588980]  r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
[   14.588983]  r4:c042a88c
[   14.588987]  vfs_write from ksys_write+0x74/0xe4
[   14.589005]  r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
[   14.589008]  r4:c34f7f00
[   14.589011]  ksys_write from sys_write+0x10/0x14
[   14.589029]  r7:00000004 r6:004421c0 r5:00443398 r4:00000004
[   14.589032]  sys_write from ret_fast_syscall+0x0/0x5c
[   14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
[   14.589050] 9fa0:                   00000004 00443398 00000004 00443398 00000004 00000001
[   14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
[   14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
[   14.589065] ---[ end trace 0000000000000000 ]---

The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
doing PM resume operation in compliance with the controller support for single
die nand chip. Switching from nand_reset_op() to nand_reset() implies more
than just setting the cs field op->cs, it also reconfigures the data interface
(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise
with host after the fix.

The Linux kernel CVE team has assigned CVE-2025-37840 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 5.4.293 with commit 6f567c6a5250e3531cfd9c7ff254ecc2650464fa
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 5.10.237 with commit 8775581e1c48e1bdd04a893d6f6bbe5128ad0ea7
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 5.15.181 with commit fbcb584efa5cd912ff8a151d67b8fe22f4162a85
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 6.1.135 with commit 9dd161f707ecb7db38e5f529e979a5b6eb565b2d
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 6.6.88 with commit 9bd51723ab51580e077c91d494c37e80703b8524
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 6.12.24 with commit 7266066b9469f04ed1d4c0fdddaea1425835eb55
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 6.13.12 with commit c2eb3cffb0d972c5503e4d48921971c81def0fe5
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 6.14.3 with commit 659b1f29f3e2fd5d751fdf35c5526d1f1c9b3dd2
	Issue introduced in 4.16 with commit 97d90da8a886949f09bb4754843fb0b504956ad2 and fixed in 6.15 with commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37840
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/mtd/nand/raw/brcmnand/brcmnand.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/6f567c6a5250e3531cfd9c7ff254ecc2650464fa
	https://git.kernel.org/stable/c/8775581e1c48e1bdd04a893d6f6bbe5128ad0ea7
	https://git.kernel.org/stable/c/fbcb584efa5cd912ff8a151d67b8fe22f4162a85
	https://git.kernel.org/stable/c/9dd161f707ecb7db38e5f529e979a5b6eb565b2d
	https://git.kernel.org/stable/c/9bd51723ab51580e077c91d494c37e80703b8524
	https://git.kernel.org/stable/c/7266066b9469f04ed1d4c0fdddaea1425835eb55
	https://git.kernel.org/stable/c/c2eb3cffb0d972c5503e4d48921971c81def0fe5
	https://git.kernel.org/stable/c/659b1f29f3e2fd5d751fdf35c5526d1f1c9b3dd2
	https://git.kernel.org/stable/c/ddc210cf8b8a8be68051ad958bf3e2cef6b681c2