fkie_cve-2025-38010
Vulnerability from fkie_nvd
Published
2025-06-18 10:15
Modified
2025-06-18 13:46
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as: [ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count. To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually. With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles. The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1db527f0cb8f677adadd4e28e5bc77aaf5d4e4c9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/628bec9ed68a2204184fc8230a2609075b08666e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b47158fb42959c417ff2662075c0d46fb783d5d1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ba25131b3c1ceec303839b2462586d7673788197
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Use a bitmask for UTMI pad power state tracking\n\nThe current implementation uses bias_pad_enable as a reference count to\nmanage the shared bias pad for all UTMI PHYs. However, during system\nsuspension with connected USB devices, multiple power-down requests for\nthe UTMI pad result in a mismatch in the reference count, which in turn\nproduces warnings such as:\n\n[  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170\n[  237.763103] Call trace:\n[  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170\n[  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30\n[  237.763110]  phy_power_off+0x48/0x100\n[  237.763113]  tegra_xusb_enter_elpg+0x204/0x500\n[  237.763119]  tegra_xusb_suspend+0x48/0x140\n[  237.763122]  platform_pm_suspend+0x2c/0xb0\n[  237.763125]  dpm_run_callback.isra.0+0x20/0xa0\n[  237.763127]  __device_suspend+0x118/0x330\n[  237.763129]  dpm_suspend+0x10c/0x1f0\n[  237.763130]  dpm_suspend_start+0x88/0xb0\n[  237.763132]  suspend_devices_and_enter+0x120/0x500\n[  237.763135]  pm_suspend+0x1ec/0x270\n\nThe root cause was traced back to the dynamic power-down changes\nintroduced in commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"),\nwhere the UTMI pad was being powered down without verifying its current\nstate. This unbalanced behavior led to discrepancies in the reference\ncount.\n\nTo rectify this issue, this patch replaces the single reference counter\nwith a bitmask, renamed to utmi_pad_enabled. Each bit in the mask\ncorresponds to one of the four USB2 PHYs, allowing us to track each pad\u0027s\nenablement status individually.\n\nWith this change:\n  - The bias pad is powered on only when the mask is clear.\n  - Each UTMI pad is powered on or down based on its corresponding bit\n    in the mask, preventing redundant operations.\n  - The overall power state of the shared bias pad is maintained\n    correctly during suspend/resume cycles.\n\nThe mutex used to prevent race conditions during UTMI pad enable/disable\noperations has been moved from the tegra186_utmi_bias_pad_power_on/off\nfunctions to the parent functions tegra186_utmi_pad_power_on/down. This\nchange ensures that there are no race conditions when updating the bitmask."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: phy: tegra: xusb: utilizar una m\u00e1scara de bits para el seguimiento del estado de energ\u00eda del panel UTMI. La implementaci\u00f3n actual utiliza bias_pad_enable como un recuento de referencia para administrar el panel de polarizaci\u00f3n compartido para todos los PHY UTMI. Sin embargo, durante la suspensi\u00f3n del sistema con dispositivos USB conectados, varias solicitudes de apagado del panel UTMI resultan en una discrepancia en el recuento de referencia, lo que a su vez produce advertencias como: [ 237.762967] ADVERTENCIA: CPU: 10 PID: 1618 en tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Rastreo de llamadas: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 La causa ra\u00edz se remonta a los cambios de apagado din\u00e1mico introducidos en el commit a30951d31b25 (\"xhci: tegra: USB2 pad power controls\"), donde el pad UTMI se apagaba sin verificar su estado actual. Este comportamiento desequilibrado provoc\u00f3 discrepancias en el recuento de referencias. Para rectificar este problema, este parche reemplaza el contador de referencia \u00fanico con una m\u00e1scara de bits, renombrada como utmi_pad_enabled. Cada bit en la m\u00e1scara corresponde a uno de los cuatro PHY USB2, lo que nos permite rastrear el estado de habilitaci\u00f3n de cada pad individualmente. Con este cambio: - El pad de polarizaci\u00f3n se enciende solo cuando la m\u00e1scara est\u00e1 despejada. - Cada pad UTMI se enciende o apaga seg\u00fan su bit correspondiente en la m\u00e1scara, lo que evita operaciones redundantes. El estado general de energ\u00eda del pad de polarizaci\u00f3n compartido se mantiene correctamente durante los ciclos de suspensi\u00f3n/reinicio. El mutex utilizado para evitar condiciones de ejecuci\u00f3n durante las operaciones de activaci\u00f3n/desactivaci\u00f3n del pad UTMI se ha trasladado de las funciones tegra186_utmi_bias_pad_power_on/off a las funciones principales tegra186_utmi_pad_power_on/down. Este cambio garantiza que no se produzcan condiciones de ejecuci\u00f3n al actualizar la m\u00e1scara de bits."
    }
  ],
  "id": "CVE-2025-38010",
  "lastModified": "2025-06-18T13:46:52.973",
  "metrics": {},
  "published": "2025-06-18T10:15:32.283",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1db527f0cb8f677adadd4e28e5bc77aaf5d4e4c9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/628bec9ed68a2204184fc8230a2609075b08666e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b47158fb42959c417ff2662075c0d46fb783d5d1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ba25131b3c1ceec303839b2462586d7673788197"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.