ghsa-w69j-ppp7-83pp
Vulnerability from github
Published
2025-04-01 18:30
Modified
2025-04-01 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

acpi: typec: ucsi: Introduce a ->poll_cci method

For the ACPI backend of UCSI the UCSI "registers" are just a memory copy of the register values in an opregion. The ACPI implementation in the BIOS ensures that the opregion contents are synced to the embedded controller and it ensures that the registers (in particular CCI) are synced back to the opregion on notifications. While there is an ACPI call that syncs the actual registers to the opregion there is rarely a need to do this and on some ACPI implementations it actually breaks in various interesting ways.

The only reason to force a sync from the embedded controller is to poll CCI while notifications are disabled. Only the ucsi core knows if this is the case and guessing based on the current command is suboptimal, i.e. leading to the following spurious assertion splat:

WARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1 Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023 Workqueue: events_long ucsi_init_work [typec_ucsi] RIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi] Call Trace: ucsi_init_work+0x3c/0xac0 [typec_ucsi] process_one_work+0x179/0x330 worker_thread+0x252/0x390 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30

Thus introduce a ->poll_cci() method that works like ->read_cci() with an additional forced sync and document that this should be used when polling with notifications disabled. For all other backends that presumably don't have this issue use the same implementation for both methods.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21902"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:20Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: typec: ucsi: Introduce a -\u003epoll_cci method\n\nFor the ACPI backend of UCSI the UCSI \"registers\" are just a memory copy\nof the register values in an opregion. The ACPI implementation in the\nBIOS ensures that the opregion contents are synced to the embedded\ncontroller and it ensures that the registers (in particular CCI) are\nsynced back to the opregion on notifications. While there is an ACPI call\nthat syncs the actual registers to the opregion there is rarely a need to\ndo this and on some ACPI implementations it actually breaks in various\ninteresting ways.\n\nThe only reason to force a sync from the embedded controller is to poll\nCCI while notifications are disabled. Only the ucsi core knows if this\nis the case and guessing based on the current command is suboptimal, i.e.\nleading to the following spurious assertion splat:\n\nWARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x86_64 #1\nHardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023\nWorkqueue: events_long ucsi_init_work [typec_ucsi]\nRIP: 0010:ucsi_reset_ppm+0x1b4/0x1c0 [typec_ucsi]\nCall Trace:\n \u003cTASK\u003e\n ucsi_init_work+0x3c/0xac0 [typec_ucsi]\n process_one_work+0x179/0x330\n worker_thread+0x252/0x390\n kthread+0xd2/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nThus introduce a -\u003epoll_cci() method that works like -\u003eread_cci() with an\nadditional forced sync and document that this should be used when polling\nwith notifications disabled. For all other backends that presumably don\u0027t\nhave this issue use the same implementation for both methods.",
  "id": "GHSA-w69j-ppp7-83pp",
  "modified": "2025-04-01T18:30:50Z",
  "published": "2025-04-01T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21902"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/012b98cdb54c7d47743ee7fc402fa23f2d90529a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1aec5c9066965ac0984e385bbc31455ae31cbffc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/976e7e9bdc7719a023a4ecccd2e3daec9ab20a40"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.