CVE-2021-47436

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: dsps: Fix the probe error path

Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb") has inverted the calls to dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without updating correctly the error path. dsps_create_musb_pdev() allocates and registers a new platform device which must be unregistered and freed with platform_device_unregister(), and this is missing upon dsps_setup_optional_vbus_irq() error.

While on the master branch it seems not to trigger any issue, I observed a kernel crash because of a NULL pointer dereference with a v5.10.70 stable kernel where the patch mentioned above was backported. With this kernel version, -EPROBE_DEFER is returned the first time dsps_setup_optional_vbus_irq() is called which triggers the probe to error out without unregistering the platform device. Unfortunately, on the Beagle Bone Black Wireless, the platform device still living in the system is being used by the USB Ethernet gadget driver, which during the boot phase triggers the crash.

My limited knowledge of the musb world prevents me to revert this commit which was sent to silence a robot warning which, as far as I understand, does not make sense. The goal of this patch was to prevent an IRQ to fire before the platform device being registered. I think this cannot ever happen due to the fact that enabling the interrupts is done by the ->enable() callback of the platform musb device, and this platform device must be already registered in order for the core or any other user to use this callback.

Hence, I decided to fix the error path, which might prevent future errors on mainline kernels while also fixing older ones.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5269937d1483d3159d5b51907346e4f4b13ef079 < 5ed60a430fb5f3d93e7fef66264daef466b4d10caffected
LinuxLinuxffc825049ed2e8c849d318e987fd5073e0be462f < e923bce31ffefe4f60edfc6b84f62d4a858f3676affected
LinuxLinux9a4a6805294fa7d2653e82972bdaf9e3e1f3d3c9 < 9ab5d539bc975b8dcde86eca1b58d836b657732eaffected
LinuxLinux8de01a896c1bc14b6b65b8d26013626597a45eda < 9d89e287116796bf987cc48f5c8632ef3048f8ebaffected
LinuxLinux72bb3eafcfdd156713a3ea0c9c95d536bd6e6e55 < ff9249aab39820be11b6975a10d94253b7d426fcaffected
LinuxLinux7c75bde329d7e2a93cf86a5c15c61f96f1446cdc < c2115b2b16421d93d4993f3fe4c520e91d6fe801affected
LinuxLinuxf5b4df24b4209cc3b9ccc768897415be18807e46affected
LinuxLinux5.13.19 < 5.14affected
LinuxLinux4.14.247 < 4.14.252affected
LinuxLinux4.19.207 < 4.19.213affected
LinuxLinux5.4.148 < 5.4.155affected
LinuxLinux5.10.67 < 5.10.75affected
LinuxLinux5.14.6 < 5.14.14affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References