CVE-2023-53054

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: fix a devres leak in hw_enable upon suspend resume

Each time the platform goes to low power, PM suspend / resume routines call: __dwc2_lowlevel_hw_enable -> devm_add_action_or_reset(). This adds a new devres each time. This may also happen at runtime, as dwc2_lowlevel_hw_enable() can be called from udc_start().

This can be seen with tracing:

  • echo 1 > /sys/kernel/debug/tracing/events/dev/devres_log/enable
  • go to low power
  • cat /sys/kernel/debug/tracing/trace

A new "ADD" entry is found upon each low power cycle: … devres_log: 49000000.usb-otg ADD 82a13bba devm_action_release (8 bytes) … devres_log: 49000000.usb-otg ADD 49889daf devm_action_release (8 bytes) …

A second issue is addressed here:

  • regulator_bulk_enable() is called upon each PM cycle (suspend/resume).
  • regulator_bulk_disable() never gets called.

So the reference count for these regulators constantly increase, by one upon each low power cycle, due to missing regulator_bulk_disable() call in __dwc2_lowlevel_hw_disable().

The original fix that introduced the devm_add_action_or_reset() call, fixed an issue during probe, that happens due to other errors in dwc2_driver_probe() -> dwc2_core_reset(). Then the probe fails without disabling regulators, when dr_mode == USB_DR_MODE_PERIPHERAL.

Rather fix the error path: disable all the low level hardware in the error path, by using the "hsotg->ll_hw_enabled" flag. Checking dr_mode has been introduced to avoid a dual call to dwc2_lowlevel_hw_disable(). "ll_hw_enabled" should achieve the same (and is used currently in the remove() routine).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux33a06f1300a79cfd461cea0268f05e969d4f34ec < 1f01027c51eb16145e8e07fafea3ca07ef102d06affected
LinuxLinux33a06f1300a79cfd461cea0268f05e969d4f34ec < cba76e1fb896b573f09f51aa299223276a77bc90affected
LinuxLinux33a06f1300a79cfd461cea0268f05e969d4f34ec < ffb8ab6f87bd28d700ab5c20d9d3a7e75067630daffected
LinuxLinux33a06f1300a79cfd461cea0268f05e969d4f34ec < 6485fc381b6528b6f547ee1ff10bdbcbe31a6e4caffected
LinuxLinux33a06f1300a79cfd461cea0268f05e969d4f34ec < f747313249b74f323ddf841a9c8db14d989f296aaffected
LinuxLinuxc95e1f67b9a84479d1a6d2e9b123a1553af2a75eaffected
LinuxLinux7d2a4749e1589295c69183f7d79d5b62664b34d6affected
LinuxLinux8a8841b9f3eb1f46e3fc6d56a9b9299c53f4f86faffected
LinuxLinuxfa7fd9ba18533e9aa5f718a06de3deb522a4b587affected
LinuxLinuxb2c2b88b049684b89776036f9a03fcc2d1bb3c22affected
LinuxLinuxe7c4b79d70a70b4b7b0a04c640238a2ef0a7a8c8affected
LinuxLinux88dcd13872b11bd60e6d4cb6317821e1d367e524affected
LinuxLinux4.4.233 < 4.5affected
LinuxLinux4.9.233 < 4.10affected
LinuxLinux4.14.194 < 4.15affected
LinuxLinux4.19.140 < 4.20affected
LinuxLinux5.4.59 < 5.5affected
LinuxLinux5.7.16 < 5.8affected
LinuxLinux5.8.2 < 5.9affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.10.177 <= 5.10.*unaffected
LinuxLinux5.15.105 <= 5.15.*unaffected
LinuxLinux6.1.22 <= 6.1.*unaffected
LinuxLinux6.2.9 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References