CVE-2026-53051

Summary

In the Linux kernel, the following vulnerability has been resolved:

PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on

When PERST# is deasserted twice (assert -> deassert -> assert -> deassert), a CBB (Control Backbone) timeout occurs at DBI register offset 0x8bc (PCIE_MISC_CONTROL_1_OFF). This happens because pci_epc_deinit_notify() and dw_pcie_ep_cleanup() are called before reset_control_deassert() powers on the controller core.

The call chain that causes the timeout:

pex_ep_event_pex_rst_deassert() pci_epc_deinit_notify() pci_epf_test_epc_deinit() pci_epf_test_clear_bar() pci_epc_clear_bar() dw_pcie_ep_clear_bar() __dw_pcie_ep_reset_bar() dw_pcie_dbi_ro_wr_en() <- Accesses 0x8bc DBI register reset_control_deassert(pcie->core_rst) <- Core powered on HERE

The DBI registers, including PCIE_MISC_CONTROL_1_OFF (0x8bc), are only accessible after the controller core is powered on via reset_control_deassert(pcie->core_rst). Accessing them before this point results in a CBB timeout because the hardware is not yet operational.

Fix this by moving pci_epc_deinit_notify() and dw_pcie_ep_cleanup() to after reset_control_deassert(pcie->core_rst), ensuring the controller is fully powered on before any DBI register accesses occur.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux72034050ccf4202cd6558b0afd2474f756ea3b9b < 010983063a806720b45778d191335f8ea864fea3affected
LinuxLinux40e2125381dc11379112485e3eefdd25c6df5375 < b059a41bdd5b202b2b9d7708403fb43c69689e53affected
LinuxLinux40e2125381dc11379112485e3eefdd25c6df5375 < ce899f9c019591b73ef84b9afa332ed53beece25affected
LinuxLinux40e2125381dc11379112485e3eefdd25c6df5375 < 34b3eef48d980cd37b876e128bbf314f69fb5d70affected
LinuxLinux70212c2300971506e986d95000d2745529cac9d7affected
LinuxLinux6.12.2 < 6.12.91affected
LinuxLinux6.11.11 < 6.12affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux6.12.91 <= 6.12.*unaffected
LinuxLinux6.18.33 <= 6.18.*unaffected
LinuxLinux7.0.10 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References