CVE-2025-38010
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38010
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38010.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-38010
- Downstream
- Related
- Published
- 2025-06-18T09:28:20Z
- Modified
- 2025-10-16T01:14:24.856817Z
- Summary
- phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking
The current implementation uses biaspadenable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as:
[ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186utmipadpowerdown+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186utmipadpowerdown+0x160/0x170 [ 237.763107] tegra186utmiphypoweroff+0x10/0x30 [ 237.763110] phypoweroff+0x48/0x100 [ 237.763113] tegraxusbenterelpg+0x204/0x500 [ 237.763119] tegraxusbsuspend+0x48/0x140 [ 237.763122] platformpmsuspend+0x2c/0xb0 [ 237.763125] dpmruncallback.isra.0+0x20/0xa0 [ 237.763127] _devicesuspend+0x118/0x330 [ 237.763129] dpmsuspend+0x10c/0x1f0 [ 237.763130] dpmsuspendstart+0x88/0xb0 [ 237.763132] suspenddevicesandenter+0x120/0x500 [ 237.763135] pmsuspend+0x1ec/0x270
The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count.
To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmipadenabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually.
With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles.
The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186utmibiaspadpoweron/off functions to the parent functions tegra186utmipadpower_on/down. This change ensures that there are no race conditions when updating the bitmask.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1db527f0cb8f677adadd4e28e5bc77aaf5d4e4c9
- https://git.kernel.org/stable/c/628bec9ed68a2204184fc8230a2609075b08666e
- https://git.kernel.org/stable/c/b47158fb42959c417ff2662075c0d46fb783d5d1
- https://git.kernel.org/stable/c/ba25131b3c1ceec303839b2462586d7673788197
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda30951d31b250bf3479c00e93646b6cc6fb42a56Fixedba25131b3c1ceec303839b2462586d7673788197
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda30951d31b250bf3479c00e93646b6cc6fb42a56Fixed1db527f0cb8f677adadd4e28e5bc77aaf5d4e4c9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda30951d31b250bf3479c00e93646b6cc6fb42a56Fixed628bec9ed68a2204184fc8230a2609075b08666e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda30951d31b250bf3479c00e93646b6cc6fb42a56Fixedb47158fb42959c417ff2662075c0d46fb783d5d1