CVE-2025-68327

Source
https://cve.org/CVERecord?id=CVE-2025-68327
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68327.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68327
Published
2025-12-22T16:12:21.402Z
Modified
2026-03-23T05:12:50.772930Z
Summary
usb: renesas_usbhs: Fix synchronous external abort on unbind
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: renesas_usbhs: Fix synchronous external abort on unbind

A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is executed after the configuration sequence described above:

modprobe usb_f_ecm
modprobe libcomposite
modprobe configfs
cd /sys/kernel/config/usb_gadget
mkdir -p g1
cd g1
echo "0x1d6b" > idVendor
echo "0x0104" > idProduct
mkdir -p strings/0x409
echo "0123456789" > strings/0x409/serialnumber
echo "Renesas." > strings/0x409/manufacturer
echo "Ethernet Gadget" > strings/0x409/product
mkdir -p functions/ecm.usb0
mkdir -p configs/c.1
mkdir -p configs/c.1/strings/0x409
echo "ECM" > configs/c.1/strings/0x409/configuration

if [ ! -L configs/c.1/ecm.usb0 ]; then
    ln -s functions/ecm.usb0 configs/c.1
fi

echo 11e20000.usb > UDC
echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind

The displayed trace is as follows:

Internal error: synchronous external abort: 0000000096000010 [#1] SMP
CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT
Tainted: [M]=MACHINE_CHECK
Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]
lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]
sp : ffff8000838b3920
x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810
x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000
x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020
x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344
x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000
x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80
Call trace:
 usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)
 usbhsg_pullup+0x4c/0x7c [renesas_usbhs]
 usb_gadget_disconnect_locked+0x48/0xd4
 gadget_unbind_driver+0x44/0x114
 device_remove+0x4c/0x80
 device_release_driver_internal+0x1c8/0x224
 device_release_driver+0x18/0x24
 bus_remove_device+0xcc/0x10c
 device_del+0x14c/0x404
 usb_del_gadget+0x88/0xc0
 usb_del_gadget_udc+0x18/0x30
 usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]
 usbhs_mod_remove+0x20/0x30 [renesas_usbhs]
 usbhs_remove+0x98/0xdc [renesas_usbhs]
 platform_remove+0x20/0x30
 device_remove+0x4c/0x80
 device_release_driver_internal+0x1c8/0x224
 device_driver_detach+0x18/0x24
 unbind_store+0xb4/0xb8
 drv_attr_store+0x24/0x38
 sysfs_kf_write+0x7c/0x94
 kernfs_fop_write_iter+0x128/0x1b8
 vfs_write+0x2ac/0x350
 ksys_write+0x68/0xfc
 __arm64_sys_write+0x1c/0x28
 invoke_syscall+0x48/0x110
 el0_svc_common.constprop.0+0xc0/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x34/0xf0
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)
---[ end trace 0000000000000000 ]---
note: sh[188] exited with irqs disabled
note: sh[188] exited with preempt_count 1

The issue occurs because usbhs_sys_function_pullup(), which accesses the IP registers, is executed after the USBHS clocks have been disabled. The problem is reproducible on the Renesas RZ/G3S SoC starting with the addition of module stop in the clock enable/disable APIs. With module stop functionality enabled, a bus error is expected if a master accesses a module whose clock has been stopped and module stop activated.

Disable the IP clocks at the end of remove.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68327.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f1407d5c66240b33d11a7f1a41d55ccf6a9d7647
Fixed
fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a
Fixed
cd5e86e34c66a831b5cb9b720ad411a006962cc8
Fixed
230b1bc1310edcd5c1b71dcd6b77ccba43139cb5
Fixed
9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1
Fixed
26838f147aeaa8f820ff799d72815fba5e209bd9
Fixed
aa658a6d5ac21c7cde54c6d015f2d4daff32e02d
Fixed
eb9ac779830b2235847b72cb15cf07c7e3333c5e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68327.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type        Introduced   Fixed
ECOSYSTEM   3.0.0        5.10.247
ECOSYSTEM   5.11.0       5.15.197
ECOSYSTEM   5.16.0       6.1.159
ECOSYSTEM   6.2.0        6.6.119
ECOSYSTEM   6.7.0        6.12.61
ECOSYSTEM   6.13.0       6.17.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68327.json"