Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
usb: musb: sunxi: Fix accessing an released usb phy
Commit 6ed05c68cbca (“usb: musb: sunxi: Explicitly release USB PHY on exit”) will cause that usb phy @glue->xceiv is accessed after released.
-
register platform driver @sunxi_musb_driver // get the usb phy @glue->xceiv sunxi_musb_probe() -> devm_usb_get_phy().
-
register and unregister platform driver @musb_driver musb_probe() -> sunxi_musb_init() use the phy here //the phy is released here musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()
-
register @musb_driver again musb_probe() -> sunxi_musb_init() use the phy here but the phy has been released at 2). …
Fixed by reverting the commit, namely, removing devm_usb_put_phy() from sunxi_musb_exit().
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , Oracle Linux 7 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
- Affected packages:
- kernel @ 4.18.0 (+8 more)
In the Linux kernel, the following vulnerability has been resolved:
usb: musb: sunxi: Fix accessing an released usb phy
Commit 6ed05c68cbca (“usb: musb: sunxi: Explicitly release USB PHY on exit”) will cause that usb phy @glue->xceiv is accessed after released.
-
register platform driver @sunxi_musb_driver // get the usb phy @glue->xceiv sunxi_musb_probe() -> devm_usb_get_phy().
-
register and unregister platform driver @musb_driver musb_probe() -> sunxi_musb_init() use the phy here //the phy is released here musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()
-
register @musb_driver again musb_probe() -> sunxi_musb_init() use the phy here but the phy has been released at 2). …
Fixed by reverting the commit, namely, removing devm_usb_put_phy() from sunxi_musb_exit().