CVE-2025-68327

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: renesas_usbhs: Fix synchronous external abort on unbind<br /> <br /> A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is<br /> executed after the configuration sequence described above:<br /> <br /> modprobe usb_f_ecm<br /> modprobe libcomposite<br /> modprobe configfs<br /> cd /sys/kernel/config/usb_gadget<br /> mkdir -p g1<br /> cd g1<br /> echo "0x1d6b" &gt; idVendor<br /> echo "0x0104" &gt; idProduct<br /> mkdir -p strings/0x409<br /> echo "0123456789" &gt; strings/0x409/serialnumber<br /> echo "Renesas." &gt; strings/0x409/manufacturer<br /> echo "Ethernet Gadget" &gt; strings/0x409/product<br /> mkdir -p functions/ecm.usb0<br /> mkdir -p configs/c.1<br /> mkdir -p configs/c.1/strings/0x409<br /> echo "ECM" &gt; configs/c.1/strings/0x409/configuration<br /> <br /> if [ ! -L configs/c.1/ecm.usb0 ]; then<br /> ln -s functions/ecm.usb0 configs/c.1<br /> fi<br /> <br /> echo 11e20000.usb &gt; UDC<br /> echo 11e20000.usb &gt; /sys/bus/platform/drivers/renesas_usbhs/unbind<br /> <br /> The displayed trace is as follows:<br /> <br /> Internal error: synchronous external abort: 0000000096000010 [#1] SMP<br /> CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT<br /> Tainted: [M]=MACHINE_CHECK<br /> Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)<br /> pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]<br /> lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]<br /> sp : ffff8000838b3920<br /> x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000<br /> x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810<br /> x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000<br /> x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020<br /> x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344<br /> x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000<br /> x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418<br /> x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d<br /> x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000<br /> x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80<br /> Call trace:<br /> usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)<br /> usbhsg_pullup+0x4c/0x7c [renesas_usbhs]<br /> usb_gadget_disconnect_locked+0x48/0xd4<br /> gadget_unbind_driver+0x44/0x114<br /> device_remove+0x4c/0x80<br /> device_release_driver_internal+0x1c8/0x224<br /> device_release_driver+0x18/0x24<br /> bus_remove_device+0xcc/0x10c<br /> device_del+0x14c/0x404<br /> usb_del_gadget+0x88/0xc0<br /> usb_del_gadget_udc+0x18/0x30<br /> usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]<br /> usbhs_mod_remove+0x20/0x30 [renesas_usbhs]<br /> usbhs_remove+0x98/0xdc [renesas_usbhs]<br /> platform_remove+0x20/0x30<br /> device_remove+0x4c/0x80<br /> device_release_driver_internal+0x1c8/0x224<br /> device_driver_detach+0x18/0x24<br /> unbind_store+0xb4/0xb8<br /> drv_attr_store+0x24/0x38<br /> sysfs_kf_write+0x7c/0x94<br /> kernfs_fop_write_iter+0x128/0x1b8<br /> vfs_write+0x2ac/0x350<br /> ksys_write+0x68/0xfc<br /> __arm64_sys_write+0x1c/0x28<br /> invoke_syscall+0x48/0x110<br /> el0_svc_common.constprop.0+0xc0/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x34/0xf0<br /> el0t_64_sync_handler+0xa0/0xe4<br /> el0t_64_sync+0x198/0x19c<br /> Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)<br /> ---[ end trace 0000000000000000 ]---<br /> note: sh[188] exited with irqs disabled<br /> note: sh[188] exited with preempt_count 1<br /> <br /> The issue occurs because usbhs_sys_function_pullup(), which accesses the IP<br /> registers, is executed after the USBHS clocks have been disabled. The<br /> problem is reproducible on the Renesas RZ/G3S SoC starting with the<br /> addition of module stop in the clock enable/disable APIs. With module stop<br /> functionality enabled, a bus error is expected if a master accesses a<br /> module whose clock has been stopped and module stop activated.<br /> <br /> Disable the IP clocks at the end of remove.