ghsa-rmcq-qm8v-8r2p
Vulnerability from github
Published
2025-12-16 15:30
Modified
2025-12-16 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)

According to UFS specifications, the power-off sequence for a UFS device includes:

  • Sending an SSU command with Power_Condition=3 and await a response.

  • Asserting RST_N low.

  • Turning off REF_CLK.

  • Turning off VCC.

  • Turning off VCCQ/VCCQ2.

As part of ufs shutdown, after the SSU command completion, asserting hardware reset (HWRST) triggers the device firmware to wake up and execute its reset routine. This routine initializes hardware blocks and takes a few milliseconds to complete. During this time, the ICCQ draws a large current.

This large ICCQ current may cause issues for the regulator which is supplying power to UFS, because the turn off request from UFS driver to the regulator framework will be immediately followed by low power mode(LPM) request by regulator framework. This is done by framework because UFS which is the only client is requesting for disable. So if the rail is still in the process of shutting down while ICCQ exceeds LPM current thresholds, and LPM mode is activated in hardware during this state, it may trigger an overcurrent protection (OCP) fault in the regulator.

To prevent this, a 10ms delay is added after asserting HWRST. This allows the reset operation to complete while power rails remain active and in high-power mode.

Currently there is no way for Host to query whether the reset is completed or not and hence this the delay is based on experiments with Qualcomm UFS controllers across multiple UFS vendors.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-68236"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T14:15:58Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3)\n\nAccording to UFS specifications, the power-off sequence for a UFS device\nincludes:\n\n - Sending an SSU command with Power_Condition=3 and await a response.\n\n - Asserting RST_N low.\n\n - Turning off REF_CLK.\n\n - Turning off VCC.\n\n - Turning off VCCQ/VCCQ2.\n\nAs part of ufs shutdown, after the SSU command completion, asserting\nhardware reset (HWRST) triggers the device firmware to wake up and\nexecute its reset routine. This routine initializes hardware blocks and\ntakes a few milliseconds to complete. During this time, the ICCQ draws a\nlarge current.\n\nThis large ICCQ current may cause issues for the regulator which is\nsupplying power to UFS, because the turn off request from UFS driver to\nthe regulator framework will be immediately followed by low power\nmode(LPM) request by regulator framework. This is done by framework\nbecause UFS which is the only client is requesting for disable. So if\nthe rail is still in the process of shutting down while ICCQ exceeds LPM\ncurrent thresholds, and LPM mode is activated in hardware during this\nstate, it may trigger an overcurrent protection (OCP) fault in the\nregulator.\n\nTo prevent this, a 10ms delay is added after asserting HWRST. This\nallows the reset operation to complete while power rails remain active\nand in high-power mode.\n\nCurrently there is no way for Host to query whether the reset is\ncompleted or not and hence this the delay is based on experiments with\nQualcomm UFS controllers across multiple UFS vendors.",
  "id": "GHSA-rmcq-qm8v-8r2p",
  "modified": "2025-12-16T15:30:46Z",
  "published": "2025-12-16T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68236"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5127be409c6c3815c4a7d8f6d88043e44f9b9543"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b712f234a74c1f5ce70b5d7aec3fc2499c258141"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.