CVE-2025-22011 in Linux

Summary

by MITRE • 04/08/2025

In the Linux kernel, the following vulnerability has been resolved:

ARM: dts: bcm2711: Fix xHCI power-domain

During s2idle tests on the Raspberry CM4 the VPU firmware always crashes on xHCI power-domain resume:

root@raspberrypi:/sys/power# echo freeze > state
[ 70.724347] xhci_suspend finished
[ 70.727730] xhci_plat_suspend finished
[ 70.755624] bcm2835-power bcm2835-power: Power grafx off
[ 70.761127] USB: Set power to 0

[ 74.653040] USB: Failed to set power to 1 (-110)

This seems to be caused because of the mixed usage of raspberrypi-power and bcm2835-power at the same time. So avoid the usage of the VPU firmware power-domain driver, which prevents the VPU crash.


Analysis

by VulDB Data Team • 07/19/2025

This vulnerability affects the Linux kernel's handling of power management for USB controllers on ARM-based Raspberry Pi Compute Module 4 systems. The issue manifests during s2idle suspend/resume operations when the xHCI USB controller attempts to restore power to the USB subsystem. The root cause stems from conflicting power domain management between two competing drivers: the raspberrypi-power driver and the bcm2835-power driver. When the system enters suspend state and later resumes, the xHCI controller's power-domain resume operation fails, resulting in a -110 error code which corresponds to ETIMEDOUT in the Linux kernel's error handling. This specific error indicates that the power management subsystem cannot properly establish communication with the power domain controller within the expected timeout period, leading to a complete failure in USB power restoration.

The technical flaw occurs at the Device Tree Source (DTS) level where the power domain configuration for the bcm2711 SoC incorrectly references multiple power management drivers simultaneously. This creates a race condition and resource contention scenario where both drivers attempt to control the same power domain resources, specifically the VPU (VideoCore Processing Unit) power domain that manages USB controller power states. The vulnerability is classified as a power management configuration error that violates proper device tree driver initialization sequences, making it susceptible to CWE-691: Insufficient Control Flow Management and CWE-399: Resource Management Errors. The issue specifically impacts ARM-based systems using the bcm2711 SoC architecture, where the Raspberry Pi Compute Module 4 utilizes the bcm2835-power driver for hardware control while the VPU firmware attempts to manage power states through its own power-domain interface.

The operational impact of this vulnerability is significant for embedded systems and single-board computers running Linux kernel versions containing this flaw. During system resume operations from s2idle states, users experience complete USB functionality failures, rendering all USB devices non-responsive until a system reboot occurs. This affects critical system operations including network connectivity, storage device access, peripheral input/output operations, and any USB-dependent services. The vulnerability also introduces potential system instability, as the failed power management operation may cause kernel oops or panic conditions in extreme cases. From an attacker perspective, this represents a denial-of-service vector that could be exploited to disrupt system operations, particularly in embedded IoT devices or industrial control systems where USB peripherals are essential for operation. The issue aligns with ATT&CK technique T1490: Inhibit System Recovery, as it prevents proper system state restoration and can lead to complete system unresponsiveness.

The mitigation strategy involves modifying the Device Tree Source files to eliminate the conflicting power domain references and ensure that only one power management driver controls the USB power domain resources. Specifically, the solution requires removing the VPU firmware power-domain driver references from the xHCI power domain configuration, allowing the bcm2835-power driver to manage all power state transitions exclusively. System administrators should update their kernel configurations to use the patched Device Tree files and ensure that all Raspberry Pi systems running affected kernel versions receive the necessary firmware updates. Additionally, implementing proper power domain initialization sequences and avoiding mixed driver usage patterns in device tree configurations will prevent similar issues in other ARM-based systems. Organizations should conduct thorough testing of suspend/resume operations after applying the fix to verify that USB functionality returns to normal operation and that no additional power management conflicts arise from the configuration changes.
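An added example (not part of the advisory or the kernel patch): a Python check for the post-fix suspend/resume testing recommended above, which scans kernel log text for the failure signature quoted in the summary and decodes the error number. The message formats are assumed from those quoted lines, and the function and variable names are hypothetical.

```python
import re
import sys

# Linux errno numbers (the log comes from a Linux kernel, whatever host parses it).
LINUX_ERRNO = {5: "EIO", 16: "EBUSY", 19: "ENODEV", 22: "EINVAL", 110: "ETIMEDOUT"}

LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# Assumed message formats, taken from the log lines quoted in the summary.
OFF_RE = re.compile(r"^(\S+): Set power to 0$")
FAIL_RE = re.compile(r"^(\S+): Failed to set power to (\d+) \(-(\d+)\)$")

# Constructed sample: the resume failure as quoted in the summary.
SAMPLE_LOG = """\
[ 70.724347] xhci_suspend finished
[ 70.727730] xhci_plat_suspend finished
[ 70.755624] bcm2835-power bcm2835-power: Power grafx off
[ 70.761127] USB: Set power to 0

[ 74.653040] USB: Failed to set power to 1 (-110)
"""

def find_power_failures(log_text):
    """Return one finding per failed power-domain transition in the log text."""
    findings, last_off = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-kernel line
        ts, msg = float(m.group(1)), m.group(2).strip()
        off = OFF_RE.match(msg)
        if off:
            last_off[off.group(1)] = ts  # remember when this domain was switched off
            continue
        fail = FAIL_RE.match(msg)
        if fail:
            domain, state, code = fail.group(1), int(fail.group(2)), int(fail.group(3))
            since = last_off.get(domain)
            findings.append({
                "domain": domain,
                "requested_state": state,
                "errno": LINUX_ERRNO.get(code, "errno %d" % code),
                "time": ts,
                "seconds_since_power_off": None if since is None else round(ts - since, 3),
            })
    return findings

if __name__ == "__main__":
    # Usage: dmesg | python3 check_resume.py  (without a pipe it runs on the sample)
    results = find_power_failures(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read())
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)
```

A non-zero exit status after a suspend/resume cycle means the failure signature is still present in the log.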

Responsible: Linux
Reservation: 12/29/2024
Disclosure: 04/08/2025
Moderation: accepted
CPE: ready
EPSS: 0.00159
KEV: no
Activities: very low
