CVE-2025-21902

In the Linux kernel, the following vulnerability has been resolved:

acpi: typec: ucsi: Introduce a ->poll_cci method

For the ACPI backend of UCSI the UCSI "registers" are just a memory copy of the register values in an opregion. The ACPI implementation in the BIOS ensures that the opregion contents are synced to the embedded controller and it ensures that the registers (in particular CCI) are synced back to the opregion on notifications. While there is an ACPI call that syncs the actual registers to the opregion there is rarely a need to do this and on some ACPI implementations it actually breaks in various interesting ways.

The only reason to force a sync from the embedded controller is to poll CCI while notifications are disabled. Only the ucsi core knows if this is the case and guessing based on the current command is suboptimal, i.e. leading to the following spurious assertion splat:

WARNING: CPU: 3 PID: 76 at drivers/usb/typec/ucsi/ucsi.c:1388 ucsiresetppm+0x1b4/0x1c0 [typecucsi] CPU: 3 UID: 0 PID: 76 Comm: kworker/3:0 Not tainted 6.12.11-200.fc41.x8664 #1 Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN45WW 03/17/2023 Workqueue: eventslong ucsiinitwork [typecucsi] RIP: 0010:ucsiresetppm+0x1b4/0x1c0 [typecucsi] Call Trace: <TASK> ucsiinitwork+0x3c/0xac0 [typecucsi] processonework+0x179/0x330 workerthread+0x252/0x390 kthread+0xd2/0x100 retfromfork+0x34/0x50 retfromforkasm+0x1a/0x30 </TASK>

Thus introduce a ->pollcci() method that works like ->readcci() with an additional forced sync and document that this should be used when polling with notifications disabled. For all other backends that presumably don't have this issue use the same implementation for both methods.