Linux Kernel UCSI ACPI Command Completion Timeout Vulnerability

Vulnerability

A vulnerability in the Linux kernel's USB Type-C UCSI ACPI implementation has been addressed by reverting a previous change that improperly adjusted the command completion timeout. The timeout was originally increased from 5 seconds to 60 seconds to accommodate alternate mode discovery issues. However, after switching to polled mode, the timeout was reduced to 1 second, causing problems with certain hardware configurations, particularly with Lenovo ThinkPad X1 Yoga Gen 7 laptops connected to LG 27UL850-W monitors via Type-C. The incorrect timeout led to errors in monitor connection status handling, which were resolved by restoring the timeout to 5 seconds.

Impact

The vulnerability could cause a NULL pointer dereference error or a timeout error when managing monitor connections over USB Type-C, disrupting the expected functionality of connected displays.

Reproduction

The vulnerability can be reproduced by connecting a Lenovo ThinkPad X1 Yoga Gen 7 to an LG 27UL850-W monitor via Type-C. If the monitor is connected at boot, a 'PPM init failed (-110)' error is logged, and the Type-C interface appears empty. Unplugging the monitor triggers a NULL pointer dereference error. If the monitor is connected after boot, a 'GET_CONNECTOR_STATUS failed (-110)' error is logged instead.
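A small triage helper for the log signatures named above, added here as an example and not taken from the kernel tree or the advisory: it scans kernel log lines for the UCSI command-timeout messages and the NULL pointer oops, decodes the errno, and reports whether a host shows the affected behaviour. The sample lines are constructed, and the device name USBC000:00 and the exact log layout are assumptions.

```python
import re

# Constructed sample kernel log lines modelled on the messages quoted in the
# advisory (not captured from a real system): display attached at boot,
# the oops on unplug, a hot-plug after boot, and an unrelated UCSI error.
SAMPLE_LOG = """\
[    4.217331] ucsi_acpi USBC000:00: PPM init failed (-110)
[   61.502118] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  120.004455] ucsi_acpi USBC000:00: GET_CONNECTOR_STATUS failed (-110)
[  130.110002] ucsi_acpi USBC000:00: PPM init failed (-5)
"""

# Linux errno values relevant here; the -110 in the advisory is ETIMEDOUT.
ERRNO_NAMES = {5: "EIO", 110: "ETIMEDOUT"}

UCSI_ERR = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<drv>ucsi\w*)\s+(?P<dev>\S+):\s+"
    r"(?P<msg>.+?)\s+\((?P<code>-\d+)\)\s*$"
)
OOPS = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+BUG: kernel NULL pointer dereference")

def triage_ucsi_log(text):
    """Return (timestamp, finding) tuples for UCSI timeout and oops lines."""
    findings = []
    for line in text.splitlines():
        m = UCSI_ERR.match(line)
        if m:
            code = abs(int(m.group("code")))
            name = ERRNO_NAMES.get(code, f"errno {code}")
            msg = m.group("msg")
            if name == "ETIMEDOUT" and msg.startswith("PPM init failed"):
                finding = "ppm-init-timeout"            # display attached at boot
            elif name == "ETIMEDOUT" and msg.startswith("GET_CONNECTOR_STATUS failed"):
                finding = "connector-status-timeout"    # display attached after boot
            else:
                finding = f"other-ucsi-error:{name}"
            findings.append((float(m.group("ts")), finding))
            continue
        m = OOPS.match(line)
        if m:
            findings.append((float(m.group("ts")), "null-deref-oops"))
    return findings

def likely_affected(findings):
    """True when either UCSI command-timeout signature from the advisory is present."""
    return any(f in ("ppm-init-timeout", "connector-status-timeout") for _, f in findings)

if __name__ == "__main__":
    for ts, f in triage_ucsi_log(SAMPLE_LOG):
        print(f"{ts:10.6f}  {f}")
```

Feed it `dmesg` or `journalctl -k` output to check a host; a hit on either timeout finding, especially alongside the oops, matches the behaviour the advisory describes.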

Remediation

Users can apply the latest Linux kernel updates, which include the necessary fix, to address this vulnerability.

Added: Sep 15, 2025, 3:15 PM
Updated: Sep 15, 2025, 9:12 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.