Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's USB MTU3 driver can lead to a kernel panic. This issue occurs when the QMU transfer interrupt handler unlocks a mutex before returning a request. If another thread simultaneously processes a disconnect event and disables the endpoint, it can interfere with the mutex and free the QMU ring. Consequently, the interrupt handler may receive a NULL pointer, leading to a crash. The vulnerability affects several versions of the Linux kernel.
The vulnerability can cause a kernel panic, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by handling a QMU transfer interrupt while another thread is processing a disconnect event and disabling the corresponding endpoint. This sequence of actions can create a race condition, causing the interrupt handler to receive a NULL pointer and trigger a kernel panic.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.
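The race described above, modelled in user-space C as an added example (not code from the kernel or from this page): a transfer-done handler that drops its lock around the completion callback must re-check the ring pointer once it holds the lock again. All names (`ep`, `gpd`, `ep_make`, `ep_disable`, `qmu_done`) are hypothetical, and the concurrent disconnect is simulated deterministically by running it from the callback.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model with hypothetical names; this is not the mtu3 driver's code. */
struct gpd { bool hw_owned; };            /* one ring descriptor */
struct ep {
    struct gpd *ring;                     /* NULL once the endpoint is disabled */
    size_t deq, enq, len;
    bool locked;                          /* stands in for the controller lock */
    void (*giveback)(struct ep *);        /* request completion callback */
};

/* Constructed sample state: `queued` descriptors already completed by hardware. */
struct ep ep_make(size_t len, size_t queued, void (*cb)(struct ep *))
{
    return (struct ep){ calloc(len, sizeof(struct gpd)), 0, queued, len, false, cb };
}

/* Disconnect path: runs while the handler has released the lock. */
void ep_disable(struct ep *ep)
{
    ep->locked = true;
    free(ep->ring);
    ep->ring = NULL;
    ep->locked = false;
}

/* Transfer-done handler: completed count, or -1 if the ring was freed under it. */
int qmu_done(struct ep *ep)
{
    int done = 0;
    ep->locked = true;
    /* Re-test ep->ring every pass; without it the next read faults on NULL. */
    while (ep->ring && ep->deq != ep->enq && !ep->ring[ep->deq].hw_owned) {
        ep->deq = (ep->deq + 1) % ep->len;
        done++;
        ep->locked = false;               /* lock dropped: race window opens */
        if (ep->giveback)
            ep->giveback(ep);             /* a disconnect may run in here */
        ep->locked = true;
    }
    ep->locked = false;
    return ep->ring ? done : -1;
}

int main(void)
{
    struct ep ep = ep_make(4, 3, ep_disable);  /* disconnect lands in the window */
    return qmu_done(&ep) == -1 ? 0 : 1;
}
```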