Linux Kernel NULL Pointer Dereference Vulnerability in USB Type-C TCPCI Handling

A NULL pointer dereference vulnerability has been identified in the Linux kernel's USB Type-C TCPCI (Type-C Port Controller Interface) handling. This issue arises in the interrupt handler for TCPCI ports that share an interrupt request (IRQ). When the second port's interrupt handler is triggered before the first port has fully registered, it can attempt to access a NULL pointer, leading to a kernel crash. The vulnerability has been observed in the NXP i.MX93 11X11 EVK board.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced on a system with two Type-C ports sharing a single IRQ. After the first port completes its registration, an interrupt may be triggered. If this occurs just as the second port finishes requesting its IRQ, the interrupt handler for the second port will execute first. This handler will attempt to access the TCPCI data for the second port, which has not been properly initialized yet, resulting in a NULL pointer dereference. The issue can be observed in the kernel logs, where the NULL pointer dereference and subsequent crash are recorded.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest stable version where this issue has been fixed.