Linux Kernel Thunderbolt Double Dequeue Vulnerability in Configuration Request Handling

Vulnerability

A vulnerability in the Linux kernel's Thunderbolt implementation allows for a double dequeue of configuration requests, leading to a general protection fault. This issue arises when the 'tb_cfg_request_work' function is scheduled twice for the same request, causing 'tb_cfg_request_dequeue' to be executed multiple times. The flaw results in a double removal from the request queue, indicated by a poisoned list reference. The vulnerability affects Linux kernel versions 6.6.65 and prior.

Impact

Exploitation of this vulnerability causes a general protection fault, likely due to a non-canonical address, leading to a crash of the affected device.

Reproduction

The vulnerability can be reproduced by scheduling the 'tb_cfg_request_work' function twice for the same configuration request. This can occur when 'tb_cfg_request' is called while a previous request is still being processed, causing the request to be dequeued twice. The resulting double removal from the request queue triggers a general protection fault, crashing the device.
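The double removal described above, as an added userspace C model (not kernel code and not the upstream patch). It shows why a second dequeue lands on a poisoned list pointer and how an idempotent dequeue avoids it. The names cfg_request, active, list_del_model, dequeue_unguarded, dequeue_guarded and poison_hits are hypothetical; the poison constants are the kernel's x86-64 values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 values from include/linux/poison.h; non-canonical, so a dereference faults. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)
struct list_head { struct list_head *next, *prev; };
struct cfg_request { struct list_head list; bool active; }; /* hypothetical; active = queued */

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Models list_del(): unlink, then poison. Where the kernel would dereference
 * the poison and fault, this model returns false instead. */
static bool list_del_model(struct list_head *e) {
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2) return false;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return true;
}

/* Unguarded: every call unlinks, so a second call hits the poison. */
static bool dequeue_unguarded(struct cfg_request *r) { return list_del_model(&r->list); }
/* Guarded: idempotent, unlinks only while the request is still queued.
 * Assumes the caller holds the queue lock (this model is single-threaded). */
static bool dequeue_guarded(struct cfg_request *r) {
    if (!r->active) return true;
    r->active = false;
    return list_del_model(&r->list);
}

/* Runs the dequeue twice for one request; returns how many calls hit poison. */
static int poison_hits(bool guarded) {
    struct list_head q = { &q, &q };
    struct cfg_request r = { .active = true };
    int hits = 0;
    list_add_tail(&r.list, &q);
    for (int i = 0; i < 2; i++)
        hits += !(guarded ? dequeue_guarded(&r) : dequeue_unguarded(&r));
    return hits;
}

int main(void) {
    printf("unguarded=%d guarded=%d\n", poison_hits(false), poison_hits(true));
    return 0;
}
```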

Remediation

Users should upgrade to a Linux kernel version outside the affected range (6.6.65 and prior) to address this vulnerability.

Added: Jul 4, 2025, 11:21 AM
Updated: Jul 4, 2025, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.