Linux Kernel USB Type-C TCPM Driver Deadlock Vulnerability

A deadlock vulnerability has been identified in the Linux kernel's USB Type-C TCPM (Type-C Port Management) driver, specifically within the DisplayPort Alt Mode handling. The issue arises from a state check in the 'tcpm_queue_vdm_unlocked' function, which is not properly protected. This creates a small window where the Alt Mode driver can mistakenly believe the TCPM is ready and attempt to acquire a lock. Meanwhile, the TCPM is holding the lock and changing its state, leading to a deadlock. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a deadlock condition, where the DisplayPort Alt Mode driver and the TCPM driver block each other, potentially causing system instability or disruption of USB Type-C functionalities.

Reproduction

The vulnerability can be reproduced by triggering the DisplayPort Alt Mode driver to request a lock from the TCPM driver while the TCPM is in the process of unregistering the Alt Mode. This can be done by initiating a DisplayPort Alt Mode session, which prompts the Alt Mode driver to acquire the TCPM lock. If the TCPM simultaneously changes its state and holds the lock, a deadlock occurs, blocking the unregistration process.

Remediation

The vulnerability has been addressed by modifying the 'tcpm_queue_vdm_unlocked' function to queue work for 'tcpm_queue_vdm_work', which can safely perform the state check while holding the TCPM lock, preventing the deadlock. Users should apply the latest patches available in the Linux kernel to mitigate this issue.