Linux Kernel USB Gadget u_serial Race Condition Vulnerability in TTY Wakeup

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's USB gadget u_serial functionality. The issue arises when gs_start_io() invokes gs_start_rx() or gs_start_tx(): both functions temporarily release port_lock around the call to usb_ep_queue(), opening a window in which gs_close() and gserial_disconnect() can run and clear port.tty and port_usb. When the lock is retaken, the code wakes the TTY through a pointer that may now be NULL. The vulnerability has been addressed by using a null-safe TTY Port helper function to wake up the TTY.

Impact

Exploitation of this vulnerability can lead to a null pointer dereference, causing a crash or instability in the system.

Reproduction

The vulnerability can be reproduced by establishing a connection that triggers gserial_connect(), which locks the port. Then, while this lock is held, initiate gs_close() to clear the TTY and USB port references. Once gs_close() has completed, gs_start_rx() can be called again; it attempts to wake up the TTY through the cleared reference, leading to a null pointer dereference.
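The race described in the Vulnerability and Reproduction sections, as an added user-space C model that is not the kernel's code: function and field names mirror the advisory, `safe_tty_wakeup()` stands in for the null-safe TTY Port helper, `lock_held` is a flag rather than a real spinlock, and the `closed_in_window` flag plays the role of gs_close() running while the lock is released.

```c
/* Added example, not the kernel's code: user-space model of the u_serial race.
 * gs_start_rx() releases port_lock around the endpoint queue call; gs_close()
 * can clear port.tty in that window, so the later wakeup must tolerate NULL. */
#include <stddef.h>
#include <stdbool.h>
struct tty { int wakeups; };
struct gs_port { bool lock_held; struct tty *tty; };  /* lock_held models port_lock */

static void port_lock(struct gs_port *p)   { p->lock_held = true; }
static void port_unlock(struct gs_port *p) { p->lock_held = false; }

/* Null-safe wakeup in the spirit of the kernel's tty_port_tty_wakeup():
 * re-reads the pointer with the lock held and skips a closed port. */
static bool safe_tty_wakeup(struct gs_port *p)
{
    if (!p->lock_held || !p->tty)
        return false;
    p->tty->wakeups++;
    return true;
}

/* Model of gs_start_rx(). closed_in_window plays gs_close() running while
 * port_lock is released for the queue call. Returns 1 if the TTY was woken,
 * 0 if the null-safe helper skipped a closed port, and -1 where the unfixed
 * code would have dereferenced a NULL port->tty. */
static int gs_start_rx(struct gs_port *p, bool closed_in_window, bool null_safe)
{
    int rc;
    port_lock(p);
    port_unlock(p);                 /* kernel drops port_lock for usb_ep_queue() */
    if (closed_in_window) {         /* gs_close(): clears port.tty under port_lock */
        port_lock(p);
        p->tty = NULL;
        port_unlock(p);
    }
    port_lock(p);                   /* lock retaken: port->tty may be NULL now */
    if (null_safe)
        rc = safe_tty_wakeup(p) ? 1 : 0;
    else
        rc = p->tty ? (p->tty->wakeups++, 1) : -1;  /* -1 stands for the crash */
    port_unlock(p);
    return rc;
}

/* Runs one scenario on a fresh port with an attached TTY (constructed input). */
static int scenario(bool closed_in_window, bool null_safe)
{
    struct tty t = { 0 };
    struct gs_port p = { false, &t };
    return gs_start_rx(&p, closed_in_window, null_safe);
}
```

The lesson the model makes explicit is that any state read before a lock is dropped must be re-validated after it is retaken, which is exactly what the null-safe helper does.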

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.9
remediation     7.7
relevance       0.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.