Bug 2344536 (CVE-2025-21685) - CVE-2025-21685 kernel: platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race
Summary: CVE-2025-21685 kernel: platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: f...
Keywords:
Status: NEW
Alias: CVE-2025-21685
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-09 12:01 UTC by OSIDB Bzimport
Modified: 2025-02-10 04:50 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-09 12:01:07 UTC 
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race

The yt2_1380_fc_serdev_probe() function calls devm_serdev_device_open()
before setting the client ops via serdev_device_set_client_ops(). This
ordering can trigger a NULL pointer dereference in the serdev controller's
receive_buf handler, as it assumes serdev->ops is valid when
SERPORT_ACTIVE is set.

This is similar to the issue fixed in commit 5e700b384ec1
("platform/chrome: cros_ec_uart: properly fix race condition") where
devm_serdev_device_open() was called before fully initializing the
device.

Fix the race by ensuring client ops are set before enabling the port via
devm_serdev_device_open().

Note, serdev_device_set_baudrate() and serdev_device_set_flow_control()
calls should be after the devm_serdev_device_open() call.
Comment 1 Avinash Hanwate 2025-02-10 04:42:50 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025020931-CVE-2025-21685-d720@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.