CVE-2023-54159
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: mtu3: fix kernel panic at qmu transfer done irq handler
When handling the qmu transfer irq, it will unlock @mtu->lock before giving back the request; if another thread handles a disconnect event at the same time and tries to disable the ep, it may lock @mtu->lock and free the qmu ring, so the qmu irq handler may get a NULL gpd. Avoid the KE by checking the gpd's value before handling it.
e.g.
qmu done irq on cpu0                 thread running on cpu1

qmu_done_tx()
  handle gpd [0]
    mtu3_requ_complete()             mtu3_gadget_ep_disable()
      unlock @mtu->lock
        give back request            lock @mtu->lock
                                       mtu3_ep_disable()
                                         mtu3_gpd_ring_free()
                                     unlock @mtu->lock
      lock @mtu->lock
    get next gpd [1]
[1]: goto [0] to handle next gpd, and next gpd may be NULL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's MediaTek USB3 (mtu3) driver causes a kernel panic when the QMU transfer IRQ handler accesses a freed GPD ring after a concurrent endpoint disable.
Vulnerability
CVE-2023-54159 is a race condition in the Linux kernel's MediaTek USB3 (mtu3) gadget driver that can cause a kernel panic (NULL pointer dereference) during QMU (Queue Manager Unit) transfer completion handling. The root cause is a missing NULL check on the GPD (General Purpose Descriptor) pointer after the driver releases the @mtu->lock spinlock to give back a USB request. If a concurrent thread disables the endpoint and frees the GPD ring while the lock is released, the IRQ handler may dereference a NULL or freed GPD on the next iteration [1][2].
Exploitation
Exploitation requires a local attacker with the ability to trigger both a USB gadget disconnect (or endpoint disable) and a simultaneous QMU transfer completion interrupt. The race window is narrow but the interleaving is deterministic: the IRQ handler on one CPU releases the lock, a second CPU disables the endpoint and frees the ring, and the handler then re-acquires the lock and goes back to step [0] to process the next GPD [1][3]. No special privileges beyond access to the USB gadget subsystem are needed.
Impact
A successful exploit results in a kernel NULL pointer dereference, leading to a system crash (denial of service). In some configurations, an attacker might leverage the use-after-free to achieve arbitrary code execution, though the primary impact is a local denial-of-service condition [1][4].
Mitigation
The fix, merged into the Linux kernel stable branches, adds a NULL check on the GPD pointer before processing it in the QMU done handler [1][2][3][4]. Users should update to a kernel containing the commit f26273428657 or any of the backported versions. No workaround is available; the vulnerability is patched in all maintained stable kernels.
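As an added illustration (not the driver's code and not part of this CVE record), the following constructed user-space model replays the interleaving from the commit message: the completion loop drops the lock inside the give-back, the disable path frees and zeroes the ring in that window, and the next dequeued GPD comes back NULL. The names (gpd, ring, hwo, req_complete, qmu_done, run_scenario) are assumed simplifications of the driver's.

```c
/* Constructed user-space model of the mtu3 QMU completion loop; not the kernel driver's code.
 * Names (gpd, ring, hwo, req_complete, qmu_done, run_scenario) are assumed simplifications. */
#include <stdlib.h>
#include <string.h>

struct gpd { int hwo; };                                  /* HWO set: still owned by hardware */
struct gpd_ring { struct gpd *start, *end, *enq, *deq; }; /* start/end bound the ring */

static struct gpd_ring ring;             /* state that @mtu->lock protects in the driver */
static int disable_pending, completed;   /* cpu1 blocked on @mtu->lock; requests given back */

/* mtu3_gpd_ring_free() analogue: frees the ring and zeroes it, so the next dequeue yields NULL */
static void ring_free(void) { free(ring.start); memset(&ring, 0, sizeof(ring)); }

static struct gpd *advance_deq(void)     /* advance_deq_gpd() analogue */
{ if (ring.deq < ring.end) ring.deq++; else ring.deq = ring.start; return ring.deq; }

/* mtu3_requ_complete() analogue: @mtu->lock is dropped around the give-back, which is
 * the window in which the disable path on the other CPU takes the lock and frees the ring. */
static void req_complete(void)
{
    completed++;                                                /* unlock; give back request */
    if (disable_pending) { ring_free(); disable_pending = 0; }  /* cpu1 wins the race here */
}                                                               /* re-lock */

/* qmu_done_tx() analogue. Returns the number of requests completed, or -1 where the unfixed
 * loop 'while (gpd != gpd_current && !GET_GPD_HWO(gpd))' would read gpd->hwo through NULL. */
static int qmu_done(int fixed)
{
    struct gpd *gpd = ring.deq, *gpd_current = ring.enq;  /* read once, like the HW register */
    while (gpd != gpd_current) {
        if (!gpd) return fixed ? completed : -1;          /* the fix: 'while (gpd && ...)' */
        if (gpd->hwo) break;
        req_complete();
        gpd = advance_deq();
    }
    return completed;
}

/* Ring of four GPDs, two already done, HW current at index 2; race = 1 arms the disable path. */
static int run_scenario(int fixed, int race)
{
    struct gpd *g = calloc(4, sizeof(*g));
    g[2].hwo = g[3].hwo = 1;
    ring = (struct gpd_ring){ g, g + 3, g + 2, g };       /* start, end, enq, deq */
    completed = 0; disable_pending = race;
    int n = qmu_done(fixed);
    ring_free();                                          /* free(NULL) is a no-op after the race */
    return n;
}
```

Without the race both variants complete two requests; with the disable path armed, the fixed loop stops after one request while the unfixed loop reaches the NULL descriptor that the real handler would have dereferenced.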
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (7)
- 26ca30516b2c
- 012936502a9c
- ee53a7a88027
- f26273428657
- b636aff94a67
- 3a7d4959560a
- d28f4091ea7e
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/012936502a9cb7b0604e85bb961eb15e2bb40dd9 [nvd]
- git.kernel.org/stable/c/26ca30516b2c49dd04c134cbdf122311c538df98 [nvd]
- git.kernel.org/stable/c/3a7d4959560a2ee493ef222e3b63d359365f41ec [nvd]
- git.kernel.org/stable/c/b636aff94a67be46582d4321d11743f1a10cc2c1 [nvd]
- git.kernel.org/stable/c/d28f4091ea7ec3510fd6a3c6d433234e7a2bef14 [nvd]
- git.kernel.org/stable/c/ee53a7a88027cea765c68f3b00a50b8f58d6f786 [nvd]
- git.kernel.org/stable/c/f26273428657ef4ca74740e578ae45a3be492f6f [nvd]