CVE-2024-27072 - Understanding and Exploiting a Deadlock in Linux Kernel's usbtv Module

In early 2024, a potentially dangerous vulnerability lurking in the Linux kernel’s usbtv (USB video capture) driver came to light: CVE-2024-27072. This flaw, while subtle, could cause system instability or deadlocks when disconnecting a USB TV capture device, even if it wasn’t actively streaming video. Understanding this issue provides a valuable window into kernel coding practices, the risks of improper locking, and how such issues can be discovered and exploited.

What is CVE-2024-27072?

CVE-2024-27072 relates to the Linux kernel's multimedia subsystem. Specifically, it concerns a useless and potentially dangerous locking scheme in the usbtv_video_free() function of the usbtv driver. This code mismanagement could cause the kernel to freeze (deadlock) under certain conditions—such as disconnecting a USB TV stick.

The original issue and its discussion can be found here:
syzkaller deadlock bisection report
A fix was submitted in this commit.

The Vulnerability: A Closer Look

The root cause was unnecessary locking in usbtv_video_free(). When a device was disconnected—especially if streaming video—these lock calls could lead to a deadlock, leaving the system stuck.

Here’s a simplified snippet of the problematic code before the fix

// usbtv-video.c, old version with deadlock risk

static void usbtv_video_free(struct usbtv *usbtv)
{
    mutex_lock(&usbtv->vb2q_lock);

    // ... code to free video resources ...

    // Mutex is not needed here, can cause deadlock!
    mutex_unlock(&usbtv->vb2q_lock);

    usbtv_stop(usbtv); // This can also indirectly acquire locks again!
}

Key problems

- The lock is unnecessary—the function doesn’t need to synchronize with other threads at this point.
- If called while the device is disconnecting, the function could try to reacquire a lock it already owns, causing a deadlock.

How Could This Be Exploited?

Although no direct remote code execution is noted, a local attacker or malformed driver action (think custom scripts or buggy apps) could reliably hang the Linux kernel with a simple process:

Disconnect the device abruptly (just unplug the USB stick).

3. If timed just right, the system could freeze as the usbtv_video_free() function gets called and deadlocks the mutex.

Even without streaming, the bug is now exposed with certain kernel versions—making it easier for local denial-of-service attacks.

The Patch: How Was It Fixed?

The fix is conceptually simple: remove the lock calls and the redundant usbtv_stop() invocation.

After patch (c838530d230b)

// usbtv-video.c, fixed version, no deadlock risk

static void usbtv_video_free(struct usbtv *usbtv)
{
    // Lock calls have been removed

    // ... code to free video resources ...

    // usbtv_stop() call also removed, handled elsewhere
}

Developer notes:
> "Remove lock calls in usbtv_video_free() because [they] are useless and may lead to a deadlock... Also remove usbtv_stop() call since it will be called when unregistering the device."

Proof-of-Concept Demonstration

While the odds of accidentally triggering this deadlock were slim, it could still be forced for denial of service:

# Simple shell PoC for affected systems

# 1. Start streaming from the device (change /dev/video as needed)
ffmpeg -f v4l2 -i /dev/video -c copy -f null -

# 2. Unplug the USB TV tuner during active streaming.

# 3. Observe: system hang, especially on older kernels (< c838530d230b).

Note: Never run such tests on critical systems; always use a disposable VM or test environment.

Timeline and Further Reading

- Discovery: Reported by developer community via fuzzing tool syzkaller
- Discussion: Original report by the community at syzkaller bisection
- Patch: Mainlined in commit c838530d230b
- CVE Registry: CVE-2024-27072 at cve.org *(when published)*

Lessons Learned

- Deadlocks can lurk in the simplest code. Even "extra safe" locks may have dangerous effects if not justified.
- Proper driver cleanup is critical—especially when handling unpredictable events, like device disconnects.

Conclusion

CVE-2024-27072 is a clear reminder that even mature, widely-used subsystems in the Linux kernel can hide severe bugs with real-world consequences. By cleaning up locking logic and trusting the device lifecycle, the Linux kernel community quickly resolved a subtle but impactful issue. Linux users who rely on USB video capture devices should ensure their systems are up-to-date with this and other recent kernel security patches.


> References:
> - syzkaller bug bisection (original report)
> - Linux kernel patch commit
> - usbtv driver source
> - CVE-2024-27072

Timeline

Published on: 05/01/2024 13:15:51 UTC
Last modified on: 10/31/2024 17:35:03 UTC