CVE-2025-21685 - Race Condition in Linux Kernel’s Lenovo Yoga Tab2 Pro Fast Charger Driver (Quick Fix Explained)

A dangerous race condition (CVE-2025-21685) in the Linux kernel’s Lenovo Yoga Tab2 Pro 138 Fast Charger driver could let attackers crash your device — or even run code — due to a NULL pointer dereference when probing serial devices. Maintainers have already patched the flaw; below, we break down the problem, the fix, and how you can protect your systems.

1. What is CVE-2025-21685?

CVE-2025-21685 is a security vulnerability in the Linux kernel affecting the lenovo-yoga-tab2-pro-138-fastcharger driver module found under platform/x86. The problem lies in how the serial device is initialized: the driver set up and enabled the serial device before telling the kernel what functions to call for incoming data. That led to a classic “race condition” — the kernel could try to call a function pointer that hadn’t been set yet, leading to a crash.

There was a mix-up in the order of initialization steps for the UART serial port

- Attackers could potentially exploit this to crash the kernel or gain code execution, although in practice it’s most likely to just cause a denial-of-service

The vulnerable code is in the function

static int yt2_138_fc_serdev_probe(struct serdev_device *serdev)

_Vulnerable order:_

int ret;

ret = devm_serdev_device_open(dev, serdev); // <-- 1. OPEN SERIAL DEVICE
if (ret)
    return ret;

serdev_device_set_client_ops(serdev, &yt2_138_fc_serdev_ops); // <-- 2. SET OPS

What’s wrong?

It needs a “client ops” structure like this

static const struct serdev_device_ops yt2_138_fc_serdev_ops = {
    .receive_buf = yt2_138_fc_receive_buf,
    .write_wakeup = yt2_138_fc_write_wakeup,
    // ... other callbacks ...
};

But if serdev->ops is still NULL during operation, the kernel crashes.

_Patched order:_

serdev_device_set_client_ops(serdev, &yt2_138_fc_serdev_ops); // <-- 1. SET OPS
ret = devm_serdev_device_open(dev, serdev); // <-- 2. OPEN SERIAL DEVICE
if (ret)
    return ret;

THEN, open and enable the device

Why?
Once the serial device is enabled, data (including interrupts and DMA requests) can start arriving at any moment. If the function pointers are not ready, the kernel dereferences a NULL pointer.

Here is what the relevant patch looks like

-        ret = devm_serdev_device_open(dev, serdev);
-        if (ret)
-            return ret;
-
-        serdev_device_set_client_ops(serdev, &yt2_138_fc_serdev_ops);
+        serdev_device_set_client_ops(serdev, &yt2_138_fc_serdev_ops);
+        ret = devm_serdev_device_open(dev, serdev);
+        if (ret)
+            return ret;

#### Official Patch

4. Related Bugs

This is very similar to an earlier issue fixed in commit 5e700b384ec1 for the Chrome OS Embedded Controller driver (cros_ec_uart), showing how easy it is to overlook this initialization order.

How could an attacker exploit this?

- DOS Attack: Craft repeated serial data interruptions during boot/init, causing kernel crashes (not remote, but could be triggered by a malicious device or a rogue driver)
- Privilege Escalation: In theory, if other uninitialized function pointers are ever accidentally called, it may be possible to engineer code execution (complex and not reported in the wild)

This race occurs mainly at driver initialization time, so random crashes or "Oops" are the primary risk.

6. References

- Linux Kernel Patch for CVE-2025-21685
- Chrome OS Serdev Race Fix (5e700b384ec1)
- serdev API Documentation
- CVE Status at cve.mitre.org

7. How to Fix

- Update your kernel to a version that includes this patch (mainline and distributions’ update cycles may vary)

Not using a Lenovo Yoga Tab2 Pro 138?

This bug only affects systems with this device and driver, but the concept (initialization order in serdev drivers) is a common pitfall for Linux device driver developers.

8. Summary & Takeaways

This race condition is a classic example of how small mistakes in initialization order can cause security vulnerabilities even in trusted drivers. Follow the safest order: *initialize pointers first; enable devices later*. Luck or attacker timing can turn a minor oversight into a kernel crash or worse!

If you use the affected Linux driver, patch immediately! Otherwise, be aware for similar bugs in other kernel modules.

Stay safe and keep your systems patched!

*This post is exclusive content based on kernel code review and public advisories. For security professionals and Linux devs, always check upstream and distribution patches for the latest security updates.*

Timeline

Published on: 02/09/2025 12:15:29 UTC
Last modified on: 02/11/2025 16:11:19 UTC