Linux Kernel USB Gadget Function Fast Composition Switch Race Condition Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's USB gadget function, specifically within the 'f_fs' component. This issue arises during fast composition switching, where the 'ffs_ep0_write' and 'ffs_ep0_read' processes can enter a race condition. The problem occurs because 'ep0req' is freed by 'functionfs_unbind', which is not properly synchronized. As a result, 'ffs_ep0_write' can call 'ffs_ep0_queue_wait' without a NULL check, leading to a use-after-free scenario. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Remediation

The vulnerability has been addressed by serializing the execution of the conflicting functions with a mutex lock. Users should upgrade to the patched version of the Linux kernel where this fix is applied.