Linux Kernel USB PHY Driver Reference Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's USB PHY (physical layer) driver for Tegra XUSB. This issue arises in dual-role ports where the PHY device reference is not properly managed. When the port device is destroyed, its associated driver is also removed, but the reference in the USB PHY device remains. This oversight can lead to a use-after-free condition, which is detectable by the Kernel Address Sanitizer (KASAN).

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, potentially allowing for memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using a dual-role USB port with the Tegra XUSB controller. When the port device is unregistered, the driver reference for the associated USB PHY device is not cleared. This can be observed by monitoring the USB PHY device's driver reference before and after the port device is destroyed.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree.