Linux Kernel NULL Pointer Dereference Vulnerability in USB Gadget ACM Function

Vulnerability

A vulnerability in the Linux kernel's USB gadget ACM function can lead to a NULL pointer dereference. This issue occurs after a bind/unbind cycle, where the notification request is left in a stale state. If a subsequent bind operation fails, the error handling attempts to free the stale request, causing a NULL pointer dereference when accessing the endpoint's request free operation. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the affected component or system.

Reproduction

The vulnerability can be reproduced by binding a USB gadget function that uses the ACM protocol, such as through the ConfigFS interface. After the function is bound, it can be unbound and then bound again. If the second bind operation fails, the error handling will attempt to free a request that is no longer valid, causing a NULL pointer dereference.

Remediation

The vulnerability has been addressed by refactoring the error handling in the bind process to use the automatic cleanup mechanism, which properly frees requests without leaving stale pointers. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
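The stale-request sequence from Reproduction and the scope-based fix from Remediation, as an added userspace C model (not kernel code and not part of the original advisory). Assumptions: every name is hypothetical, unbind is modelled as leaving the endpoint pointer NULL, the GCC/Clang cleanup attribute stands in for the automatic cleanup mechanism, and a counter records the point where the kernel would dereference NULL.

```c
#include <stddef.h>

/* Userspace model of the pattern; every name here is hypothetical. */
struct req { int in_use; };
struct ep { int id; };
struct func { struct ep *ep; struct req *notify_req; };

static struct req slot;      /* static storage: a stale pointer stays readable */
static struct ep notify_ep;
static int faults;           /* frees that reached a NULL endpoint */

static struct req *ep_alloc_request(void) { slot.in_use = 1; return &slot; }
static void ep_free_request(struct ep *ep, struct req *r)
{
    if (!ep) { faults++; return; }  /* the kernel would oops here */
    r->in_use = 0;
}
static void drop_req(struct req **r) { if (*r) ep_free_request(&notify_ep, *r); }
static void unbind(struct func *f)
{
    ep_free_request(f->ep, f->notify_req);
    f->ep = NULL;                   /* model assumption; notify_req stays stale */
}

/* Before: a shared error label frees whatever f->notify_req holds. */
static int bind_vulnerable(struct func *f, int fail_at)
{
    if (fail_at == 1) goto fail;    /* fails before the endpoint is claimed */
    f->ep = &notify_ep;
    f->notify_req = ep_alloc_request();
    if (!f->notify_req || fail_at == 2) goto fail;
    return 0;
fail:
    if (f->notify_req) ep_free_request(f->ep, f->notify_req);
    return -1;
}

/* After: a local with scope-based cleanup; f is written only on success. */
static int bind_fixed(struct func *f, int fail_at)
{
    struct req *r __attribute__((cleanup(drop_req))) = NULL;
    if (fail_at == 1) return -1;
    r = ep_alloc_request();
    if (!r || fail_at == 2) return -1;  /* drop_req releases r on this path */
    f->ep = &notify_ep;
    f->notify_req = r;
    r = NULL;                           /* ownership moved to f */
    return 0;
}
```

Calling `bind_vulnerable(&f, 0)`, `unbind(&f)`, then `bind_vulnerable(&f, 1)` increments `faults`; the same sequence with `bind_fixed` does not, because its error path never consults state left over from the previous bind.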

Added: Oct 30, 2025, 10:35 AM
Updated: Oct 30, 2025, 3:38 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.