Linux Kernel USB Gadget UDC Use-After-Free Vulnerability in State Management

Vulnerability

A use-after-free vulnerability has been identified in the USB gadget subsystem of the Linux kernel, specifically within the USB Device Controller (UDC) handling. This issue arises from a race condition during the teardown process of a USB gadget, where an interrupt can prematurely trigger state changes and schedule work before the gadget is fully cleaned up. Although a previous commit attempted to address this by reorganizing the cleanup sequence, it inadvertently left a window for new work to be scheduled after the flush operation but before the gadget's memory was released, causing the use-after-free condition. The vulnerability affects several versions of the Linux kernel.
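
The ordering described above, replayed as a deterministic user-space C model. This is an added example, not kernel code and not the upstream patch: the struct, the function names and the teardown-flag guard are assumptions, chosen to show one common way to close a flush-then-free window.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model, not kernel code. All names are hypothetical. */
struct gadget_model {
    pthread_mutex_t state_lock; /* stands in for a kernel spinlock */
    bool teardown;              /* set once removal has begun */
    int pending_work;           /* queued state-change work items */
};

/* Called from the (simulated) interrupt path on a state change. */
static void set_state(struct gadget_model *g, bool guarded)
{
    pthread_mutex_lock(&g->state_lock);
    /* Guarded variant refuses to queue work once teardown started. */
    if (!guarded || !g->teardown)
        g->pending_work++;
    pthread_mutex_unlock(&g->state_lock);
}

/*
 * Replays the ordering from the advisory: flush, late interrupt, free.
 * Returns the number of work items still queued at the moment the
 * gadget memory would be released; anything above 0 means that work
 * would later run against freed memory.
 */
static int remove_gadget(bool guarded)
{
    struct gadget_model g = { PTHREAD_MUTEX_INITIALIZER, false, 0 };

    set_state(&g, guarded);          /* normal activity before removal */
    if (guarded) {
        pthread_mutex_lock(&g.state_lock);
        g.teardown = true;           /* block new work before flushing */
        pthread_mutex_unlock(&g.state_lock);
    }
    g.pending_work = 0;              /* flush: queued work has completed */
    set_state(&g, guarded);          /* interrupt lands inside the window */
    return g.pending_work;           /* memory would be freed here */
}

int main(void)
{
    printf("unguarded: %d work item(s) outlive the gadget\n", remove_gadget(false));
    printf("guarded:   %d work item(s) outlive the gadget\n", remove_gadget(true));
    return 0;
}
```

In the model, the flag is set before the flush and checked under the same lock that protects scheduling, so a state change arriving after the flush cannot queue work again.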

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where memory is accessed after it has been freed, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by creating a USB gadget and then rapidly triggering state changes through interrupts before the gadget is fully removed. This can be done by scheduling work that interacts with the USB gadget's state during the cleanup process, exploiting the timing of the operations to create a race condition.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the latest version can be found on the official Linux kernel website.

Added: Dec 16, 2025, 6:44 PM
Updated: Dec 16, 2025, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.