Linux Kernel usbnet Component Kevent Workqueue Management Vulnerability

A vulnerability in the Linux kernel's usbnet component can lead to a use-after-free error. This issue arises when the usbnet device is unregistered before a scheduled kevent in the global workqueue has completed, causing 'free active object (kevent)' errors. The problem is exacerbated because the ndo_stop() function, which would normally cancel the kevent, is not executed if the device is not active. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause a use-after-free condition, where an active kevent is prematurely freed, potentially leading to memory corruption or other unintended behavior.

Reproduction

To reproduce this vulnerability, probe a usbnet device which will schedule a kevent in the global workqueue. Then, unregister the usbnet device before the kevent has been processed. If the device is not active, the ndo_stop() function will not be called to cancel the kevent, leading to the 'free active object (kevent)' error.

Remediation

The vulnerability has been addressed by modifying the usbnet_disconnect() function to cancel the kevent before calling free_netdev(). Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.