Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the USB PHY Freescale OTG Transceiver driver within the Linux kernel. This issue arises when the device is removed, as the associated work item 'otg_event' may still be pending or executing. The 'fsl_otg_event()' function can then access memory that has already been freed, leading to a use-after-free condition. This vulnerability affects the Linux kernel stable tree.
Triggering the use-after-free can potentially lead to memory corruption or arbitrary code execution.
The vulnerability can be reproduced by binding a host controller to the OTG controller, which schedules the 'otg_event' work item. Then, remove the device using 'fsl_otg_remove()' before the delayed work has completed. This sequence creates a race condition where the 'fsl_otg' instance is freed while the delayed work is still accessing it, causing a use-after-free scenario.
The vulnerability has been fixed by adding a call to 'disable_delayed_work_sync()' in the 'fsl_otg_remove()' function, ensuring that the delayed work is properly canceled and completed before the memory is deallocated.
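The remove-ordering problem and its fix, as an added userspace model that is not the driver's code: a pending work item outlives its device unless remove quiesces it first. All `*_model` names are hypothetical, and a `freed` flag stands in for the real free so the model never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model, single-threaded and deterministic; not kernel code. */
struct work_model {
    bool pending, disabled;           /* queued / queueing refused */
    void (*fn)(struct work_model *);
};
struct otg_model {
    bool freed;                       /* stands in for the free in remove */
    int stale_runs;                   /* handler runs that saw a freed device */
    struct work_model otg_event;      /* work item embedded in the device */
};

static void otg_event_fn(struct work_model *w) {
    /* container_of-style recovery of the owning device from the work item */
    struct otg_model *d = (struct otg_model *)((char *)w - offsetof(struct otg_model, otg_event));
    if (d->freed)
        d->stale_runs++;              /* in the kernel: the use-after-free */
}

static void queue_model(struct work_model *w) {
    if (!w->disabled)
        w->pending = true;
}

static void expire_model(struct work_model *w) {  /* the delay elapses */
    if (!w->pending)
        return;
    w->pending = false;
    w->fn(w);
}

/* Models disable_delayed_work_sync(); the real call also waits for a running handler. */
static void disable_sync_model(struct work_model *w) {
    w->pending = false;               /* drop work that has not run yet */
    w->disabled = true;               /* refuse any later re-queueing */
}

/* Bind schedules otg_event, remove runs, then the delay expires. */
int stale_runs_after_remove(bool fixed) {
    struct otg_model d = { .otg_event = { .fn = otg_event_fn } };
    queue_model(&d.otg_event);
    if (fixed)
        disable_sync_model(&d.otg_event);   /* quiesce before the free */
    d.freed = true;
    expire_model(&d.otg_event);
    queue_model(&d.otg_event);              /* late re-arm attempt */
    expire_model(&d.otg_event);
    return d.stale_runs;
}
```

Without the disable step the handler runs twice against the freed device (the pending item plus a late re-arm); with it, neither run happens.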