Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*, +2 more
A use-after-free vulnerability has been introduced in the Linux kernel USB PHY ISP1301 driver due to improper handling of device references. The 'isp1301_get_client()' function increments the reference count for the I2C device only in the device tree (OF) case, so no reference is taken in non-OF scenarios. This can lead to a race condition: the PHY driver may be unbound while its I2C device is still in use, potentially causing a use-after-free.
The vulnerability could lead to a use-after-free condition, which may allow memory corruption or the exploitation scenarios commonly associated with such issues.
The vulnerability can be reproduced by using the USB PHY ISP1301 driver in a non-device tree environment. The 'isp1301_get_client()' function will not properly increment the reference count for the I2C device, leading to a reference imbalance. This can be observed by monitoring the device unbinding process while the I2C device is still being accessed, creating a race condition.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
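The reference imbalance described above can be seen in a small userspace model. This is an added example, not kernel code or the upstream patch: every name in it is hypothetical, the lookup helpers only mimic the behaviour the page attributes to 'isp1301_get_client()', and the balanced variant is an assumption about what a fix looks like.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code. All names here are hypothetical. */
struct i2c_dev {
    int refs;       /* outstanding references */
    bool released;  /* set when the last reference is dropped */
};

static void dev_get(struct i2c_dev *d) { d->refs++; }
/* The real object would be freed when the count reaches zero. */
static void dev_put(struct i2c_dev *d) { if (--d->refs == 0) d->released = true; }

/* Lookup as the page describes it: a reference is taken only in the OF case. */
static struct i2c_dev *get_client_imbalanced(struct i2c_dev *d, bool of)
{
    if (of)
        dev_get(d);
    return d;
}

/* Balanced lookup (assumed shape of a fix): a reference in both cases. */
static struct i2c_dev *get_client_balanced(struct i2c_dev *d, bool of)
{
    (void)of;
    dev_get(d);
    return d;
}

/* True if the device is released while a consumer still holds the pointer. */
static bool client_dangles_after_unbind(bool of, bool balanced)
{
    struct i2c_dev dev = { .refs = 1, .released = false }; /* held while PHY driver is bound */
    struct i2c_dev *client = balanced ? get_client_balanced(&dev, of)
                                      : get_client_imbalanced(&dev, of);
    dev_put(&dev);                     /* PHY driver unbound */
    bool dangling = client->released;  /* consumer is still using `client` */
    if (!dangling)
        dev_put(client);               /* consumer finishes, drops its reference */
    return dangling;
}

int main(void)
{
    printf("imbalanced, non-OF: %d\n", client_dangles_after_unbind(false, false));
    printf("imbalanced, OF:     %d\n", client_dangles_after_unbind(true, false));
    printf("balanced, non-OF:   %d\n", client_dangles_after_unbind(false, true));
    return 0;
}
```

Only the imbalanced non-OF path leaves the consumer holding a pointer to a released device; in the other cases the consumer's own reference keeps the device alive until it is done.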