Linux Kernel USB Gadget f_rndis Net_Device Lifecycle Management Vulnerability

A vulnerability exists in the Linux kernel's USB gadget function for RNDIS (Remote Network Driver Interface Specification) that relates to the management of the net_device lifecycle. When the RNDIS function is unbound from its parent gadget device, the net_device remains active, leading to dangling symlinks in the sysfs. This issue can cause confusion and potential errors in device management, as the system believes the device is still present when it has been removed. The vulnerability arises because the net_device is not properly reparented during the unbinding process, which is crucial for maintaining an accurate representation of device states and ensuring proper power management.

Impact

The vulnerability can lead to improper device management, causing sysfs to have incorrect information about the state of the USB gadget, which could disrupt power management and device lifecycle operations.

Reproduction

To reproduce this vulnerability, bind a USB gadget function that uses RNDIS. After the function is bound, unbind it. The net_device associated with the RNDIS function will remain active, but its parent gadget device will be destroyed, creating a dangling symlink in the sysfs that points to a non-existent device. This can be verified by checking the sysfs class net directory for the USB gadget, which will show a symlink that leads to a device path that no longer exists.

Remediation

The vulnerability has been addressed by modifying the RNDIS gadget function to use the device_move() function. This change reparents the net_device between the gadget device tree and the virtual device tree during the bind and unbind cycles, ensuring that the sysfs topology is correct and that power management is handled properly.