Linux Kernel Net Device Lifecycle Management Vulnerability in USB Gadget Function

A vulnerability exists in the Linux kernel's USB gadget function, specifically in the ECM (Ethernet Control Model) implementation. The issue arises during the lifecycle management of the net_device, which is created when a function instance is initialized and registered under the gadget device's sysfs parent during the binding phase. When the function is unbound, the parent device is removed, but the net_device remains, leading to dangling syfs symlinks. This mismanagement can cause issues with sysfs topology and power management. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can lead to improper management of the net_device lifecycle, causing dangling sysfs symlinks and potential disruptions in sysfs topology and power management.

Reproduction

The vulnerability can be reproduced by binding a USB gadget function that uses the ECM implementation. After the function is unbound, the net_device will remain active while the parent gadget device is destroyed, creating a dangling symlink in the sysfs that points to a non-existent directory.

Remediation

The vulnerability has been addressed by modifying the ECM function to use the device_move() function, which reparents the net_device between the gadget device tree and the virtual device tree, ensuring proper management across bind and unbind cycles. This fix is available in the Linux kernel stable tree.