Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's USB gadget function 'f_subset', where the reference count management is flawed. The function 'geth_alloc()' increases the reference count, but 'geth_free()' does not decrease it. This oversight hinders the proper configuration of attributes through 'configfs' after the function has been unlinked. The issue has been addressed by modifying 'geth_free()' to correctly decrement the reference count, ensuring proper cleanup.
The vulnerability could lead to memory management issues, where the reference count does not accurately reflect the usage of allocated resources. This can cause problems such as memory leaks or premature deallocation, potentially leading to use-after-free vulnerabilities.
The vulnerability can be reproduced by allocating a USB function instance using 'geth_alloc_inst()', which increments the reference count. After unlinking the function, 'geth_free()' is called, but the reference count is not decremented, leaving the function in an inconsistent state. This can be observed by monitoring the reference count before and after the allocation and deallocation process.
The vulnerability has been fixed in the Linux kernel stable tree. Users can upgrade to the latest version of the stable kernel to address this issue.
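The imbalance and its fix can be seen in a small userspace model. This is an added example, not kernel code: every `model_` name is hypothetical, and the store handler's refusal to write while the count is nonzero (returning -EBUSY) is an assumption about how the configfs attribute handlers behave.

```c
/* Userspace model (constructed) of the f_subset refcount imbalance. */
#include <errno.h>
#include <stdio.h>

struct model_opts {
    int refcnt;   /* number of live function objects using this instance */
    int qmult;    /* stand-in for a configfs-settable attribute */
};

/* Mirrors what the page says geth_alloc() does: take a reference. */
static void model_geth_alloc(struct model_opts *o) { o->refcnt++; }

/* Before the fix: the function is freed but the reference is kept. */
static void model_geth_free_buggy(struct model_opts *o) { (void)o; }

/* After the fix: the reference taken in alloc is dropped. */
static void model_geth_free_fixed(struct model_opts *o) { o->refcnt--; }

/* Assumed behaviour of a configfs store handler: refuse writes while
 * the instance is still referenced by a linked function. */
static int model_attr_store(struct model_opts *o, int val)
{
    if (o->refcnt)
        return -EBUSY;
    o->qmult = val;
    return 0;
}

/* Link, unlink, then try to set an attribute; returns the store result. */
static int model_link_unlink_store(int fixed, int *refcnt_after)
{
    struct model_opts o = { 0, 5 };
    model_geth_alloc(&o);                 /* function linked into a config */
    if (fixed)
        model_geth_free_fixed(&o);        /* function unlinked */
    else
        model_geth_free_buggy(&o);
    *refcnt_after = o.refcnt;
    return model_attr_store(&o, 10);
}

int main(void)
{
    int ref, rc = model_link_unlink_store(0, &ref);
    printf("before fix: refcnt=%d store=%d\n", ref, rc);
    rc = model_link_unlink_store(1, &ref);
    printf("after fix:  refcnt=%d store=%d\n", ref, rc);
    return 0;
}
```

A count that stays at 1 after unlink is the observable symptom; with the decrement in place it returns to 0 and the attribute write succeeds.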