CVE-2022-50704

Source
https://cve.org/CVERecord?id=CVE-2022-50704
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50704.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50704
Published
2025-12-24T10:55:19.295Z
Modified
2026-03-20T12:22:36.852320Z
Summary
USB: gadget: Fix use-after-free during usb config switch
Details

In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix use-after-free during usb config switch

In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free).

The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior.

Analysis as follows:

(1) write /config/usb_gadget/g1/UDC "none"

  gether_disconnect+0x2c/0x1f8
  rndis_disable+0x4c/0x74
  composite_disconnect+0x74/0xb0
  configfs_composite_disconnect+0x60/0x7c
  usb_gadget_disconnect+0x70/0x124
  usb_gadget_unregister_driver+0xc8/0x1d8
  gadget_dev_desc_UDC_store+0xec/0x1e4

(2) rm /config/usb_gadget/g1/configs/b.1/f1

  rndis_deregister+0x28/0x54
  rndis_free+0x44/0x7c
  usb_put_function+0x14/0x1c
  config_usb_cfg_unlink+0xc4/0xe0
  configfs_unlink+0x124/0x1c8
  vfs_unlink+0x114/0x1dc

(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4

  panic+0x1fc/0x3d0
  do_page_fault+0xa8/0x46c
  do_mem_abort+0x3c/0xac
  el1_sync_handler+0x40/0x78
  0xffffff801138f880
  rndis_close+0x28/0x34
  eth_stop+0x74/0x110
  dev_close_many+0x48/0x194
  rollback_registered_many+0x118/0x814
  unregister_netdev+0x20/0x30
  gether_cleanup+0x1c/0x38
  rndis_attr_release+0xc/0x14
  kref_put+0x74/0xb8
  configfs_rmdir+0x314/0x374

If gadget->ops->pullup() returns an error, function rndis_close() will be called, then it will cause a use-after-free problem.
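
For crash triage, the step (3) panic can be recognised in a kernel log by its call chain. The following is an added example, not code from the kernel project or from this record: it extracts call traces from a log and flags any trace where rndis_close, eth_stop, gether_cleanup, rndis_attr_release and configfs_rmdir appear in that order. The function names, the dmesg-style timestamps and the "Call trace:" header are assumptions, and the sample log is constructed from the frames listed above.

```python
import re

# Frames of the step (3) panic trace, innermost first (symbol names as the
# kernel prints them). Matched as an ordered subsequence, ignoring offsets.
SIGNATURE = ["rndis_close", "eth_stop", "gether_cleanup",
             "rndis_attr_release", "configfs_rmdir"]
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")            # dmesg timestamp
FRAME_RE = re.compile(r"^(?:\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
BARE_ADDR_RE = re.compile(r"^0x[0-9a-f]+$")           # unsymbolized frame

def extract_traces(log_text):
    """Return each call trace in the log as a list of symbol names."""
    traces, current = [], None
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.lower().startswith("call trace:"):
            current = []
            traces.append(current)
        elif current is not None:
            m = FRAME_RE.match(line)
            if m:
                current.append(m.group(1))
            elif not BARE_ADDR_RE.match(line):
                current = None                        # trace ended
    return traces

def matches_signature(frames, signature=SIGNATURE):
    """True if `signature` occurs in `frames` in order (gaps allowed)."""
    it = iter(frames)
    return all(sym in it for sym in signature)

def find_rndis_uaf_traces(log_text):
    return [t for t in extract_traces(log_text) if matches_signature(t)]

# Constructed sample: timestamps are invented; frames follow the record's
# step (1) (normal disconnect, must not match) and step (3) (panic) traces.
SAMPLE_LOG = """\
[  811.901200] Call trace:
[  811.901211]  gether_disconnect+0x2c/0x1f8
[  811.901222]  rndis_disable+0x4c/0x74
[  812.104530] Call trace:
[  812.104541]  panic+0x1fc/0x3d0
[  812.104563]  0xffffff801138f880
[  812.104574]  rndis_close+0x28/0x34
[  812.104585]  eth_stop+0x74/0x110
[  812.104607]  gether_cleanup+0x1c/0x38
[  812.104618]  rndis_attr_release+0xc/0x14
[  812.104640]  configfs_rmdir+0x314/0x374
"""
```

A match is a triage hint only: inlining and kernel version differences can add or drop frames, so confirm against the affected ranges listed in this record.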

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50704.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a55187a1ec8c03d0619e7ce41d10fdc39cff036
Fixed
30e926aa835ac2e6ad05822e4cb75833feb0d99f
Fixed
99a58ac42d9b6911834b0224b6782aea0c311346
Fixed
afdc12887f2b2ecf20d065a7d81ad29824155083

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50704.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
6.0.16
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50704.json"