CVE-2025-68282

Source
https://cve.org/CVERecord?id=CVE-2025-68282
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68282.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68282
Downstream
Related
Published
2025-12-16T15:06:04.332Z
Modified
2026-03-09T23:56:04.133972Z
Summary
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: udc: fix use-after-free in usb_gadget_state_work

A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN:

BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget().

Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled after flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() before calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window.
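The following is an added userspace model of the teardown-flag pattern described above; it is not the Linux kernel's code or the patch itself. It assumes a toy single-threaded workqueue (schedule_work/flush_work here only queue and drain an array), a C11 atomic_flag spinlock standing in for the kernel spinlock, and a hypothetical driver function simulate_teardown_race() that replays the window between flush_work() and the free with and without the flag check. The field and function names deliberately echo the commit message.

```c
/* Added example (not the kernel's code): model of the teardown flag +
 * state_lock pattern from the CVE-2025-68282 fix, in plain C11. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Minimal spinlock built on atomic_flag; stands in for spinlock_t. */
typedef struct { atomic_flag f; } spinlock_t;

static void spin_lock(spinlock_t *l)
{
    while (atomic_flag_test_and_set_explicit(&l->f, memory_order_acquire))
        ;
}

static void spin_unlock(spinlock_t *l)
{
    atomic_flag_clear_explicit(&l->f, memory_order_release);
}

/* Toy workqueue: items accumulate here and run only on flush_work(). */
#define WQ_MAX 8
struct work { void (*fn)(void *); void *arg; };
static struct work wq[WQ_MAX];
static int wq_len;

static bool schedule_work(void (*fn)(void *), void *arg)
{
    if (wq_len >= WQ_MAX)
        return false;
    wq[wq_len].fn = fn;
    wq[wq_len].arg = arg;
    wq_len++;
    return true;
}

static void flush_work(void)
{
    int n = wq_len;
    wq_len = 0;                 /* drain first, then run what was queued */
    for (int i = 0; i < n; i++)
        wq[i].fn(wq[i].arg);
}

struct gadget {
    spinlock_t state_lock;      /* the spinlock the fix adds */
    bool teardown;              /* the flag the fix adds */
    bool use_teardown_flag;     /* false = model the pre-fix scheduling site */
    int state;
    int notify_count;           /* times the work body ran on this gadget */
};

/* Work body: in the kernel this calls sysfs_notify() on the gadget, so it
 * dereferences the gadget and must never run after the gadget is freed. */
static void gadget_state_work(void *arg)
{
    struct gadget *g = arg;
    g->notify_count++;
}

/* Scheduling site (usb_gadget_set_state in the kernel). With the fix the
 * flag is read under the lock, so nothing is queued once teardown began. */
static bool gadget_set_state(struct gadget *g, int state)
{
    bool queued = false;

    spin_lock(&g->state_lock);
    g->state = state;
    if (!g->use_teardown_flag || !g->teardown)
        queued = schedule_work(gadget_state_work, g);
    spin_unlock(&g->state_lock);
    return queued;
}

/* First half of cleanup (usb_del_gadget in the kernel): set the flag under
 * the lock, then flush work that is already queued. */
static void gadget_del_flush(struct gadget *g)
{
    spin_lock(&g->state_lock);
    g->teardown = true;
    spin_unlock(&g->state_lock);
    flush_work();
}

/* Replays the race from the commit message: a state change arrives after
 * flush_work() but before the memory is freed. Returns how many work items
 * are still queued against the freed gadget (each one a pending UAF).
 * Expected: 1 without the flag check, 0 with it. */
int simulate_teardown_race(bool with_fix)
{
    struct gadget *g = calloc(1, sizeof(*g));
    int dangling;

    wq_len = 0;
    atomic_flag_clear(&g->state_lock.f);
    g->use_teardown_flag = with_fix;

    gadget_set_state(g, 1);     /* normal operation: queues work */
    gadget_del_flush(g);        /* cleanup begins; queued work runs here */
    gadget_set_state(g, 2);     /* the racing "interrupt" after flush_work() */
    dangling = wq_len;          /* work still referencing g past this point */
    wq_len = 0;                 /* drop it so the toy queue never runs it */
    free(g);
    return dangling;
}
```

Without the flag the second gadget_set_state() queues a work item whose argument is about to be freed, which is exactly what KASAN reports in the record; with the flag checked under state_lock the scheduling site refuses, and the earlier flush_work() has already drained everything that was legitimately queued.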

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68282.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15
Fixed
dddc944d65169b552e09cb54e3ed4fbb9ea26416
Fixed
eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5
Fixed
c12a0c3ef815ddd67e47f9c819f9fe822fed5467
Fixed
f02a412c0a18f02f0f91b0a3d9788315a721b7fd
Fixed
10014310193cf6736c1aeb4105c5f4a0818d0c65
Fixed
3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9
Fixed
baeb66fbd4201d1c4325074e78b1f557dff89b5b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68282.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.12.0
Fixed
5.10.248
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.159
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.119
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.61
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.11

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68282.json"