Message-ID: <2025121635-CVE-2025-68282-641e@gregkh>
Date: Tue, 16 Dec 2025 16:06:36 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-68282: usb: gadget: udc: fix use-after-free in usb_gadget_state_work

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: udc: fix use-after-free in usb_gadget_state_work

A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:

  BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
  Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().

Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
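
The interleaving the advisory describes, and the effect of the teardown flag, can be replayed in a small user-space model. The following is an added example for this archive page, not the kernel's code or the patch itself: the `struct gadget`, `spin`, `set_state_*`, `flush_work` and `stale_work_after_teardown` names are assumptions, the spinlock is a toy `atomic_flag` lock, and the work queue is reduced to a single "queued" bit living inside the gadget (as `gadget->work` does), so that a work item still queued after the gadget is released is exactly the dangling reference KASAN reported. The model runs single-threaded and replays the race deterministically: flush_work() returns, then the racing scheduler fires, then the gadget is freed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy spinlock standing in for the kernel's spinlock_t (assumption:
 * a user-space model, not the kernel implementation). */
struct spin { atomic_flag locked; };

static void spin_lock(struct spin *l)
{
	while (atomic_flag_test_and_set_explicit(&l->locked, memory_order_acquire))
		;
}

static void spin_unlock(struct spin *l)
{
	atomic_flag_clear_explicit(&l->locked, memory_order_release);
}

/* Minimal model of struct usb_gadget: the work item lives inside the
 * gadget, so a queued work item outliving the gadget is the bug. */
struct gadget {
	int state;
	struct spin state_lock;
	bool teardown;       /* the flag the fix adds */
	bool work_queued;    /* stands in for gadget->work being pending */
	bool freed;          /* set once the gadget memory has been released */
};

static void gadget_state_work(struct gadget *g)
{
	/* The real work function calls sysfs_notify() through the gadget's
	 * device; running it against a freed gadget is the use-after-free. */
	(void)g;
}

/* Pre-fix behaviour: queue the work unconditionally. */
static bool set_state_unguarded(struct gadget *g, int state)
{
	g->state = state;
	g->work_queued = true;
	return true;
}

/* Fixed behaviour: queue only while no teardown is in progress, with the
 * check and the queueing done under the same lock the teardown path takes. */
static bool set_state_guarded(struct gadget *g, int state)
{
	bool queued = false;

	spin_lock(&g->state_lock);
	g->state = state;
	if (!g->teardown) {
		g->work_queued = true;
		queued = true;
	}
	spin_unlock(&g->state_lock);
	return queued;
}

/* flush_work(): run whatever is queued right now, then return. */
static void flush_work(struct gadget *g)
{
	if (g->work_queued) {
		g->work_queued = false;
		gadget_state_work(g);
	}
}

/*
 * Replay the teardown interleaving from the advisory: flush_work() has
 * already returned when a concurrent event (an interrupt in the real
 * driver) calls usb_gadget_set_state(), and only then is the gadget freed.
 * Returns true if a work item is still queued against freed memory.
 */
static bool stale_work_after_teardown(bool fixed)
{
	struct gadget g = { .state_lock = { ATOMIC_FLAG_INIT } };

	if (fixed) {
		/* Fix: mark teardown under the lock *before* flushing, so any
		 * later call into the scheduling site sees the flag and bails. */
		spin_lock(&g.state_lock);
		g.teardown = true;
		spin_unlock(&g.state_lock);
	}
	flush_work(&g);

	/* The racing event lands after flush_work() returned. */
	if (fixed)
		set_state_guarded(&g, 1);
	else
		set_state_unguarded(&g, 1);

	g.freed = true;   /* usb_del_gadget() releases the gadget */

	return g.freed && g.work_queued;
}

int main(void)
{
	printf("flush-then-free leaves stale work queued: %s\n",
	       stale_work_after_teardown(false) ? "yes" : "no");
	printf("teardown flag + lock leaves stale work queued: %s\n",
	       stale_work_after_teardown(true) ? "yes" : "no");
	return 0;
}
```

The point the model makes is the one in the advisory: moving flush_work() later (commit 399a45e5237c) does not help, because the window between flush_work() returning and the free is still open to a new queueing. Closing it needs both halves of the fix together, the flag set under the lock before the flush, and the scheduling site checking that flag under the same lock; checking the flag without the lock, or setting it after the flush, would reopen the race.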

The Linux kernel CVE team has assigned CVE-2025-68282 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.12 with commit 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 and fixed in 6.1.159 with commit c12a0c3ef815ddd67e47f9c819f9fe822fed5467
	Issue introduced in 3.12 with commit 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 and fixed in 6.6.119 with commit f02a412c0a18f02f0f91b0a3d9788315a721b7fd
	Issue introduced in 3.12 with commit 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 and fixed in 6.12.61 with commit 10014310193cf6736c1aeb4105c5f4a0818d0c65
	Issue introduced in 3.12 with commit 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 and fixed in 6.17.11 with commit 3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9
	Issue introduced in 3.12 with commit 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 and fixed in 6.18 with commit baeb66fbd4201d1c4325074e78b1f557dff89b5b

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-68282
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/usb/gadget/udc/core.c
	include/linux/usb/gadget.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c12a0c3ef815ddd67e47f9c819f9fe822fed5467
	https://git.kernel.org/stable/c/f02a412c0a18f02f0f91b0a3d9788315a721b7fd
	https://git.kernel.org/stable/c/10014310193cf6736c1aeb4105c5f4a0818d0c65
	https://git.kernel.org/stable/c/3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9
	https://git.kernel.org/stable/c/baeb66fbd4201d1c4325074e78b1f557dff89b5b
