CVE-2022-49755
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being freed up from functionfs_unbind. Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).
Reserved 2025-03-27 | Published 2025-03-27 | Updated 2025-05-04 | Assigner Linuxgit.kernel.org/...c/facf353c9e8d7885b686d9a4b173d4e0af6441d2
git.kernel.org/...c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4
git.kernel.org/...c/a8d40942df074f4ebcb9bd3413596d92f323b064
git.kernel.org/...c/6dd9ea05534f323668db94fcc2726c7a84547e78
git.kernel.org/...c/ae8e136bcaae96163b5821984de1036efc9abb1a
git.kernel.org/...c/6aee197b7fbcd61596a78b47d553f2f99111f217
git.kernel.org/...c/6a19da111057f69214b97c62fb0ac59023970850
Support options
