Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Product status
45fe3b8e5342cd1ce307099459c74011d8e01986 (git) before ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1
45fe3b8e5342cd1ce307099459c74011d8e01986 (git) before 5f65c8ad8c7292ed7e3716343fcd590a51818cc3
45fe3b8e5342cd1ce307099459c74011d8e01986 (git) before 380353c3a92be7d928e6f973bd065c5b79755ac3
45fe3b8e5342cd1ce307099459c74011d8e01986 (git) before a8366263b7e5b663d7fb489d3a9ba1e2600049a6
45fe3b8e5342cd1ce307099459c74011d8e01986 (git) before 08228941436047bdcd35a612c1aec0912a29d8cd
2.6.27
Any version before 2.6.27
6.1.158 (semver)
6.6.114 (semver)
6.12.55 (semver)
6.17.5 (semver)
6.18-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/ef81226bb1f8b6e761cd0b53d2696e9c1bc955d1
git.kernel.org/...c/5f65c8ad8c7292ed7e3716343fcd590a51818cc3
git.kernel.org/...c/380353c3a92be7d928e6f973bd065c5b79755ac3
git.kernel.org/...c/a8366263b7e5b663d7fb489d3a9ba1e2600049a6
git.kernel.org/...c/08228941436047bdcd35a612c1aec0912a29d8cd
