CVE-2025-40094

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_acm: Refactor bind path to use __free()<br /> <br /> After an bind/unbind cycle, the acm-&gt;notify_req is left stale. If a<br /> subsequent bind fails, the unified error label attempts to free this<br /> stale request, leading to a NULL pointer dereference when accessing<br /> ep-&gt;ops-&gt;free_request.<br /> <br /> Refactor the error handling in the bind path to use the __free()<br /> automatic cleanup mechanism.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020<br /> Call trace:<br /> usb_ep_free_request+0x2c/0xec<br /> gs_free_req+0x30/0x44<br /> acm_bind+0x1b8/0x1f4<br /> usb_add_function+0xcc/0x1f0<br /> configfs_composite_bind+0x468/0x588<br /> gadget_bind_driver+0x104/0x270<br /> really_probe+0x190/0x374<br /> __driver_probe_device+0xa0/0x12c<br /> driver_probe_device+0x3c/0x218<br /> __device_attach_driver+0x14c/0x188<br /> bus_for_each_drv+0x10c/0x168<br /> __device_attach+0xfc/0x198<br /> device_initial_probe+0x14/0x24<br /> bus_probe_device+0x94/0x11c<br /> device_add+0x268/0x48c<br /> usb_add_gadget+0x198/0x28c<br /> dwc3_gadget_init+0x700/0x858<br /> __dwc3_set_mode+0x3cc/0x664<br /> process_scheduled_works+0x1d8/0x488<br /> worker_thread+0x244/0x334<br /> kthread+0x114/0x1bc<br /> ret_from_fork+0x10/0x20