CVE-2025-40314

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget<br /> <br /> In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget<br /> structure (pdev-&gt;gadget) was freed before its endpoints.<br /> The endpoints are linked via the ep_list in the gadget structure.<br /> Freeing the gadget first leaves dangling pointers in the endpoint list.<br /> When the endpoints are subsequently freed, this results in a use-after-free.<br /> <br /> Fix:<br /> By separating the usb_del_gadget_udc() operation into distinct "del" and<br /> "put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the<br /> final release of the gadget structure with usb_put_gadget().<br /> <br /> A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure<br /> only after freeing endpoints").