CVE-2026-31726

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: uvc: fix NULL pointer dereference during unbind race<br /> <br /> Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly<br /> shutdown") introduced two stages of synchronization waits totaling 1500ms<br /> in uvc_function_unbind() to prevent several types of kernel panics.<br /> However, this timing-based approach is insufficient during power<br /> management (PM) transitions.<br /> <br /> When the PM subsystem starts freezing user space processes, the<br /> wait_event_interruptible_timeout() is aborted early, which allows the<br /> unbind thread to proceed and nullify the gadget pointer<br /> (cdev-&gt;gadget = NULL):<br /> <br /> [ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()<br /> [ 814.178583][ T3173] PM: suspend entry (deep)<br /> [ 814.192487][ T3173] Freezing user space processes<br /> [ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release<br /> <br /> When the PM subsystem resumes or aborts the suspend and tasks are<br /> restarted, the V4L2 release path is executed and attempts to access the<br /> already nullified gadget pointer, triggering a kernel panic:<br /> <br /> [ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake<br /> [ 814.386727][ T3173] Restarting tasks ...<br /> [ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030<br /> [ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4<br /> [ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94<br /> [ 814.404078][ T4558] Call trace:<br /> [ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4<br /> [ 814.404083][ T4558] usb_function_deactivate+0x54/0x94<br /> [ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c<br /> [ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac<br /> [ 814.404095][ T4558] v4l2_release+0xcc/0x130<br /> <br /> Address the race condition and NULL pointer dereference by:<br /> <br /> 1. State Synchronization (flag + mutex)<br /> Introduce a &amp;#39;func_unbound&amp;#39; flag in struct uvc_device. This allows<br /> uvc_function_disconnect() to safely skip accessing the nullified<br /> cdev-&gt;gadget pointer. As suggested by Alan Stern, this flag is protected<br /> by a new mutex (uvc-&gt;lock) to ensure proper memory ordering and prevent<br /> instruction reordering or speculative loads. This mutex is also used to<br /> protect &amp;#39;func_connected&amp;#39; for consistent state management.<br /> <br /> 2. Explicit Synchronization (completion)<br /> Use a completion to synchronize uvc_function_unbind() with the<br /> uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by<br /> ensuring struct uvc_device is freed after all video device resources<br /> are released.