CVE-2025-68323

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: ucsi: fix use-after-free caused by uec-&gt;work<br /> <br /> The delayed work uec-&gt;work is scheduled in gaokun_ucsi_probe()<br /> but never properly canceled in gaokun_ucsi_remove(). This creates<br /> use-after-free scenarios where the ucsi and gaokun_ucsi structure<br /> are freed after ucsi_destroy() completes execution, while the<br /> gaokun_ucsi_register_worker() might be either currently executing<br /> or still pending in the work queue. The already-freed gaokun_ucsi<br /> or ucsi structure may then be accessed.<br /> <br /> Furthermore, the race window is 3 seconds, which is sufficiently<br /> long to make this bug easily reproducible. The following is the<br /> trace captured by KASAN:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630<br /> Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0<br /> ...<br /> Call trace:<br /> show_stack+0x18/0x24 (C)<br /> dump_stack_lvl+0x78/0x90<br /> print_report+0x114/0x580<br /> kasan_report+0xa4/0xf0<br /> __asan_report_store8_noabort+0x20/0x2c<br /> __run_timers+0x5ec/0x630<br /> run_timer_softirq+0xe8/0x1cc<br /> handle_softirqs+0x294/0x720<br /> __do_softirq+0x14/0x20<br /> ____do_softirq+0x10/0x1c<br /> call_on_irq_stack+0x30/0x48<br /> do_softirq_own_stack+0x1c/0x28<br /> __irq_exit_rcu+0x27c/0x364<br /> irq_exit_rcu+0x10/0x1c<br /> el1_interrupt+0x40/0x60<br /> el1h_64_irq_handler+0x18/0x24<br /> el1h_64_irq+0x6c/0x70<br /> arch_local_irq_enable+0x4/0x8 (P)<br /> do_idle+0x334/0x458<br /> cpu_startup_entry+0x60/0x70<br /> rest_init+0x158/0x174<br /> start_kernel+0x2f8/0x394<br /> __primary_switched+0x8c/0x94<br /> <br /> Allocated by task 72 on cpu 0 at 27.510341s:<br /> kasan_save_stack+0x2c/0x54<br /> kasan_save_track+0x24/0x5c<br /> kasan_save_alloc_info+0x40/0x54<br /> __kasan_kmalloc+0xa0/0xb8<br /> __kmalloc_node_track_caller_noprof+0x1c0/0x588<br /> devm_kmalloc+0x7c/0x1c8<br /> gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8<br /> really_probe+0x17c/0x5b8<br /> __driver_probe_device+0x158/0x2c4<br /> driver_probe_device+0x10c/0x264<br /> __device_attach_driver+0x168/0x2d0<br /> bus_for_each_drv+0x100/0x188<br /> __device_attach+0x174/0x368<br /> device_initial_probe+0x14/0x20<br /> bus_probe_device+0x120/0x150<br /> device_add+0xb3c/0x10fc<br /> __auxiliary_device_add+0x88/0x130<br /> ...<br /> <br /> Freed by task 73 on cpu 1 at 28.910627s:<br /> kasan_save_stack+0x2c/0x54<br /> kasan_save_track+0x24/0x5c<br /> __kasan_save_free_info+0x4c/0x74<br /> __kasan_slab_free+0x60/0x8c<br /> kfree+0xd4/0x410<br /> devres_release_all+0x140/0x1f0<br /> device_unbind_cleanup+0x20/0x190<br /> device_release_driver_internal+0x344/0x460<br /> device_release_driver+0x18/0x24<br /> bus_remove_device+0x198/0x274<br /> device_del+0x310/0xa84<br /> ...<br /> <br /> The buggy address belongs to the object at ffff00000ec28c00<br /> which belongs to the cache kmalloc-512 of size 512<br /> The buggy address is located 200 bytes inside of<br /> freed 512-byte region<br /> The buggy address belongs to the physical page:<br /> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28<br /> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br /> flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)<br /> page_type: f5(slab)<br /> raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000<br /> raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000<br /> head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000<br /> head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000<br /> head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff<br /> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt;ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ================================================================<br /> ---truncated---