CVE-2022-48822

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
16/07/2024
Last modified:
07/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: f_fs: Fix use-after-free for epfile

Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of composition switch and at the
same time ffs_epfile_release gets called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed which in turn destroys ffs->epfiles and
marks it as NULL. While this was happening the driver has
already initialized the local epfile in ffs_func_eps_disable
which is now freed and waiting to acquire the spinlock. Once
spinlock is acquired the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer
causing use-after-free.

Following is the illustration of the race:

CPU1                          CPU2

ffs_func_eps_disable
epfiles (local copy)
                              ffs_epfile_release
                              ffs_data_closed
                              if (last file closed)
                                  ffs_data_reset
                                  ffs_data_clear
                                  ffs_epfiles_destroy
spin_lock
dereference epfiles

Fix this race by taking epfiles local copy & assigning it under
spinlock and if epfiles(local) is null then update it in ffs->epfiles
then finally destroy it.
Extending the scope further from the race, protecting the ep related
structures, and concurrent accesses.
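The ownership rule the fix describes (read the shared epfiles pointer only under the lock, and have the destroyer swap in NULL under that same lock before freeing) as an added userspace C illustration; this is not the kernel's f_fs code, and spinlock_t, struct ffs_data, struct epfile, eps_disable, epfiles_destroy and ffs_alloc are constructed stand-ins that keep only what the pattern needs.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Constructed stand-ins: a minimal spinlock plays the role of ffs->eps_lock and the
 * structs carry only the fields needed to show the ownership rule from the fix. */
typedef atomic_int spinlock_t;
static void spin_lock(spinlock_t *l) { while (atomic_exchange_explicit(l, 1, memory_order_acquire)) ; }
static void spin_unlock(spinlock_t *l) { atomic_store_explicit(l, 0, memory_order_release); }
struct epfile { char *read_buf; };
struct ffs_data {
    spinlock_t eps_lock;
    struct epfile *epfiles;   /* shared array; NULL once claimed for destruction */
    unsigned eps_count;
};
static void read_buffer_free(struct epfile *ep) { free(ep->read_buf); ep->read_buf = NULL; }
/* CPU1 path (ffs_func_eps_disable): the local copy is taken and used entirely under the
 * lock, so a NULL written by the destroyer is always observed. Returns epfiles handled. */
int eps_disable(struct ffs_data *ffs)
{
    int handled = 0;
    spin_lock(&ffs->eps_lock);
    struct epfile *epfile = ffs->epfiles;
    for (unsigned i = 0; epfile && i < ffs->eps_count; i++, handled++)
        read_buffer_free(&epfile[i]);
    spin_unlock(&ffs->eps_lock);
    return handled;
}
/* CPU2 path (ffs_data_clear -> ffs_epfiles_destroy): claim the array under the lock by
 * swapping in NULL, then free it outside the lock. A later caller, or a concurrent
 * eps_disable, sees NULL and leaves the memory alone. Returns 1 if this call freed it. */
int epfiles_destroy(struct ffs_data *ffs)
{
    spin_lock(&ffs->eps_lock);
    struct epfile *epfiles = ffs->epfiles;
    ffs->epfiles = NULL;
    spin_unlock(&ffs->eps_lock);
    if (!epfiles) return 0;
    for (unsigned i = 0; i < ffs->eps_count; i++)
        read_buffer_free(&epfiles[i]);
    free(epfiles);
    return 1;
}
struct ffs_data *ffs_alloc(unsigned count)   /* constructed: `count` epfiles, each with a read buffer */
{
    struct ffs_data *ffs = calloc(1, sizeof *ffs);   /* zeroed lock is unlocked */
    ffs->eps_count = count;
    ffs->epfiles = calloc(count, sizeof *ffs->epfiles);
    for (unsigned i = 0; i < count; i++) ffs->epfiles[i].read_buf = malloc(64);
    return ffs;
}
```

Running the two paths in either order shows why the fix holds: whichever side claims the array under the lock frees it, and the other side sees NULL instead of a stale pointer.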

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.9 (including)   4.14.267 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.15 (including)  4.19.230 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.20 (including)  5.4.180 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5 (including)   5.10.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)  5.15.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)  5.16.10 (excluding)