CVE-2025-68781

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal<br /> <br /> The delayed work item otg_event is initialized in fsl_otg_conf() and<br /> scheduled under two conditions:<br /> 1. When a host controller binds to the OTG controller.<br /> 2. When the USB ID pin state changes (cable insertion/removal).<br /> <br /> A race condition occurs when the device is removed via fsl_otg_remove():<br /> the fsl_otg instance may be freed while the delayed work is still pending<br /> or executing. This leads to use-after-free when the work function<br /> fsl_otg_event() accesses the already freed memory.<br /> <br /> The problematic scenario:<br /> <br /> (detach thread) | (delayed work)<br /> fsl_otg_remove() |<br /> kfree(fsl_otg_dev) //FREE| fsl_otg_event()<br /> | og = container_of(...) //USE<br /> | og-&gt; //USE<br /> <br /> Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()<br /> before deallocating the fsl_otg structure. This ensures the delayed work<br /> is properly canceled and completes execution prior to memory deallocation.<br /> <br /> This bug was identified through static analysis.