In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: fix memory double free when handle zero packet
829 if (request->complete) { 830 spinunlock(&privdev->lock); 831 usbgadgetgivebackrequest(&privep->endpoint, 832 request); 833 spinlock(&privdev->lock); 834 } 835 836 if (request->buf == privdev->zlpbuf) 837 cdns3gadgetepfreerequest(&priv_ep->endpoint, request);
Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usbgadgetgivebackrequest() will free this requestion. 836 condition is true, so cdns3gadgetepfree_request() free this request again.
Log:
[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3gadgetgiveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3gadgetgiveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3transfercompleted+0x438/0x5f8 [cdns3]
Add check at line 829, skip call usbgadgetgivebackrequest() if it is additional zero length packet request. Needn't call usbgadgetgivebackrequest() because it is allocated in this driver.