CVE-2025-40315

VYPR NVD Advisory · Severity: unrated · Published Dec 8, 2025 · Updated Apr 15, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Fix epfile null pointer access after ep enable.

A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().

The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.

Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Race condition in Linux kernel's f_fs USB gadget driver causes NULL pointer dereference when ffs_func_eps_enable() runs concurrently with ffs_data_reset().

Vulnerability

Overview

A race condition exists in the Linux kernel's USB gadget f_fs (FunctionFS) driver. When ffs_func_eps_enable() executes concurrently with ffs_data_reset(), the function ffs_data_clear() (called by ffs_data_reset()) sets the ffs->epfiles pointer to NULL before resetting ffs->eps_count to 0. This can lead to a NULL pointer dereference when ffs_func_eps_enable() subsequently accesses epfile->ep after a successful usb_ep_enable() call [1][2][3][4].

Attack

Vector and Prerequisites

The vulnerability is triggered by a race condition between two kernel threads or operations: one that enables USB endpoints via ffs_func_eps_enable() and another that resets the FunctionFS data via ffs_data_reset(). An attacker would need to be able to make a USB function enable operation and a FunctionFS data reset run concurrently, which typically requires local access to the system or the ability to send specific USB control requests. The race window is narrow but can lead to a crash [1][2][3].

Impact

If the race is won, the kernel will dereference a NULL pointer, resulting in a system crash (kernel oops or panic). This constitutes a denial-of-service (DoS) vulnerability. There is no indication of memory corruption or privilege escalation from this bug [1][2][3][4].

Mitigation

The fix adds a NULL pointer check for ffs->epfiles within ffs_func_eps_enable() after acquiring the ffs->eps_lock spinlock. This ensures that if epfiles is NULL (due to a concurrent reset), the function returns an appropriate error code instead of dereferencing the NULL pointer. The patch has been applied to the stable kernel trees for different kernel versions as commits [1], [2], [3], and [4].
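The Overview and Mitigation sections above describe an ordering problem (epfiles set to NULL under eps_lock before eps_count is zeroed) and a fix that checks the pointer after taking the lock. The following is an added user-space model of that ordering and of the check, written for this page; it is not kernel code and not the fix commit. The names epfiles, eps_count and eps_lock mirror the advisory, while everything else (the abort-on-misuse lock, the ep_model and epfile_model structs, the model_* functions) is a constructed stand-in.

```c
/* Added example, not kernel code: a user-space model of the f_fs race described
 * in CVE-2025-40315 and of the NULL check the fix adds. All types and model_*
 * functions are constructed stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_EPS 4

/* Stand-in for the eps_lock spinlock; aborts on misuse so a broken critical
 * section is visible in the model. */
struct model_lock { int held; };
static void model_lock_acquire(struct model_lock *l) { if (l->held) abort(); l->held = 1; }
static void model_lock_release(struct model_lock *l) { if (!l->held) abort(); l->held = 0; }

struct ep_model { int enabled; };               /* stand-in for struct usb_ep */
struct epfile_model { struct ep_model *ep; };   /* stand-in for struct ffs_epfile */

struct ffs_model {
    struct model_lock eps_lock;     /* ffs->eps_lock */
    struct epfile_model *epfiles;   /* ffs->epfiles, NULL after a reset */
    unsigned eps_count;             /* ffs->eps_count */
    struct ep_model eps[MAX_EPS];   /* endpoints the enable path touches */
};

/* Set up `count` endpoint files (state after descriptors have been written). */
int model_ffs_init(struct ffs_model *ffs, unsigned count)
{
    if (count > MAX_EPS) return -EINVAL;
    ffs->eps_lock.held = 0;
    ffs->epfiles = calloc(count, sizeof *ffs->epfiles);
    if (!ffs->epfiles) return -ENOMEM;
    ffs->eps_count = count;
    for (unsigned i = 0; i < count; i++) ffs->eps[i].enabled = 0;
    return 0;
}

/* First half of the reset as the advisory describes it: epfiles is dropped
 * under eps_lock while eps_count is still the old value. That stale non-zero
 * count next to a NULL pointer is the race window. */
void model_epfiles_drop(struct ffs_model *ffs)
{
    model_lock_acquire(&ffs->eps_lock);
    free(ffs->epfiles);
    ffs->epfiles = NULL;
    model_lock_release(&ffs->eps_lock);
}

/* Models ffs_func_eps_enable() with the fix: the body runs under eps_lock and
 * returns -ENODEV when epfiles was cleared by a concurrent reset. Without the
 * `if (!epfile)` check the loop would store into epfile[i].ep through NULL
 * right after the endpoint was enabled. */
int model_eps_enable(struct ffs_model *ffs)
{
    int ret = 0;
    model_lock_acquire(&ffs->eps_lock);
    struct epfile_model *epfile = ffs->epfiles;
    unsigned count = ffs->eps_count;
    if (!epfile) {                  /* the added NULL check */
        ret = -ENODEV;
        goto out;
    }
    for (unsigned i = 0; i < count; i++) {
        ffs->eps[i].enabled = 1;        /* stand-in for a successful usb_ep_enable() */
        epfile[i].ep = &ffs->eps[i];    /* the store that faulted before the fix */
    }
out:
    model_lock_release(&ffs->eps_lock);
    return ret;
}

/* Normal path: enable with intact epfiles. Returns 0 when both endpoints end
 * up enabled, -1 otherwise. */
int model_normal_enable_result(void)
{
    struct ffs_model ffs;
    if (model_ffs_init(&ffs, 2) != 0) return -1;
    int ret = model_eps_enable(&ffs);
    if (ret == 0 && !(ffs.eps[0].enabled && ffs.eps[1].enabled)) ret = -1;
    model_epfiles_drop(&ffs);
    return ret;
}

/* Race window: epfiles already NULL, eps_count still 2. Returns the enable
 * result, which is -ENODEV with the check in place. */
int model_race_window_result(void)
{
    struct ffs_model ffs;
    if (model_ffs_init(&ffs, 2) != 0) return -1;
    model_epfiles_drop(&ffs);           /* reset has nulled the pointer ... */
    int ret = model_eps_enable(&ffs);   /* ... but enable still sees count == 2 */
    ffs.eps_count = 0;                  /* reset finishes */
    return ret;
}

int main(void)
{
    printf("normal enable: %d\n", model_normal_enable_result());
    printf("enable in race window: %d (expect %d)\n", model_race_window_result(), -ENODEV);
    return 0;
}
```

The model keeps the advisory's ordering deliberately: the pointer is cleared inside the critical section but the count is zeroed outside it, so a lock alone does not close the window; the check on the pointer itself, taken after the lock, is what turns the fault into a clean error return.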

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
