CVE-2026-43342: usb: gadget: f_rndis: Protect RNDIS options with mutex

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_rndis: Protect RNDIS options with mutex

The class/subclass/protocol options are suspectible to race conditions
as they can be accessed concurrently through configfs.

Use existing mutex to protect these options. This issue was identified
during code inspection.

The Linux kernel CVE team has assigned CVE-2026-43342 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 5.10.253 with commit 0a75d97c53477a59c0aa1c65f69038c719f9c5b8
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 5.15.203 with commit c1b3d5b0acb194efe20fc5864ee03439fa7bd45c
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 6.1.168 with commit 65b7dbf80a1627667c241fff7c1c224f3118014f
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 6.6.134 with commit cb5316b37288ab8791584e32f114c4f41ad45b67
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 6.12.81 with commit 7d8fa3b8783ab95a46e20d97fbeeede719b2efda
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 6.18.22 with commit 446f1842cda929c40d4697722bfdcfb334bc9692
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 6.19.12 with commit 209decd3f7901df9842b83f2540dc8685e344a07
	Issue introduced in 4.14 with commit 73517cf49bd449122b615d2b7a6bb835f02252e5 and fixed in 7.0 with commit 8d8c68b1fc06ece60cf43e1306ff0f4ac121547e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43342
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/usb/gadget/function/f_rndis.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0a75d97c53477a59c0aa1c65f69038c719f9c5b8
	https://git.kernel.org/stable/c/c1b3d5b0acb194efe20fc5864ee03439fa7bd45c
	https://git.kernel.org/stable/c/65b7dbf80a1627667c241fff7c1c224f3118014f
	https://git.kernel.org/stable/c/cb5316b37288ab8791584e32f114c4f41ad45b67
	https://git.kernel.org/stable/c/7d8fa3b8783ab95a46e20d97fbeeede719b2efda
	https://git.kernel.org/stable/c/446f1842cda929c40d4697722bfdcfb334bc9692
	https://git.kernel.org/stable/c/209decd3f7901df9842b83f2540dc8685e344a07
	https://git.kernel.org/stable/c/8d8c68b1fc06ece60cf43e1306ff0f4ac121547e