From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ECB353358D6 for ; Fri, 8 May 2026 14:26:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250388; cv=none; b=TZz2pt9pdQK4KiAPPEgMDYYK7kdOf1W0UjWz8pEMr5Jnveb+hw7GBD+1vSugj3IdjSq3eVBMnNYkBtyk4r6vgQcriXztaXQj/15NLMVmWZL5KtqB2jyLqVI9qFad9InYffaaHiaHZJkCE7gF4/LpAJJqdAjKJ0y9/me74vA3IM8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250388; c=relaxed/simple; bh=ADJcb1al6rmpdLeVhlTKFZmjPLhOwb5JRIkz0jPeYMM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=gLv0zJqJHKRdCVOUJO2Qg5PC4ti6xYhEMxInHtWieXv91aTJBXqhkx5pHcZVm+0IP7vqjGYTL4LuZhwIpn85XaJ6gWqpuojx24wH9sv2mGT1L9scZv8N0zILr4BVk6/sBcMXrsjwsKLPI9MqRLsoOcl7NmB0ra+NQxmU/zYkZg8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=BCWWFbfG; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="BCWWFbfG" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D251C2BCB0; Fri, 8 May 2026 14:26:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250387; bh=ADJcb1al6rmpdLeVhlTKFZmjPLhOwb5JRIkz0jPeYMM=; h=From:To:Cc:Subject:Date:Reply-To:From; b=BCWWFbfG7FwKeRxrY6ms5DAJpu6WfulxvGis4dym792U6n0KyiQpoZNSZmhslD0r4 mJlXSIcXYaOrYk0i/Kmjpr4y24hjTr+GniEFWnNwlKsbgxhQSi+hPMLoKrCuzG/UgA jNcAHccymyNUJaWkKbUUVuLJlOD5x6lkFF8LAjJg= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43423: usb: gadget: f_ncm: Fix atomic context locking issue Date: Fri, 8 May 2026 16:22:32 +0200 Message-ID: <2026050848-CVE-2026-43423-5e6b@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2698; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=3P8Q3a/YJoZSVx02UyKVM6cMMnb7qM26XvjDELnC+KQ=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P9bcLzjjcWDhFSfG39c4fW547pnbMv/poUdu+50cp 87vj4te0xHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQATsclhmB9j9sJzafiRit5X j56smXBeaseK494M8ywe7zr59lDp81tNL341HNbu1WywdwcA X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ... The Linux kernel CVE team has assigned CVE-2026-43423 to this issue. Affected and fixed versions =========================== Issue introduced in 6.18.17 with commit b62076e780a2121903ecf9ffdfb89c64647cb7da and fixed in 6.18.19 with commit e533a44fb1b337d14f772585b67328bee2e0b5e3 Issue introduced in 6.19.7 with commit 188338c1827842f898761a939669cf345bdf07e2 and fixed in 6.19.9 with commit e95120b4b95ef1c16d8e94e201ae89f5e59e2612 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43423 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/gadget/function/f_ncm.c drivers/usb/gadget/function/u_ether_configfs.h drivers/usb/gadget/function/u_ncm.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e533a44fb1b337d14f772585b67328bee2e0b5e3 https://git.kernel.org/stable/c/e95120b4b95ef1c16d8e94e201ae89f5e59e2612 https://git.kernel.org/stable/c/0d6c8144ca4d93253de952a5ea0028c19ed7ab68