Multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. Successful exploitation requires USB over IP daemon (usbipd) to be running. Upstream patches: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22076557b07c12086eeb16b8ce2b0b735f7a27e7 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c171654caa875919be3c533d3518da8be5be966e
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1588621]
References: http://seclists.org/oss-sec/2018/q2/165
Note: Currently no Red Hat products are enabling USB-over-IP subsystem, thus no Red Hat products are vulnerable to these flaws.