CVE-2022-49398 (GCVE-0-2022-49398)
Vulnerability from cvelistv5
Published: 2025-02-26 02:12
Modified: 2025-05-04 12:44
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback

The list_for_each_entry_safe() macro saves the current item (n) and the item after (n+1), so that n can be safely removed without corrupting the list. However, when traversing the list and removing items using gadget giveback, the DWC3 lock is briefly released, allowing other routines to execute. There is a situation where, while items are being removed from the cancelled_list using dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable routine is running in parallel (due to UDC unbind). As the cleanup routine removes n, and the pullup disable removes n+1, once the cleanup retakes the DWC3 lock, it references a request who was already removed/handled. With list debug enabled, this leads to a panic. Ensure all instances of the macro are replaced where gadget giveback is used.

Example call stack:

Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
  -> dwc3_gadget_ep_cleanup_cancelled_requests()
    ->list_for_each_entry_safe()
    ->dwc3_gadget_giveback(n)
      ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
      ->spin_unlock
      ->Thread#2 executes
      ...
    ->dwc3_gadget_giveback(n+1)
      ->Already removed!

Thread#2:
dwc3_gadget_pullup()
  ->waiting for dwc3 spin_lock
  ...
  ->Thread#1 released lock
  ->dwc3_stop_active_transfers()
    ->dwc3_remove_requests()
      ->fetches n+1 item from cancelled_list (n removed by Thread#1)
      ->dwc3_gadget_giveback()
        ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]
        ->spin_unlock
Impacted products
Vendor  Product  Version
Linux   Linux    Version: d4f1afe5e896c18ae01099a85dab5e1a198bd2a8
                 Version: d4f1afe5e896c18ae01099a85dab5e1a198bd2a8
                 Version: d4f1afe5e896c18ae01099a85dab5e1a198bd2a8
                 Version: d4f1afe5e896c18ae01099a85dab5e1a198bd2a8
                 Version: d7ff2e3ff0e09d57b43014fe26b13bb3c9677254
Linux   Linux    Version: 5.0


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a",
              "status": "affected",
              "version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
              "versionType": "git"
            },
            {
              "lessThan": "2424307cdf421ac72075a1384eae4e4199ab6457",
              "status": "affected",
              "version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
              "versionType": "git"
            },
            {
              "lessThan": "26a7e6832afe9d9a991cfd9015177f083cf959cc",
              "status": "affected",
              "version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
              "versionType": "git"
            },
            {
              "lessThan": "bf594d1d0c1d7b895954018043536ffd327844f9",
              "status": "affected",
              "version": "d4f1afe5e896c18ae01099a85dab5e1a198bd2a8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d7ff2e3ff0e09d57b43014fe26b13bb3c9677254",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.47",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.4",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.57",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list.  However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute.  There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind).  As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled.  With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n  -\u003e dwc3_gadget_ep_cleanup_cancelled_requests()\n    -\u003elist_for_each_entry_safe()\n    -\u003edwc3_gadget_giveback(n)\n      -\u003edwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n      -\u003espin_unlock\n      -\u003eThread#2 executes\n      ...\n    -\u003edwc3_gadget_giveback(n+1)\n      -\u003eAlready removed!\n\nThread#2:\ndwc3_gadget_pullup()\n  -\u003ewaiting for dwc3 spin_lock\n  ...\n  -\u003eThread#1 released lock\n  -\u003edwc3_stop_active_transfers()\n    -\u003edwc3_remove_requests()\n      -\u003efetches n+1 item from cancelled_list (n removed by Thread#1)\n      -\u003edwc3_gadget_giveback()\n        -\u003edwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n        -\u003espin_unlock"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:44:36.334Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457"
        },
        {
          "url": "https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9"
        }
      ],
      "title": "usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49398",
    "datePublished": "2025-02-26T02:12:27.141Z",
    "dateReserved": "2025-02-26T02:08:31.563Z",
    "dateUpdated": "2025-05-04T12:44:36.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

