ghsa-qpf8-9prm-q8fm
Vulnerability from github
Published
2025-10-21 12:31
Modified
2025-10-21 12:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback

The list_for_each_entry_safe() macro saves the current item (n) and the item after (n+1), so that n can be safely removed without corrupting the list. However, when traversing the list and removing items using gadget giveback, the DWC3 lock is briefly released, allowing other routines to execute. There is a situation where, while items are being removed from the cancelled_list using dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable routine is running in parallel (due to UDC unbind). As the cleanup routine removes n, and the pullup disable removes n+1, once the cleanup retakes the DWC3 lock, it references a request who was already removed/handled. With list debug enabled, this leads to a panic. Ensure all instances of the macro are replaced where gadget giveback is used.

Example call stack:

Thread#1: __dwc3_gadget_ep_set_halt() - CLEAR HALT -> dwc3_gadget_ep_cleanup_cancelled_requests() ->list_for_each_entry_safe() ->dwc3_gadget_giveback(n) ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list] ->spin_unlock ->Thread#2 executes ... ->dwc3_gadget_giveback(n+1) ->Already removed!

Thread#2: dwc3_gadget_pullup() ->waiting for dwc3 spin_lock ... ->Thread#1 released lock ->dwc3_stop_active_transfers() ->dwc3_remove_requests() ->fetches n+1 item from cancelled_list (n removed by Thread#1) ->dwc3_gadget_giveback() ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list] ->spin_unlock

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49398"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list.  However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute.  There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind).  As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled.  With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n  -\u003e dwc3_gadget_ep_cleanup_cancelled_requests()\n    -\u003elist_for_each_entry_safe()\n    -\u003edwc3_gadget_giveback(n)\n      -\u003edwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n      -\u003espin_unlock\n      -\u003eThread#2 executes\n      ...\n    -\u003edwc3_gadget_giveback(n+1)\n      -\u003eAlready removed!\n\nThread#2:\ndwc3_gadget_pullup()\n  -\u003ewaiting for dwc3 spin_lock\n  ...\n  -\u003eThread#1 released lock\n  -\u003edwc3_stop_active_transfers()\n    -\u003edwc3_remove_requests()\n      -\u003efetches n+1 item from cancelled_list (n removed by Thread#1)\n      -\u003edwc3_gadget_giveback()\n        -\u003edwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n        -\u003espin_unlock",
  "id": "GHSA-qpf8-9prm-q8fm",
  "modified": "2025-10-21T12:31:25Z",
  "published": "2025-10-21T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49398"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.