fkie_cve-2022-49398
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-02-26 07:01
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback

The list_for_each_entry_safe() macro saves the current item (n) and the item after (n+1), so that n can be safely removed without corrupting the list. However, when traversing the list and removing items using gadget giveback, the DWC3 lock is briefly released, allowing other routines to execute.

There is a situation where, while items are being removed from the cancelled_list using dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable routine is running in parallel (due to UDC unbind). As the cleanup routine removes n, and the pullup disable removes n+1, once the cleanup retakes the DWC3 lock, it references a request who was already removed/handled. With list debug enabled, this leads to a panic.

Ensure all instances of the macro are replaced where gadget giveback is used.

Example call stack:

Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
  -> dwc3_gadget_ep_cleanup_cancelled_requests()
    ->list_for_each_entry_safe()
    ->dwc3_gadget_giveback(n)
      ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
      ->spin_unlock
      ->Thread#2 executes
      ...
    ->dwc3_gadget_giveback(n+1)
      ->Already removed!

Thread#2:
dwc3_gadget_pullup()
  ->waiting for dwc3 spin_lock
  ...
  ->Thread#1 released lock
  ->dwc3_stop_active_transfers()
    ->dwc3_remove_requests()
      ->fetches n+1 item from cancelled_list (n removed by Thread#1)
      ->dwc3_gadget_giveback()
        ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]
        ->spin_unlock
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list.  However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute.  There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind).  As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled.  With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n  -\u003e dwc3_gadget_ep_cleanup_cancelled_requests()\n    -\u003elist_for_each_entry_safe()\n    -\u003edwc3_gadget_giveback(n)\n      -\u003edwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n      -\u003espin_unlock\n      -\u003eThread#2 executes\n      ...\n    -\u003edwc3_gadget_giveback(n+1)\n      -\u003eAlready removed!\n\nThread#2:\ndwc3_gadget_pullup()\n  -\u003ewaiting for dwc3 spin_lock\n  ...\n  -\u003eThread#1 released lock\n  -\u003edwc3_stop_active_transfers()\n    -\u003edwc3_remove_requests()\n      -\u003efetches n+1 item from cancelled_list (n removed by Thread#1)\n      -\u003edwc3_gadget_giveback()\n        -\u003edwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n        -\u003espin_unlock"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: dwc3: gadget: Reemplazar list_for_each_entry_safe() si se usa giveback La macro list_for_each_entry_safe() guarda el elemento actual (n) y el elemento posterior (n+1), de modo que n se pueda eliminar de forma segura sin da\u00f1ar la lista. Sin embargo, al recorrer la lista y eliminar elementos usando gadget giveback, el bloqueo DWC3 se libera brevemente, lo que permite que se ejecuten otras rutinas. Existe una situaci\u00f3n en la que, mientras se eliminan elementos de la lista cancelada usando dwc3_gadget_ep_cleanup_cancelled_requests(), la rutina de desactivaci\u00f3n de pullup se ejecuta en paralelo (debido a la desvinculaci\u00f3n de UDC). A medida que la rutina de limpieza elimina n, y la desactivaci\u00f3n de pullup elimina n+1, una vez que la limpieza retoma el bloqueo DWC3, hace referencia a una solicitud que ya fue eliminada/gestionada. Con la depuraci\u00f3n de lista habilitada, esto genera un p\u00e1nico. Aseg\u00farese de que todas las instancias de la macro se reemplacen donde se use la devoluci\u00f3n de gadgets. Ejemplo de pila de llamadas:  Thread#1: __dwc3_gadget_ep_set_halt() - CLEAR HALT -\u0026gt; dwc3_gadget_ep_cleanup_cancelled_requests() -\u0026gt;list_for_each_entry_safe() -\u0026gt;dwc3_gadget_giveback(n) -\u0026gt;dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list] -\u0026gt;spin_unlock -\u0026gt;Thread#2 executes ... -\u0026gt;dwc3_gadget_giveback(n+1) -\u0026gt;Already removed! Thread#2: dwc3_gadget_pullup() -\u0026gt;waiting for dwc3 spin_lock ... -\u0026gt;Thread#1 released lock -\u0026gt;dwc3_stop_active_transfers() -\u0026gt;dwc3_remove_requests() -\u0026gt;fetches n+1 item from cancelled_list (n removed by Thread#1) -\u0026gt;dwc3_gadget_giveback() -\u0026gt;dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list] -\u0026gt;spin_unlock "
    }
  ],
  "id": "CVE-2022-49398",
  "lastModified": "2025-02-26T07:01:16.377",
  "metrics": {},
  "published": "2025-02-26T07:01:16.377",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

