Описание
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking dwc3_remove_requests(),
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with dwc3_remove_requests():
Path 1:
Triggered via dwc3_gadget_reset_interrupt() during USB reset
handling. The call stack includes:
dwc3_ep0_reset_state()dwc3_ep0_stall_and_restart()dwc3_ep0_out_start()dwc3_remove_requests()dwc3_gadget_del_and_unmap_request()Path 2: Also initiated fromdwc3_gadget_reset_interrupt(), but throughdwc3_stop_active_transfers(). The call stack includes:dwc3_stop_active_transfers()dwc3_remove_requests()dwc3_gadget_del_and_unmap_request()Path 3: Occurs independently duringadb rootexecution, which triggers USB function unbind and bind operations. The sequence includes:gserial_disconnect()usb_ep_disable()dwc3_gadget_ep_disable()dwc3_remove_requests()with-ESHUTDOWNstatus Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.
A use-after-free vulnerability was found in the DWC3 USB controller driver in the Linux kernel. Multiple unsynchronized execution paths can invoke dwc3_remove_requests() concurrently, leading to premature freeing of USB requests. When one path frees requests while another is still processing them, a use-after-free crash occurs.
Отчет
This affects systems with DWC3-based USB controllers, commonly found in ARM SoCs. The race is triggered by USB reset events concurrent with function unbind operations (e.g., during adb root).
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2026:0453 | 12.01.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:0793 | 19.01.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:0793 | 19.01.2026 |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | kernel | Fixed | RHSA-2026:0576 | 14.01.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
7 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function u...
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
In the Linux kernel, the following vulnerability has been resolved: u ...
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB funct...
EPSS
7 High
CVSS3