CVE-2025-68287
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking dwc3_remove_requests(),
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with dwc3_remove_requests():
Path 1:
Triggered via dwc3_gadget_reset_interrupt() during USB reset
handling. The call stack includes:
dwc3_ep0_reset_state()dwc3_ep0_stall_and_restart()dwc3_ep0_out_start()dwc3_remove_requests()dwc3_gadget_del_and_unmap_request()
Path 2:
Also initiated from dwc3_gadget_reset_interrupt(), but through
dwc3_stop_active_transfers(). The call stack includes:
dwc3_stop_active_transfers()dwc3_remove_requests()dwc3_gadget_del_and_unmap_request()
Path 3:
Occurs independently during adb root execution, which triggers
USB function unbind and bind operations. The sequence includes:
gserial_disconnect()usb_ep_disable()dwc3_gadget_ep_disable()dwc3_remove_requests()with-ESHUTDOWNstatus
Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < 467add9db13219101f14b6cc5477998b4aaa5fe2 | affected |
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < 67192e8cb7f941b5bba91e4bb290683576ce1607 | affected |
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < 47de14d741cc4057046c9e2f33df1f7828254e6c | affected |
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < afc0e34f161ce61ad351303c46eb57bd44b8b090 | affected |
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < 7cfb62888eba292fa35cd9ddbd28ce595f60e139 | affected |
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < fa5eaf701e576880070b60922200557ae4aa54e1 | affected |
| Linux | Linux | 72246da40f3719af3bfd104a2365b32537c27d83 < e4037689a366743c4233966f0e74bc455820d316 | affected |
| Linux | Linux | 3.2 | affected |
| Linux | Linux | 0 < 3.2 | unaffected |
| Linux | Linux | 5.10.247 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.197 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.159 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.119 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.61 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.11 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2
- https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607
- https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c
- https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090
- https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139
- https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1
- https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.