CVE-2026-43327

Summary

In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix locking/synchronization error

Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind.

These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first.

The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented.

The fix is to increment dum->callback_usage before calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < 6350c7dd33ab481ef41c931a238361490c32d15caffected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < cc97fb5969177cccce2e23b31298df220fc7570daffected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < 218886b2ef2dea7627d3700ab0abaf4bf9d1161faffected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < 791966f85b439b261bf19865cf1c07c065ffb4b4affected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < 805b1833d6ed6da5086e610578a28e71bb54fbbbaffected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < efbd9441f1e769a7aae1813d497cec09cbdff031affected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < 69ab97a693251d6a6093e630060a3c744fd58524affected
LinuxLinux7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 < 616a63ff495df12863692ab3f9f7b84e3fa7a66daffected
LinuxLinux7b416b9dac6ede26d4ca0c1a88b448b543623ff3affected
LinuxLinux8590bc1da625dd4a589eac0fc3aa3cf4f400424daffected
LinuxLinuxa867d5b932ac4911d3f8a1e63505061b0c81f889affected
LinuxLinuxe84b4a008365b7edbd842a063ae28d040a98db25affected
LinuxLinuxe39b17143a5b5aac81f066d455e5d3a9877eb3aeaffected
LinuxLinux4f8ae1fcb0dfbb72a7678f81bf01fb7fc85c6715affected
LinuxLinux3.2.97 < 3.3affected
LinuxLinux3.16.52 < 3.17affected
LinuxLinux4.1.46 < 4.2affected
LinuxLinux4.4.92 < 4.5affected
LinuxLinux4.9.55 < 4.10affected
LinuxLinux4.13.6 < 4.14affected
LinuxLinux4.14affected
LinuxLinux0 < 4.14unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.134 <= 6.6.*unaffected
LinuxLinux6.12.81 <= 6.12.*unaffected
LinuxLinux6.18.22 <= 6.18.*unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References