Home

Description

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-16 | Updated 2025-12-16 | Assigner Linux

Product status

Default status
unaffected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before 467add9db13219101f14b6cc5477998b4aaa5fe2
affected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before 67192e8cb7f941b5bba91e4bb290683576ce1607
affected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before 47de14d741cc4057046c9e2f33df1f7828254e6c
affected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before afc0e34f161ce61ad351303c46eb57bd44b8b090
affected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before 7cfb62888eba292fa35cd9ddbd28ce595f60e139
affected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before fa5eaf701e576880070b60922200557ae4aa54e1
affected

72246da40f3719af3bfd104a2365b32537c27d83 (git) before e4037689a366743c4233966f0e74bc455820d316
affected

Default status
affected

3.2
affected

Any version before 3.2
unaffected

5.10.247 (semver)
unaffected

5.15.197 (semver)
unaffected

6.1.159 (semver)
unaffected

6.6.119 (semver)
unaffected

6.12.61 (semver)
unaffected

6.17.11 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/467add9db13219101f14b6cc5477998b4aaa5fe2

git.kernel.org/...c/67192e8cb7f941b5bba91e4bb290683576ce1607

git.kernel.org/...c/47de14d741cc4057046c9e2f33df1f7828254e6c

git.kernel.org/...c/afc0e34f161ce61ad351303c46eb57bd44b8b090

git.kernel.org/...c/7cfb62888eba292fa35cd9ddbd28ce595f60e139

git.kernel.org/...c/fa5eaf701e576880070b60922200557ae4aa54e1

git.kernel.org/...c/e4037689a366743c4233966f0e74bc455820d316

cve.org (CVE-2025-68287)

nvd.nist.gov (CVE-2025-68287)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.