Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Linux kernel's DWC3 USB controller driver. The issue arises from the improper use of the 'list_for_each_entry_safe()' macro when handling gadget requests. This macro is intended to safely remove items from a list without corrupting its structure. However, in this case, the DWC3 lock is temporarily released, allowing other processes to interfere. Specifically, while the 'cancelled_list' is being cleaned up, a parallel routine can disrupt the process by referencing already-removed items, leading to a system panic when list debugging is enabled.
Exploitation of this vulnerability causes a system panic, leading to a denial-of-service condition.
The vulnerability can be reproduced by invoking the 'dwc3_gadget_ep_cleanup_cancelled_requests()' function, which uses 'list_for_each_entry_safe()' to traverse and remove items from the 'cancelled_list'. This operation can be interrupted by the 'dwc3_gadget_pullup()' function, which runs concurrently and disrupts the cleanup process by accessing already-removed items. The resulting conflict causes a panic, especially with list debugging enabled.
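The stale-iterator pattern described above, shown as an added userspace C model (not kernel code and not the upstream patch): `list_for_each_entry_safe()` caches the next entry, so an entry removed by someone else while the lock is released is still handed to the loop. Assumptions: the list helpers, `giveback()`, the `racing` flag and both cleanup functions are hypothetical names, the race is simulated deterministically inside `giveback()`, and the second loop shows one general remedy, re-reading the list head after every lock release.

```c
#include <stdio.h>
/* Userspace stand-in for the kernel's circular list; every name is hypothetical. */
struct node { struct node *prev, *next; int removed; };
static void list_init(struct node *h) { h->prev = h->next = h; }
static void list_add_tail(struct node *n, struct node *h) {
    n->removed = 0; n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct node *n) { /* the kernel also poisons n->prev/n->next */
    n->prev->next = n->next; n->next->prev = n->prev; n->removed = 1;
}
/* Models the giveback window in which the lock is released: when racing is
 * set, a parallel routine completes the request now at the front of the list. */
static void giveback(struct node *head, int racing) {
    if (racing && head->next != head) list_del(head->next);
}
/* Cached-next traversal, as list_for_each_entry_safe() does it. Returns how
 * many already-removed requests the loop was handed. */
static int cleanup_cached_next(struct node *head, int racing) {
    int stale = 0;
    struct node *n, *tmp;
    for (n = head->next, tmp = n->next; n != head; n = tmp, tmp = n->next) {
        if (n->removed) { stale++; continue; } /* list debugging would panic here */
        list_del(n);
        giveback(head, racing);
    }
    return stale;
}
/* Re-reads the list head after every giveback, so nothing cached can go stale. */
static int cleanup_reread_head(struct node *head, int racing) {
    int stale = 0;
    while (head->next != head) {
        struct node *n = head->next;
        if (n->removed) { stale++; break; }
        list_del(n);
        giveback(head, racing);
    }
    return stale;
}
/* Builds a constructed four-request list and runs one cleanup variant on it. */
static int run(int (*cleanup)(struct node *, int), int racing) {
    struct node head, req[4];
    list_init(&head);
    for (int i = 0; i < 4; i++) list_add_tail(&req[i], &head);
    return cleanup(&head, racing);
}
int main(void) {
    printf("stale: cached=%d reread=%d\n", run(cleanup_cached_next, 1), run(cleanup_reread_head, 1));
    return 0;
}
```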