Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A deadlock vulnerability has been identified in the Linux kernel's cdns3 driver when using the NCM gadget. This issue, similar to one previously fixed in the cdnsp driver, can be triggered under PREEMPT_RT by heavy network traffic, such as running iperf in bidirectional mode over an NCM Ethernet link. The deadlock arises because the threaded interrupt handler can be preempted by a softirq while both are protected by the same spinlock. The vulnerability has been resolved by disabling softirqs for the duration of the threaded interrupt handler.
Exploitation of this vulnerability leads to a deadlock condition, causing the system to become unresponsive or to hang indefinitely.
Reproducing this vulnerability requires a Linux kernel with the cdns3 driver and PREEMPT_RT enabled. Generate heavy network traffic over an NCM Ethernet link, which can be done using the iperf tool in bidirectional mode. Under this load a softirq can preempt the threaded interrupt handler while both are protected by the same spinlock, which produces the deadlock.
The vulnerability has been fixed in the official Linux kernel repository. Users should upgrade to the latest version where this fix is applied.
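An exposure check for the conditions described above, as an added example that is not part of the advisory or the kernel project: it reads a kernel build config and reports whether PREEMPT_RT, the cdns3 gadget driver and an NCM gadget function are all enabled. The function names and the sample config are constructed for illustration; the CONFIG_ symbols are the upstream Kconfig names.

```shell
#!/bin/sh
# Added example: report whether a kernel .config has the three preconditions
# named in the advisory (PREEMPT_RT, cdns3 gadget driver, NCM gadget function).

# cfg_enabled FILE SYMBOL -> exit 0 if SYMBOL is set to y or m in FILE.
# Lines such as "# CONFIG_X is not set" do not match.
cfg_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# cdns3_ncm_exposure FILE -> prints a one-word verdict.
# Exit 0: all preconditions present; 1: at least one missing; 2: unreadable.
cdns3_ncm_exposure() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unknown"; return 2; }
    cfg_enabled "$cfg" CONFIG_PREEMPT_RT || { echo "not-rt"; return 1; }
    cfg_enabled "$cfg" CONFIG_USB_CDNS3_GADGET || { echo "no-cdns3-gadget"; return 1; }
    # NCM can be provided by the function driver, configfs, or the legacy gadget.
    for sym in CONFIG_USB_F_NCM CONFIG_USB_CONFIGFS_NCM CONFIG_USB_G_NCM; do
        if cfg_enabled "$cfg" "$sym"; then
            echo "preconditions-present"
            return 0
        fi
    done
    echo "no-ncm"
    return 1
}

# Constructed sample config fragment (not taken from any real system).
sample_config() {
    cat <<'EOF'
CONFIG_PREEMPT_RT=y
CONFIG_USB_CDNS3=m
CONFIG_USB_CDNS3_GADGET=y
# CONFIG_USB_G_NCM is not set
CONFIG_USB_F_NCM=m
EOF
}

# Typical use on a live host (path is the common distro location):
#   cdns3_ncm_exposure "/boot/config-$(uname -r)"
```

A `preconditions-present` verdict means the configuration matches the conditions described, not that the kernel is unpatched; confirm separately that the running version includes the fix.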