Linux Kernel DWC3 USB Driver Device Endpoint Command Timeout Vulnerability

A vulnerability in the Linux kernel's DWC3 USB driver can lead to a kernel panic. This issue arises from endpoint command timeouts that are rarely observed but can occur during rapid connect/disconnect test cases. When 'panic_on_warn' is enabled, these timeouts trigger a warning that causes a kernel panic. If 'panic_on_warn' is disabled, the warnings result in unnecessary call trace prints. The vulnerability is particularly relevant on Exynos platforms, where control transfers from a previous connection may not be completed before a disconnection is initiated, causing timeouts while processing USB_ENDPOINT_HALT feature requests from the host.

Impact

The vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by performing fast, software-controlled connect and disconnect operations on a device using the DWC3 USB driver. This can be done through a script or program that rapidly connects and disconnects the USB device, simulating a high-speed test case. The issue will manifest as a kernel panic if 'panic_on_warn' is enabled, or as a warning call trace if 'panic_on_warn' is disabled.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. Instructions for downloading the patched version can be found in the Linux kernel documentation.