Linux Kernel USB DWC3 Race Condition Vulnerability in Request Handling

A race condition vulnerability has been identified in the Linux kernel's USB DesignWare Controller 3 (DWC3) driver. This vulnerability arises from the concurrent execution of multiple call paths that invoke 'dwc3_remove_requests()', leading to the premature freeing of USB requests. As a result, this unsynchronized execution can cause crashes by creating use-after-free conditions. The vulnerability is present in the stable version of the Linux kernel.

Impact

Exploitation of this vulnerability causes a use-after-free condition, leading to a crash of the affected system.

Reproduction

The vulnerability can be reproduced by triggering the 'dwc3_remove_requests()' function through three different execution paths. The first two paths are initiated by the 'dwc3_gadget_reset_interrupt()' function, which handles USB reset operations. The first path involves resetting the EP0 state and removing requests, while the second path stops active transfers and also removes requests. The third path occurs independently during 'adb root' execution, which unbinds and re-binds USB functions. This path disables endpoints and frees 'out' requests, creating a race condition with the first two paths if they are still processing those requests.

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading can be found in the official Linux kernel documentation.