Linux Kernel USB Dummy-HCD Driver Interrupt Synchronization Error

A synchronization error has been fixed in the Linux kernel's dummy-hcd USB driver. This issue arose because the emulated 'interrupts enabled' flag and the corresponding synchronization code were not properly timed. The problem was that the emulated interrupt-disable was applied too late, after the driver had been unbound, allowing potential races where callback handlers could still be executing. Several commits attempted to address this by reorganizing the timing of the synchronization, but the issue persisted. The latest fix moves the synchronization back to the appropriate point in the process, ensuring that it occurs after interrupts are disabled and before the driver is unbound.

Impact

The vulnerability could lead to race conditions where callback handlers are executed after the driver has been unbound, potentially causing undefined behavior or crashes.

Reproduction

The vulnerability can be reproduced by using the dummy-hcd USB driver and unbinding a gadget driver while there are still active callback handlers. This can be done by emulating USB gadget operations that trigger callbacks, such as setting up a gadget driver and then unbinding it before all callbacks have completed.

Remediation

Users can apply the latest patch available in the Linux kernel stable tree to address this issue.