CVE-2022-49398

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Replace listforeachentrysafe() if using giveback

The listforeachentrysafe() macro saves the current item (n) and the item after (n+1), so that n can be safely removed without corrupting the list. However, when traversing the list and removing items using gadget giveback, the DWC3 lock is briefly released, allowing other routines to execute. There is a situation where, while items are being removed from the cancelledlist using dwc3gadgetepcleanupcancelledrequests(), the pullup disable routine is running in parallel (due to UDC unbind). As the cleanup routine removes n, and the pullup disable removes n+1, once the cleanup retakes the DWC3 lock, it references a request who was already removed/handled. With list debug enabled, this leads to a panic. Ensure all instances of the macro are replaced where gadget giveback is used.

Example call stack:

Thread#1: __dwc3gadgetepsethalt() - CLEAR HALT -> dwc3gadgetepcleanupcancelledrequests() ->listforeachentrysafe() ->dwc3gadgetgiveback(n) ->dwc3gadgetdelandunmaprequest()- n deleted[cancelledlist] ->spinunlock ->Thread#2 executes ... ->dwc3gadgetgiveback(n+1) ->Already removed!

Thread#2: dwc3gadgetpullup() ->waiting for dwc3 spinlock ... ->Thread#1 released lock ->dwc3stopactivetransfers() ->dwc3removerequests() ->fetches n+1 item from cancelledlist (n removed by Thread#1) ->dwc3gadgetgiveback() ->dwc3gadgetdelandunmaprequest()- n+1 deleted[cancelledlist] ->spinunlock