{"id":"CVE-2022-49398","summary":"usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback\n\nThe list_for_each_entry_safe() macro saves the current item (n) and\nthe item after (n+1), so that n can be safely removed without\ncorrupting the list.  However, when traversing the list and removing\nitems using gadget giveback, the DWC3 lock is briefly released,\nallowing other routines to execute.  There is a situation where, while\nitems are being removed from the cancelled_list using\ndwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable\nroutine is running in parallel (due to UDC unbind).  As the cleanup\nroutine removes n, and the pullup disable removes n+1, once the\ncleanup retakes the DWC3 lock, it references a request who was already\nremoved/handled.  With list debug enabled, this leads to a panic.\nEnsure all instances of the macro are replaced where gadget giveback\nis used.\n\nExample call stack:\n\nThread#1:\n__dwc3_gadget_ep_set_halt() - CLEAR HALT\n  -\u003e dwc3_gadget_ep_cleanup_cancelled_requests()\n    -\u003elist_for_each_entry_safe()\n    -\u003edwc3_gadget_giveback(n)\n      -\u003edwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]\n      -\u003espin_unlock\n      -\u003eThread#2 executes\n      ...\n    -\u003edwc3_gadget_giveback(n+1)\n      -\u003eAlready removed!\n\nThread#2:\ndwc3_gadget_pullup()\n  -\u003ewaiting for dwc3 spin_lock\n  ...\n  -\u003eThread#1 released lock\n  -\u003edwc3_stop_active_transfers()\n    -\u003edwc3_remove_requests()\n      -\u003efetches n+1 item from cancelled_list (n removed by Thread#1)\n      -\u003edwc3_gadget_giveback()\n        -\u003edwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]\n        -\u003espin_unlock","modified":"2026-04-02T08:27:32.779648Z","published":"2025-02-26T02:12:27.141Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49398.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2424307cdf421ac72075a1384eae4e4199ab6457"},{"type":"WEB","url":"https://git.kernel.org/stable/c/26a7e6832afe9d9a991cfd9015177f083cf959cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf594d1d0c1d7b895954018043536ffd327844f9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49398.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49398"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d4f1afe5e896c18ae01099a85dab5e1a198bd2a8"},{"fixed":"1c6e5dc3b639c96e6839a8d1b8e951923fdfd34a"},{"fixed":"2424307cdf421ac72075a1384eae4e4199ab6457"},{"fixed":"26a7e6832afe9d9a991cfd9015177f083cf959cc"},{"fixed":"bf594d1d0c1d7b895954018043536ffd327844f9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"d7ff2e3ff0e09d57b43014fe26b13bb3c9677254"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49398.json"}}],"schema_version":"1.7.5"}