Acknowledged
Created: Dec 16, 2025
Updated: Dec 18, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.

Three distinct execution paths interact with `dwc3_remove_requests()`:

Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status

Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.

To fix this, added a check for request completion and skip processing
if already completed, and added the request status for ep0 while queuing.
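
The fix pattern described above (record a status at queue time, skip a request that is already completed), shown as an added user-space model; this is not code from the dwc3 driver or from this advisory. All type and function names are hypothetical, the request lives on the stack so the double completion can be counted safely, and the reset path's result code is a constructed value.

```c
/* Added user-space model; not dwc3 driver code. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>

enum req_status { REQ_QUEUED, REQ_COMPLETED };
struct request {
    enum req_status status;
    int result;           /* code handed to the completion callback */
    int completions;      /* times the completion callback ran */
    struct request *next; /* link in the endpoint's pending list */
};
struct endpoint { struct request *pending; };

/* Queueing records an explicit status, as the fix does for ep0 requests. */
static void ep_queue(struct endpoint *ep, struct request *req)
{
    req->status = REQ_QUEUED;
    req->completions = 0;
    req->next = ep->pending;
    ep->pending = req;
}

/* Teardown step shared by all paths; 'guarded' enables the completion check. */
static void del_and_complete(struct endpoint *ep, struct request *req,
                             int result, int guarded)
{
    if (guarded && req->status == REQ_COMPLETED)
        return; /* another path already completed this request */
    for (struct request **p = &ep->pending; *p; p = &(*p)->next)
        if (*p == req) { *p = req->next; break; }
    req->status = REQ_COMPLETED;
    req->result = result;
    req->completions++; /* stands in for the completion callback */
}

/* Two paths captured the same request before either one completed it. */
int run_paths(int guarded, int *final_result)
{
    struct endpoint ep = { NULL };
    struct request req;
    ep_queue(&ep, &req);
    struct request *seen_by_disable = ep.pending, *seen_by_reset = ep.pending;
    del_and_complete(&ep, seen_by_disable, -ESHUTDOWN, guarded);
    del_and_complete(&ep, seen_by_reset, -ECONNRESET, guarded); /* constructed code */
    *final_result = req.result;
    return req.completions;
}

int main(void) { int r; return run_paths(1, &r) == 1 ? 0 : 1; }
```

Without the check the model completes the same request twice and the second result overwrites the first; in the driver the second pass would operate on a request that Path 3 has already freed.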