Executive Summary

This vulnerability exists in the Linux kernel's USB dwc2 gadget driver. Specifically, the function dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the required lock (hsotg->lock). The dwc2_gadget_exit_clock_gating() function internally calls a macro that expects this lock to be held because it performs spin_unlock and spin_lock operations around a gadget driver callback.

Because the lock is not held when dwc2_gadget_exit_clock_gating() is called, it causes undefined behavior by attempting to spin_unlock a lock that is not held. Additionally, the lock remains held after the function returns, which leads to a deadlock when the same lock is later requested again in the same function.

The fix involves acquiring the lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, ensuring proper lock handling and preventing deadlocks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause undefined behavior and deadlocks in the Linux kernel's USB gadget driver. Specifically, it may lead to system instability or crashes when the affected function is executed, as the improper locking can cause the kernel to hang or become unresponsive.

Such deadlocks can affect the availability and reliability of USB device functionality on affected systems, potentially disrupting normal operations that depend on USB communication.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is caused by a spin_lock/unlock mismatch in the Linux kernel's dwc2 USB gadget driver. To mitigate this vulnerability, you should update your Linux kernel to a version where this issue is fixed.

Specifically, ensure that the kernel includes the fix that acquires the hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releases it afterwards, which prevents deadlocks and undefined behavior.

If updating the kernel is not immediately possible, consider avoiding use of the affected USB gadget functionality until a patched kernel is applied.

Useful 0 Not Useful 0