CVE-2025-68287

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes.

Three distinct execution paths interact with `dwc3_remove_requests()`:

Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`

Path 3:
Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status

Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions.

To fix this, add a check for request completion and skip processing if already completed, and add the request status for ep0 while queuing.
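The completion check described in the last sentence, as an added userspace model (not the kernel patch or dwc3 driver code): it replays the Path 3 then Path 1/2 ordering on one request and counts how often the owner's completion callback runs. `model_req`, `giveback` and `replay_race` are hypothetical names, and the reset-path status is a constructed value.

```c
#include <errno.h>
#include <stdbool.h>

/* Userspace model; every name here is hypothetical, not the driver's own. */
enum req_state { REQ_QUEUED, REQ_COMPLETED };

struct model_req {
    enum req_state state;  /* recorded at queue time, updated on giveback */
    int status;            /* result last reported to the owner */
    int completions;       /* how many times the owner's callback ran */
};

/* Owner callback. On the page, Path 3 frees the request after this point;
 * the model only counts calls so the replay stays memory-safe. */
static void owner_complete(struct model_req *req, int status)
{
    req->status = status;
    req->completions++;
}

/* Hand a request back to its owner. With guard=true, a request that another
 * path has already completed is skipped instead of being processed again. */
static bool giveback(struct model_req *req, int status, bool guard)
{
    if (guard && req->state == REQ_COMPLETED)
        return false;              /* already handed back: do not touch it */
    req->state = REQ_COMPLETED;
    owner_complete(req, status);
    return true;
}

/* Replay the ordering from the description: the endpoint-disable path
 * finishes first, then reset handling resumes with the same request. */
static int replay_race(bool guard, int *final_status)
{
    struct model_req req = { .state = REQ_QUEUED };  /* status set when queued */
    giveback(&req, -ESHUTDOWN, guard);   /* Path 3: usb_ep_disable() */
    giveback(&req, -ECONNRESET, guard);  /* Path 1/2: constructed status */
    *final_status = req.status;
    return req.completions;
}

int main(void)
{
    int st;
    /* Unguarded: two completions (the second is the use-after-free). Guarded: one. */
    return (replay_race(false, &st) == 2 && replay_race(true, &st) == 1) ? 0 : 1;
}
```

In the model the second unguarded `giveback()` is harmless because nothing is freed; in the driver that second access is the one that reaches memory Path 3 has already released.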

Impact