CVE-2022-49398 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
The list_for_each_entry_safe() macro saves the current item (n) and the item after (n+1), so that n can be safely removed without corrupting the list. However, when traversing the list and removing items using gadget giveback, the DWC3 lock is briefly released, allowing other routines to execute. There is a situation where, while items are being removed from the cancelled_list using dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable routine is running in parallel (due to UDC unbind). As the cleanup routine removes n, and the pullup disable removes n+1, once the cleanup retakes the DWC3 lock, it references a request that was already removed/handled. With list debug enabled, this leads to a panic. Ensure all instances of the macro are replaced where gadget giveback is used.
Example call stack:

Thread#1:
  __dwc3_gadget_ep_set_halt() - CLEAR HALT
    -> dwc3_gadget_ep_cleanup_cancelled_requests()
      -> list_for_each_entry_safe()
        -> dwc3_gadget_giveback(n)
          -> dwc3_gadget_del_and_unmap_request()  - n deleted [cancelled_list]
          -> spin_unlock
          -> Thread#2 executes ...
        -> dwc3_gadget_giveback(n+1)  -> Already removed!

Thread#2:
  dwc3_gadget_pullup()
    -> waiting for dwc3 spin_lock ...
    -> Thread#1 released lock
    -> dwc3_stop_active_transfers()
      -> dwc3_remove_requests()
        -> fetches n+1 item from cancelled_list (n removed by Thread#1)
        -> dwc3_gadget_giveback()
          -> dwc3_gadget_del_and_unmap_request()  - n+1 deleted [cancelled_list]
          -> spin_unlock
Analysis
by VulDB Data Team • 10/21/2025
The vulnerability CVE-2022-49398 affects the Linux kernel's USB Device Controller Driver for Designware USB 3.0 (DWC3) gadget implementation. This security flaw resides in the handling of USB endpoint request cleanup operations during gadget halt operations and pullup disable routines. The issue manifests when the list_for_each_entry_safe() macro is used in conjunction with gadget giveback operations, creating a race condition that can lead to system panic and potential denial of service. The vulnerability is classified under CWE-367, representing a Time-of-Check to Time-of-Use (TOCTOU) flaw, where the state of data changes between when it is checked and when it is used. The problem occurs specifically in the dwc3_gadget_ep_cleanup_cancelled_requests() function, where the DWC3 lock is temporarily released during the giveback process, allowing concurrent execution paths that can corrupt the request list structure.
The technical implementation of this vulnerability stems from the improper use of list traversal macros in a multi-threaded environment. When the USB gadget driver processes endpoint halt commands, it must clean up cancelled requests from the cancelled_list. The list_for_each_entry_safe() macro is designed to safely traverse and remove items from a list by maintaining references to both current and next elements. However, during the gadget giveback process, the DWC3 spin lock is released to allow other routines to execute, creating an opportunity for concurrent access. The race condition occurs when Thread#1 removes an item from the cancelled_list while Thread#2 concurrently processes the next item, leading to a scenario where Thread#1 attempts to access memory that has already been freed. This creates a classic use-after-free condition that can result in kernel memory corruption and system instability.
The operational impact of CVE-2022-49398 extends beyond simple system crashes to potentially enable privilege escalation and denial of service attacks within embedded systems and devices that rely on USB gadget functionality. Systems utilizing DWC3 USB controllers for device mode operations, including USB OTG devices, embedded systems, and IoT appliances, are at risk when running affected kernel versions. The vulnerability can be triggered through normal USB gadget operations involving endpoint halt commands and device unbinding scenarios, making it particularly dangerous in production environments where USB connectivity is critical. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1499.004 (Network Denial of Service) as it can be exploited to cause system instability and service disruption. The vulnerability affects the kernel's integrity and availability, potentially allowing attackers to disrupt USB communication or gain elevated privileges through exploitation of the memory corruption.
Mitigation strategies for CVE-2022-49398 involve patching the Linux kernel to replace all instances of list_for_each_entry_safe() with appropriate locking mechanisms when gadget giveback operations are involved. The fix requires modifying the dwc3_gadget_ep_cleanup_cancelled_requests() function to ensure that the DWC3 lock remains acquired throughout the entire cleanup process, preventing concurrent access from other execution paths. System administrators should prioritize applying kernel updates from their respective distributions, particularly versions that include the patch addressing this specific vulnerability. Organizations should also implement monitoring for USB gadget operations and establish procedures to detect unusual system behavior that might indicate exploitation attempts. Additionally, the vulnerability highlights the importance of proper lock management in kernel drivers and demonstrates the critical need for thorough testing of concurrent access scenarios in USB device controllers. The fix aligns with security best practices for kernel development and emphasizes the need for careful consideration of lock scope in multi-threaded environments where resource cleanup operations can create race conditions.
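The race described in the analysis above and the shape of the fix it refers to, modelled as an added userland C program that is not code from the kernel, the DWC3 driver or VulDB. It assumes a toy intrusive list, a scripted callback standing in for Thread#2 instead of a real thread, and poisoned links plus a given_back flag standing in for the kernel's list debugging; giveback(), thread2_remove_requests(), cleanup_vulnerable(), cleanup_fixed() and run_scenario() are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy intrusive list after <linux/list.h>; list_del() poisons links like the kernel's. */
struct list_head { struct list_head *next, *prev; };
struct req { int given_back; struct list_head list; };
#define to_req(p) ((struct req *)((char *)(p) - offsetof(struct req, list)))
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }
/* Stand-in for dwc3_gadget_giveback(): unlink the request, then "release the DWC3 lock"
 * by running a scripted callback that plays Thread#2 (assumption: no real threads here). */
static void giveback(struct req *r, struct list_head *l, void (*unlocked)(struct list_head *)) {
    list_del(&r->list);                 /* dwc3_gadget_del_and_unmap_request() */
    r->given_back = 1;
    if (unlocked) unlocked(l);          /* spin_unlock ... Thread#2 runs ... spin_lock */
}
/* Thread#2, pullup disable -> dwc3_remove_requests(): drains the whole list. */
static void thread2_remove_requests(struct list_head *l) {
    while (l->next != l) giveback(to_req(l->next), l, NULL);
}
/* Vulnerable: list_for_each_entry_safe() caches n+1 before the lock is dropped.
 * Returns 1 if the loop went on to touch an already-removed request, else 0. */
static int cleanup_vulnerable(struct list_head *l) {
    struct list_head *pos, *n;
    for (pos = l->next, n = pos->next; pos != l; pos = n, n = pos->next) {
        if (to_req(pos)->given_back) return 1;   /* stale n+1: list debug would panic */
        giveback(to_req(pos), l, thread2_remove_requests);
    }
    return 0;
}
/* Fixed, in the shape of the upstream patch: re-read the list head after every giveback
 * instead of trusting a next pointer cached across the unlock. */
static int cleanup_fixed(struct list_head *l) {
    while (l->next != l) {
        if (to_req(l->next)->given_back) return 1;   /* cannot happen: head is re-read */
        giveback(to_req(l->next), l, thread2_remove_requests);
    }
    return 0;
}
/* Build a cancelled_list of `count` (<= 8) constructed requests and run one variant. */
static int run_scenario(int (*cleanup)(struct list_head *), int count) {
    struct req reqs[8] = {0};
    struct list_head cancelled = { &cancelled, &cancelled };
    for (int i = 0; i < count && i < 8; i++) list_add_tail(&reqs[i].list, &cancelled);
    return cleanup(&cancelled);
}
int main(void) {
    printf("vulnerable loop touched a removed request: %d\n", run_scenario(cleanup_vulnerable, 3));
    printf("fixed loop touched a removed request:      %d\n", run_scenario(cleanup_fixed, 3));
    return 0;
}
```

With a single request the vulnerable loop is also clean, which matches the commit message: the problem needs an n+1 to exist when the lock is dropped.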