Message-ID: <2025091551-CVE-2025-39801-00f9@gregkh>
Date: Mon, 15 Sep 2025 14:36:51 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39801: usb: dwc3: Remove WARN_ON for device endpoint command timeouts
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
This commit addresses a rarely observed endpoint command timeout
which causes kernel panic due to warn when 'panic_on_warn' is enabled
and unnecessary call trace prints when 'panic_on_warn' is disabled.
It is seen during fast software-controlled connect/disconnect testcases.
The following is one such endpoint command timeout that we observed:
1. Connect
=======
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd
2. Disconnect
==========
->dwc3_thread_interrupt
->dwc3_gadget_disconnect_interrupt
->dwc3_ep0_reset_state
->dwc3_ep0_end_control_data
->dwc3_send_gadget_ep_cmd
In the issue scenario, in Exynos platforms, we observed that control
transfers for the previous connect have not yet been completed and end
transfer command sent as a part of the disconnect sequence and
processing of USB_ENDPOINT_HALT feature request from the host timeout.
This may be an expected scenario since the controller is processing EP
commands sent as a part of the previous connect. It may be better to
remove WARN_ON in all places where device endpoint commands are sent to
avoid unnecessary kernel panic due to warn.
The Linux kernel CVE team has assigned CVE-2025-39801 to this issue.
Affected and fixed versions
===========================
Fixed in 5.15.190 with commit dfe40159eec6ca63b40133bfa783eee2e3ed829f
Fixed in 6.1.149 with commit 5a1a847d841505dba2bd85602daf5c218e1d85b8
Fixed in 6.6.103 with commit 84c95dbf5bece56086cdb65a64162af35158bdd9
Fixed in 6.12.44 with commit f49697dfba2915a9ff36f94604eb76fa61413929
Fixed in 6.16.4 with commit db27482b9db340402e05d4e9b75352bbaca51af2
Fixed in 6.17-rc3 with commit 45eae113dccaf8e502090ecf5b3d9e9b805add6f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39801
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/dwc3/ep0.c
drivers/usb/dwc3/gadget.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/dfe40159eec6ca63b40133bfa783eee2e3ed829f
https://git.kernel.org/stable/c/5a1a847d841505dba2bd85602daf5c218e1d85b8
https://git.kernel.org/stable/c/84c95dbf5bece56086cdb65a64162af35158bdd9
https://git.kernel.org/stable/c/f49697dfba2915a9ff36f94604eb76fa61413929
https://git.kernel.org/stable/c/db27482b9db340402e05d4e9b75352bbaca51af2
https://git.kernel.org/stable/c/45eae113dccaf8e502090ecf5b3d9e9b805add6f
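
A triage helper for the version list above, added here as an example; it is not part of the announcement or of the kernel tree. It assumes upstream version numbering (vendor kernels can carry the backport under a different version string), and the names fix_status and triage are hypothetical.

```python
import re

# Fixed stable releases, copied from "Affected and fixed versions" above.
FIXED_STABLE = {(5, 15): 190, (6, 1): 149, (6, 6): 103, (6, 12): 44, (6, 16): 4}
MAINLINE_FIX = (6, 17, 3)  # mainline fix landed in 6.17-rc3

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def fix_status(release):
    """Return 'fixed', 'unfixed' or 'unknown' for a `uname -r` style string."""
    m = _RELEASE.match(release)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    if branch in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[branch] else "unfixed"
    if branch == MAINLINE_FIX[:2]:
        # An -rc tag marks a pre-release; no tag means 6.17 final or 6.17.y.
        return "fixed" if rc is None or rc >= MAINLINE_FIX[2] else "unfixed"
    if branch > MAINLINE_FIX[:2]:
        return "fixed"  # later mainline releases contain the 6.17-rc3 commit
    return "unknown"  # branch is not listed in the announcement


def triage(release, panic_on_warn):
    """Combine the version check with the panic_on_warn setting."""
    status = fix_status(release)
    if status != "unfixed":
        return status
    # Per the description: the WARN_ON panics the kernel only when
    # panic_on_warn is enabled; otherwise it prints a call trace.
    if panic_on_warn:
        return "unfixed: panic on timeout"
    return "unfixed: call trace only"


if __name__ == "__main__":
    import platform
    try:
        with open("/proc/sys/kernel/panic_on_warn") as f:
            enabled = f.read().strip() == "1"
    except OSError:
        enabled = False  # sysctl not readable on this host
    print(platform.release(), "->", triage(platform.release(), enabled))
```

An 'unknown' result means the announcement lists no fixed release for that branch, not that the branch is unaffected.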