Updated: 2025-12-01 03:17:18.067469
Description:
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix hang in usb_kill_urb by adding memory barriers The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | HIGH | 7.1 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.1 | HIGH | Already Fixed | 2025-09-23 20:50:01 | Fixed in kernel-5.14.0-88.el9 | |
| CentOS 6 ELS | kernel | 2.6.32 | 7.1 | HIGH | Released | CLSA-2025:1761139764 | 2025-11-10 18:49:38 | Ignored due to low severity |
| CentOS 7 ELS | kernel | 3.10.0 | 7.1 | HIGH | Released | CLSA-2025:1759431860 | 2025-10-15 23:00:26 | Ignored due to low severity |
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.1 | HIGH | Released | CLSA-2024:1727690947 | 2024-09-30 10:46:51 | |
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.1 | HIGH | Released | CLSA-2024:1727690025 | 2024-09-30 10:46:52 | |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.1 | HIGH | Released | CLSA-2024:1727815919 | 2024-10-01 17:27:27 | |
| CloudLinux 6 ELS | kernel | 2.6.32 | 7.1 | HIGH | Needs Triage | 2025-09-20 05:40:08 | Ignored due to low severity | |
| CloudLinux 7 ELS | kernel | 3.10.0 | 7.1 | HIGH | Ignored | 2025-09-23 10:24:10 | Postponed until request or high risk detected | |
| Oracle Linux 6 ELS | kernel | 2.6.32 | 7.1 | HIGH | Released | CLSA-2025:1761074747 | 2025-10-21 21:33:15 | Ignored due to low severity |
| Oracle Linux 7 ELS | kernel | 3.10.0 | 7.1 | HIGH | Released | CLSA-2025:1759431869 | 2025-10-02 23:04:08 |