CVE-2024-56687: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls): req->complete from usb_gadget_giveback_request (drivers/usb/gadget/udc/core.c:999) usb_gadget_giveback_request from musb_g_giveback (drivers/usb/musb/musb_gadget.c:147) musb_g_giveback from rxstate (drivers/usb/musb/musb_gadget.c:784) rxstate from musb_ep_restart (drivers/usb/musb/musb_gadget.c:1169) musb_ep_restart from musb_ep_restart_resume_work (drivers/usb/musb/musb_gadget.c:1176) musb_ep_restart_resume_work from musb_queue_resume_work (drivers/usb/musb/musb_core.c:2279) musb_queue_resume_work from musb_gadget_queue (drivers/usb/musb/musb_gadget.c:1241) musb_gadget_queue from usb_ep_queue (drivers/usb/gadget/udc/core.c:300) According to the docstring of usb_ep_queue(), this should not happen: "Note that @req's ->complete() callback must never be called from within usb_ep_queue() as that can create deadlock situations." In fact, a hardware lockup might occur in the following sequence: 1. The gadget is initialized using musb_gadget_enable(). 2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an interrupt. 3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an empty queue (next_request() returns NULL). The interrupt flag has already been cleared by the glue layer handler, but the RXPKTRDY flag remains set. 4. The first request is enqueued using usb_ep_queue(), leading to the call of req->complete(), as shown in the call trace above. 5. If the callback enables IRQs and another packet is waiting, step (3) repeats. The request queue is empty because usb_g_giveback() removes the request before invoking the callback. 6. The endpoint remains locked up, as the interrupt triggered by hardware setting the RXPKTRDY flag has been handled, but the flag itself remains set. For this scenario to occur, it is only necessary for IRQs to be enabled at some point during the complete callback. This happens with the USB Ethernet gadget, whose rx_complete() callback calls netif_rx(). If called in the task context, netif_rx() disables the bottom halves (BHs). When the BHs are re-enabled, IRQs are also enabled to allow soft IRQs to be processed. The gadget itself is initialized at module load (or at boot if built-in), but the first request is enqueued when the network interface is brought up, triggering rx_complete() in the task context via ioctl(). If a packet arrives while the interface is down, it can prevent the interface from receiving any further packets from the USB host. The situation is quite complicated with many parties involved. This particular issue can be resolved in several possible ways: 1. Ensure that callbacks never enable IRQs. This would be difficult to enforce, as discovering how netif_rx() interacts with interrupts was already quite challenging and u_ether is not the only function driver. Similar "bugs" could be hidden in other drivers as well. 2. Disable MUSB interrupts in musb_g_giveback() before calling the callback and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(), for example). This would ensure that MUSB interrupts are not handled during the callback, even if IRQs are enabled. In fact, it would allow IRQs to be enabled when releasing the lock. However, this feels like an inelegant hack. 3. Modify the interrupt handler to clear the RXPKTRDY flag if the request queue is empty. While this approach also feels like a hack, it wastes CPU time by attempting to handle incoming packets when the software is not ready to process them. 4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart(). This ensures that the hardware can receive packets when there is at least one request in the queue. Once I ---truncated---
AI Analysis
Technical Summary
CVE-2024-56687 is a vulnerability in the Linux kernel's USB subsystem, specifically affecting the musb (Mentor USB) gadget driver. The flaw arises from improper handling of USB endpoint request callbacks within the usb_ep_queue() function. According to the Linux kernel documentation, the callback function (req->complete) must never be called from within usb_ep_queue() to avoid deadlock situations. However, in this vulnerability, the callback can be invoked directly from usb_ep_queue(), leading to a hardware lockup scenario. The issue manifests when the USB gadget is initialized and a packet arrives while the request queue is empty. The RXPKTRDY hardware flag remains set even after the interrupt is handled, causing the endpoint to lock up and preventing further packet reception. This is particularly problematic for USB Ethernet gadgets, where the rx_complete() callback triggers network packet processing that can enable interrupts during the callback, perpetuating the lockup. The root cause is the interaction between interrupt handling and request queue management, which leads to a deadlock and hardware endpoint lockup. Several remediation approaches are discussed, including disabling interrupts during callbacks, modifying interrupt handlers to clear hardware flags, or flushing the Rx FIFO to ensure hardware readiness. The vulnerability affects Linux kernel versions identified by the commit hash baebdf48c360080710f80699eea3affbb13d6c65 and is relevant for systems using the musb USB gadget driver, often embedded devices or systems relying on USB Ethernet gadgets. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-56687 could be significant in environments where Linux-based embedded systems or devices using the musb USB gadget driver are deployed. This includes industrial control systems, IoT devices, network appliances, and specialized hardware that rely on USB Ethernet gadgets for connectivity. The hardware lockup caused by this vulnerability can lead to denial of service conditions on affected devices, disrupting network communications and potentially halting critical operations. In sectors such as manufacturing, telecommunications, healthcare, and transportation, where embedded Linux devices are common, this could result in operational downtime and loss of productivity. Furthermore, the inability to receive further USB packets might complicate remote management or updates, increasing maintenance costs and response times. Although no direct data breach or privilege escalation is indicated, the availability impact alone can be critical in time-sensitive or safety-critical applications. The complexity of the issue and its dependence on specific hardware and driver configurations mean that the threat is more acute in specialized deployments rather than general-purpose computing environments.
Mitigation Recommendations
Mitigation requires applying the patch or update from the Linux kernel maintainers that addresses this issue by correcting the callback invocation and interrupt handling logic. Organizations should: 1) Identify all Linux systems using the musb USB gadget driver, particularly those employing USB Ethernet gadgets. 2) Update the Linux kernel to a version that includes the fix for CVE-2024-56687 or apply backported patches if available. 3) For embedded devices where kernel updates are challenging, consider disabling or replacing the affected USB gadget functionality if feasible. 4) Monitor device logs for symptoms of USB endpoint lockups or network interface failures indicative of this issue. 5) Implement network segmentation and redundancy to mitigate the impact of device unavailability. 6) Engage with device vendors to ensure firmware or kernel updates are provided promptly. 7) Avoid enabling IRQs within USB request callbacks in custom drivers or modules to prevent similar issues. These steps go beyond generic advice by focusing on the specific driver and hardware interaction causing the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
CVE-2024-56687: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls): req->complete from usb_gadget_giveback_request (drivers/usb/gadget/udc/core.c:999) usb_gadget_giveback_request from musb_g_giveback (drivers/usb/musb/musb_gadget.c:147) musb_g_giveback from rxstate (drivers/usb/musb/musb_gadget.c:784) rxstate from musb_ep_restart (drivers/usb/musb/musb_gadget.c:1169) musb_ep_restart from musb_ep_restart_resume_work (drivers/usb/musb/musb_gadget.c:1176) musb_ep_restart_resume_work from musb_queue_resume_work (drivers/usb/musb/musb_core.c:2279) musb_queue_resume_work from musb_gadget_queue (drivers/usb/musb/musb_gadget.c:1241) musb_gadget_queue from usb_ep_queue (drivers/usb/gadget/udc/core.c:300) According to the docstring of usb_ep_queue(), this should not happen: "Note that @req's ->complete() callback must never be called from within usb_ep_queue() as that can create deadlock situations." In fact, a hardware lockup might occur in the following sequence: 1. The gadget is initialized using musb_gadget_enable(). 2. Meanwhile, a packet arrives, and the RXPKTRDY flag is set, raising an interrupt. 3. If IRQs are enabled, the interrupt is handled, but musb_g_rx() finds an empty queue (next_request() returns NULL). The interrupt flag has already been cleared by the glue layer handler, but the RXPKTRDY flag remains set. 4. The first request is enqueued using usb_ep_queue(), leading to the call of req->complete(), as shown in the call trace above. 5. If the callback enables IRQs and another packet is waiting, step (3) repeats. The request queue is empty because usb_g_giveback() removes the request before invoking the callback. 6. The endpoint remains locked up, as the interrupt triggered by hardware setting the RXPKTRDY flag has been handled, but the flag itself remains set. For this scenario to occur, it is only necessary for IRQs to be enabled at some point during the complete callback. This happens with the USB Ethernet gadget, whose rx_complete() callback calls netif_rx(). If called in the task context, netif_rx() disables the bottom halves (BHs). When the BHs are re-enabled, IRQs are also enabled to allow soft IRQs to be processed. The gadget itself is initialized at module load (or at boot if built-in), but the first request is enqueued when the network interface is brought up, triggering rx_complete() in the task context via ioctl(). If a packet arrives while the interface is down, it can prevent the interface from receiving any further packets from the USB host. The situation is quite complicated with many parties involved. This particular issue can be resolved in several possible ways: 1. Ensure that callbacks never enable IRQs. This would be difficult to enforce, as discovering how netif_rx() interacts with interrupts was already quite challenging and u_ether is not the only function driver. Similar "bugs" could be hidden in other drivers as well. 2. Disable MUSB interrupts in musb_g_giveback() before calling the callback and re-enable them afterwars (by calling musb_{dis,en}able_interrupts(), for example). This would ensure that MUSB interrupts are not handled during the callback, even if IRQs are enabled. In fact, it would allow IRQs to be enabled when releasing the lock. However, this feels like an inelegant hack. 3. Modify the interrupt handler to clear the RXPKTRDY flag if the request queue is empty. While this approach also feels like a hack, it wastes CPU time by attempting to handle incoming packets when the software is not ready to process them. 4. Flush the Rx FIFO instead of calling rxstate() in musb_ep_restart(). This ensures that the hardware can receive packets when there is at least one request in the queue. Once I ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-56687 is a vulnerability in the Linux kernel's USB subsystem, specifically affecting the musb (Mentor USB) gadget driver. The flaw arises from improper handling of USB endpoint request callbacks within the usb_ep_queue() function. According to the Linux kernel documentation, the callback function (req->complete) must never be called from within usb_ep_queue() to avoid deadlock situations. However, in this vulnerability, the callback can be invoked directly from usb_ep_queue(), leading to a hardware lockup scenario. The issue manifests when the USB gadget is initialized and a packet arrives while the request queue is empty. The RXPKTRDY hardware flag remains set even after the interrupt is handled, causing the endpoint to lock up and preventing further packet reception. This is particularly problematic for USB Ethernet gadgets, where the rx_complete() callback triggers network packet processing that can enable interrupts during the callback, perpetuating the lockup. The root cause is the interaction between interrupt handling and request queue management, which leads to a deadlock and hardware endpoint lockup. Several remediation approaches are discussed, including disabling interrupts during callbacks, modifying interrupt handlers to clear hardware flags, or flushing the Rx FIFO to ensure hardware readiness. The vulnerability affects Linux kernel versions identified by the commit hash baebdf48c360080710f80699eea3affbb13d6c65 and is relevant for systems using the musb USB gadget driver, often embedded devices or systems relying on USB Ethernet gadgets. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-56687 could be significant in environments where Linux-based embedded systems or devices using the musb USB gadget driver are deployed. This includes industrial control systems, IoT devices, network appliances, and specialized hardware that rely on USB Ethernet gadgets for connectivity. The hardware lockup caused by this vulnerability can lead to denial of service conditions on affected devices, disrupting network communications and potentially halting critical operations. In sectors such as manufacturing, telecommunications, healthcare, and transportation, where embedded Linux devices are common, this could result in operational downtime and loss of productivity. Furthermore, the inability to receive further USB packets might complicate remote management or updates, increasing maintenance costs and response times. Although no direct data breach or privilege escalation is indicated, the availability impact alone can be critical in time-sensitive or safety-critical applications. The complexity of the issue and its dependence on specific hardware and driver configurations mean that the threat is more acute in specialized deployments rather than general-purpose computing environments.
Mitigation Recommendations
Mitigation requires applying the patch or update from the Linux kernel maintainers that addresses this issue by correcting the callback invocation and interrupt handling logic. Organizations should: 1) Identify all Linux systems using the musb USB gadget driver, particularly those employing USB Ethernet gadgets. 2) Update the Linux kernel to a version that includes the fix for CVE-2024-56687 or apply backported patches if available. 3) For embedded devices where kernel updates are challenging, consider disabling or replacing the affected USB gadget functionality if feasible. 4) Monitor device logs for symptoms of USB endpoint lockups or network interface failures indicative of this issue. 5) Implement network segmentation and redundancy to mitigate the impact of device unavailability. 6) Engage with device vendors to ensure firmware or kernel updates are provided promptly. 7) Avoid enabling IRQs within USB request callbacks in custom drivers or modules to prevent similar issues. These steps go beyond generic advice by focusing on the specific driver and hardware interaction causing the vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-27T15:00:39.847Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde53d
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:55:55 AM
Last updated: 7/27/2025, 6:19:05 AM
Views: 9
Related Threats
CVE-2025-7384: CWE-502 Deserialization of Untrusted Data in crmperks Database for Contact Form 7, WPforms, Elementor forms
CriticalCVE-2025-8491: CWE-352 Cross-Site Request Forgery (CSRF) in nikelschubert Easy restaurant menu manager
MediumCVE-2025-0818: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ninjateam File Manager Pro – Filester
MediumCVE-2025-8901: Out of bounds write in Google Chrome
HighCVE-2025-8882: Use after free in Google Chrome
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.