Bug 2464374 (CVE-2026-31756) - CVE-2026-31756 kernel: usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
Summary: CVE-2026-31756 kernel: usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dw...
Keywords:
Status: NEW
Alias: CVE-2026-31756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:03 UTC by OSIDB Bzimport
Modified: 2026-05-01 22:27 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:03:06 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()

dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,
which expects hsotg->lock to be held since it does spin_unlock/spin_lock
around the gadget driver callback invocation.

However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()
without holding the lock. This leads to:
 - spin_unlock on a lock that is not held (undefined behavior)
 - The lock remaining held after dwc2_gadget_exit_clock_gating() returns,
   causing a deadlock when spin_lock_irqsave() is called later in the
   same function.

Fix this by acquiring hsotg->lock before calling
dwc2_gadget_exit_clock_gating() and releasing it afterwards, which
satisfies the locking requirement of the call_gadget() macro.
Comment 1 Keith Grant 2026-05-01 22:23:11 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050144-CVE-2026-31756-87ec@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.