In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: rndis: add spinlock for rndis response list
There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response / rndis_free_response / rndis_get_next_response to prevent any race condition on response list.
[ 361.894299] [1: irq/191-dwc3:16979] list_add corruption. next->prev should be prev (ffffff80651764d0), but was ffffff883dc36f80. (next=ffffff80651764d0).
[ 361.904380] [1: irq/191-dwc3:16979] Call trace:
[ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90
[ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0
[ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84
[ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4
[ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60
[ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0
[ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc
[ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc
[ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec
[ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c
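
Added example, not code from the kernel patch: a single-threaded userspace C model of the interleaving behind the log above (in the log, prev and next are the same address, so the adder sampled an empty list that another context then changed), followed by the same interleaving with a lock held. The list_head layout mirrors the kernel's; add_valid, link_node, resp_lock and the two *_interleaving functions are hypothetical names, and a C11 atomic_flag stands in for the kernel spinlock.

```c
#include <stdatomic.h>
#include <stdbool.h>

struct list_head { struct list_head *next, *prev; };
static atomic_flag resp_lock = ATOMIC_FLAG_INIT; /* models the added spinlock */

/* Invariant checked before linking; its failure produces the log line above. */
static bool add_valid(struct list_head *prev, struct list_head *next)
{
    return next->prev == prev && prev->next == next;
}

/* Link n between prev and next; refuse if the neighbours no longer match. */
static bool link_node(struct list_head *n, struct list_head *prev,
                      struct list_head *next)
{
    if (!add_valid(prev, next))
        return false;
    next->prev = n; n->next = next;
    n->prev = prev; prev->next = n;
    return true;
}

/* No lock: A samples the tail, B completes an add, A resumes with a stale tail. */
static bool unlocked_interleaving(void)
{
    struct list_head head = { &head, &head }, a, b;
    struct list_head *stale_tail = head.prev;   /* A: reads head->prev */
    link_node(&b, head.prev, &head);            /* B: whole list_add_tail */
    return link_node(&a, stale_tail, &head);    /* A: validity check fails */
}

/* Locked: B cannot enter while A is between sampling and linking. */
static bool locked_interleaving(void)
{
    struct list_head head = { &head, &head }, a, b;
    atomic_flag_test_and_set(&resp_lock);                   /* A: lock */
    struct list_head *tail = head.prev;
    bool b_blocked = atomic_flag_test_and_set(&resp_lock);  /* B: must spin */
    bool ok = link_node(&a, tail, &head);
    atomic_flag_clear(&resp_lock);                          /* A: unlock */
    atomic_flag_test_and_set(&resp_lock);                   /* B: lock */
    ok = ok && link_node(&b, head.prev, &head);
    atomic_flag_clear(&resp_lock);                          /* B: unlock */
    return b_blocked && ok && head.next == &a && a.next == &b && head.prev == &b;
}

int main(void) { return (!unlocked_interleaving() && locked_interleaving()) ? 0 : 1; }
```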