stm32: usb: Infinite while loop in Interrupt Handler

Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.

Zephyr version: 7823374e872 release: Zephyr 4.1.0

Build with: west -v build --pristine -b nucleo_h753zi -d stm32h753_mass_storage_ramdisk samples/subsys/usb/mass -- -DEXTRA_DTC_OVERLAY_FILE="ramdisk.overlay" -DCONFIG_APP_MSC_STORAGE_RAM=y

Additional Details:

usb_write function performs k_yield in case of ret == -EAGAIN

// from subsys/usb/device/usb_device.c

int usb_write(uint8_t ep, const uint8_t *data, uint32_t data_len, uint32_t *bytes_ret)
{
    int tries = CONFIG_USB_NUMOF_EP_WRITE_RETRIES;
    int ret;

    do {
        ret = usb_dc_ep_write(ep, data, data_len, bytes_ret);
        if (ret == -EAGAIN) {
            LOG_WRN("Failed to write endpoint buffer 0x%02x", ep);
            k_yield();
        }

    } while (ret == -EAGAIN && tries--);

    return ret;
}

It is possible to call this k_yield from an interrupt handler. Example backtrace:

+bt
#0  z_priq_dumb_yield (pq=<optimized out>) at zephyr/kernel/include/priority_q.h:146
#1  runq_yield () at zephyr/kernel/sched.c:93
#2  z_impl_k_yield () at zephyr/kernel/sched.c:1056
#3  0x08002ec0 in k_yield ()
    at zephyr/stm32h753_mass_storage_ramdisk/zephyr/include/generated/zephyr/syscalls/kernel.h:184
#4  usb_write (ep=<optimized out>, data=data@entry=0x2400261f <csw> "USBS\001\001\001\001\020", data_len=data_len@entry=13, bytes_ret=bytes_ret@entry=0x0)
    at zephyr/subsys/usb/device/usb_device.c:1396
#5  0x08003d22 in sendCSW () at zephyr/subsys/usb/device/class/msc.c:288
#6  0x080048f4 in mass_storage_bulk_out (ep=<optimized out>, ep_status=<optimized out>)
    at zephyr/subsys/usb/device/class/msc.c:804
#7  0x080098e8 in HAL_PCD_DataOutStageCallback (hpcd=<optimized out>, epnum=<optimized out>)
    at zephyr/drivers/usb/device/usb_dc_stm32.c:1263
#8  0x0800ba8e in PCD_EP_OutXfrComplete_int (epnum=1, hpcd=0x24001a7c <usb_dc_stm32_state>)
    at modules/hal/stm32/stm32cube/stm32h7xx/drivers/src/stm32h7xx_hal_pcd.c:2291
#9  HAL_PCD_IRQHandler (hpcd=0x24001a7c <usb_dc_stm32_state>) at modules/hal/stm32/stm32cube/stm32h7xx/drivers/src/stm32h7xx_hal_pcd.c:1128
#10 0x08007c1a in _isr_wrapper () at zephyr/arch/arm/core/cortex_m/isr_wrapper.c:77
#11 <signal handler called>
#12 __ISB () at modules/hal/cmsis/CMSIS/Core/Include/cmsis_gcc.h:260
#13 arch_irq_unlock (key=0) at zephyr/include/zephyr/arch/arm/asm_inline_gcc.h:90
#14 arch_swap (key=0) at zephyr/arch/arm/include/cortex_m/kernel_arch_func.h:92
#15 z_swap_irqlock (key=0) at zephyr/kernel/include/kswap.h:207
#16 0x0800d134 in z_swap (key=..., lock=0x2404d671 <slice_expired>) at zephyr/kernel/include/kswap.h:218
#17 0x0800c99a in z_impl_k_sem_take (sem=sem@entry=0x2400198c <shell_uart_mpsc_buffer+40>, timeout=...) at zephyr/kernel/sem.c:158
#18 0x0800e85a in k_sem_take (timeout=..., sem=0x2400198c <shell_uart_mpsc_buffer+40>) at zephyr/stm32h753_mass_storage_ramdisk/zephyr/include/generated/zephyr/syscalls/kernel.h:1102
#19 mpsc_pbuf_alloc (buffer=buffer@entry=0x24001964 <shell_uart_mpsc_buffer>, wlen=wlen@entry=12, timeout=...) at zephyr/lib/os/mpsc_pbuf.c:385
#20 0x0800fc70 in copy_to_pbuffer (timeout=<optimized out>, msg=0x240006c0 <buf32+792>, mpsc_buffer=0x24001964 <shell_uart_mpsc_buffer>) at zephyr/subsys/shell/shell_log_backend.c:133
#21 process (backend=0x8013c7c <shell_uart_backend>, msg=0x240006c0 <buf32+792>) at zephyr/subsys/shell/shell_log_backend.c:242
#22 0x08001910 in log_backend_msg_process (msg=0x240006c0 <buf32+792>, backend=0x8013c7c <shell_uart_backend>) at zephyr/include/zephyr/logging/log_backend.h:182
#23 msg_process (msg=<optimized out>) at zephyr/subsys/logging/log_core.c:510
#24 z_impl_log_process () at zephyr/subsys/logging/log_core.c:566
#25 z_impl_log_process () at zephyr/subsys/logging/log_core.c:550
#26 0x08001a1c in log_process () at zephyr/stm32h753_mass_storage_ramdisk/zephyr/include/generated/zephyr/syscalls/log_ctrl.h:57
#27 log_process_thread_func (dummy1=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>) at zephyr/subsys/logging/log_core.c:965
#28 0x08001522 in z_thread_entry (entry=0x80019c9 <log_process_thread_func>, p1=0x0, p2=0x0, p3=0x0) at zephyr/lib/os/thread_entry.c:48
#29 0xaaaaaaaa in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Here usb_write (#4) gets caller from an interrupt handler (#10).

Implementation of k_yield (#3) in z_impl_k_yield (#2) explicitly asserts that it should not be caller from an isr:
__ASSERT(!arch_is_in_isr(), "");

// from zephyr/kernel/sched.c

void z_impl_k_yield(void)
{
    __ASSERT(!arch_is_in_isr(), "");

    SYS_PORT_TRACING_FUNC(k_thread, yield);

    k_spinlock_key_t key = k_spin_lock(&_sched_spinlock);

    runq_yield();

    update_cache(1);
    z_swap(&_sched_spinlock, key);
}

Patches

main: #104390

For more information

If you have any questions or comments about this advisory:

Open an issue in zephyr
Email us at Zephyr-vulnerabilities

embargo: 2025-12-26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

stm32: usb: Infinite while loop in Interrupt Handler

Package

Affected versions

Patched versions

Description

Patches

For more information

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Loop with Unreachable Exit Condition ('Infinite Loop')

Credits