Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's USB CDNS3 gadget driver can lead to a hardware/software state inconsistency. When the function 'cdns3_gadget_start()' fails, the Dual-Role Device (DRD) hardware remains in gadget mode while the software state is set to INACTIVE. This discrepancy violates the DRD controller design specification, which requires returning to an idle state before switching roles. As a result, an error occurs when the host controller is being set up, leading to a synchronous external abort and a crash.
The vulnerability causes a crash by creating a hardware/software state inconsistency that violates the DRD controller design specification. This inconsistency leads to a synchronous external abort when the host controller is being set up, causing the xHCI Host Controller to crash.
The vulnerability can be reproduced by initiating the CDNS3 gadget and forcing a failure in the 'cdns3_gadget_start()' function. This can be done by switching the USB role to host mode via the sysfs interface, which will trigger the error and create the state inconsistency. Once the gadget fails to start, the role switch will not be cleaned up properly, leading to the described crash when the host controller is set up.
The vulnerability has been addressed in a patch that is available in the Linux kernel stable tree. Instructions for applying the patch can be found in the Linux kernel Git repository.
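The failure mode described above, as a simplified user-space model in C that is added here and is not the kernel driver's code or the upstream patch. All type and function names are hypothetical; the model assumes that the stop path cleans up only a role marked active, and that undoing the hardware mode switch in the error path is one way to keep the two states consistent. A return of -1 from `host_start()` stands in for the abort.

```c
#include <stdio.h>
/* Simplified user-space model; every name is hypothetical, none is a kernel symbol. */
enum hw_mode { HW_IDLE, HW_GADGET, HW_HOST };
enum sw_state { SW_INACTIVE, SW_ACTIVE };
struct ctrl { enum hw_mode hw; enum sw_state sw; };

/* Hardware enters gadget mode first; sw_ok == 0 models the later setup failing. */
static int gadget_start(struct ctrl *c, int sw_ok, int cleanup_on_error)
{
    c->hw = HW_GADGET;
    if (!sw_ok) {
        if (cleanup_on_error)
            c->hw = HW_IDLE;  /* undo the hardware mode switch */
        return -1;            /* software state stays SW_INACTIVE */
    }
    c->sw = SW_ACTIVE;
    return 0;
}

/* Assumption: stop only cleans up a role that software believes is active. */
static void role_stop(struct ctrl *c)
{
    if (c->sw == SW_ACTIVE)
        *c = (struct ctrl){ HW_IDLE, SW_INACTIVE };
}

/* The controller must be idle before taking a new role; -1 stands in for the abort. */
static int host_start(struct ctrl *c)
{
    if (c->hw != HW_IDLE)
        return -1;
    c->hw = HW_HOST;
    c->sw = SW_ACTIVE;
    return 0;
}

/* Failed gadget start, then a switch to host. Returns 0 if the host role comes up. */
static int host_after_failed_gadget(int cleanup_on_error)
{
    struct ctrl c = { HW_IDLE, SW_INACTIVE };
    gadget_start(&c, 0, cleanup_on_error);
    role_stop(&c);
    return host_start(&c);
}

int main(void)
{
    printf("no cleanup: %d, cleanup: %d\n", host_after_failed_gadget(0), host_after_failed_gadget(1));
    return 0;
}
```

Without cleanup in the error path the model's host start is refused because the hardware is still in gadget mode; with cleanup the hardware is idle again and the role switch succeeds.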