Linux Kernel CDNS3 USB Driver Role Switching Vulnerability During Resume

A vulnerability in the Linux kernel's CDNS3 USB driver can lead to a NULL pointer dereference when switching roles during the resume process. This issue occurs because the host mode's resume operation expects the XHCI-HCD device to be probed, but this probing is deferred while the system is resuming. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability causes a kernel panic due to an unhandled NULL pointer dereference, which can lead to a system crash.

Reproduction

To reproduce this vulnerability, switch the USB role to host mode while the system is suspended. When the system resumes, the CDNS3 driver will attempt to activate the host role, leading to a NULL pointer dereference because the XHCI-HCD device has not been properly initialized.

Remediation

The vulnerability has been addressed in a patch that skips the resume operation for a newly assigned role if a switch occurs during the resume process. After the resume sequence is complete, the XHCI-HCD device can be probed if the host mode is active.