CVE-2021-47272

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/05/2024
Last modified: 30/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL

There exists a possible scenario in which dwc3_gadget_init() can fail: during host -> peripheral mode switch in dwc3_set_mode(), and a pending gadget driver fails to bind. Then, if the DRD undergoes another mode switch from peripheral->host the resulting dwc3_gadget_exit() will attempt to reference an invalid and dangling dwc->gadget pointer as well as call dma_free_coherent() on unmapped DMA pointers.

The exact scenario can be reproduced as follows:
- Start DWC3 in peripheral mode
- Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)
- Run FunctionFS userspace application (open EPs, write descriptors, etc)
- Bind gadget driver to DWC3's UDC
- Switch DWC3 to host mode
  => dwc3_gadget_exit() is called. usb_del_gadget() will put the ConfigFS driver instance on the gadget_driver_pending_list
- Stop FunctionFS application (closes the ep files)
- Switch DWC3 to peripheral mode
  => dwc3_gadget_init() fails as usb_add_gadget() calls check_pending_gadget_drivers() and attempts to rebind the UDC to the ConfigFS gadget but fails with -19 (-ENODEV) because the FFS instance is not in FFS_ACTIVE state (userspace has not re-opened and written the descriptors yet, i.e. desc_ready!=0).
- Switch DWC3 back to host mode
  => dwc3_gadget_exit() is called again, but this time dwc->gadget is invalid.

Although it can be argued that userspace should take responsibility for ensuring that the FunctionFS application be ready prior to allowing the composite driver bind to the UDC, failure to do so should not result in a panic from the kernel driver.

Fix this by setting dwc->gadget to NULL in the failure path of dwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out unless the gadget pointer is valid.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10 (including) 5.10.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.12.11 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*