CVE-2024-36977

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3: Wait unconditionally after issuing EndXfer command<br /> <br /> Currently all controller IP/revisions except DWC3_usb3 &gt;= 310a<br /> wait 1ms unconditionally for ENDXFER completion when IOC is not<br /> set. This is because DWC_usb3 controller revisions &gt;= 3.10a<br /> supports GUCTL2[14: Rst_actbitlater] bit which allows polling<br /> CMDACT bit to know whether ENDXFER command is completed.<br /> <br /> Consider a case where an IN request was queued, and parallelly<br /> soft_disconnect was called (due to ffs_epfile_release). This<br /> eventually calls stop_active_transfer with IOC cleared, hence<br /> send_gadget_ep_cmd() skips waiting for CMDACT cleared during<br /> EndXfer. For DWC3 controllers with revisions &gt;= 310a, we don&amp;#39;t<br /> forcefully wait for 1ms either, and we proceed by unmapping the<br /> requests. If ENDXFER didn&amp;#39;t complete by this time, it leads to<br /> SMMU faults since the controller would still be accessing those<br /> requests.<br /> <br /> Fix this by ensuring ENDXFER completion by adding 1ms delay in<br /> __dwc3_stop_active_transfer() unconditionally.