Jack Pham

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A possible scenario exists where `dwc3 gadget init()` can fail during a host to peripheral mode switch in `dwc3 set mode()`, and a pending gadget driver fails to bind. If the DRD undergoes another mode switch from peripheral to host, `dwc3 gadget exit()` will attempt to reference an invalid and dangling `dwc->gadget` pointer and call `dma free coherent()` on unmapped DMA pointers. The issue can be reproduced by starting DWC3 in peripheral mode, configuring ConfigFS gadget with FunctionFS instance, running FunctionFS userspace application, binding gadget driver to DWC3's UDC, switching to host mode, stopping FunctionFS application, switching to peripheral mode, and then back to host mode. Although userspace should ensure the FunctionFS application is ready before allowing the composite driver to bind to the UDC, failure to do so should not result in a panic from the kernel driver. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel related to the usb: dwc3: gadget. The issue arises when the gadget structure is freed before freeing the endpoints, resulting in a dangling pointer situation. This occurs because the endpoints created in dwc3 gadget init endpoints() have their dep->endpoint.ep list members chained off the list head anchored at dwc->gadget->ep list. When dwc->gadget is freed, the first dwc3 ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3 ep at the tail of the list. The dwc3 gadget free endpoints() that follows will result in a use-after-free when it calls list del(). This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.