Home

Description

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix state inconsistency on gadget init failure When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency. When switching to host mode via sysfs: echo host > /sys/class/usb_role/13180000.usb-role-switch/role The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles. This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller: [ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19 [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed ... [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408 [ 1301.393391] backtrace: ... xhci_gen_setup+0xa4/0x408 <-- CRASH xhci_plat_setup+0x44/0x58 usb_add_hcd+0x284/0x678 ... cdns_role_set+0x9c/0xbc <-- Role switch Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.

PUBLISHED Reserved 2026-03-09 | Published 2026-05-01 | Updated 2026-05-01 | Assigner Linux

Product status

Default status
unaffected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before fb7110a052467098967284ef14d306810b354937
affected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before 9b1d301fbae837bf6979a19030b81d869bb15f7a
affected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before cfca84f5986afceb63a3adf39d4a98e915aebbc2
affected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f
affected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before 5a85599ca4d2584d89dc69f4fc49303b75a42338
affected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f
affected

7733f6c32e36ff9d7adadf40001039bf219b1cbe (git) before c32f8748d70c8fc77676ad92ed76cede17bf2c48
affected

Default status
affected

5.4
affected

Any version before 5.4
unaffected

5.15.203 (semver)
unaffected

6.1.168 (semver)
unaffected

6.6.134 (semver)
unaffected

6.12.81 (semver)
unaffected

6.18.22 (semver)
unaffected

6.19.12 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/fb7110a052467098967284ef14d306810b354937

git.kernel.org/...c/9b1d301fbae837bf6979a19030b81d869bb15f7a

git.kernel.org/...c/cfca84f5986afceb63a3adf39d4a98e915aebbc2

git.kernel.org/...c/c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f

git.kernel.org/...c/5a85599ca4d2584d89dc69f4fc49303b75a42338

git.kernel.org/...c/b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f

git.kernel.org/...c/c32f8748d70c8fc77676ad92ed76cede17bf2c48

cve.org (CVE-2026-31754)

nvd.nist.gov (CVE-2026-31754)

Download JSON