
CVE-2021-47272: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Medium
Published: Tue May 21 2024 (05/21/2024, 14:20:01 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL

There exists a possible scenario in which dwc3_gadget_init() can fail: during a host -> peripheral mode switch in dwc3_set_mode(), a pending gadget driver fails to bind. Then, if the DRD undergoes another mode switch from peripheral -> host, the resulting dwc3_gadget_exit() will attempt to reference an invalid and dangling dwc->gadget pointer as well as call dma_free_coherent() on unmapped DMA pointers.

The exact scenario can be reproduced as follows:

- Start DWC3 in peripheral mode
- Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)
- Run FunctionFS userspace application (open EPs, write descriptors, etc.)
- Bind gadget driver to DWC3's UDC
- Switch DWC3 to host mode => dwc3_gadget_exit() is called. usb_del_gadget() will put the ConfigFS driver instance on the gadget_driver_pending_list
- Stop FunctionFS application (closes the ep files)
- Switch DWC3 to peripheral mode => dwc3_gadget_init() fails as usb_add_gadget() calls check_pending_gadget_drivers() and attempts to rebind the UDC to the ConfigFS gadget but fails with -19 (-ENODEV) because the FFS instance is not in FFS_ACTIVE state (userspace has not re-opened and written the descriptors yet, i.e. desc_ready!=0).
- Switch DWC3 back to host mode => dwc3_gadget_exit() is called again, but this time dwc->gadget is invalid.

Although it can be argued that userspace should take responsibility for ensuring that the FunctionFS application be ready prior to allowing the composite driver bind to the UDC, failure to do so should not result in a panic from the kernel driver.

Fix this by setting dwc->gadget to NULL in the failure path of dwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out unless the gadget pointer is valid.

AI-Powered Analysis

AILast updated: 06/26/2025, 12:21:05 UTC

Technical Analysis

CVE-2021-47272 is a vulnerability in the Linux kernel's USB driver subsystem, specifically affecting the DesignWare Core USB3 (dwc3) gadget driver. The issue arises during mode switching between host and peripheral modes in the dwc3_set_mode() function. When switching from host to peripheral mode, if the gadget driver fails to bind properly (for example, due to a FunctionFS userspace application not being ready), the dwc3_gadget_init() function fails but does not correctly reset the dwc->gadget pointer. Subsequently, if the device switches back to host mode, dwc3_gadget_exit() attempts to reference this invalid and dangling dwc->gadget pointer and calls dma_free_coherent() on unmapped DMA pointers. This can lead to a kernel panic or system crash. The vulnerability stems from improper handling of the gadget pointer state during failure scenarios in the gadget initialization and exit routines. The root cause is that userspace applications (such as FunctionFS) may not be ready or properly synchronized with the kernel gadget driver lifecycle, but the kernel driver does not gracefully handle this condition, leading to unsafe memory operations. The fix involves setting dwc->gadget to NULL on failure paths in dwc3_gadget_init() and adding a validity check in dwc3_gadget_exit() to prevent dereferencing invalid pointers. This vulnerability is relevant for Linux kernel versions containing the affected dwc3 gadget driver code and impacts systems using the DesignWare USB3 controller in gadget mode, particularly those relying on FunctionFS or similar USB gadget frameworks.
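The following is an added illustration, not code from the Linux kernel or from this advisory: a small user-space model of the init/exit lifecycle described above and in the Description's reproduction steps. All names (struct model_dwc3, model_gadget_init, model_gadget_exit, replay_mode_switches, and the bookkeeping globals) are hypothetical stand-ins for dwc3 and usb_add_gadget()/usb_del_gadget()/dma_free_coherent(); instead of crashing, the model counts operations that would be unsafe in the real driver (a reference through a dangling gadget pointer, a free of an unmapped DMA buffer). The same replay is run with and without the two-part fix (clear dwc->gadget on the failure path, bail out of exit when it is NULL) so the difference is visible.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver state; not the kernel's struct dwc3 or struct usb_gadget. */
struct model_gadget { int bound; };

struct model_dwc3 {
    struct model_gadget *gadget;  /* plays the role of dwc->gadget */
    void *dma_buf;                /* plays the role of a dma_alloc_coherent() buffer */
    bool dma_mapped;
};

/* Bookkeeping so the replay can report unsafe operations instead of crashing. */
static struct model_gadget *live_gadget;   /* the only gadget allocation currently valid */
static int unsafe_ops;                      /* dangling gadget refs + frees of unmapped DMA */

/* Stand-in for dma_free_coherent(): freeing an unmapped pointer is undefined in the real kernel. */
static void model_dma_free(struct model_dwc3 *dwc)
{
    if (!dwc->dma_mapped) {
        unsafe_ops++;
        return;
    }
    free(dwc->dma_buf);
    dwc->dma_buf = NULL;
    dwc->dma_mapped = false;
}

/* Stand-in for usb_del_gadget(): a pointer to an already-released gadget is a use-after-free. */
static void model_usb_del_gadget(struct model_gadget *g)
{
    if (g != live_gadget) {
        unsafe_ops++;
        return;
    }
    free(g);
    live_gadget = NULL;
}

/* Mirrors dwc3_gadget_init() as described: allocate, then try to bind the pending driver. */
static int model_gadget_init(struct model_dwc3 *dwc, bool driver_ready, bool patched)
{
    dwc->dma_buf = malloc(64);
    dwc->dma_mapped = true;
    dwc->gadget = malloc(sizeof *dwc->gadget);
    live_gadget = dwc->gadget;

    if (!driver_ready) {                 /* usb_add_gadget() -> check_pending_gadget_drivers() fails */
        model_usb_del_gadget(dwc->gadget);
        model_dma_free(dwc);
        if (patched)
            dwc->gadget = NULL;          /* the fix: do not leave a dangling pointer behind */
        return -ENODEV;                  /* the -19 reported in the advisory */
    }
    dwc->gadget->bound = 1;
    return 0;
}

/* Mirrors dwc3_gadget_exit(): release the gadget and its DMA buffer. */
static void model_gadget_exit(struct model_dwc3 *dwc, bool patched)
{
    if (patched && !dwc->gadget)         /* the fix: bail out unless the gadget pointer is valid */
        return;
    model_usb_del_gadget(dwc->gadget);
    model_dma_free(dwc);
    dwc->gadget = NULL;
}

/* Replays the advisory's sequence: peripheral (init ok) -> host (exit) ->
 * peripheral (init fails, FFS app not ready) -> host (exit again).
 * Returns how many unsafe operations the driver model performed. */
int replay_mode_switches(bool patched)
{
    struct model_dwc3 dwc = {0};
    unsafe_ops = 0;
    live_gadget = NULL;

    model_gadget_init(&dwc, true, patched);   /* FFS app ready: bind succeeds */
    model_gadget_exit(&dwc, patched);         /* switch to host */
    model_gadget_init(&dwc, false, patched);  /* FFS app closed: bind fails with -ENODEV */
    model_gadget_exit(&dwc, patched);         /* switch to host again: the dangerous call */
    return unsafe_ops;
}

int main(void)
{
    printf("unpatched: %d unsafe operations\n", replay_mode_switches(false));
    printf("patched:   %d unsafe operations\n", replay_mode_switches(true));
    return 0;
}
```

In the unpatched replay the final exit performs two unsafe operations (a reference through the stale gadget pointer and a free of the already-released DMA buffer), which is exactly the pair the kernel panic stems from; with both halves of the fix applied the second exit returns early and performs none. Note that the NULL assignment on the failure path and the check in exit are only effective together: clearing the pointer without the check still dereferences NULL, and the check without the clear still sees the dangling value.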

Potential Impact

For European organizations, the impact of CVE-2021-47272 depends largely on the deployment of Linux systems utilizing the DesignWare USB3 controller in gadget mode. This vulnerability can cause kernel panics or system crashes during USB mode switching, potentially leading to denial of service (DoS) conditions. Systems that rely on USB gadget functionality for peripheral emulation, embedded devices, or specialized USB functions may experience instability or downtime. This can disrupt critical operations, especially in industrial control systems, telecommunications equipment, or embedded Linux devices common in sectors like manufacturing, healthcare, and transportation. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting system crashes can cause operational interruptions and require manual intervention to recover. The lack of known exploits in the wild reduces immediate risk, but organizations should be aware that attackers could leverage this flaw for targeted DoS attacks. The impact on confidentiality and integrity is low, but availability impact is medium to high depending on the criticality of affected systems.

Mitigation Recommendations

To mitigate CVE-2021-47272, European organizations should:

1) Apply the latest Linux kernel updates that include the patch fixing this vulnerability, ensuring that dwc->gadget pointer handling is corrected.
2) Review and improve the synchronization between userspace USB gadget applications (e.g., FunctionFS) and the kernel gadget driver lifecycle to prevent binding failures during mode switches.
3) Implement monitoring to detect kernel panics or USB subsystem errors related to dwc3 gadget mode transitions.
4) For embedded or specialized devices using the DesignWare USB3 controller, coordinate with hardware vendors to confirm firmware and kernel versions are patched.
5) Where possible, limit or control USB mode switching operations to reduce exposure to the failure scenario.
6) Conduct testing of USB gadget functionality after patching to ensure stability and correct behavior.

These steps go beyond generic advice by focusing on the specific driver and userspace interaction issues that cause the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-21T13:27:52.127Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9835c4522896dcbea284

Added to database: 5/21/2025, 9:09:09 AM

Last enriched: 6/26/2025, 12:21:05 PM

Last updated: 8/8/2025, 6:54:24 AM

