{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-46986","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-27T18:42:55.946Z","datePublished":"2024-02-28T08:13:14.082Z","dateUpdated":"2025-05-04T07:01:46.315Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:01:46.315Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Free gadget structure only after freeing endpoints\n\nAs part of commit e81a7018d93a (\"usb: dwc3: allocate gadget structure\ndynamically\") the dwc3_gadget_release() was added which will free\nthe dwc->gadget structure upon the device's removal when\nusb_del_gadget_udc() is called in dwc3_gadget_exit().\n\nHowever, simply freeing the gadget results in a dangling pointer\nsituation: the endpoints created in dwc3_gadget_init_endpoints()\nhave their dep->endpoint.ep_list members chained off the list_head\nanchored at dwc->gadget->ep_list.  Thus when dwc->gadget is freed,\nthe first dwc3_ep in the list now has a dangling prev pointer and\nlikewise for the next pointer of the dwc3_ep at the tail of the list.\nThe dwc3_gadget_free_endpoints() that follows will result in a\nuse-after-free when it calls list_del().\n\nThis was caught by enabling KASAN and performing a driver unbind.\nThe recent commit 568262bf5492 (\"usb: dwc3: core: Add shutdown\ncallback for dwc3\") also exposes this as a panic during shutdown.\n\nThere are a few possibilities to fix this.  One could be to perform\na list_del() of the gadget->ep_list itself which removes it from\nthe rest of the dwc3_ep chain.\n\nAnother approach is what this patch does, by splitting up the\nusb_del_gadget_udc() call into its separate \"del\" and \"put\"\ncomponents.  This allows dwc3_gadget_free_endpoints() to be\ncalled before the gadget is finally freed with usb_put_gadget()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/dwc3/gadget.c"],"versions":[{"version":"e81a7018d93a7de31a3f121c9a7eecd0a5ec58b0","lessThan":"1ea775021282d90e1d08d696b7ab54aa75d688e5","status":"affected","versionType":"git"},{"version":"e81a7018d93a7de31a3f121c9a7eecd0a5ec58b0","lessThan":"bc0cdd72493236fb72b390ad38ce581e353c143c","status":"affected","versionType":"git"},{"version":"e81a7018d93a7de31a3f121c9a7eecd0a5ec58b0","lessThan":"b4b8e9601d7ee8806d2687f081a42485d27674a1","status":"affected","versionType":"git"},{"version":"e81a7018d93a7de31a3f121c9a7eecd0a5ec58b0","lessThan":"bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/dwc3/gadget.c"],"versions":[{"version":"5.10","status":"affected"},{"version":"0","lessThan":"5.10","status":"unaffected","versionType":"semver"},{"version":"5.10.38","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.11.22","lessThanOrEqual":"5.11.*","status":"unaffected","versionType":"semver"},{"version":"5.12.5","lessThanOrEqual":"5.12.*","status":"unaffected","versionType":"semver"},{"version":"5.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.10.38"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.11.22"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.12.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10","versionEndExcluding":"5.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1ea775021282d90e1d08d696b7ab54aa75d688e5"},{"url":"https://git.kernel.org/stable/c/bc0cdd72493236fb72b390ad38ce581e353c143c"},{"url":"https://git.kernel.org/stable/c/b4b8e9601d7ee8806d2687f081a42485d27674a1"},{"url":"https://git.kernel.org/stable/c/bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139"}],"title":"usb: dwc3: gadget: Free gadget structure only after freeing endpoints","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:24:37.910Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/1ea775021282d90e1d08d696b7ab54aa75d688e5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/bc0cdd72493236fb72b390ad38ce581e353c143c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b4b8e9601d7ee8806d2687f081a42485d27674a1","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/bb9c74a5bd1462499fe5ccb1e3c5ac40dcfa9139","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-46986","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:01:05.321895Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:39.499Z"}}]}}