CVE-2026-31754

Source
https://cve.org/CVERecord?id=CVE-2026-31754
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31754.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31754
Published
2026-05-01T14:14:45.628Z
Modified
2026-05-18T05:59:54.316873538Z
Summary
usb: cdns3: gadget: fix state inconsistency on gadget init failure
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix state inconsistency on gadget init failure

When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency.

When switching to host mode via sysfs:

    echo host > /sys/class/usb_role/13180000.usb-role-switch/role

The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles.

This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller:

    [ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19
    [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget
    [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed
    ...
    [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
    [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
    [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408
    [ 1301.393391] backtrace:
        ...
        xhci_gen_setup+0xa4/0x408    <-- CRASH
        xhci_plat_setup+0x44/0x58
        usb_add_hcd+0x284/0x678
        ...
        cdns_role_set+0x9c/0xbc      <-- Role switch

Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31754.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7733f6c32e36ff9d7adadf40001039bf219b1cbe
Fixed
fb7110a052467098967284ef14d306810b354937
Fixed
9b1d301fbae837bf6979a19030b81d869bb15f7a
Fixed
cfca84f5986afceb63a3adf39d4a98e915aebbc2
Fixed
c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f
Fixed
5a85599ca4d2584d89dc69f4fc49303b75a42338
Fixed
b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f
Fixed
c32f8748d70c8fc77676ad92ed76cede17bf2c48

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31754.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31754.json"