Linux kernel and device drivers for NXP i.MX platforms
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Xu Yang" <xu.yang_2@oss.nxp.com>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org
Subject: Re: [PATCH v2] usb: gadget: f_uac1_legacy: remove broken string configfs attributes
Date: Mon, 13 Jul 2026 06:17:26 +0000	[thread overview]
Message-ID: <20260713061726.A7DD31F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713060845.3759673-1-xu.yang_2@oss.nxp.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing bounds checking on integer configfs attributes leads to ZERO_SIZE_PTR dereference and kernel crash.
- [High] Permanent memory and request leak when the USB host changes alternate settings.
--

--- Patch [1]: [PATCH v2] usb: gadget: f_uac1_legacy: remove broken string configfs attributes ---
commit 4b8c64c0b84575a689f911f2adeef96bb30cecea
Author: Xu Yang <xu.yang_2@nxp.com>

usb: gadget: f_uac1_legacy: remove broken string configfs attributes

The UAC1_STR_ATTRIBUTE macro defines configfs show/store handlers for
the fn_play, fn_cap, and fn_cntl string options. The store function
contains an inverted null check on the kstrndup() return value. This
patch removes the UAC1_STR_ATTRIBUTE macro and the three attributes it
generated, as they have been broken and unused for many years.

Link: https://lore.kernel.org/linux-usb/20260625113154.1954813-1-xu.yang_2@oss.nxp.com/

> diff --git a/drivers/usb/gadget/function/f_uac1_legacy.c b/drivers/usb/gadget/function/f_uac1_legacy.c
> index 5d201a2e30e7f..3f52099a4fdd5 100644
> --- a/drivers/usb/gadget/function/f_uac1_legacy.c
> +++ b/drivers/usb/gadget/function/f_uac1_legacy.c
> @@ -888,60 +888,10 @@ UAC1_INT_ATTRIBUTE(req_buf_size);
>  UAC1_INT_ATTRIBUTE(req_count);
>  UAC1_INT_ATTRIBUTE(audio_buf_size);

[Severity: High]
This isn't a bug introduced by this patch, but does this lack of bounds
checking allow audio_buf_size to be set to 0?

If a user with configfs access sets audio_buf_size to 0, it appears
f_audio_buffer_alloc() will call kzalloc(0) which returns ZERO_SIZE_PTR:

drivers/usb/gadget/function/f_uac1_legacy.c:f_audio_buffer_alloc() {
	...
	copy_buf->buf = kzalloc(buf_size, GFP_ATOMIC);
	if (!copy_buf->buf) {
	...
}

This bypasses the NULL check. Later, when an audio out packet is received,
f_audio_out_ep_complete() attempts to memcpy the incoming data:

drivers/usb/gadget/function/f_uac1_legacy.c:f_audio_out_ep_complete() {
	...
	memcpy(copy_buf->buf + copy_buf->actual, req->buf, req->actual);
	...
}

Can this copy into the ZERO_SIZE_PTR address cause an immediate kernel panic?

> -#define UAC1_STR_ATTRIBUTE(name)					\
> -static ssize_t f_uac1_opts_##name##_show(struct config_item *item,	\

[ ... ]

> @@ -956,12 +906,6 @@ static void f_audio_free_inst(struct usb_function_instance *f)
>  	struct f_uac1_legacy_opts *opts;
>  
>  	opts = container_of(f, struct f_uac1_legacy_opts, func_inst);
> -	if (opts->fn_play_alloc)
> -		kfree(opts->fn_play);
> -	if (opts->fn_cap_alloc)
> -		kfree(opts->fn_cap);
> -	if (opts->fn_cntl_alloc)
> -		kfree(opts->fn_cntl);
>  	kfree(opts);
>  }

[Severity: High]
This is a pre-existing issue, but does f_audio_disable() leak memory and USB
requests when the host changes alternate settings?

When the USB host selects alternate setting 1, f_audio_set_alt() allocates
requests and buffers:

drivers/usb/gadget/function/f_uac1_legacy.c:f_audio_set_alt() {
	...
	req = usb_ep_alloc_request(out_ep, GFP_ATOMIC);
	if (req) {
		req->buf = kzalloc(req_buf_size, GFP_ATOMIC);
	...
}

However, the disable callback appears to be empty and fails to free these
resources:

drivers/usb/gadget/function/f_uac1_legacy.c:f_audio_disable() {
	return;
}

Could an untrusted USB host trigger this repeatedly by changing the alternate
setting back and forth, exhausting device memory?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260713060845.3759673-1-xu.yang_2@oss.nxp.com?part=1

      reply	other threads:[~2026-07-13  6:17 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-13  6:08 [PATCH v2] usb: gadget: f_uac1_legacy: remove broken string configfs attributes Xu Yang
2026-07-13  6:17 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713061726.A7DD31F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=imx@lists.linux.dev \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=xu.yang_2@oss.nxp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox