From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE145477E3F for ; Thu, 30 Apr 2026 17:56:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777571809; cv=none; b=gqkQeG3mT3F9pxh2JB7cGkbCCaKOw5C9nQx5Jbm6Fbh6j7hCokf6I8SRH0SW/RPUjHMJnK/ZPfYmWIHxcv3smOt3fCbNZ+nyixyEbb1n1RV3I39kJSD856M5v6csgR42l9T7Gg6BHWl1HdXMbIaQHSw/bFZggd6ogA5ejvvfzA4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777571809; c=relaxed/simple; bh=9spNfy5mYjSbXGFonhvO2PAbckrLShrX0goMofh2LrA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=l+qedN1bEsX0OmjJJbcgVfYo/ZoBPhADTyMz9q1CZy6Iq/+JwJzAyh7sbrOHfq1NQPF/dML7XzbZbKvPn+ORPk2KH8kHtCyAWQb1nH3Gpny/y//vsBC99lCQQfjX5HYfCmLAyKtF0MElMwV/T8nlrrKOuMJb3nthtarW2hkFDmk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DCODzT6c; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DCODzT6c" Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-488ba840146so10272505e9.1 for ; Thu, 30 Apr 2026 10:56:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777571806; x=1778176606; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=LOoGOmEGcJMWKqKQxy0dOYEQAgzeeW+X/nrMaPWt9b8=; b=DCODzT6cG8ZbkdYIYnd8xZU64MNmg7P/I84rKCEpAstL+kA28g47aJb65zBSQrOBkU aUBaZMyDdmUs2P6LuR/p4q+m3TMU3Xqg4bFccGXL9RKjhvtgltS42ccdtBfrJjLwZ0Co CcZlsfTkUglbOlJWw+tJhRiGLX2zuncsRExIjkZzovqon7CpGrLP/Oamonp3a6hGuMrM VbJYhuTVejPnnG76CysWPD95wI8YxDvyFQkcQRvXAKJiBGybbZVCRL88oeLb++mZ67AA VCd/vmZ9+Oe3Yn6CqajQD+MQXb76UslgzdsYl/QikzzFNYe0T328CMUYWBJ8IhtEgdRi 4PUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777571806; x=1778176606; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=LOoGOmEGcJMWKqKQxy0dOYEQAgzeeW+X/nrMaPWt9b8=; b=VPAdWlgKh5spOO0Ctli3eKFEURqhOOv87JtWY1TdXaaTApRNrLlfD1gN0xDNIAV7Ni OI0dZ+liSq9vKI9MHZqojcn1kuf8G8uWQ0PzNDQeMN/o57nJqBwdiTtOkepBMqdtcHxq KmqTI72mFsY0JX/jkJRteCIWBuodaiWNbeopWkuYLtYSCSe5lGOUnqgU0VHeqrXMLOUN uB/QAcpOgblkTPekqsopufLC3yxwq77UOBDPXfC+9/AvDOaPQUs6E9Na6m5T9khAVanj 5lHNDoxsQ1XWfCVJk/WhUIehD0AVN8y8z1rMjII0nQ7IqNR55RphGiVtZVLvPkxFe02P n/Tw== X-Gm-Message-State: AOJu0Ywy8oR7SiXb/PvptUNT6XhtPt638UUO59o1MHW45NKHo+JpBRKm yJpKXUGKCvIoM89bdD8XhlXjp60aLuFrAvoSNV9APsKNByiHEPRFtTAbkRTedqIzG/LAew== X-Gm-Gg: AeBDietbFPgf4dLesMcAnBI5kflS41VGFMHgv3pPoWUNLP3T5mbrysIrGMRhTH3SlPG lD7apK6OR4pe8IFlhjnmpairk3HNrOef9ub/4QgmIb5Dumj8aohqyH6QGNsYNpNrUxJayLo1xAC f1ynBcY6f5qXINE80S5KrEBcpYqksBjzPD7AXCYEmfkvmqTcNWqZA+USNj7Ga3t4c66fnt0BTW4 JFRwsjEFL6ah73kpKl/S9HJ5QV83Wxtf0tIXnO5XTtTylWAOHeZr+LamgNGM/Cnay9PuULUHZU/ 9m7PYDy+tiFxFAWjgpjkCs8/x0fhM6K9c9oEQGYG998OR6xHOU1dpT3DdqL73KhxHu58TuU8Thv wkE5Aez/TYLmmKqrbC64xZYNeJJZg+hIARTbsziZZ92OU8+qgxQxImb2Vwy4UI6lSp3jpxsQMhC xfEeec07zwq7+s9h0Eydhb6ptXIqzwWXX601Ti74DDpvHB4Qroorox95X50RghRVj59twakOfbk xLa9brveiuTLkrUTmxwm8M/qSiw4SACNaB7BA== X-Received: by 2002:a05:600c:1991:b0:488:79a3:f04c with SMTP id 5b1f17b1804b1-48a8445fc76mr58580445e9.27.1777571806038; Thu, 30 Apr 2026 10:56:46 -0700 (PDT) Received: from localhost.localdomain ([2a00:a041:e04f:2600:f9d2:9c9e:9a42:5d91]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48a8d1a4186sm1109915e9.11.2026.04.30.10.56.44 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Thu, 30 Apr 2026 10:56:45 -0700 (PDT) From: Kai Aizen To: linux-usb@vger.kernel.org Cc: laurent.pinchart@ideasonboard.com, balbi@kernel.org, gregkh@linuxfoundation.org, w@1wt.eu, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Kai Aizen Subject: [PATCH v2] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind Date: Thu, 30 Apr 2026 20:56:43 +0300 Message-ID: <20260430175643.67120-1-kai.aizen.dev@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit uvc_function_bind() walks &opts->extension_units twice without holding opts->lock: - directly, for the iExtension string-descriptor fixup loop; - indirectly, four times via uvc_copy_descriptors() (once per speed), where the helper iterates uvc->desc.extension_units (which aliases &opts->extension_units) to size and emit XU descriptors. The configfs side (uvcg_extension_make / uvcg_extension_drop, in drivers/usb/gadget/function/uvc_configfs.c) takes opts->lock around its list_add_tail / list_del operations. A privileged userspace process that holds the configfs subtree open and writes the gadget UDC name to bind the function while concurrently rmdir()'ing an extensions subdir can race uvcg_extension_drop() against the bind-time list walks and dereference a freed struct uvcg_extension. Hold opts->lock from the start of the XU string-descriptor fixup through the last uvc_copy_descriptors() call, releasing on the descriptor-error path via a new error_unlock label that drops the lock before falling through to the existing error label. This matches the locking discipline of the configfs callbacks and removes the only remaining unsynchronised reader of the XU list during bind. Reachability: only privileged processes that can mount configfs and write to gadget UDC files can trigger the race, so this is a correctness fix rather than a security boundary. Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs") Cc: stable@vger.kernel.org Signed-off-by: Kai Aizen --- v2: fix From/Signed-off-by to use real name and email address. Drop paulelder@kernel.org (address bounced). --- drivers/usb/gadget/function/f_uvc.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index 8d404d883..73dc7e428 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -768,6 +768,16 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) uvc_hs_streaming_ep.bEndpointAddress = uvc->video.ep->address; uvc_ss_streaming_ep.bEndpointAddress = uvc->video.ep->address; + /* + * Hold opts->lock across both the XU string-descriptor fixup below and + * the descriptor-copy block further down. Without this, configfs + * uvcg_extension_drop() (which takes opts->lock) can race with the + * list_for_each_entry() walks here and inside uvc_copy_descriptors(), + * leading to a UAF on a freed struct uvcg_extension. See + * drivers/usb/gadget/function/uvc_configfs.c::uvcg_extension_drop(). + */ + mutex_lock(&opts->lock); + /* * XUs can have an arbitrary string descriptor describing them. If they * have one pick up the ID. @@ -785,7 +795,7 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) ARRAY_SIZE(uvc_en_us_strings)); if (IS_ERR(us)) { ret = PTR_ERR(us); - goto error; + goto error_unlock; } uvc_iad.iFunction = opts->iad_index ? cdev->usb_strings[opts->iad_index].id : @@ -799,14 +809,14 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) /* Allocate interface IDs. */ if ((ret = usb_interface_id(c, f)) < 0) - goto error; + goto error_unlock; uvc_iad.bFirstInterface = ret; uvc_control_intf.bInterfaceNumber = ret; uvc->control_intf = ret; opts->control_interface = ret; if ((ret = usb_interface_id(c, f)) < 0) - goto error; + goto error_unlock; uvc_streaming_intf_alt0.bInterfaceNumber = ret; uvc_streaming_intf_alt1.bInterfaceNumber = ret; uvc->streaming_intf = ret; @@ -817,30 +827,32 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) if (IS_ERR(f->fs_descriptors)) { ret = PTR_ERR(f->fs_descriptors); f->fs_descriptors = NULL; - goto error; + goto error_unlock; } f->hs_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_HIGH); if (IS_ERR(f->hs_descriptors)) { ret = PTR_ERR(f->hs_descriptors); f->hs_descriptors = NULL; - goto error; + goto error_unlock; } f->ss_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER); if (IS_ERR(f->ss_descriptors)) { ret = PTR_ERR(f->ss_descriptors); f->ss_descriptors = NULL; - goto error; + goto error_unlock; } f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS); if (IS_ERR(f->ssp_descriptors)) { ret = PTR_ERR(f->ssp_descriptors); f->ssp_descriptors = NULL; - goto error; + goto error_unlock; } + mutex_unlock(&opts->lock); + /* Preallocate control endpoint request. */ uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL); uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL); @@ -872,6 +884,8 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) return 0; +error_unlock: + mutex_unlock(&opts->lock); v4l2_error: v4l2_device_unregister(&uvc->v4l2_dev); error: -- 2.43.0