From: Adrian Korwel <adriank20047@gmail.com>
To: linux-usb@vger.kernel.org
Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, heikki.krogerus@linux.intel.com, Adrian Korwel <adriank20047@gmail.com>
Subject: [PATCH 2/4] usb: gadget: f_uac1_legacy: fix use-after-free caused by bound guard
Date: Mon, 25 May 2026 15:24:10 -0500
Message-ID: <20260525202414.602-4-adriank20047@gmail.com>
In-Reply-To: <20260525202414.602-1-adriank20047@gmail.com>
f_audio_bind() guards gaudio_setup() with an 'audio_opts->bound' flag
to prevent re-initialization on repeated bind attempts. However the
fail: error path unconditionally calls gaudio_cleanup(). On repeated
bind attempts after failure, this closes file handles that were opened
in a previous bind invocation and already freed by RCU, causing a
use-after-free detected by KASAN:
BUG: KASAN: slab-use-after-free in filp_flush+0x23/0x1b0
Read of size 8 at addr ffff88810d5523a8 by task bash/306
...
gaudio_cleanup+0x59/0x100
f_audio_bind+0x4b0/0x590
Fix by removing the bound guard and calling gaudio_setup()
unconditionally in f_audio_bind(), making setup and cleanup a matched
pair within each bind invocation. Remove the now-unused 'bound' field
from struct f_uac1_legacy_opts.
Fixes: d355339eecd9 ("usb: gadget: function: make current f_uac1 implementation legacy")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
---
drivers/usb/gadget/function/f_uac1_legacy.c | 11 ++++-------
drivers/usb/gadget/function/u_uac1_legacy.h | 1 -
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/gadget/function/f_uac1_legacy.c b/drivers/usb/gadget/function/f_uac1_legacy.c
index 5d201a2e30e7..6ad4b16769b7 100644
--- a/drivers/usb/gadget/function/f_uac1_legacy.c
+++ b/drivers/usb/gadget/function/f_uac1_legacy.c
@@ -735,13 +735,10 @@ f_audio_bind(struct usb_configuration *c, struct usb_function *f)
audio_opts = container_of(f->fi, struct f_uac1_legacy_opts, func_inst);
audio->card.gadget = c->cdev->gadget;
- /* set up ASLA audio devices */
- if (!audio_opts->bound) {
- status = gaudio_setup(&audio->card);
- if (status < 0)
- return status;
- audio_opts->bound = true;
- }
+ /* set up ALSA audio devices */
+ status = gaudio_setup(&audio->card);
+ if (status < 0)
+ return status;
us = usb_gstrings_attach(cdev, uac1_strings, ARRAY_SIZE(strings_uac1));
if (IS_ERR(us))
return PTR_ERR(us);
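Review bot: With the 'bound' guard gone, gaudio_setup() now runs on every bind, but neither the `fail:` label that calls gaudio_cleanup() nor f_audio_unbind() is visible in this hunk; for a successful bind followed by unbind and re-bind, the unbind path must release what gaudio_setup() opened, or the first bind's handles leak on each cycle (the old guard hid that by reusing them). Please confirm in the changelog, or show in the diff, that unbind pairs with setup. The `ASLA` -> `ALSA` comment fix on the `+ /* set up ALSA audio devices */` line is unrelated to the use-after-free; harmless, but it should be mentioned or split into a separate cleanup.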
diff --git a/drivers/usb/gadget/function/u_uac1_legacy.h b/drivers/usb/gadget/function/u_uac1_legacy.h
index b5df9bcbbeba..fd22fd37fe53 100644
--- a/drivers/usb/gadget/function/u_uac1_legacy.h
+++ b/drivers/usb/gadget/function/u_uac1_legacy.h
@@ -61,7 +61,6 @@ struct f_uac1_legacy_opts {
char *fn_play;
char *fn_cap;
char *fn_cntl;
- unsigned bound:1;
unsigned fn_play_alloc:1;
unsigned fn_cap_alloc:1;
unsigned fn_cntl_alloc:1;
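Review bot: Removing `unsigned bound:1;` here shifts the remaining bitfields, which is fine since struct f_uac1_legacy_opts is internal to the gadget function, but the hunk only proves that no reader of `bound` remains if the whole driver still builds; since the diffstat touches only f_uac1_legacy.c and this header, a short note in the changelog that the removal was build-tested (so no other user of the field exists) would make that explicit.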
--
2.43.0
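Added here as a stand-alone illustration of the bind/fail/re-bind sequence the changelog describes; this is not the kernel's f_uac1_legacy code. The handle state machine, the `uaf_events` counter and the `guarded` flag are assumptions that stand in for the ALSA file handles and the removed 'bound' check.

```c
#include <stdbool.h>

/* Model only (assumption): the handle state and uaf_events counter stand in
 * for the file handles that KASAN reported as freed and then flushed again. */
enum hstate { H_NONE, H_OPEN, H_CLOSED };
struct card { enum hstate handle; }; /* stands in for audio->card */
struct opts { bool bound; };          /* the removed audio_opts->bound */

static int uaf_events; /* cleanup applied to an already-closed handle */

static int gaudio_setup_model(struct card *c)
{
	c->handle = H_OPEN;
	return 0;
}

static void gaudio_cleanup_model(struct card *c)
{
	if (c->handle == H_CLOSED)
		uaf_events++; /* second close of a freed handle: the KASAN hit */
	c->handle = H_CLOSED;
}

/* f_audio_bind() skeleton: guarded=true is the old code (setup skipped once
 * 'bound' is set, cleanup unconditional at fail:), guarded=false is the patch
 * (setup and cleanup are a matched pair within one invocation). */
static int bind_model(struct opts *o, struct card *c, bool guarded, bool fails)
{
	if (!guarded || !o->bound) {
		if (gaudio_setup_model(c) < 0)
			return -1;
		o->bound = true;
	}
	if (fails)
		goto fail; /* a later bind step failed, e.g. string attach */
	return 0;
fail:
	gaudio_cleanup_model(c);
	return -1;
}

/* Two failing bind attempts in a row; returns how many double closes occur. */
int double_close_count(bool guarded)
{
	struct opts o = { false };
	struct card c = { H_NONE };

	uaf_events = 0;
	bind_model(&o, &c, guarded, true); /* setup, fail, cleanup: closed */
	bind_model(&o, &c, guarded, true); /* old: no setup, cleanup again */
	return uaf_events;
}
```

With the guard the second attempt cleans up handles that the first attempt already closed, which is the double free the patch removes.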