Linux USB
* [PATCH v2 0/2] USB: gadget: fix mm lifetime use-after-free in async read paths
@ 2026-06-01  6:44 Gabriel Prostitis via B4 Relay
  2026-06-01  6:44 ` [PATCH v2 1/2] USB: gadget: ffs: fix mm lifetime handling Gabriel Prostitis via B4 Relay
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Gabriel Prostitis via B4 Relay @ 2026-06-01  6:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-usb, linux-kernel, Alan Stern

There is a use-after-free in the USB gadget FunctionFS and legacy
GadgetFS asynchronous read paths. Both implementations store
current->mm in per-request state without taking a reference, and
later use it in a workqueue context via kthread_use_mm().

If the submitting task exits before the USB request completes,
the stored mm_struct may be freed while a pending request still
references it, leading to a use-after-free.

The issue affects:

- FunctionFS: drivers/usb/gadget/function/f_fs.c
- GadgetFS legacy: drivers/usb/gadget/legacy/inode.c

Fix this by taking a reference to mm_struct with mmgrab() when
queueing the request and releasing it with mmdrop() after
completion. Before using the saved mm_struct, acquire a temporary
reference with mmget_not_zero() to ensure it is still alive.

The issue can be triggered by submitting asynchronous reads on
OUT endpoints (e.g. via io_uring for FunctionFS) and exiting the
submitting task before completion. This may result in memory
corruption in the address space of another process if the freed
mm_struct is reclaimed during the race window.

KASAN reports confirm use-after-free in the workqueue completion
path when accessing the stale mm_struct.

Signed-off-by: Gabriel Prostitis <prostitisgabriel@gmail.com>
---
Changes in v2:
- Fix swapped lines in drivers/usb/gadget/legacy/inode.c
- Link to v1: https://patch.msgid.link/20260531-mm-uaf-fix-v1-0-91571cc6ca46@gmail.com

To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org

---
Gabriel Prostitis (2):
      USB: gadget: ffs: fix mm lifetime handling
      USB: gadget: inode: fix mm lifetime handling

 drivers/usb/gadget/function/f_fs.c | 27 ++++++++++++++++++++-------
 drivers/usb/gadget/legacy/inode.c  | 17 +++++++++++++----
 2 files changed, 33 insertions(+), 11 deletions(-)
---
base-commit: 22d91cef94b5b86cff0d68ebfce7741740672704
change-id: 20260531-mm-uaf-fix-91d9dacac692

Best regards,
--  
Gabriel Prostitis <prostitisgabriel@gmail.com>
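As an added illustration, not part of the patch series, here is a userspace C model of the two mm_struct reference counts the fix relies on: mmgrab()/mmdrop() keep the struct allocated, while mmget_not_zero()/mmput() only succeed while the address space still has users. The function names mirror the kernel API, but the bodies and the `freed` flag are a simulation rather than kernel code.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of the kernel's mm_struct counters (assumption: simplified). */
struct mm_struct {
    int mm_users;  /* address-space users; reaches 0 when the owner exits */
    int mm_count;  /* struct lifetime; the struct is freed when it hits 0 */
    bool freed;    /* model only: set where the kernel would free_mm() */
};

static void mmgrab(struct mm_struct *mm) { mm->mm_count++; }
static void mmdrop(struct mm_struct *mm)
{
    if (--mm->mm_count == 0)
        mm->freed = true;
}
static bool mmget_not_zero(struct mm_struct *mm)
{
    if (mm->mm_users == 0)
        return false;            /* address space already torn down */
    mm->mm_users++;
    return true;
}
static void mmput(struct mm_struct *mm)
{
    if (--mm->mm_users == 0)
        mmdrop(mm);              /* mm_users holds one mm_count reference */
}

/* Cover-letter scenario: a task queues an async read, optionally exits,
 * and the request completes later on a workqueue. Returns true if the
 * completion never touched a freed struct; *copied reports whether the
 * data could still be delivered into the address space. */
static bool run_scenario(bool fixed, bool task_exits, bool *copied)
{
    struct mm_struct mm = { .mm_users = 1, .mm_count = 1 };
    struct mm_struct *saved = &mm;        /* current->mm stored in the request */

    if (fixed)
        mmgrab(saved);                    /* pin the struct at queue time */
    if (task_exits)
        mmput(saved);                     /* submitting task exits */

    bool struct_alive = !saved->freed;    /* unfixed path: this is the UAF point */
    *copied = false;
    if (struct_alive && mmget_not_zero(saved)) {
        *copied = true;                   /* kthread_use_mm() + copy would go here */
        mmput(saved);
    }
    if (fixed)
        mmdrop(saved);                    /* release the queue-time reference */
    return struct_alive;
}
```

With the fix, a request completing after the task has exited skips the copy instead of dereferencing freed memory, and still delivers data when the task is alive.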



Thread overview: 5+ messages
2026-06-01  6:44 [PATCH v2 0/2] USB: gadget: fix mm lifetime use-after-free in async read paths Gabriel Prostitis via B4 Relay
2026-06-01  6:44 ` [PATCH v2 1/2] USB: gadget: ffs: fix mm lifetime handling Gabriel Prostitis via B4 Relay
2026-06-01  6:44 ` [PATCH v2 2/2] USB: gadget: inode: " Gabriel Prostitis via B4 Relay
2026-06-30 15:02 ` [PATCH v2 0/2] USB: gadget: fix mm lifetime use-after-free in async read paths Gabriel Prostitis
2026-07-01  5:40   ` Greg KH