Message-ID: <052eafb8-03f9-48a7-a1b4-4c366f120d51@linuxfoundation.org>
Date: Tue, 5 May 2026 12:02:13 -0600
From: Shuah Khan
To: Michael Bommarito, Valentina Manea, Shuah Khan, Greg Kroah-Hartman, linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Zheng Wang, Zheng Hacker, Shuah Khan
Subject: Re: [PATCH] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
In-Reply-To: <20260417163552.807548-1-michael.bommarito@gmail.com>
References: <20230317100954.2626573-1-zyytlz.wz@163.com> <20260417163552.807548-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/17/26 10:35, Michael Bommarito wrote:
> This patch follows up Zheng Wang's 2023 report of a use-after-free in
> vudc_remove(). The original thread stalled on Shuah Khan's request for
> runtime testing of the unplug/unbind path. This patch supplies that
> testing and keeps Zheng's original fix shape.
>
> In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
> usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
> vudc_remove() can then free the containing struct vudc while the timer is
> still pending or executing.
>
> KASAN confirms the race on an unpatched x86_64 QEMU guest with
> CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
> that repeatedly writes a socket fd to usbip_sockfd, closes the socket
> pair, and unbinds/rebinds usbip-vudc.0:
>
> BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
> Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
> Allocated by task 239:
> vudc_probe+0x4d/0xaa0
> Freed by task 239:
> kfree+0x18f/0x520
> device_release_driver_internal+0x388/0x540
> unbind_store+0xd9/0x100
>
> This lands in the timer core rather than v_timer() itself because the
> embedded timer_list is being walked after its containing struct vudc has
> already been freed. The underlying lifetime bug is the same one Zheng
> reported.
>
> With v_stop_timer() called from vudc_remove() and the timer deleted
> synchronously, the same harness completed 5000 bind/unbind iterations
> with no KASAN report.
>
> Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
> Reported-by: Zheng Wang
> Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
> Signed-off-by: Michael Bommarito > --- > drivers/usb/usbip/vudc_dev.c | 1 + > drivers/usb/usbip/vudc_transfer.c | 3 ++- > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c > index 90383107b660..c5f079c5a1ea 100644 > --- a/drivers/usb/usbip/vudc_dev.c > +++ b/drivers/usb/usbip/vudc_dev.c > @@ -632,6 +632,7 @@ void vudc_remove(struct platform_device *pdev) > { > struct vudc *udc = platform_get_drvdata(pdev); > > + v_stop_timer(udc); > usb_del_gadget_udc(&udc->gadget); > cleanup_vudc_hw(udc); > kfree(udc); > diff --git a/drivers/usb/usbip/vudc_transfer.c b/drivers/usb/usbip/vudc_transfer.c > index a4f02ea3e3ef..d4ce85c4c6a2 100644 > --- a/drivers/usb/usbip/vudc_transfer.c > +++ b/drivers/usb/usbip/vudc_transfer.c > @@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc) > { > struct transfer_timer *t = &udc->tr_timer; > > - /* timer itself will take care of stopping */ > + /* Delete the timer synchronously before teardown frees udc. */ > dev_dbg(&udc->pdev->dev, "timer stop"); > + timer_delete_sync(&t->timer); > t->state = VUDC_TR_STOPPED; > } Looks good to me. Acked-by: Shuah Khan thanks, -- Shuah
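Review bot: in the vudc_remove() hunk, v_stop_timer(udc) is placed before usb_del_gadget_udc(&udc->gadget), so anything that can still reach v_kick_timer() after v_stop_timer() returns (the commit message names usbip_sockfd_store() as the path that arms the timer, and gadget teardown driven by usb_del_gadget_udc() is another candidate) re-arms a timer that kfree(udc) then frees, and timer_delete_sync() does nothing to stop a later mod_timer(). For a teardown that ends in kfree(), timer_shutdown_sync() is the API intended for this: it waits for a running callback and makes every subsequent mod_timer()/add_timer() on that timer a no-op. Either call timer_shutdown_sync(&udc->tr_timer.timer) here, after usb_del_gadget_udc() and before cleanup_vudc_hw(), or explain in the commit message why nothing can re-arm the timer between these two lines.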
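Review bot: the v_stop_timer() hunk turns a helper that only flipped t->state into one that sleeps in timer_delete_sync(), and the comment it replaces ("timer itself will take care of stopping") suggests the old version was written to be safe from any context, including under udc->lock if v_timer() takes that lock; a caller holding a lock that the callback needs would now deadlock while timer_delete_sync() waits for the callback to finish. The commit message tests only the vudc_remove() path, so please confirm every existing v_stop_timer() caller's context (or add a lockdep_assert_not_held()/might_sleep() to make the new requirement explicit), and if any caller holds the lock, keep the synchronous deletion in vudc_remove() rather than in the shared helper. Two smaller points in the same hunk: the new comment "Delete the timer synchronously before teardown frees udc." describes one caller, not the function, so say what the function guarantees instead; and t->state = VUDC_TR_STOPPED is written after the synchronous delete, so if v_kick_timer() or v_timer() uses the state to decide whether to re-arm, move the assignment before timer_delete_sync() so a concurrent caller sees STOPPED during the wait.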
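The commit message describes its reproducer only in prose (a loop that writes a socket fd to usbip_sockfd, closes the socket pair, and unbinds/rebinds usbip-vudc.0). The following is an added user-space harness in that shape, written for this page; it is not code from the patch, from Michael Bommarito, or from the usbip tree. Everything about the sysfs interface is an assumption here: the attribute path /sys/devices/platform/usbip-vudc.0/usbip_sockfd, the platform driver's bind/unbind files under /sys/bus/platform/drivers/usbip-vudc/, that the store accepts an AF_UNIX SOCK_STREAM descriptor, and that a gadget driver such as g_zero is bound so usbip_sockfd_store() actually starts the transfer timer. It is meant to be run as root inside a disposable VM built with CONFIG_KASAN=y, and its purpose is to crash an unpatched kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Assumed sysfs layout (not stated in the mail): platform device
 * usbip-vudc.0 with its usbip_sockfd attribute, plus the usbip-vudc
 * platform driver's bind/unbind files. */
#define VUDC_DEV     "usbip-vudc.0"
#define SOCKFD_ATTR  "/sys/devices/platform/" VUDC_DEV "/usbip_sockfd"
#define DRV_UNBIND   "/sys/bus/platform/drivers/usbip-vudc/unbind"
#define DRV_BIND     "/sys/bus/platform/drivers/usbip-vudc/bind"

/* Render the fd as the decimal string a sysfs store parses.
 * Returns the byte count written, or -1 if buf is too small. */
int fmt_fd(char *buf, size_t len, int fd)
{
	int n = snprintf(buf, len, "%d\n", fd);

	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write n bytes to a sysfs attribute. Returns 0 or -errno. */
static int sysfs_write(const char *path, const char *s, size_t n)
{
	int fd = open(path, O_WRONLY | O_CLOEXEC);
	int ret = 0;

	if (fd < 0)
		return -errno;
	if (write(fd, s, n) != (ssize_t)n)
		ret = -errno;
	close(fd);
	return ret;
}

/* One pass over the race window: hand one end of a socketpair to vudc
 * (arming the transfer timer when a gadget driver is bound), drop both
 * ends, unbind the device so vudc_remove() runs, then rebind for the
 * next pass. Returns 0, or -errno from the first failing unbind/bind. */
int trigger_and_unbind(void)
{
	int sv[2];
	char buf[16];
	int n, ret;

	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0)
		return -errno;

	/* A failed store (for example when no gadget driver is bound yet
	 * right after a rebind) is tolerated on purpose: the unbind below
	 * still exercises vudc_remove(). */
	n = fmt_fd(buf, sizeof(buf), sv[0]);
	if (n > 0)
		(void)sysfs_write(SOCKFD_ATTR, buf, (size_t)n);

	close(sv[0]);
	close(sv[1]);

	ret = sysfs_write(DRV_UNBIND, VUDC_DEV, strlen(VUDC_DEV));
	if (ret)
		return ret;
	return sysfs_write(DRV_BIND, VUDC_DEV, strlen(VUDC_DEV));
}

int main(int argc, char **argv)
{
	long iters = argc > 1 ? strtol(argv[1], NULL, 10) : 5000;
	long i;

	for (i = 0; i < iters; i++) {
		int ret = trigger_and_unbind();

		if (ret) {
			fprintf(stderr, "iteration %ld: %s\n", i, strerror(-ret));
			return 1;
		}
	}
	printf("%ld bind/unbind iterations completed\n", iters);
	return 0;
}
```

The iteration count defaults to the 5000 the commit message reports; on an unpatched guest the expected outcome is a KASAN splat in the timer core rather than a clean exit, and on a patched guest the loop should run to completion. Because the socket is closed before the unbind, the harness also covers the disconnect-then-remove ordering, which is where a still-pending timer outlives its struct vudc.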