From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 481BB2DFA5B for ; Thu, 30 Apr 2026 15:27:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777562830; cv=none; b=PINJYni62jEhjhYMRxvIxZatF+1i+d20Z9WN6gUk4ttxPVSU6JQPDCaC2ijc5PR1KfWwaXY/YYk0gIP7bxEt6GdUrDFVi2CnL00QOK1UOTh8FXqOJfp9SahzMD5QmH3vEFEhEQaapnNMnuZMapDy4G1mSuNkojxq19DYm06P/Xk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777562830; c=relaxed/simple; bh=Xm4FEazpY1d55SvwIO4bAfwbtbgoqCSlA2mZfkuu6ME=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Z12H3xmKIZsF14nh+pN2Sv3dJxLT31yIvO3tOrRXrKfUFx3aKVE0+hgipMu6/vrAFnF2BCxBTMyU3rze8oYKJqfGguwrnAtdybt648138GCad336RW6aXy85/+GNfE51ECDyM3q/14LsFt02UdZFhPobbM+Og5+drNQRs3sAMLQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ZyzOHaYK; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ZyzOHaYK" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-48a563e4ef7so10798535e9.0 for ; Thu, 30 Apr 2026 08:27:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777562825; x=1778167625; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=+qcWerMpQDAoEvXfjALo/ClX/15Aw2GMj+ACfo5gS4o=; b=ZyzOHaYK3fcy7RzZmnbI9g0DNZyCJhYVJ2zS+Vx8x4t+24fSw7Edm7RXLxoRnuYsTZ FFNQmxAjSJZgT8AwFJXc40Vx6HEdoQBOnbM2JhHHIyXaiIp1awILrm+bHbKCxc1M4e4n bmuBPvq4NShYRbj1Pf0OgUrEL84/hRt7n751ma8G4XNUbuCuvxu+SOZ5HwMgego2zszl hdt9/VOHcJDudX3AN5+ohUuRnhrQHKkCPjDYK/+b1qM+kq6R55uI+vSb3Wn7J9qDcG9g 17k2O3hTsKRObYXir5g6O7Fml58ulwknxvlxR5uDGBvgjql9VOGv5IyKkkR++NrGeoqR RP7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777562825; x=1778167625; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=+qcWerMpQDAoEvXfjALo/ClX/15Aw2GMj+ACfo5gS4o=; b=kutcfwJ3oRj4hqjJJHFQvaW1t6A1aiZCyV8DRajcxq8yHYzbz4i9Nol2wKL8ruvcyg LPsG8f/4isZK5hw5lLkMlWxgYOliJRIg36yvH0hmXHiFG84zmTaIf90FCXP5UeK/327y +yoeaDwC9xdKNooMoBLNMDG2+gpjoxvU8BQNfrkNI/Y6MR1yiL6T+ZDQWVyKCTMfJV8h j3s4/OhmqYPopGRqfOowBGw3O+yUY43cP9HrNgES4hGordNIWCcae0h/MivsaFjYgYRV o4gzoKGpXERIPUhlx+Etsimwqv1Z7pam0AoFe198l69JOTOnjG8Sbny5JvyDavXPWd2g Z4xA== X-Forwarded-Encrypted: i=1; AFNElJ8Ih2a69hVL5Abk4Uu+XGFQ1TQSIEqLKawK8YDbGbiSYeBDXFZWpR6wNm0FyD4Zx3sw+31emBDMN7OnUwE=@vger.kernel.org X-Gm-Message-State: AOJu0YxPDVzY7c19Z3iGBoWr5u87dkLut1yEEGidVIlOrLb0cjxFnL3R sO65og6FT/EXHeYK8lDz9Zl+7B3roiiOuDacrXEMGw41q7bQqelMBPKn X-Gm-Gg: AeBDiesaJJMf4ANmxR7XNoUTqbPc40rF5EUPl3vTjP+Iesw/1/Cm0kXhc7TM0DlpFGz xxng6MM7Rq2mKKImODiNCSR1HjSgVSk6Gau4UXLxv3SzF4J35REHZlcxV197nHVhOaLAHFFJ9m1 7FgIM0RlLZlZr2HYuzskGlvsnzoskjlJayBhfiupO+gUpkvJkvMi+uQbgtjmJBJ0Wq29N+fmI5q ytUqVa31GF7dNHTSCQf81gqq1ei1QbgKzxPyqXzLq2dS8mUxmi6Hjfc+bGv8kb8GHfHEMzw918q HqAyq/M397O9E+tIf3PTWeK6ERmFcMk927nCiXORmPej/pZ+BkUlxcANBOFuVromkrrobLrez3o rbFY6hKjdRr9BtRSUFxFNCbegAfb1hFFj36eBELfVCLTKXJUKbrDwYjZ9vp3b9HthRqWX0v+68i ACsa3cYOg5JuaUqFNj81DBiFxLmfaz7u0nOdeu3iK8M1oDC05DO2wm/ZZNmBGYAuUlymP0xPa5m W0Rmzjb08eFODayHH4UhZSwMsqsu9gSdJPG5DquMTU1AE1f X-Received: by 2002:a05:600c:3e10:b0:488:ffb1:494c with SMTP id 5b1f17b1804b1-48a84456732mr55948825e9.12.1777562824666; Thu, 30 Apr 2026 08:27:04 -0700 (PDT) Received: from localhost.localdomain ([2a00:a041:e04f:2600:a0c9:1d35:8283:f96b]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48a820c71f2sm109433045e9.5.2026.04.30.08.27.03 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Thu, 30 Apr 2026 08:27:04 -0700 (PDT) From: "SnailSploit | Kai Aizen" X-Google-Original-From: SnailSploit | Kai Aizen <95986478+SnailSploit@users.noreply.github.com> To: linux-usb@vger.kernel.org Cc: laurent.pinchart@ideasonboard.com, paulelder@kernel.org, balbi@kernel.org, gregkh@linuxfoundation.org, w@1wt.eu, linux-kernel@vger.kernel.org, stable@vger.kernel.org, "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com> Subject: [PATCH] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind Date: Thu, 30 Apr 2026 18:27:02 +0300 Message-ID: <20260430152702.60771-1-95986478+SnailSploit@users.noreply.github.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com> uvc_function_bind() walks &opts->extension_units twice without holding opts->lock: - directly, for the iExtension string-descriptor fixup loop; - indirectly, four times via uvc_copy_descriptors() (once per speed), where the helper iterates uvc->desc.extension_units (which aliases &opts->extension_units) to size and emit XU descriptors. The configfs side (uvcg_extension_make / uvcg_extension_drop, in drivers/usb/gadget/function/uvc_configfs.c) takes opts->lock around its list_add_tail / list_del operations. A privileged userspace process that holds the configfs subtree open and writes the gadget UDC name to bind the function while concurrently rmdir()'ing an extensions subdir can race uvcg_extension_drop() against the bind-time list walks and dereference a freed struct uvcg_extension. Hold opts->lock from the start of the XU string-descriptor fixup through the last uvc_copy_descriptors() call, releasing on the descriptor-error path via a new error_unlock label that drops the lock before falling through to the existing error label. This matches the locking discipline of the configfs callbacks and removes the only remaining unsynchronised reader of the XU list during bind. Reachability: only privileged processes that can mount configfs and write to gadget UDC files can trigger the race, so this is a correctness fix rather than a security boundary. Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs") Cc: stable@vger.kernel.org Signed-off-by: SnailSploit | Kai Aizen <95986478+SnailSploit@users.noreply.github.com> --- drivers/usb/gadget/function/f_uvc.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index 8d404d883..73dc7e428 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -768,6 +768,16 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) uvc_hs_streaming_ep.bEndpointAddress = uvc->video.ep->address; uvc_ss_streaming_ep.bEndpointAddress = uvc->video.ep->address; + /* + * Hold opts->lock across both the XU string-descriptor fixup below and + * the descriptor-copy block further down. Without this, configfs + * uvcg_extension_drop() (which takes opts->lock) can race with the + * list_for_each_entry() walks here and inside uvc_copy_descriptors(), + * leading to a UAF on a freed struct uvcg_extension. See + * drivers/usb/gadget/function/uvc_configfs.c::uvcg_extension_drop(). + */ + mutex_lock(&opts->lock); + /* * XUs can have an arbitrary string descriptor describing them. If they * have one pick up the ID. @@ -785,7 +795,7 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) ARRAY_SIZE(uvc_en_us_strings)); if (IS_ERR(us)) { ret = PTR_ERR(us); - goto error; + goto error_unlock; } uvc_iad.iFunction = opts->iad_index ? cdev->usb_strings[opts->iad_index].id : @@ -799,14 +809,14 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) /* Allocate interface IDs. */ if ((ret = usb_interface_id(c, f)) < 0) - goto error; + goto error_unlock; uvc_iad.bFirstInterface = ret; uvc_control_intf.bInterfaceNumber = ret; uvc->control_intf = ret; opts->control_interface = ret; if ((ret = usb_interface_id(c, f)) < 0) - goto error; + goto error_unlock; uvc_streaming_intf_alt0.bInterfaceNumber = ret; uvc_streaming_intf_alt1.bInterfaceNumber = ret; uvc->streaming_intf = ret; @@ -817,30 +827,32 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) if (IS_ERR(f->fs_descriptors)) { ret = PTR_ERR(f->fs_descriptors); f->fs_descriptors = NULL; - goto error; + goto error_unlock; } f->hs_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_HIGH); if (IS_ERR(f->hs_descriptors)) { ret = PTR_ERR(f->hs_descriptors); f->hs_descriptors = NULL; - goto error; + goto error_unlock; } f->ss_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER); if (IS_ERR(f->ss_descriptors)) { ret = PTR_ERR(f->ss_descriptors); f->ss_descriptors = NULL; - goto error; + goto error_unlock; } f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS); if (IS_ERR(f->ssp_descriptors)) { ret = PTR_ERR(f->ssp_descriptors); f->ssp_descriptors = NULL; - goto error; + goto error_unlock; } + mutex_unlock(&opts->lock); + /* Preallocate control endpoint request. */ uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL); uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL); @@ -872,6 +884,8 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f) return 0; +error_unlock: + mutex_unlock(&opts->lock); v4l2_error: v4l2_device_unregister(&uvc->v4l2_dev); error: -- 2.43.0