MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2026-01-27 12:47:24 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
linux-yocto/include/linux/usb
History
Jimmy Hu baeb66fbd4 usb: gadget: udc: fix use-after-free in usb_gadget_state_work 
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:

  BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
  Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().

Commit 399a45e523 ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.

Fixes: 5702f75375 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue")
Cc: stable <stable@kernel.org>
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-10-28 15:46:02 +01:00
..
audio-v2.h
audio-v3.h
audio.h
c67x00.h
ccid.h
cdc_ncm.h
cdc-wdm.h
cdc.h
ch9.h
chipidea.h
composite.h
ehci_def.h
ehci_pdriver.h
ehci-dbgp.h
ezusb.h
func_utils.h
functionfs.h
g_hid.h
gadget_configfs.h
gadget.h usb: gadget: udc: fix use-after-free in usb_gadget_state_work 2025-10-28 15:46:02 +01:00
hcd.h workqueue: BH workqueue conversions for v6.9 2024-03-11 13:05:19 -07:00
input.h
iowarrior.h
irda.h
isp116x.h
isp1301.h
isp1362.h
ljca.h
m66592.h
mctp-usb.h
midi-v2.h
musb-ux500.h
musb.h
net2280.h
of.h
ohci_pdriver.h
onboard_dev.h
otg-fsm.h
otg.h
pd_ado.h
pd_bdo.h
pd_ext_sdb.h
pd_vdo.h
pd.h
phy_companion.h
phy.h
quirks.h
r8a66597.h
r8152.h r8152: add vendor/device ID pair for Dell Alienware AW1022z 2025-02-10 17:57:35 -08:00
renesas_usbhs.h
rndis_host.h
role.h usb: roles: fix include/linux/usb/role.h compile issue 2022-01-25 18:30:15 +01:00
rzv2m_usb3drd.h
serial.h
sl811.h
storage.h
tcpci.h usb: typec: tcpci: use GENMASK() for TCPC_TRANSMIT register fields 2024-08-07 12:49:30 +02:00
tcpm.h
tegra_usb_phy.h
typec_altmode.h
typec_dp.h
typec_mux.h
typec_retimer.h
typec_tbt.h
typec.h
uas.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ulpi.h usb: ulpi: Remove unused otg_ulpi_create 2025-03-03 10:23:35 +01:00
usb_phy_generic.h
usb338x.h
usbio.h
usbnet.h
uvc.h
webusb.h
xhci-dbgp.h
xhci-sideband.h