superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers
History
Michael Bommarito d96209626a usbip: vudc: Fix use after free bug in vudc_remove due to race condition 
This patch follows up Zheng Wang's 2023 report of a use-after-free in
vudc_remove(). The original thread stalled on Shuah Khan's request for
runtime testing of the unplug/unbind path. This patch supplies that
testing and keeps Zheng's original fix shape.

In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
vudc_remove() can then free the containing struct vudc while the timer is
still pending or executing.

KASAN confirms the race on an unpatched x86_64 QEMU guest with
CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
that repeatedly writes a socket fd to usbip_sockfd, closes the socket
pair, and unbinds/rebinds usbip-vudc.0:

  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
  Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
  Allocated by task 239:
    vudc_probe+0x4d/0xaa0
  Freed by task 239:
    kfree+0x18f/0x520
    device_release_driver_internal+0x388/0x540
    unbind_store+0xd9/0x100

This lands in the timer core rather than v_timer() itself because the
embedded timer_list is being walked after its containing struct vudc has
already been freed. The underlying lifetime bug is the same one Zheng
reported.

With v_stop_timer() called from vudc_remove() and the timer deleted
synchronously, the same harness completed 5000 bind/unbind iterations
with no KASAN report.

Fixes: b6a0ca1118 ("usbip: vudc: Add UDC specific ops")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2026-05-22 11:13:06 +02:00
..
accel accel/qaic: fix incorrect counter check in RAS message decode 2026-05-01 15:14:25 -06:00
accessibility
acpi Assorted arm64, ACPI and kselftest fixes for 7.1-rc2: 2026-05-01 16:32:42 -07:00
amba
android rust: allow `clippy::collapsible_if` globally 2026-04-30 23:21:31 +02:00
ata ata: pata_parport: switch to dynamic root device 2026-04-27 11:38:16 +02:00
atm net: remove unused ATM protocols and legacy ATM device drivers 2026-04-23 12:21:14 -07:00
auxdisplay
base regmap: sdw-mbq: Fix spelling mistake "undeferable" -> "undeferrable" 2026-04-27 06:48:16 +09:00
bcma
block ublk: fix use-after-free in ublk_cancel_cmd() 2026-05-08 06:44:42 -06:00
bluetooth Bluetooth: virtio_bt: validate rx pkt_type header length 2026-05-06 16:22:33 -04:00
bus Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
cache
cdrom cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() 2026-04-27 15:52:51 -06:00
cdx
char IPMI: Fix a number of issues that came up recently 2026-05-04 12:48:30 -07:00
clk clk: rk808: fix OF node reference imbalance 2026-04-28 20:55:53 -07:00
clocksource
comedi Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
connector
counter Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
cpufreq Devicetree updates for v7.1: 2026-04-17 14:09:02 -07:00
cpuidle powerpc updates for 7.1 2026-04-14 17:10:15 -07:00
crypto crypto: ccp - copy IV using skcipher ivsize 2026-04-16 17:37:03 +08:00
cxl CXL changes for v7.1 2026-04-17 15:52:58 -07:00
dax dax changes for 7.1 2026-04-21 14:12:01 -07:00
dca
devfreq PM / devfreq: tegra30-devfreq: add support for Tegra114 2026-04-04 03:15:39 +09:00
dibs
dio
dma dmaengine updates for v7.1 2026-04-17 10:29:01 -07:00
dma-buf drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
dpll dpll: export __dpll_pin_change_ntf() for use under dpll_lock 2026-04-30 11:37:39 +02:00
edac EDAC/versalnet: Fix device name memory leak 2026-05-05 14:49:48 +02:00
eisa
extcon
firewire
firmware efi/libstub: Synchronize instruction cache after kernel relocation 2026-04-29 08:56:16 +02:00
fpga
fsi
fwctl fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal 2026-04-10 11:21:06 -03:00
gnss
gpib Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
gpio gpio fixes for v7.1-rc1 2026-04-24 11:59:46 -07:00
gpu drm: Set old handle to NULL before prime swap in change_handle 2026-05-08 17:53:59 +10:00
greybus greybus: gb-beagleplay: bound bootloader receive buffering 2026-04-02 15:55:09 +02:00
hid Input updates for v7.1-rc0 2026-04-22 18:36:40 -07:00
hsi HSI: omap_ssi_port: remove depends on ARM 2026-04-02 22:33:44 +02:00
hte hte: tegra194: Add Tegra264 GTE support 2026-04-12 23:29:31 -07:00
hv drm fixes for 7.1-rc1 2026-04-24 11:44:52 -07:00
hwmon hwmon: (ads7871) Fix endianness bug in 16-bit register reads 2026-05-07 16:30:12 -07:00
hwspinlock hwspinlock: u8500: delete driver 2026-04-06 09:43:18 -05:00
hwtracing Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
i2c i2c: smbus: reject oversized block transfers in the common path 2026-05-07 10:59:07 +02:00
i3c i3c: mipi-i3c-hci: fix IBI payload length calculation for final status 2026-04-12 22:06:02 +02:00
idle
iio Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
infiniband RDMA/hns: Fix unlocked call to hns_roce_qp_remove() 2026-05-02 15:30:48 -03:00
input Input updates for v7.1-rc0 2026-04-22 18:36:40 -07:00
interconnect This pull request contains the interconnect changes for the 7.1-rc1 2026-04-07 10:06:50 +02:00
iommu iommu/amd: Fix precedence order in set_dte_passthrough() 2026-05-04 10:26:16 +02:00
ipack
irqchip Arm: 2026-04-17 07:18:03 -07:00
leds leds: class: Make led_remove_lookup() NULL-aware 2026-04-09 13:49:19 +01:00
macintosh
mailbox mailbox: mailbox-test: make data_ready a per-instance variable 2026-04-18 13:10:14 -05:00
mcb
md block-7.1-20260430 2026-05-01 11:26:15 -07:00
media media: qcom: camss: avoid format string warning 2026-04-27 08:41:22 +02:00
memory dma-mapping updates for Linux 7.0: 2026-04-17 11:12:42 -07:00
memstick
message
mfd MFD for v7.1 2026-04-20 11:31:01 -07:00
misc Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
mmc mmc: sdhci-msm: Fix the wrapped key handling 2026-04-10 10:29:58 +02:00
most most: usb: Use kzalloc_objs for endpoint address array 2026-04-02 17:06:09 +02:00
mtd mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW 2026-04-27 15:08:04 +02:00
mux Char/Misc/IIO/and others driver updates for 7.1-rc1 2026-04-24 13:23:50 -07:00
net Including fixes from Netfilter, IPsec, Bluetooth and WiFi. 2026-05-07 10:32:03 -07:00
nfc NFC: trf7970a: Ignore antenna noise when checking for RF field 2026-04-27 18:00:43 -07:00
ntb pci-v7.1-changes 2026-04-15 14:41:21 -07:00
nubus
nvdimm vfs-7.1-rc1.integrity 2026-04-13 10:40:26 -07:00
nvme nvme fixes for Linux 7.1 2026-04-27 15:47:21 -06:00
nvmem Linux 7.0-rc7 2026-04-06 09:04:53 +02:00
of memblock: updates for 7.0-rc1 2026-04-18 11:29:14 -07:00
opp
parisc parisc: Fix IRQ leak in LASI driver 2026-05-04 11:48:12 +02:00
parport parport: Remove completed item from to-do list 2026-04-02 17:05:56 +02:00
pci PCI: Initialize temporary device in new_id_store() 2026-05-08 15:50:06 -05:00
pcmcia PCMCIA fixes and cleanups for v7.1 2026-04-23 11:22:16 -07:00
peci
perf arm64 updates for 7.1: 2026-04-14 16:48:56 -07:00
phy phy-for-7.1 2026-04-17 10:22:08 -07:00
pinctrl Pin control changes for the v7.1 kernel cycle: 2026-04-18 16:59:09 -07:00
platform platform-drivers-x86 for v7.1-2 2026-05-07 08:46:27 -07:00
pmdomain pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() 2026-04-27 14:53:30 +02:00
pnp
power USB / Thunderbolt changes for 7.1-rc1 2026-04-19 08:47:40 -07:00
powercap powercap: intel_rapl: Consolidate PL4 and PMU support flags into rapl_defaults 2026-04-01 16:03:05 +02:00
pps pps: change pps_class to a const struct 2026-04-02 16:33:00 +02:00
ps3
ptp
pwm pwm: Two driver fixes 2026-04-23 08:37:07 -07:00
rapidio
ras
regulator regulator: qcom-rpmh: Fix index for pmh0101 ldo16 2026-05-06 21:26:30 +09:00
remoteproc rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
resctrl arm64 updates for 7.1 (second round): 2026-04-20 16:46:22 -07:00
reset reset: eyeq: drop device_set_of_node_from_dev() done by parent 2026-04-28 19:03:50 -07:00
rpmsg rpmsg: Constify buffer passed to send API 2026-04-06 09:37:51 -05:00
rtc RTC for 7.1 2026-04-25 16:39:03 -07:00
s390 s390/sclp: Remove SCLP_OFB Kconfig option 2026-04-28 14:45:02 +02:00
sbus
scsi SCSI fixes on 20260505 2026-05-05 14:38:31 -07:00
sh
siox
slimbus
soc rpmsg updates for v7.1 2026-04-17 14:18:55 -07:00
soundwire soundwire updates for 7.1 2026-04-17 10:16:53 -07:00
spi spi: ch341: correct company name in MODULE_DESCRIPTION 2026-05-06 23:09:33 +09:00
spmi
ssb
staging staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc 2026-05-04 11:36:47 +02:00
target Merge branch '7.1/scsi-queue' into 7.1/scsi-fixes 2026-04-26 21:15:04 -04:00
tc
tee soc: drivers for 7.1 2026-04-16 20:34:34 -07:00
thermal bitmap updates for v7.1 2026-04-14 08:55:18 -07:00
thunderbolt thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() 2026-05-11 11:32:03 +02:00
tty TTY/Serial changes for 7.1-rc1 2026-04-19 08:44:41 -07:00
ufs scsi: ufs: core: Fix bRefClkFreq write failure in HS-LSS mode 2026-04-21 20:58:06 -04:00
uio uio: replace deprecated mmap hook with mmap_prepare in uio_info 2026-04-05 13:53:44 -07:00
usb usbip: vudc: Fix use after free bug in vudc_remove due to race condition 2026-05-22 11:13:06 +02:00
vdpa vdpa: use generic driver_override infrastructure 2026-04-04 00:47:50 +02:00
vfio vfio/cdx: Consolidate MSI configured state onto cdx_irqs 2026-04-21 12:01:22 -06:00
vhost Including fixes from Netfilter. 2026-04-23 16:50:42 -07:00
video fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free 2026-05-04 10:35:55 +02:00
virt tsm for 7.1 2026-04-26 09:51:29 -07:00
virtio mm.git review status for linus..mm-stable 2026-04-15 12:59:16 -07:00
w1 w1: ds2490: drop redundant device reference 2026-04-03 10:55:12 +02:00
watchdog watchdog: ni903x_wdt: Convert to a platform driver 2026-04-07 21:06:59 +02:00
xen xen/privcmd: fix double free via VMA splitting 2026-04-23 15:32:59 +02:00
zorro
Kconfig net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00
Makefile net: remove ISDN subsystem and Bluetooth CMTP 2026-04-23 10:24:02 -07:00