Re: [PATCH] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
From: Greg KH
Date: Mon May 18 2026 - 09:18:46 EST
On Thu, Apr 30, 2026 at 06:41:04PM +0300, SnailSploit | Kai Aizen wrote:
> From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@xxxxxxxxxxxxxxxxxxxxxxxx>
>
> uvc_function_bind() walks &opts->extension_units twice without holding
> opts->lock:
>
> - directly, for the iExtension string-descriptor fixup loop;
> - indirectly, four times via uvc_copy_descriptors() (once per speed),
> where the helper iterates uvc->desc.extension_units (which aliases
> &opts->extension_units) to size and emit XU descriptors.
>
> The configfs side (uvcg_extension_make / uvcg_extension_drop, in
> drivers/usb/gadget/function/uvc_configfs.c) takes opts->lock around its
> list_add_tail / list_del operations. A privileged userspace process
> that holds the configfs subtree open and writes the gadget UDC name
> to bind the function while concurrently rmdir()'ing an extensions
> subdir can race uvcg_extension_drop() against the bind-time list walks
> and dereference a freed struct uvcg_extension.
>
> Hold opts->lock from the start of the XU string-descriptor fixup
> through the last uvc_copy_descriptors() call, releasing on the
> descriptor-error path via a new error_unlock label that drops the
> lock before falling through to the existing error label. This
> matches the locking discipline of the configfs callbacks and removes
> the only remaining unsynchronised reader of the XU list during bind.
>
> Reachability: only privileged processes that can mount configfs and
> write to gadget UDC files can trigger the race, so this is a
> correctness fix rather than a security boundary.
>
> Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: SnailSploit | Kai Aizen <95986478+SnailSploit@xxxxxxxxxxxxxxxxxxxxxxxx>
> ---
> drivers/usb/gadget/function/f_uvc.c | 28 +++++++++++++++++++++-------
> 1 file changed, 21 insertions(+), 7 deletions(-)
Did you send this twice?

Still need a real email address.

thanks,

greg k-h