Commit baeb66fb authored by Jimmy Hu's avatar Jimmy Hu Committed by Greg Kroah-Hartman
Browse files

usb: gadget: udc: fix use-after-free in usb_gadget_state_work 



A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:

  BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
  Workqueue: events usb_gadget_state_work

The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().

Commit 399a45e5 ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.

This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.

Fixes: 5702f753 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue")
Cc: stable <stable@kernel.org>
Signed-off-by: default avatarJimmy Hu <hhhuuu@google.com>
Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent eb9ac779

drivers/usb/gadget/udc/core.c

+16 −1
Original line number Diff line number Diff line
@@ -1126,8 +1126,13 @@ static void usb_gadget_state_work(struct work_struct *work) 
void usb_gadget_set_state(struct usb_gadget *gadget,

		enum usb_device_state state)

{

	unsigned long flags;



	spin_lock_irqsave(&gadget->state_lock, flags);

	gadget->state = state;

	if (!gadget->teardown)

		schedule_work(&gadget->work);

	spin_unlock_irqrestore(&gadget->state_lock, flags);

	trace_usb_gadget_set_state(gadget, 0);

}

EXPORT_SYMBOL_GPL(usb_gadget_set_state);
@@ -1361,6 +1366,8 @@ static void usb_udc_nop_release(struct device *dev) 
void usb_initialize_gadget(struct device *parent, struct usb_gadget *gadget,

		void (*release)(struct device *dev))

{

	spin_lock_init(&gadget->state_lock);

	gadget->teardown = false;

	INIT_WORK(&gadget->work, usb_gadget_state_work);

	gadget->dev.parent = parent;
@@ -1535,6 +1542,7 @@ EXPORT_SYMBOL_GPL(usb_add_gadget_udc); 
void usb_del_gadget(struct usb_gadget *gadget)

{

	struct usb_udc *udc = gadget->udc;

	unsigned long flags;



	if (!udc)

		return;
@@ -1548,6 +1556,13 @@ void usb_del_gadget(struct usb_gadget *gadget) 
	kobject_uevent(&udc->dev.kobj, KOBJ_REMOVE);

	sysfs_remove_link(&udc->dev.kobj, "gadget");

	device_del(&gadget->dev);

	/*

	 * Set the teardown flag before flushing the work to prevent new work

	 * from being scheduled while we are cleaning up.

	 */

	spin_lock_irqsave(&gadget->state_lock, flags);

	gadget->teardown = true;

	spin_unlock_irqrestore(&gadget->state_lock, flags);

	flush_work(&gadget->work);

	ida_free(&gadget_id_numbers, gadget->id_number);

	cancel_work_sync(&udc->vbus_work);

include/linux/usb/gadget.h

+5 −0
Original line number Diff line number Diff line
@@ -376,6 +376,9 @@ struct usb_gadget_ops { 
 *	can handle. The UDC must support this and all slower speeds and lower

 *	number of lanes.

 * @state: the state we are now (attached, suspended, configured, etc)

 * @state_lock: Spinlock protecting the `state` and `teardown` members.

 * @teardown: True if the device is undergoing teardown, used to prevent

 *	new work from being scheduled during cleanup.

 * @name: Identifies the controller hardware type.  Used in diagnostics

 *	and sometimes configuration.

 * @dev: Driver model state for this abstract device.
@@ -451,6 +454,8 @@ struct usb_gadget { 
	enum usb_ssp_rate		max_ssp_rate;



	enum usb_device_state		state;

	spinlock_t			state_lock;

	bool				teardown;

	const char			*name;

	struct device			dev;

	unsigned			isoch_delay;