tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

usb: gadget: uvc: fix NULL pointer dereference during unbind race

Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly
shutdown") introduced two stages of synchronization waits totaling 1500ms
in uvc_function_unbind() to prevent several types of kernel panics.
However, this timing-based approach is insufficient during power
management (PM) transitions.

When the PM subsystem starts freezing user space processes, the
wait_event_interruptible_timeout() is aborted early, which allows the
unbind thread to proceed and nullify the gadget pointer
(cdev->gadget = NULL):

[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()
[ 814.178583][ T3173] PM: suspend entry (deep)
[ 814.192487][ T3173] Freezing user space processes
[ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release

When the PM subsystem resumes or aborts the suspend and tasks are
restarted, the V4L2 release path is executed and attempts to access the
already nullified gadget pointer, triggering a kernel panic:

[ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake
[ 814.386727][ T3173] Restarting tasks ...
[ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
[ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4
[ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94
[ 814.404078][ T4558] Call trace:
[ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4
[ 814.404083][ T4558] usb_function_deactivate+0x54/0x94
[ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c
[ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac
[ 814.404095][ T4558] v4l2_release+0xcc/0x130

Address the race condition and NULL pointer dereference by:

1. State Synchronization (flag + mutex)
Introduce a 'func_unbound' flag in struct uvc_device. This allows
uvc_function_disconnect() to safely skip accessing the nullified
cdev->gadget pointer. As suggested by Alan Stern, this flag is protected
by a new mutex (uvc->lock) to ensure proper memory ordering and prevent
instruction reordering or speculative loads. This mutex is also used to
protect 'func_connected' for consistent state management.

2. Explicit Synchronization (completion)
Use a completion to synchronize uvc_function_unbind() with the
uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by
ensuring struct uvc_device is freed after all video device resources
are released.

Fixes: b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Link: https://patch.msgid.link/20260320065427.1374555-1-hhhuuu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Jimmy Hu and committed by
Greg Kroah-Hartman eba2936b dd36014e

+43 -4
+36 -3
drivers/usb/gadget/function/f_uvc.c
··· 413 413 { 414 414 int ret; 415 415 416 + guard(mutex)(&uvc->lock); 417 + if (uvc->func_unbound) { 418 + dev_dbg(&uvc->vdev.dev, "skipping function deactivate (unbound)\n"); 419 + return; 420 + } 421 + 416 422 if ((ret = usb_function_deactivate(&uvc->func)) < 0) 417 423 uvcg_info(&uvc->func, "UVC disconnect failed with %d\n", ret); 418 424 } ··· 437 431 438 432 static DEVICE_ATTR_RO(function_name); 439 433 434 + static void uvc_vdev_release(struct video_device *vdev) 435 + { 436 + struct uvc_device *uvc = video_get_drvdata(vdev); 437 + 438 + /* Signal uvc_function_unbind() that the video device has been released */ 439 + if (uvc->vdev_release_done) 440 + complete(uvc->vdev_release_done); 441 + } 442 + 440 443 static int 441 444 uvc_register_video(struct uvc_device *uvc) 442 445 { ··· 458 443 uvc->vdev.v4l2_dev->dev = &cdev->gadget->dev; 459 444 uvc->vdev.fops = &uvc_v4l2_fops; 460 445 uvc->vdev.ioctl_ops = &uvc_v4l2_ioctl_ops; 461 - uvc->vdev.release = video_device_release_empty; 446 + uvc->vdev.release = uvc_vdev_release; 462 447 uvc->vdev.vfl_dir = VFL_DIR_TX; 463 448 uvc->vdev.lock = &uvc->video.mutex; 464 449 uvc->vdev.device_caps = V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_STREAMING; ··· 674 659 int ret = -EINVAL; 675 660 676 661 uvcg_info(f, "%s()\n", __func__); 662 + scoped_guard(mutex, &uvc->lock) 663 + uvc->func_unbound = false; 677 664 678 665 opts = fi_to_f_uvc_opts(f->fi); 679 666 /* Sanity check the streaming endpoint module parameters. */ ··· 1005 988 static void uvc_function_unbind(struct usb_configuration *c, 1006 989 struct usb_function *f) 1007 990 { 991 + DECLARE_COMPLETION_ONSTACK(vdev_release_done); 1008 992 struct usb_composite_dev *cdev = c->cdev; 1009 993 struct uvc_device *uvc = to_uvc(f); 1010 994 struct uvc_video *video = &uvc->video; 1011 995 long wait_ret = 1; 996 + bool connected; 1012 997 1013 998 uvcg_info(f, "%s()\n", __func__); 999 + scoped_guard(mutex, &uvc->lock) { 1000 + uvc->func_unbound = true; 1001 + uvc->vdev_release_done = &vdev_release_done; 1002 + connected = uvc->func_connected; 1003 + } 1014 1004 1015 1005 kthread_cancel_work_sync(&video->hw_submit); 1016 1006 ··· 1030 1006 * though the video device removal uevent. Allow some time for the 1031 1007 * application to close out before things get deleted. 1032 1008 */ 1033 - if (uvc->func_connected) { 1009 + if (connected) { 1034 1010 uvcg_dbg(f, "waiting for clean disconnect\n"); 1035 1011 wait_ret = wait_event_interruptible_timeout(uvc->func_connected_queue, 1036 1012 uvc->func_connected == false, msecs_to_jiffies(500)); ··· 1041 1017 video_unregister_device(&uvc->vdev); 1042 1018 v4l2_device_unregister(&uvc->v4l2_dev); 1043 1019 1044 - if (uvc->func_connected) { 1020 + scoped_guard(mutex, &uvc->lock) 1021 + connected = uvc->func_connected; 1022 + 1023 + if (connected) { 1045 1024 /* 1046 1025 * Wait for the release to occur to ensure there are no longer any 1047 1026 * pending operations that may cause panics when resources are cleaned ··· 1055 1028 uvc->func_connected == false, msecs_to_jiffies(1000)); 1056 1029 uvcg_dbg(f, "done waiting for release with ret: %ld\n", wait_ret); 1057 1030 } 1031 + 1032 + /* Wait for the video device to be released */ 1033 + wait_for_completion(&vdev_release_done); 1034 + uvc->vdev_release_done = NULL; 1058 1035 1059 1036 usb_ep_free_request(cdev->gadget->ep0, uvc->control_req); 1060 1037 kfree(uvc->control_buf); ··· 1078 1047 return ERR_PTR(-ENOMEM); 1079 1048 1080 1049 mutex_init(&uvc->video.mutex); 1050 + mutex_init(&uvc->lock); 1051 + uvc->func_unbound = true; 1081 1052 uvc->state = UVC_STATE_DISCONNECTED; 1082 1053 init_waitqueue_head(&uvc->func_connected_queue); 1083 1054 opts = fi_to_f_uvc_opts(fi);
+3
drivers/usb/gadget/function/uvc.h
··· 155 155 enum uvc_state state; 156 156 struct usb_function func; 157 157 struct uvc_video video; 158 + struct completion *vdev_release_done; 159 + struct mutex lock; /* protects func_unbound and func_connected */ 160 + bool func_unbound; 158 161 bool func_connected; 159 162 wait_queue_head_t func_connected_queue; 160 163
+4 -1
drivers/usb/gadget/function/uvc_v4l2.c
··· 574 574 if (sub->type < UVC_EVENT_FIRST || sub->type > UVC_EVENT_LAST) 575 575 return -EINVAL; 576 576 577 + guard(mutex)(&uvc->lock); 578 + 577 579 if (sub->type == UVC_EVENT_SETUP && uvc->func_connected) 578 580 return -EBUSY; 579 581 ··· 597 595 uvc_function_disconnect(uvc); 598 596 uvcg_video_disable(&uvc->video); 599 597 uvcg_free_buffers(&uvc->video.queue); 600 - uvc->func_connected = false; 598 + scoped_guard(mutex, &uvc->lock) 599 + uvc->func_connected = false; 601 600 wake_up_interruptible(&uvc->func_connected_queue); 602 601 } 603 602