<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/next/linux-next.git/drivers/usb/gadget/function, branch master</title>
<subtitle>The linux-next integration testing tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=master</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/'/>
<updated>2026-07-08T11:32:16+00:00</updated>
<entry>
<title>usb: gadget: function: rndis: add length check for header</title>
<updated>2026-07-08T11:32:16+00:00</updated>
<author>
<name>Griffin Kroah-Hartman</name>
<email>griffin@kroah.com</email>
</author>
<published>2026-07-08T11:08:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=21b5bf155435008e0fb0736795289788e63d426f'/>
<id>urn:sha1:21b5bf155435008e0fb0736795289788e63d426f</id>
<content type='text'>
Add a length check for the rndis header in rndis_rm_hdr, to ensure that
MessageType, MessageLength, DataOffset, and DataLength fields are
present before they are accessed.

Assisted-by: gkh_clanker_2000
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Griffin Kroah-Hartman &lt;griffin@kroah.com&gt;
Link: https://patch.msgid.link/20260708-usb-gadget-rndis-v1-2-e77e026dcc6a@kroah.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: function: rndis: add length check to response query</title>
<updated>2026-07-08T11:32:14+00:00</updated>
<author>
<name>Griffin Kroah-Hartman</name>
<email>griffin@kroah.com</email>
</author>
<published>2026-07-08T11:08:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=95f90eea070837f7c72207d5520f805bdefc3bc5'/>
<id>urn:sha1:95f90eea070837f7c72207d5520f805bdefc3bc5</id>
<content type='text'>
Add variable representations for BufLength and BufOffset in
rndis_query_response(), and perform a length check on them.

This is identical to how rndis_set_response() handles these parameters.

Assisted-by: gkh_clanker_2000
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Griffin Kroah-Hartman &lt;griffin@kroah.com&gt;
Link: https://patch.msgid.link/20260708-usb-gadget-rndis-v1-1-e77e026dcc6a@kroah.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_printer: take kref only for successful open</title>
<updated>2026-07-08T11:29:57+00:00</updated>
<author>
<name>Xu Rao</name>
<email>raoxu@uniontech.com</email>
</author>
<published>2026-06-26T06:46:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=30adce93d5c4a5a1ec29d9249e3fdfcc391d406b'/>
<id>urn:sha1:30adce93d5c4a5a1ec29d9249e3fdfcc391d406b</id>
<content type='text'>
printer_open() returns -EBUSY when the character device is already
open, but it increments dev-&gt;kref regardless of the return value. VFS
does not call -&gt;release() for a failed open, so every rejected second
open permanently leaks one reference.

Move kref_get() into the successful-open branch.

Fixes: e8d5f92b8d30 ("usb: gadget: function: printer: fix use-after-free in __lock_acquire")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Xu Rao &lt;raoxu@uniontech.com&gt;
Link: https://patch.msgid.link/80295742B820DA9B+20260626064617.4090626-1-raoxu@uniontech.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Tie read_buffer lifetime to ffs_epfile</title>
<updated>2026-06-25T14:24:00+00:00</updated>
<author>
<name>Neill Kapron</name>
<email>nkapron@google.com</email>
</author>
<published>2026-06-19T04:06:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=8bdcf96eb135aebacac319667f87db034fb38406'/>
<id>urn:sha1:8bdcf96eb135aebacac319667f87db034fb38406</id>
<content type='text'>
Currently, ffs_epfile_release unconditionally frees the endpoint's
read_buffer when a file descriptor is closed. If userspace explicitly
opens the endpoint multiple times and closes one, the read_buffer is
destroyed. This can lead to silent data loss if other file descriptors
are still actively reading from the endpoint.

By tying the lifetime of the read_buffer to the ffs_epfile structure itself
(which is destroyed when the functionfs instance is torn down in
ffs_epfiles_destroy), we eliminate the brittle dependency on open/release
calls while correctly matching the conceptual lifetime of unread data on
the hardware endpoint.

Fixes: 9353afbbfa7b ("usb: gadget: f_fs: buffer data from ‘oversized’ OUT requests")
Cc: stable &lt;stable@kernel.org&gt;
Assisted-by: Antigravity:gemini-3.1-pro
Signed-off-by: Neill Kapron &lt;nkapron@google.com&gt;
Link: https://patch.msgid.link/20260619040609.4010746-3-nkapron@google.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Initialize epfile-&gt;in early to fix endpoint direction checks</title>
<updated>2026-06-25T14:23:51+00:00</updated>
<author>
<name>Neill Kapron</name>
<email>nkapron@google.com</email>
</author>
<published>2026-06-19T04:06:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=82cfd4739011bdc7e87b5d585703427e89ddfaa5'/>
<id>urn:sha1:82cfd4739011bdc7e87b5d585703427e89ddfaa5</id>
<content type='text'>
When parsing endpoint descriptors, ffs_data_got_descs() generates the
eps_addrmap which contains the endpoint direction. However, epfile-&gt;in
was previously only populated in ffs_func_eps_enable() which executes
upon USB host connection. As a result, early userspace ioctls like
FUNCTIONFS_DMABUF_ATTACH that run before the host connects would see
epfile-&gt;in as 0, leading to incorrect DMA directions.

By moving the initialization to ffs_epfiles_create(), epfile-&gt;in is
accurate before userspace opens the endpoint files.

Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Cc: stable &lt;stable@kernel.org&gt;
Assisted-by: Antigravity:gemini-3.1-pro
Signed-off-by: Neill Kapron &lt;nkapron@google.com&gt;
Link: https://patch.msgid.link/20260619040609.4010746-2-nkapron@google.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: initialize reset_work at allocation time</title>
<updated>2026-06-25T14:12:32+00:00</updated>
<author>
<name>Tyler Baker</name>
<email>tyler.baker@oss.qualcomm.com</email>
</author>
<published>2026-06-09T19:36:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3137b243c93982fe3460335e12f9247739766e10'/>
<id>urn:sha1:3137b243c93982fe3460335e12f9247739766e10</id>
<content type='text'>
ffs_fs_kill_sb() unconditionally calls cancel_work_sync() on
ffs-&gt;reset_work when a functionfs instance is unmounted:

	ffs_data_reset(ffs);
	cancel_work_sync(&amp;ffs-&gt;reset_work);

However ffs-&gt;reset_work is only ever initialized via INIT_WORK() in
ffs_func_set_alt() and ffs_func_disable(), and only on the
FFS_DEACTIVATED path. That state is reached solely by ffs_data_closed()
when the instance is mounted with the "no_disconnect" option, so for the
common case (no "no_disconnect", or mounted and unmounted without ever
being deactivated) reset_work is never initialized.

ffs_data_new() allocates the ffs_data with kzalloc_obj() and does not
initialize reset_work, and ffs_data_reset()/ffs_data_clear() do not touch
it either, so reset_work.func is left NULL. cancel_work_sync() on such a
work then trips the WARN_ON(!work-&gt;func) guard in __flush_work():

  WARNING: kernel/workqueue.c:4301 at __flush_work+0x330/0x360, CPU#3: umount
  Call trace:
   __flush_work
   cancel_work_sync
   ffs_fs_kill_sb [usb_f_fs]
   deactivate_locked_super
   deactivate_super
   cleanup_mnt
   __cleanup_mnt
   task_work_run
   exit_to_user_mode_loop
   el0_svc

On older kernels cancel_work_sync() on a zero-initialized work struct was
a silent no-op, which hid the missing initialization.

Initialize reset_work once in ffs_data_new() so it is always valid for
the lifetime of the ffs_data, and drop the now-redundant INIT_WORK()
calls from the two deactivation paths.

Fixes: 18d6b32fca38 ("usb: gadget: f_fs: add "no_disconnect" mode")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Tyler Baker &lt;tyler.baker@oss.qualcomm.com&gt;
Cc: Loic Poulain &lt;loic.poulain@oss.qualcomm.com&gt;
Cc: Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;
Cc: Srinivas Kandagatla &lt;srinivas.kandagatla@oss.qualcomm.com&gt;
Tested-by: Loic Poulain &lt;loic.poulain@oss.qualcomm.com&gt;
Reviewed-by: Peter Chen &lt;peter.chen@kernel.org&gt;
Acked-by: Michał Nazarewicz &lt;mina86@mina86.com&gt;
Link: https://patch.msgid.link/20260609193635.2284430-1-tyler.baker@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: Fix DMA fence leak</title>
<updated>2026-06-25T14:11:56+00:00</updated>
<author>
<name>Paul Cercueil</name>
<email>paul@crapouillou.net</email>
</author>
<published>2026-06-09T15:29:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=baa6b6068a3f2bf2ed525a1cb37975905dadc658'/>
<id>urn:sha1:baa6b6068a3f2bf2ed525a1cb37975905dadc658</id>
<content type='text'>
In ffs_dmabuf_transfer(), a ffs_dma_fence object is kmalloc'd, with the
underlying dma_fence later initialized by dma_fence_init(), which sets
its kref counter to 1. Then, dma_resv_add_fence() gets a second
reference, and a pointer to the ffs_dma_fence is passed as the
usb_request's "context" field.

The dma-resv mechanism will manage the second reference, but the first
reference is never properly released; the ffs_dmabuf_cleanup() function
decreases the reference count, but only to balance with the reference
grab in ffs_dmabuf_signal_done().

The code will then slowly leak memory as more ffs_dma_fence objects are
created without being ever freed.

Address this issue by transferring ownership of the fence to the DMA
reservation object, by calling dma_fence_put() right after
dma_resv_add_fence(). The ffs_dma_fence then gets properly discarded
after being signalled.

Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Paul Cercueil &lt;paul@crapouillou.net&gt;
Tested-by: Nuno Sá &lt;nuno.sa@analog.com&gt;
Reviewed-by: Nuno Sá &lt;nuno.sa@analog.com&gt;
Link: https://patch.msgid.link/20260609152905.729328-1-paul@crapouillou.net
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: serialize DMABUF cancel against request completion</title>
<updated>2026-05-22T09:20:43+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-04-19T16:12:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=2796646f6d892c1eb6818c7ca41fdfa12568e8d1'/>
<id>urn:sha1:2796646f6d892c1eb6818c7ca41fdfa12568e8d1</id>
<content type='text'>
ffs_epfile_dmabuf_io_complete() calls usb_ep_free_request() on the
completed request but leaves priv-&gt;req, the back-pointer that
ffs_dmabuf_transfer() set on submission, pointing at the freed
memory.  A later FUNCTIONFS_DMABUF_DETACH ioctl or
ffs_epfile_release() on the close path still sees priv-&gt;req
non-NULL under ffs-&gt;eps_lock:

    if (priv-&gt;ep &amp;&amp; priv-&gt;req)
            usb_ep_dequeue(priv-&gt;ep, priv-&gt;req);

so usb_ep_dequeue() is called on a freed usb_request.

On dummy_hcd the dequeue path only walks a live queue and
pointer-compares, so the freed pointer reads without faulting and
KASAN requires an explicit check at the FunctionFS call site to
surface the use-after-free.  On SG-capable in-tree UDCs the
dequeue path dereferences the supplied request immediately:

  * chipidea's ep_dequeue() does
    container_of(req, struct ci_hw_req, req) and reads
    hwreq-&gt;req.status before acquiring its own lock.
  * cdnsp's cdnsp_gadget_ep_dequeue() reads request-&gt;status first.

The narrower option of clearing priv-&gt;req via cmpxchg() in the
completion does not close the race: the completion runs without
eps_lock, so a cancel path holding eps_lock can still observe
priv-&gt;req non-NULL, race a concurrent completion that clears and
frees, and pass the freed pointer to usb_ep_dequeue().  A slightly
longer fix that moves the free into the cleanup work is needed.

Same class of lifetime race as the recent usbip-vudc timer fix [1].

Take eps_lock in the sole place that mutates priv-&gt;req from the
callback direction by moving usb_ep_free_request() out of the
completion into ffs_dmabuf_cleanup(), the existing work handler
scheduled by ffs_dmabuf_signal_done() on
ffs-&gt;io_completion_wq.  Clear priv-&gt;req there under eps_lock
before freeing, and only clear if priv-&gt;req still names our
request (a subsequent ffs_dmabuf_transfer() on the same
attachment may have queued a new one).

This keeps the existing dummy_hcd sync-dequeue invariant: the
completion callback is still invoked by the UDC without
eps_lock held (dummy_hcd drops its own lock before calling the
callback), and the callback now takes no f_fs lock at all.
Serialization against the cancel path happens in cleanup, which
runs from the workqueue with no f_fs lock held on entry.

The priv ref count protects the containing ffs_dmabuf_priv:
ffs_dmabuf_transfer() takes a ref via ffs_dmabuf_get(), cleanup
drops it via ffs_dmabuf_put(), so priv stays live for the
cleanup even after the cancel path's list_del + ffs_dmabuf_put.

The ffs_dmabuf_transfer() error path no longer frees usb_req
inline: fence-&gt;req and fence-&gt;ep are set before usb_ep_queue(),
so ffs_dmabuf_cleanup() (scheduled by the error-path
ffs_dmabuf_signal_done()) owns the free regardless of whether
the queue succeeded.

Reproduced under KASAN on both detach and close paths against
dummy_hcd with an observability hook
(kasan_check_byte(priv-&gt;req) immediately before usb_ep_dequeue)
at the two FunctionFS cancel sites to surface the stale-pointer
access; the hook is not part of this patch.  The KASAN
allocator / free stacks in the captured splats identify the
same request: alloc in dummy_alloc_request, free in
dummy_timer, fault reached from ffs_epfile_release (close) and
from the FUNCTIONFS_DMABUF_DETACH ioctl (detach).  With the
patch applied, both paths are silent under the same hook.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace or from a USB host on the
cable.  FunctionFS mounts default to GLOBAL_ROOT_UID, but the
filesystem supports uid=, gid=, and fmode= delegation to a
non-root gadget daemon, so on real deployments the attacker may
be a less-privileged service rather than root.

Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Link: https://lore.kernel.org/all/20260417163552.807548-1-michael.bommarito@gmail.com/ [1]
Cc: stable &lt;stable@kernel.org&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Link: https://patch.msgid.link/20260419161227.1587668-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_fs: copy only received bytes on short ep0 read</title>
<updated>2026-05-22T09:20:30+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-04-19T16:03:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4e036c10e7f4df5d951c69cc3697bc8e209c6d02'/>
<id>urn:sha1:4e036c10e7f4df5d951c69cc3697bc8e209c6d02</id>
<content type='text'>
ffs_ep0_read() allocates its control-OUT data buffer with
kmalloc() (not kzalloc) at the Length value from the Setup
packet, then copies that full len to userspace regardless of
how many bytes were actually received:

    data = kmalloc(len, GFP_KERNEL);
    ...
    ret = __ffs_ep0_queue_wait(ffs, data, len);
    if ((ret &gt; 0) &amp;&amp; (copy_to_user(buf, data, len)))
            ret = -EFAULT;

__ffs_ep0_queue_wait() returns req-&gt;actual, which on a short
control OUT transfer is strictly less than len.  The
copy_to_user() call still copies len bytes, so on a short OUT
the last (len - ret) bytes of the kmalloc() buffer --
uninitialised slab residue -- are delivered to the FunctionFS
daemon.

Short ep0 OUT completions are specified USB control-transfer
behavior and are produced by in-tree UDCs:

  * dwc2 continues on req-&gt;actual &lt; req-&gt;length for ep0 DATA OUT
    (short-not-ok is the only ep0-OUT stall path).
  * aspeed_udc ends ep0 OUT on rx_len &lt; ep-&gt;ep.maxpacket.
  * renesas_usbf logs "ep0 short packet" and completes the
    request.
  * dwc3 stalls on short IN but not on short OUT.

A short ep0 OUT is therefore not evidence of a broken UDC; it is
a normal condition f_fs has to cope with.  The sibling gadgetfs
implementation in drivers/usb/gadget/legacy/inode.c already does
this correctly via min(len, dev-&gt;req-&gt;actual) before
copy_to_user().  This patch brings f_fs.c to the same safe
pattern rather than trimming at a defensive layer.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace.  Linux host stacks
normally reject short-wLength control OUTs before they reach
the gadget, so reproducing this required a build that
bypasses that host-side check.  With the bypass in place, a
1-byte payload on a 64-byte Setup produces 63 bytes of
non-canary slab residue in the daemon's read buffer.

Fix by copying only ret (actually received) bytes to
userspace.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable &lt;stable@kernel.org&gt;
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Link: https://patch.msgid.link/20260419160359.1577270-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: uvc: hold opts-&gt;lock across XU walks in uvc_function_bind</title>
<updated>2026-05-22T08:35:36+00:00</updated>
<author>
<name>Kai Aizen</name>
<email>kai.aizen.dev@gmail.com</email>
</author>
<published>2026-04-30T17:56:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=68aa70648b625fa684bc0b71bbfd905f4943ca20'/>
<id>urn:sha1:68aa70648b625fa684bc0b71bbfd905f4943ca20</id>
<content type='text'>
uvc_function_bind() walks &amp;opts-&gt;extension_units twice without holding
opts-&gt;lock:

  - directly, for the iExtension string-descriptor fixup loop;
  - indirectly, four times via uvc_copy_descriptors() (once per speed),
    where the helper iterates uvc-&gt;desc.extension_units (which aliases
    &amp;opts-&gt;extension_units) to size and emit XU descriptors.

The configfs side (uvcg_extension_make / uvcg_extension_drop, in
drivers/usb/gadget/function/uvc_configfs.c) takes opts-&gt;lock around its
list_add_tail / list_del operations.  A privileged userspace process
that holds the configfs subtree open and writes the gadget UDC name
to bind the function while concurrently rmdir()'ing an extensions
subdir can race uvcg_extension_drop() against the bind-time list walks
and dereference a freed struct uvcg_extension.

Hold opts-&gt;lock from the start of the XU string-descriptor fixup
through the last uvc_copy_descriptors() call, releasing on the
descriptor-error path via a new error_unlock label that drops the
lock before falling through to the existing error label.  This
matches the locking discipline of the configfs callbacks and removes
the only remaining unsynchronised reader of the XU list during bind.

Reachability: only privileged processes that can mount configfs and
write to gadget UDC files can trigger the race, so this is a
correctness fix rather than a security boundary.

Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Kai Aizen &lt;kai.aizen.dev@gmail.com&gt;
Link: https://patch.msgid.link/20260430175643.67120-1-kai.aizen.dev@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
