<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/usb/gadget/function/f_tcm.c, branch linux-7.0.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-02-23T19:22:00+00:00</updated>
<entry>
<title>usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling</title>
<updated>2026-02-23T19:22:00+00:00</updated>
<author>
<name>Jiasheng Jiang</name>
<email>jiashengjiangcool@gmail.com</email>
</author>
<published>2026-02-19T02:38:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b9fde507355342a2d64225d582dc8b98ff5ecb19'/>
<id>urn:sha1:b9fde507355342a2d64225d582dc8b98ff5ecb19</id>
<content type='text'>
The `tpg-&gt;tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be
NULL if the USB host sends requests before the nexus is fully
established or immediately after it is dropped.

Currently, functions like `bot_submit_command()` and the data
transfer paths retrieve `tv_nexus = tpg-&gt;tpg_nexus` and immediately
dereference `tv_nexus-&gt;tvn_se_sess` without any validation. If a
malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
command during this race window, it triggers a NULL pointer
dereference, leading to a kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.

Fix this by bringing consistency to the nexus handling. Add the
missing `if (!tv_nexus)` checks to the vulnerable BOT command and
request processing paths, aborting the command gracefully with an
error instead of crashing the system.

Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Jiasheng Jiang &lt;jiashengjiangcool@gmail.com&gt;
Reviewed-by: Thinh Nguyen &lt;Thinh.Nguyen@synopsys.com&gt;
Link: https://patch.msgid.link/20260219023834.17976-1-jiashengjiangcool@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Convert 'alloc_obj' family to use the new default GFP_KERNEL argument</title>
<updated>2026-02-22T01:09:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-02-22T00:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43'/>
<id>urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43</id>
<content type='text'>
This was done entirely with mindless brute force, using

    git grep -l '\&lt;k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
        xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'

to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.

Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.

For the same reason the 'flex' versions will be done as a separate
conversion.

Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>treewide: Replace kmalloc with kmalloc_obj for non-scalar types</title>
<updated>2026-02-21T09:02:28+00:00</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2026-02-21T07:49:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=69050f8d6d075dc01af7a5f2f550a8067510366f'/>
<id>urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f</id>
<content type='text'>
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:

Single allocations:	kmalloc(sizeof(TYPE), ...)
are replaced with:	kmalloc_obj(TYPE, ...)

Array allocations:	kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with:	kmalloc_objs(TYPE, COUNT, ...)

Flex array allocations:	kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with:	kmalloc_flex(*PTR, FAM, COUNT, ...)

(where TYPE may also be *VAR)

The resulting allocations no longer return "void *", instead returning
"TYPE *".

Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_tcm: initialize data_len in UAS path for consistency</title>
<updated>2026-01-14T14:58:13+00:00</updated>
<author>
<name>Jiasheng Jiang</name>
<email>jiashengjiangcool@gmail.com</email>
</author>
<published>2026-01-07T19:06:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=da0faa257f10da39052ca7f1cfa35179ca8749e5'/>
<id>urn:sha1:da0faa257f10da39052ca7f1cfa35179ca8749e5</id>
<content type='text'>
In usbg_submit_command(), which handles the UAS protocol, the 'data_len'
member of the 'usbg_cmd' structure was left uninitialized by the
logic, relying instead on the zeroing performed by usbg_get_cmd().

In contrast, the BOT path (bot_submit_command) explicitly initializes
this field from the Command Block Wrapper (CBW). This discrepancy is
evident in error handling paths where __target_init_cmd() is called
using cmd-&gt;data_len.

Explicitly initialize cmd-&gt;data_len to 0 in the UAS path and use this
variable when calling target_submit_cmd(). This ensures architectural
consistency between the UAS and BOT protocols within the driver and
avoids reliance on implicit memory state during error transitions.

Signed-off-by: Jiasheng Jiang &lt;jiashengjiangcool@gmail.com&gt;
Link: https://patch.msgid.link/20260107190622.26070-1-jiashengjiangcool@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: Constify struct configfs_item_operations and configfs_group_operations</title>
<updated>2025-12-23T14:31:01+00:00</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2025-12-19T17:16:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e715bc42e337b6f54ada7262e1bbc0b7860525c2'/>
<id>urn:sha1:e715bc42e337b6f54ada7262e1bbc0b7860525c2</id>
<content type='text'>
'struct configfs_item_operations' and 'configfs_group_operations' are not
modified in these drivers.

Constifying these structures moves some data to a read-only section, so
it increases overall security, especially when the structure holds some
function pointers.

On an x86_64, with allmodconfig, as an example:
Before:
======
   text	   data	    bss	    dec	    hex	filename
  65061	  20968	    256	  86285	  1510d	drivers/usb/gadget/configfs.o

After:
=====
   text	   data	    bss	    dec	    hex	filename
  66181	  19848	    256	  86285	  1510d	drivers/usb/gadget/configfs.o

Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Link: https://patch.msgid.link/49cec1cb84425f854de80b6d69b53a5a3cda8189.1766164523.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: potential integer overflow in usbg_make_tpg()</title>
<updated>2025-04-15T12:29:33+00:00</updated>
<author>
<name>Chen Yufeng</name>
<email>chenyufeng@iie.ac.cn</email>
</author>
<published>2025-04-15T06:58:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=153874010354d050f62f8ae25cbb960c17633dc5'/>
<id>urn:sha1:153874010354d050f62f8ae25cbb960c17633dc5</id>
<content type='text'>
The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
assigned to tpgt-&gt;tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I
haven't tried to trigger it myself, but it is possible to trigger it
by calling usbg_make_tpg() with a large value for tpgt.

I modified the type of tpgt to match tpgt-&gt;tport_tpgt and adjusted the
relevant code accordingly.

This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
memory corruption").

Signed-off-by: Chen Yufeng &lt;chenyufeng@iie.ac.cn&gt;
Link: https://lore.kernel.org/r/20250415065857.1619-1-chenyufeng@iie.ac.cn
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_tcm: Refactor goto check_condition</title>
<updated>2024-12-24T07:56:08+00:00</updated>
<author>
<name>Thinh Nguyen</name>
<email>Thinh.Nguyen@synopsys.com</email>
</author>
<published>2024-12-11T00:34:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d7123c77dc6072b028291355e4c4be0ad8046066'/>
<id>urn:sha1:d7123c77dc6072b028291355e4c4be0ad8046066</id>
<content type='text'>
Move the command initialization before the check_condition to after the
goto statement for a cleaner look. No functional change here.

Signed-off-by: Thinh Nguyen &lt;Thinh.Nguyen@synopsys.com&gt;
Link: https://lore.kernel.org/r/8442364f51f2788d2a191997581a8eda7a143272.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_tcm: Track BOT command kref</title>
<updated>2024-12-24T07:56:08+00:00</updated>
<author>
<name>Thinh Nguyen</name>
<email>Thinh.Nguyen@synopsys.com</email>
</author>
<published>2024-12-11T00:34:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=de92fb3fc2bd20ac9ad267af4dfb075b8e792fbc'/>
<id>urn:sha1:de92fb3fc2bd20ac9ad267af4dfb075b8e792fbc</id>
<content type='text'>
Set the TARGET_SCF_ACK_KREF flag and allow f_tcm to take the BOT command
reference. A USB request may be canceled, and f_tcm knows this. Let it
decide whether the command should be freed. This is the same as how the UAS
interface is done.

Signed-off-by: Thinh Nguyen &lt;Thinh.Nguyen@synopsys.com&gt;
Link: https://lore.kernel.org/r/e791c639e91b5d91a8787f5d6902e8c58f1dc172.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_tcm: Requeue command request on error</title>
<updated>2024-12-24T07:56:08+00:00</updated>
<author>
<name>Thinh Nguyen</name>
<email>Thinh.Nguyen@synopsys.com</email>
</author>
<published>2024-12-11T00:34:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3ce3b2108f38059e0830222da4c3003aff2ab097'/>
<id>urn:sha1:3ce3b2108f38059e0830222da4c3003aff2ab097</id>
<content type='text'>
If there's an error on a command request, make sure to requeue to receive
the next one.

Signed-off-by: Thinh Nguyen &lt;Thinh.Nguyen@synopsys.com&gt;
Link: https://lore.kernel.org/r/d4e55c13be8f83f99ee55f7b979a99e2c14fc4c8.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: gadget: f_tcm: Stall on invalid CBW</title>
<updated>2024-12-24T07:56:07+00:00</updated>
<author>
<name>Thinh Nguyen</name>
<email>Thinh.Nguyen@synopsys.com</email>
</author>
<published>2024-12-11T00:34:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a4d7274d07ae4b3e77b3b35f46cab7c90b95ef21'/>
<id>urn:sha1:a4d7274d07ae4b3e77b3b35f46cab7c90b95ef21</id>
<content type='text'>
If the BOT command CBW is invalid, make sure to respond by setting
status endpoint STALL until the next proper CBW or reset.

Signed-off-by: Thinh Nguyen &lt;Thinh.Nguyen@synopsys.com&gt;
Link: https://lore.kernel.org/r/96022e2d5225f01a20263a4ba9c2e2c8a63328b8.1733876548.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
