Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y 2026-05-22T09:13:06+00:00 2026-05-22T09:13:06+00:00 Michael Bommarito michael.bommarito@gmail.com 2026-04-17T16:35:52+00:00 urn:sha1:d96209626a29ea64666be98c30b30ac82e5f1be6 This patch follows up Zheng Wang's 2023 report of a use-after-free in vudc_remove(). The original thread stalled on Shuah Khan's request for runtime testing of the unplug/unbind path. This patch supplies that testing and keeps Zheng's original fix shape. In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer(). usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer(). vudc_remove() can then free the containing struct vudc while the timer is still pending or executing. KASAN confirms the race on an unpatched x86_64 QEMU guest with CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop that repeatedly writes a socket fd to usbip_sockfd, closes the socket pair, and unbinds/rebinds usbip-vudc.0: BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0 Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239 Allocated by task 239: vudc_probe+0x4d/0xaa0 Freed by task 239: kfree+0x18f/0x520 device_release_driver_internal+0x388/0x540 unbind_store+0xd9/0x100 This lands in the timer core rather than v_timer() itself because the embedded timer_list is being walked after its containing struct vudc has already been freed. The underlying lifetime bug is the same one Zheng reported. With v_stop_timer() called from vudc_remove() and the timer deleted synchronously, the same harness completed 5000 bind/unbind iterations with no KASAN report. Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops") Cc: stable <stable@kernel.org> Reported-by: Zheng Wang <zyytlz.wz@163.com> Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/ Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Acked-by: Shuah Khan <skhan@linuxfoundation.org> Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-06-08T07:07:37+00:00 Ingo Molnar mingo@kernel.org 2025-05-09T05:51:14+00:00 urn:sha1:41cb08555c4164996d67c78b3bf1c658075b75f1 Move this API to the canonical timer_*() namespace. [ tglx: Redone against pre rc1 ] Signed-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/all/aB2X0jCKQO56WdMt@gmail.com 2020-07-09T16:06:35+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2020-07-07T19:52:14+00:00 urn:sha1:2da3b53c78be8a11800a3d5053a8ca22b2455c8e Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Acked-by: Shuah Khan <skhan@linuxfoundation.org> Link: https://lore.kernel.org/r/20200707195214.GA3932@embeddedor Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-07T14:45:01+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2017-11-06T14:37:11+00:00 urn:sha1:7f2b019c8d8b0330c142a5934dd77089d5282c74 Now that the SPDX tag is in all USB files, that identifies the license in a specific and legally-defined manner. So the extra GPL text wording can be removed as it is no longer needed at all. This is done on a quest to remove the 700+ different ways that files in the kernel describe the GPL license text. And there's unneeded stuff like the address (sometimes incorrect) for the FSF which is never needed. No copyright headers or other non-license-description text was removed. Cc: Valentina Manea <valentina.manea.m@gmail.com> Acked-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-04T10:48:02+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2017-11-03T10:28:30+00:00 urn:sha1:5fd54ace4721fc5ce2bb5aef6318fcf17f421460 It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. Update the drivers/usb/ and include/linux/usb* files with the correct SPDX license identifier based on the license text in the file itself. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text. This work is based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Kate Stewart <kstewart@linuxfoundation.org> Cc: Philippe Ombredanne <pombredanne@nexb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Acked-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-01T15:57:23+00:00 Kees Cook keescook@chromium.org 2017-10-24T10:09:05+00:00 urn:sha1:09e005c44cba626bdc2fc7867d72b8107af5a225 In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Cc: Valentina Manea <valentina.manea.m@gmail.com> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-12-05T14:08:45+00:00 Krzysztof Opasiak k.opasiak@samsung.com 2016-12-01T18:14:37+00:00 urn:sha1:3e448e13a662fb20145916636127995cbf37eb83 ep_list inside gadget structure doesn't contain ep0. It is stored separately in ep0 field. This causes an urb hang if gadget driver decides to delay setup handling. On host side this is visible as timeout error when setting configuration. This bug can be reproduced using for example any gadget with mass storage function. Fixes: abdb29574322 ("usbip: vudc: Add vudc_transfer") Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Cc: stable <stable@vger.kernel.org> Acked-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-10-27T14:59:59+00:00 Jai Krishna rjk1024@gmail.com 2016-10-25T09:02:32+00:00 urn:sha1:1f0c41dd0c216401e88a2665dc6a07ce24d6079d This patch fixes the following checkpatch warning for usbip files WARNING: Prefer 'unsigned int' to bare use of 'unsigned' Signed-off-by: Jai Krishna <rjk1024@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-04-28T19:28:08+00:00 Krzysztof Opasiak k.opasiak@samsung.com 2016-04-27T18:02:07+00:00 urn:sha1:0255cf9e52a73ba0d5ca393c93c5fb458fea4532 As find_endpoint() is a global funcion rename it to vudc_find_endpoint() to clearly mark where does it come from. Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-04-26T22:19:50+00:00 Igor Kotrasinski i.kotrasinsk@samsung.com 2016-03-08T20:49:00+00:00 urn:sha1:abdb2957432242de09ad52d044b5221a4b56c15a This file contains a function that simulates USB traffic, based on the one in dummy_hcd. Is also handles udc-directed control requests, and contains functions for setting up and controlling a timer for the emulation. This commit is a result of cooperation between Samsung R&D Institute Poland and Open Operating Systems Student Society at University of Warsaw (O2S3@UW) consisting of: Igor Kotrasinski <ikotrasinsk@gmail.com> Karol Kosik <karo9@interia.eu> Ewelina Kosmider <3w3lfin@gmail.com> Dawid Lazarczyk <lazarczyk.dawid@gmail.com> Piotr Szulc <ps347277@students.mimuw.edu.pl> Tutor and project owner: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Igor Kotrasinski <i.kotrasinsk@samsung.com> Signed-off-by: Karol Kosik <karo9@interia.eu> Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>