<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/usb/usbip, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-22T19:09:47+00:00</updated>
<entry>
<title>Merge tag 'usb-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb</title>
<updated>2026-06-22T19:09:47+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-22T19:09:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=364f4a55c661641c02c86a849f0608d8fc3c0006'/>
<id>urn:sha1:364f4a55c661641c02c86a849f0608d8fc3c0006</id>
<content type='text'>
Pull USB and Thunderbolt driver updates from Greg KH:
 "Here is the big set of USB and Thunderbolt driver changes for 7.2-rc1.

  Lots of little stuff in here, major highlights include:

   - USB4STREAM support for Thunderbolt devices. A new way to send "raw"
     data very quickly over a USB4 connection to another system directly

   - Other thunderbolt updates and changes to make the stream code work

   - xhci driver updates and additions

   - typec driver updates and additions

   - usb gadget driver updates and fixes for reported issues

   - zh_CN documentation translation of the USB documentation

   - usb-serial driver updates

   - dts cleanups for some USB platforms

   - other minor USB driver updates and tweaks

  All of these have been in linux-next for over a week with no reported
  issues, most of them for many many weeks"

* tag 'usb-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (131 commits)
  usb: ucsi: huawei_gaokun: support mode switching
  thunderbolt: debugfs: Fix sideband write size check
  thunderbolt: debugfs: Fix margining error counter buffer leak
  usb: host: xhci-rcar: Split R-Car Gen2 and Gen3 .plat_start() handling
  usb: host: xhci-rcar: Remove SET_XHCI_PLAT_PRIV_FOR_RCAR() macro
  usb: xhci: allocate internal DCBAA mirror dynamically
  usb: xhci: allocate DCBAA based on host controller max slots
  usb: xhci: refactor DCBAA struct
  xhci: Prevent queuing new commands if xhci is inaccessible
  xhci: dbc: detect and recover hung DbC during enumeraton
  xhci: dbc: add timestamps to DbC state changes in a new helper.
  xhci: dbc: add helper to set and clear DbC DCE enable bit
  xhci: dbc: serialize enabling and disabling dbc
  xhci: dbc: Fix sysfs ABI Documentation for xhci dbc states
  usb: xhci: Improve Soft Retries after short transfers
  usb: xhci: Remove isochronous URB_SHORT_NOT_OK handling
  usb: xhci: Remove skip_isoc_td()
  usb: xhci: Simplify xhci_quiesce()
  usb: xhci: remove legacy 'num_trbs_free' tracking
  usb: xhci: fix typo in xhci_set_port_power() comment
  ...
</content>
</entry>
<entry>
<title>Merge tag 'mm-nonmm-stable-2026-06-21-10-22' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm</title>
<updated>2026-06-21T20:20:19+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-21T20:20:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2e05544060b9fef5d4d0e0172944e6956c55080f'/>
<id>urn:sha1:2e05544060b9fef5d4d0e0172944e6956c55080f</id>
<content type='text'>
Pull non-MM updates from Andrew Morton:

 - "taskstats: fix TGID dead-thread stat retention" (Yiyang Chen)

   Fix a taskstats TGID aggregation bug where fields added in the TGID
   query path were not preserved after thread exit, and adds a kselftest
   covering the regression.

 - "lib/tests: string_helpers: Slight improvements" (Andy Shevchenko)

   Improve lib/tests/string_helpers_kunit.c a little

 - "lib/base64: decode fixes" (Josh Law)

   Address minor issues in lib/base64.c

 - "selftests/filelock: Make output more kselftestish" (Mark Brown)

   Make the output from the ofdlocks test a bit easier for tooling to
   work with. Also ignore the generated file

 - "uaccess: unify inline vs outline copy_{from,to}_user() selection"
   (Yury Norov)

   Simplify the usercopy code by removing the selectability of inlining
   copy_{from,to}_user().

 - "ocfs2: validate inline xattr header consumers" (ZhengYuan Huang)

   Fix a number of possible issues in the ocfs2 xattr code

 - "lib and lib/cmdline enhancements" (Dmitry Antipov)

   Provide additional robustness checking in the cmdline handling code
   and its in-kernel testing and selftests

 - "cleanup the RAID6 P/Q library" (Christoph Hellwig)

   Clean up the RAID6 P/Q library to match the recent updates to the
   RAID 5 XOR library and other CRC/crypto libraries

 - "ocfs2: harden inode validators against forged metadata" (Michael
   Bommarito)

   Add three structural checks to OCFS2 dinode validation so malformed
   on-disk fields are rejected before ocfs2_populate_inode() copies them
   into the in-core inode

 - "lib/raid: replace __get_free_pages() call with kmalloc()" (Mike
   Rapoport)

   Clean up the lib/raid code by using kmalloc() in more places

* tag 'mm-nonmm-stable-2026-06-21-10-22' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: (108 commits)
  ocfs2: fix circular locking dependency in ocfs2_dio_end_io_write
  ocfs2: fix NULL h_transaction deref in ocfs2_assure_trans_credits
  lib: interval_tree_test: validate benchmark parameters
  ocfs2: avoid moving extents to occupied clusters
  treewide: fix transposed "sign" typos and update spelling.txt
  ocfs2: fix UBSAN array-index-out-of-bounds in ocfs2_sum_rightmost_rec
  fat: reject BPB volumes whose data area starts beyond total sectors
  selftests/uevent: increase __UEVENT_BUFFER_SIZE to avoid ENOBUFS on busy systems
  lib/test_firmware: allocate the configured into_buf size
  fs: efs: remove unneeded debug prints
  checkpatch: cuppress warnings when Reported-by: is followed by Link:
  MAINTAINERS: add Alexander as a kcov reviewer
  mailmap: update Alexander Sverdlin's Email addresses
  fs: fat: inode: replace sprintf() with scnprintf()
  ocfs2: fix out-of-bounds write in ocfs2_remove_refcount_extent
  ocfs2: fix race between ocfs2_control_install_private() and ocfs2_control_release()
  ocfs2/dlm: require a ref for locking_state debugfs open
  ocfs2: reject FITRIM ranges shorter than a cluster
  ocfs2: validate fast symlink target during inode read
  ocfs2: add journal NULL check in ocfs2_checkpoint_inode()
  ...
</content>
</entry>
<entry>
<title>Merge tag 'v7.1-rc6' into usb-next</title>
<updated>2026-06-01T15:39:51+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2026-06-01T15:39:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=55311a92bc9564b058a036074f85200a5954ccd2'/>
<id>urn:sha1:55311a92bc9564b058a036074f85200a5954ccd2</id>
<content type='text'>
We need the USB and Thunderbolt fixes in here as well.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>kcov: refactor common handle ID into kcov_common_handle_id</title>
<updated>2026-05-29T04:24:45+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jannh@google.com</email>
</author>
<published>2026-04-30T14:15:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5a13e296a3e32a70db2a520d8611a53d7bde10e8'/>
<id>urn:sha1:5a13e296a3e32a70db2a520d8611a53d7bde10e8</id>
<content type='text'>
Store common handle IDs in "struct kcov_common_handle_id", which consumes
no space in non-KCOV builds.

This cleanup removes #ifdef boilerplate code from subsystems that
integrate with KCOV (in particular in usbip_common.h and skbuff.h, see the
diffstat).

This should also make it easier to add KCOV remote coverage to more
subsystems in the future.

Link: https://lore.kernel.org/20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Acked-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Reviewed-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Acked-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Cc: Alexander Potapenko &lt;glider@google.com&gt;
Cc: Andrey Konovalov &lt;andreyknvl@gmail.com&gt;
Cc: Eugenio Pérez &lt;eperezma@redhat.com&gt;
Cc: Hongren (Zenithal) Zheng &lt;i@zenithal.me&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Jason Wang &lt;jasowang@redhat.com&gt;
Cc: "Michael S. Tsirkin" &lt;mst@redhat.com&gt;
Cc: Shuah Khan &lt;shuah@kernel.org&gt;
Cc: Valentina Manea &lt;valentina.manea.m@gmail.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>usbip: vhci_hcd: reduce CONFIG_USBIP_VHCI_NR_HCS upper bound to 32</title>
<updated>2026-05-22T09:34:27+00:00</updated>
<author>
<name>Adrian Wowk</name>
<email>dev@adrianwowk.com</email>
</author>
<published>2026-04-14T01:00:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=105644154a60c8ec0c7b3e0758bd18c9a243a3b4'/>
<id>urn:sha1:105644154a60c8ec0c7b3e0758bd18c9a243a3b4</id>
<content type='text'>
Each VHCI HC instance registers two USB buses (one HS, one SS).
USB_MAXBUS in drivers/usb/core/hcd.c is hard-coded to 64, giving an
effective maximum of 32 VHCI HC instances (32 * 2 = 64 buses).

The Kconfig range for USBIP_VHCI_NR_HCS currently allows up to 128,
which will cause probe failures for any HC instance beyond the 32nd.
These probe failures trigger the NULL pointer dereference fixed in the
previous commit.

Reduce the upper bound to 32 to reflect the real maximum imposed by
USB_MAXBUS. Note that probe failures can still occur below this limit
if real hardware has already claimed enough USB bus numbers, making
the NULL check fix necessary regardless.

Signed-off-by: Adrian Wowk &lt;dev@adrianwowk.com&gt;
Reviewed-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Link: https://patch.msgid.link/20260414010050.158064-3-dev@adrianwowk.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usbip: vhci_hcd: fix NULL deref in status_show_vhci</title>
<updated>2026-05-22T09:34:27+00:00</updated>
<author>
<name>Adrian Wowk</name>
<email>dev@adrianwowk.com</email>
</author>
<published>2026-04-14T01:00:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bc150783542ba2e7c1257d1299c6f3269bdba270'/>
<id>urn:sha1:bc150783542ba2e7c1257d1299c6f3269bdba270</id>
<content type='text'>
platform_get_drvdata() can return NULL if a VHCI host controller's
probe failed (e.g. due to USB bus number exhaustion). status_show_vhci()
checked for a NULL pdev but not for a NULL hcd returned by
platform_get_drvdata(). Passing NULL to hcd_to_vhci_hcd() does not
return NULL - it returns a pointer offset of 0x260, causing a NULL
pointer dereference when that value is subsequently dereferenced.

Add a NULL check on hcd before calling hcd_to_vhci_hcd(). Move
status_show_not_ready() above status_show_vhci() to make it callable
from the new error path without a forward declaration.

Signed-off-by: Adrian Wowk &lt;dev@adrianwowk.com&gt;
Reviewed-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Link: https://patch.msgid.link/20260414010050.158064-2-dev@adrianwowk.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usbip: vudc: Fix use after free bug in vudc_remove due to race condition</title>
<updated>2026-05-22T09:13:06+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-04-17T16:35:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d96209626a29ea64666be98c30b30ac82e5f1be6'/>
<id>urn:sha1:d96209626a29ea64666be98c30b30ac82e5f1be6</id>
<content type='text'>
This patch follows up Zheng Wang's 2023 report of a use-after-free in
vudc_remove(). The original thread stalled on Shuah Khan's request for
runtime testing of the unplug/unbind path. This patch supplies that
testing and keeps Zheng's original fix shape.

In vudc_probe(), v_init_timer() binds udc-&gt;tr_timer.timer to v_timer().
usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
vudc_remove() can then free the containing struct vudc while the timer is
still pending or executing.

KASAN confirms the race on an unpatched x86_64 QEMU guest with
CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
that repeatedly writes a socket fd to usbip_sockfd, closes the socket
pair, and unbinds/rebinds usbip-vudc.0:

  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
  Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
  Allocated by task 239:
    vudc_probe+0x4d/0xaa0
  Freed by task 239:
    kfree+0x18f/0x520
    device_release_driver_internal+0x388/0x540
    unbind_store+0xd9/0x100

This lands in the timer core rather than v_timer() itself because the
embedded timer_list is being walked after its containing struct vudc has
already been freed. The underlying lifetime bug is the same one Zheng
reported.

With v_stop_timer() called from vudc_remove() and the timer deleted
synchronously, the same harness completed 5000 bind/unbind iterations
with no KASAN report.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable &lt;stable@kernel.org&gt;
Reported-by: Zheng Wang &lt;zyytlz.wz@163.com&gt;
Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Acked-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usbip: validate number_of_packets in usbip_pack_ret_submit()</title>
<updated>2026-04-07T11:48:44+00:00</updated>
<author>
<name>Nathan Rebello</name>
<email>nathan.c.rebello@gmail.com</email>
</author>
<published>2026-04-02T08:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2ab833a16a825373aad2ba7d54b572b277e95b71'/>
<id>urn:sha1:2ab833a16a825373aad2ba7d54b572b277e95b71</id>
<content type='text'>
When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb-&gt;number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb-&gt;iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb-&gt;iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

  The buggy address is located 0 bytes to the right of
   allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu-&gt;number_of_packets against
urb-&gt;number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.

Fixes: 1325f85fa49f ("staging: usbip: bugfix add number of packets for isochronous frames")
Cc: stable &lt;stable@kernel.org&gt;
Acked-by: Shuah Khan &lt;skhan@linuxfoundation.org&gt;
Signed-off-by: Nathan Rebello &lt;nathan.c.rebello@gmail.com&gt;
Link: https://patch.msgid.link/20260402085259.234-1-nathan.c.rebello@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: usbip: fix OOB read/write in usbip_pad_iso()</title>
<updated>2026-04-02T07:52:51+00:00</updated>
<author>
<name>Kelvin Mbogo</name>
<email>addcontent08@gmail.com</email>
</author>
<published>2026-03-25T10:36:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=74a2287209a858470d15e2996ead2337bd293ff4'/>
<id>urn:sha1:74a2287209a858470d15e2996ead2337bd293ff4</id>
<content type='text'>
usbip_pad_iso() repositions ISO frame data within the transfer buffer
via memmove().  Neither the source offset (actualoffset, derived by
subtracting wire-supplied actual_length values) nor the destination
offset (iso_frame_desc[i].offset, taken directly from the wire) is
bounds-checked.

If a crafted actual_length wraps actualoffset negative through the
subtraction (see patch 2/3 for the root cause), the memmove source
points before the allocation - slab OOB read, data returned to
userspace.

Independently, iso_frame_desc[i].offset is never validated against
transfer_buffer_length.  Setting offset past the end of the buffer
gives a fully controlled OOB write into whatever sits next in the
slab - confirmed with offset=400 on a 392-byte buffer, 64-byte write.

Add bounds checks for both the source and destination ranges before
each memmove call.  Use unsigned comparisons after the sign check on
actualoffset to avoid signed/unsigned conversion surprises.

Signed-off-by: Kelvin Mbogo &lt;addcontent08@gmail.com&gt;
Link: https://patch.msgid.link/20260325103640.8090-3-addcontent08@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: usbip: validate iso frame actual_length in usbip_recv_iso()</title>
<updated>2026-04-02T07:52:51+00:00</updated>
<author>
<name>Kelvin Mbogo</name>
<email>addcontent08@gmail.com</email>
</author>
<published>2026-03-25T10:36:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=591c1d972d8f19862ecd7279c7ef4df48b0a9b33'/>
<id>urn:sha1:591c1d972d8f19862ecd7279c7ef4df48b0a9b33</id>
<content type='text'>
usbip_recv_iso() sums each frame's actual_length into an int
accumulator without checking the individual values first:

    total_length += urb-&gt;iso_frame_desc[i].actual_length;

A malicious server can send actual_length = 0xFFFFFFFC for one frame
and a small value for the other, making the signed sum wrap around to
match urb-&gt;actual_length.  The sanity check passes, and usbip_pad_iso()
later computes a negative actualoffset, feeding it to memmove() as a
source pointer - reads before the allocation, leaked to userspace via
USBDEVFS_REAPURB.

Reject any frame whose actual_length exceeds transfer_buffer_length
(one frame can't carry more data than the whole buffer), and widen the
accumulator to u32 so that many moderately-large frames can't wrap it
either.

Signed-off-by: Kelvin Mbogo &lt;addcontent08@gmail.com&gt;
Link: https://patch.msgid.link/20260325103640.8090-2-addcontent08@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
