usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind

uvc_function_bind() walks &opts->extension_units twice without holding
opts->lock:

  - directly, for the iExtension string-descriptor fixup loop;
  - indirectly, four times via uvc_copy_descriptors() (once per speed),
    where the helper iterates uvc->desc.extension_units (which aliases
    &opts->extension_units) to size and emit XU descriptors.

The configfs side (uvcg_extension_make / uvcg_extension_drop, in
drivers/usb/gadget/function/uvc_configfs.c) takes opts->lock around its
list_add_tail / list_del operations.  A privileged userspace process
that holds the configfs subtree open and writes the gadget UDC name
to bind the function while concurrently rmdir()'ing an extensions
subdir can race uvcg_extension_drop() against the bind-time list walks
and dereference a freed struct uvcg_extension.

Hold opts->lock from the start of the XU string-descriptor fixup
through the last uvc_copy_descriptors() call, releasing on the
descriptor-error path via a new error_unlock label that drops the
lock before falling through to the existing error label.  This
matches the locking discipline of the configfs callbacks and removes
the only remaining unsynchronised reader of the XU list during bind.

Reachability: only privileged processes that can mount configfs and
write to gadget UDC files can trigger the race, so this is a
correctness fix rather than a security boundary.

Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
Cc: stable <stable@kernel.org>
Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Link: https://patch.msgid.link/20260430175643.67120-1-kai.aizen.dev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 8d404d88391c518613e8dd40be5e32b74a2e53a7..73dc7e42875ffb0b538ba9c939b65c960261f6f1 100644 (file)
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -768,6 +768,16 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
        uvc_hs_streaming_ep.bEndpointAddress = uvc->video.ep->address;
        uvc_ss_streaming_ep.bEndpointAddress = uvc->video.ep->address;
 
+       /*
+        * Hold opts->lock across both the XU string-descriptor fixup below and
+        * the descriptor-copy block further down.  Without this, configfs
+        * uvcg_extension_drop() (which takes opts->lock) can race with the
+        * list_for_each_entry() walks here and inside uvc_copy_descriptors(),
+        * leading to a UAF on a freed struct uvcg_extension.  See
+        * drivers/usb/gadget/function/uvc_configfs.c::uvcg_extension_drop().
+        */
+       mutex_lock(&opts->lock);
+
        /*
         * XUs can have an arbitrary string descriptor describing them. If they
         * have one pick up the ID.
@@ -785,7 +795,7 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
                                 ARRAY_SIZE(uvc_en_us_strings));
        if (IS_ERR(us)) {
                ret = PTR_ERR(us);
-               goto error;
+               goto error_unlock;
        }
 
        uvc_iad.iFunction = opts->iad_index ? cdev->usb_strings[opts->iad_index].id :
@@ -799,14 +809,14 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
 
        /* Allocate interface IDs. */
        if ((ret = usb_interface_id(c, f)) < 0)
-               goto error;
+               goto error_unlock;
        uvc_iad.bFirstInterface = ret;
        uvc_control_intf.bInterfaceNumber = ret;
        uvc->control_intf = ret;
        opts->control_interface = ret;
 
        if ((ret = usb_interface_id(c, f)) < 0)
-               goto error;
+               goto error_unlock;
        uvc_streaming_intf_alt0.bInterfaceNumber = ret;
        uvc_streaming_intf_alt1.bInterfaceNumber = ret;
        uvc->streaming_intf = ret;
@@ -817,30 +827,32 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
        if (IS_ERR(f->fs_descriptors)) {
                ret = PTR_ERR(f->fs_descriptors);
                f->fs_descriptors = NULL;
-               goto error;
+               goto error_unlock;
        }
 
        f->hs_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_HIGH);
        if (IS_ERR(f->hs_descriptors)) {
                ret = PTR_ERR(f->hs_descriptors);
                f->hs_descriptors = NULL;
-               goto error;
+               goto error_unlock;
        }
 
        f->ss_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER);
        if (IS_ERR(f->ss_descriptors)) {
                ret = PTR_ERR(f->ss_descriptors);
                f->ss_descriptors = NULL;
-               goto error;
+               goto error_unlock;
        }
 
        f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
        if (IS_ERR(f->ssp_descriptors)) {
                ret = PTR_ERR(f->ssp_descriptors);
                f->ssp_descriptors = NULL;
-               goto error;
+               goto error_unlock;
        }
 
+       mutex_unlock(&opts->lock);
+
        /* Preallocate control endpoint request. */
        uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
        uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);
@@ -872,6 +884,8 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
 
        return 0;
 
+error_unlock:
+       mutex_unlock(&opts->lock);
 v4l2_error:
        v4l2_device_unregister(&uvc->v4l2_dev);
 error: