From nobody Mon Jun 8 07:23:00 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A37A34B404; Sun, 31 May 2026 21:05:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780261553; cv=none; b=PQjebcubnGUW2G+fEUQjSinkMw6/BJOClVOH/woSffeFSOVN1jhg/ZF7If0DfSx02I7ZoptEaS2sm4AEx7qQxJcgEZ1vhA+e5EbO7DDUV23R6UOL7axDl//PzHROazxv4Wp2DgBKcM60lVOsBBaHD3qjbaYSwbBJnGCCfI+kH6E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780261553; c=relaxed/simple; bh=+gtme44HgV3+0cY0fNPZva52Dkwj7je2hlaTW5P9DVU=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=V7FJ5ms3mmHmoM4w2rHG0LEgWwN2WUuwbgjCmxwiJ4vIj8K+ecStETkmBtZy4FVTde2uupLj841Oo/Bm6WfyvV7e7yXUKmlMXC1Jai6ProHU0v4WomH+lO8OjBzPLrli36oqgk2xy+NeIgg6XQUueQwWKsuPVhZfTIOUWWVX9NI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=IKdrk9W6; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="IKdrk9W6" Received: by smtp.kernel.org (Postfix) with ESMTPS id F0B52C2BCF4; Sun, 31 May 2026 21:05:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1780261553; bh=+gtme44HgV3+0cY0fNPZva52Dkwj7je2hlaTW5P9DVU=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=IKdrk9W6L4eUJwNKBbYFpzoklAoF/W++dIAcDOEcBPOuTXRB7U2adGKVhYwGZPqpZ FArn5mj2m6oXN5aY44bhkcwjc4amQh7ObrYvOwuaxIgEPxbKLQ5bPmSJ5MGUhDmajI 6KavCjLR8e/2kwXqLdIR4Y+JYuiG4vl1fbvGYCczN5YNY424iOFva1dMXLEr3RHXpO 
rkRRBdcwqrZ1QWm2Vbf6n2qfV7NoBuddduYTtwXYdvxx4z1ukWv0dQdRzXt7Za881c Hh8O6a57RtWzpKFGo/QSWOk/CtEDDQTvETkgA4oK1B7gPIjGohBnSA4nVeB7pGBjyt yhY9i6NaH0Q4A== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD37CCD6E56; Sun, 31 May 2026 21:05:52 +0000 (UTC) From: Gabriel Prostitis via B4 Relay Date: Sun, 31 May 2026 23:04:40 +0200 Subject: [PATCH 1/2] USB: gadget: ffs: fix mm lifetime handling Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260531-mm-uaf-fix-v1-1-91571cc6ca46@gmail.com> References: <20260531-mm-uaf-fix-v1-0-91571cc6ca46@gmail.com> In-Reply-To: <20260531-mm-uaf-fix-v1-0-91571cc6ca46@gmail.com> To: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Gabriel Prostitis X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780261550; l=2293; i=prostitisgabriel@gmail.com; s=20260530; h=from:subject:message-id; bh=la8smGq95XcSDzHNQL1zzeelJ5kGKb2oaQaJ/J86UgM=; b=bWD7quM1JesXEp+CJMNyh3twqqiiU88cfzLM0iyn8a96yeZe3ocz+jYu/9YcFi5h+Bt91fSDv ZuxZfjf8IzsB+A5i7SsBINrfyb1BOE9uHNsl8f/ZQ2QwMuLIf9Zmk00 X-Developer-Key: i=prostitisgabriel@gmail.com; a=ed25519; pk=FwuU+O6ZnvvnFVA45nfqkGlhSmC1P64HLtxRgBebOuY= X-Endpoint-Received: by B4 Relay for prostitisgabriel@gmail.com/20260530 with auth_id=800 X-Original-From: Gabriel Prostitis Reply-To: prostitisgabriel@gmail.com From: Gabriel Prostitis io_data stores a pointer to the submitting task's mm_struct, but does not currently hold a reference to it while async requests are pending. This can result in a use-after-free if the task exits before completion handling finishes. Take a reference with mmgrab() when queuing the read request and release it with mmdrop() on request completion. 
Signed-off-by: Gabriel Prostitis
---
 drivers/usb/gadget/function/f_fs.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/functi= on/f_fs.c
index 002c3441bea3..674f2fd5450f 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -864,9 +864,15 @@ static void ffs_user_copy_worker(struct work_struct *w= ork)
 bool kiocb_has_eventfd =3D io_data->kiocb->ki_flags & IOCB_EVENTFD;
=20
 if (io_data->read && ret > 0) {
- kthread_use_mm(io_data->mm);
- ret =3D ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
- kthread_unuse_mm(io_data->mm);
+ if (mmget_not_zero(io_data->mm)) {
+ kthread_use_mm(io_data->mm);
+ ret =3D ffs_copy_to_iter(io_data->buf, ret, &io_data->data);
+ kthread_unuse_mm(io_data->mm);
+ mmput(io_data->mm);
+ } else {
+ ret =3D -EFAULT;
+ }
+ mmdrop(io_data->mm);
 }
=20
 io_data->kiocb->ki_complete(io_data->kiocb, ret);
@@ -1261,16 +1267,20 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *= kiocb, struct iov_iter *from)
=20
 kiocb->private =3D p;
=20
- if (p->aio)
+ if (p->aio) {
+ mmgrab(p->mm);
 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
+ }
=20
 res =3D ffs_epfile_io(kiocb->ki_filp, p);
 if (res =3D=3D -EIOCBQUEUED)
 return res;
- if (p->aio)
+ if (p->aio) {
+ mmdrop(p->mm);
 kfree(p);
- else
+ } else {
 *from =3D p->data;
+ }
 return res;
 }
=20
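Review bot: `mmdrop(io_data->mm);` is placed inside `if (io_data->read && ret > 0)`, so a read request whose completion status is zero or negative (a cancelled request, for instance) never releases the mm_count reference that the write_iter and read_iter hunks take for every aio request, leaking the mm_struct. If, as I read the completion path, this worker also handles write completions, each aio write leaks a reference the same way, since the grab in ffs_epfile_write_iter is unconditional for aio. Move the drop out of the conditional so it pairs with mmgrab() on every completion: close the read branch with `}` and put `mmdrop(io_data->mm);` immediately before `io_data->kiocb->ki_complete(io_data->kiocb, ret);`. ffs_user_copy_worker starts before and ends after this hunk.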
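Review bot: The reference taken here is taken for every aio request, read or write, while the commit message describes the grab as happening "when queuing the read request", and nothing at the call site says where it is released. A one-line comment above `mmgrab(p->mm);` would make the pairing checkable, e.g. `/* dropped by the completion worker, or below if submission fails */`; the identical addition in the ffs_epfile_read_iter hunk deserves the same comment. The message should probably say "read or write request" as well.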
@@ -1305,14 +1315,17 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *k= iocb, struct iov_iter *to)
=20
 kiocb->private =3D p;
=20
- if (p->aio)
+ if (p->aio) {
+ mmgrab(p->mm);
 kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
+ }
=20
 res =3D ffs_epfile_io(kiocb->ki_filp, p);
 if (res =3D=3D -EIOCBQUEUED)
 return res;
=20
 if (p->aio) {
+ mmdrop(p->mm);
 kfree(p->to_free);
 kfree(p);
 } else {
--=20
2.54.0
From nobody Mon Jun 8 07:23:00 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A2EA34B1B0; Sun, 31 May 2026 21:05:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780261553; cv=none; b=kgGBwWVkhSo7akiiYj4Gl6bK4WFTOGpFPJkeWrr0a5cWqvrdroAWBL7smndOFKUwCINvOD7llfpFCYPenA8fnoAISCUJ3wsy/GljxCG36Gu6EZvXVYNrRCk/+IlPh05kafedfF4iHqugmQk4jA96mDW8miwSOw1X+FUnSCfpRDk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780261553; c=relaxed/simple; bh=i6wVPsKwuCpGC/ZVYlaGjJ3RExM3Y7x8ptFNTiMS+Ss=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=LAR4a3rq2QaVrv3bIOeorxnysCNNW7lpZHi7IQg7CHP35CKc2X9pBk6fCaiWuL04zFQLMiT+vfFeW1Ot7w10W02Yp2G5qMrdtLIicAlEl4FA+Rhs//eUrX5jZc7rUKFFrmpIy65uNeuF8QNUjKUeVMLLU76eQqfSz2EU7eTjCCI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HSxhA4hE; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HSxhA4hE" Received: by smtp.kernel.org (Postfix) with ESMTPS id 04B3DC2BCC6; Sun, 31 May 2026 21:05:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=kernel.org; s=k20201202; t=1780261553; bh=i6wVPsKwuCpGC/ZVYlaGjJ3RExM3Y7x8ptFNTiMS+Ss=; h=From:Date:Subject:References:In-Reply-To:To:Cc:Reply-To:From; b=HSxhA4hEigVunz5sofuTK2vqXtlrxsy9mE1MlfHl8zGze6zwxbE/BxOza51Tx2AaH UW0Z30wdafl80bY2etggWlgurMjP3gEyZPKh9Xp/HR56gI69kkcPcPtgc8i/3Wg/5U dR+xPY4JeVlLm0y8V6tmHZMrtZ6A12YPJuci/3Vh/qlVktUlu7Yqe1Kxlnm8fT1l5O FG/UoLx7pXeBl0rfDUXcMrNDTAcHM6GguVUJ0CqFE8OJlR93Ipra2Bdmckfds7S9KX +tjAb+GvnMb4ZWNjMt0Dz3rVl6PeqT+IXr8YG1XNO2ns/6AE96NgNHr7SXRzpTv7fr P6vEkSI6xK4kg== Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EAD66CD6E5F; Sun, 31 May 2026 21:05:52 +0000 (UTC) From: Gabriel Prostitis via B4 Relay Date: Sun, 31 May 2026 23:04:41 +0200 Subject: [PATCH 2/2] USB: gadget: inode: fix mm lifetime handling Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260531-mm-uaf-fix-v1-2-91571cc6ca46@gmail.com> References: <20260531-mm-uaf-fix-v1-0-91571cc6ca46@gmail.com> In-Reply-To: <20260531-mm-uaf-fix-v1-0-91571cc6ca46@gmail.com> To: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Gabriel Prostitis X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1780261550; l=2138; i=prostitisgabriel@gmail.com; s=20260530; h=from:subject:message-id; bh=vEsZ4QwqvYlH70rsOhB9QVTgchod8aGQd1KQsxPk2MY=; b=CBMq6EY2jYW4/qQuk4vuyeWMbY/35Da4Bx0LXIeCPcDKA4uhhbwz2m2t2EByNaQw3putwapkH cfOA3ye99+DB0OWBbu0xy8d5KHCejS5yQQp21HaO4GpBjo0xSlsf4lI X-Developer-Key: i=prostitisgabriel@gmail.com; a=ed25519; pk=FwuU+O6ZnvvnFVA45nfqkGlhSmC1P64HLtxRgBebOuY= X-Endpoint-Received: by B4 Relay for prostitisgabriel@gmail.com/20260530 with auth_id=800 X-Original-From: Gabriel Prostitis Reply-To: prostitisgabriel@gmail.com 
From: Gabriel Prostitis
priv stores a pointer to the submitting task's mm_struct, but does not currently hold a reference to it while async requests are pending. This can result in a use-after-free if the task exits before completion handling finishes. Take a reference with mmgrab() when queuing the read request and release it with mmdrop() on request completion.
Signed-off-by: Gabriel Prostitis
Acked-by: Alan Stern
---
 drivers/usb/gadget/legacy/inode.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/= inode.c
index d87a8ab51510..f9b7199afc9e 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -471,11 +471,17 @@ static void ep_user_copy_worker(struct work_struct *w= ork)
 struct kiocb *iocb =3D priv->iocb;
 size_t ret;
=20
- kthread_use_mm(mm);
- ret =3D copy_to_iter(priv->buf, priv->actual, &priv->to);
- kthread_unuse_mm(mm);
- if (!ret)
+ if (mmget_not_zero(mm)) {
+ kthread_use_mm(mm);
+ ret =3D copy_to_iter(priv->buf, priv->actual, &priv->to);
+ kthread_unuse_mm(mm);
+ mmput(mm);
+ if (!ret)
+ ret =3D -EFAULT;
+ } else {
 ret =3D -EFAULT;
+ }
+ mmdrop(mm);
=20
 /* completing the iocb can drop the ctx and mm, don't touch mm after */
 iocb->ki_complete(iocb, ret);
@@ -501,6 +507,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct u= sb_request *req)
 * complete the aio request immediately.
 */
 if (priv->to_free =3D=3D NULL || unlikely(req->actual =3D=3D 0)) {
+ mmdrop(priv->mm);
 kfree(req->buf);
 kfree(priv->to_free);
 kfree(priv);
@@ -540,6 +547,7 @@ static ssize_t ep_aio(struct kiocb *iocb,
 get_ep(epdata);
 priv->epdata =3D epdata;
 priv->actual =3D 0;
+ mmgrab(priv->mm);
 priv->mm =3D current->mm; /* mm teardown waits for iocbs in exit_aio() */
=20
 /* each kiocb is coupled to one usb_request, but we can't
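Review bot: Both arms of the new `if (mmget_not_zero(mm))` end by forcing `ret` to `-EFAULT`, which duplicates the fallback the original expressed once. Initialising the declaration as `size_t ret = 0;`, dropping the inner `if (!ret)` and the `else` arm, and keeping a single `if (!ret) ret = -EFAULT;` after the block gives the same result with less nesting. Placing `mmdrop(mm);` before `ki_complete()` keeps the existing "don't touch mm after" comment accurate, which is worth preserving. ep_user_copy_worker starts before and ends after this hunk.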
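Review bot: `mmdrop(priv->mm);` runs with `epdata->dev->lock` held and, as far as I can tell, from the USB request completion callback, which is commonly interrupt context; when it releases the last mm_count reference, `__mmdrop()` tears down the page tables and related state, and I would want confirmation that doing so here is acceptable (the scheduler deliberately uses mmdrop_sched() on PREEMPT_RT to avoid that). If it is not, save the pointer in a local such as `struct mm_struct *mm = priv->mm;` before `kfree(priv);` and call `mmdrop(mm);` after `spin_unlock(&epdata->dev->lock);`; holding the reference makes that safe even after `ki_complete()`. ep_aio_complete starts before and ends after this hunk.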
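Review bot: `mmgrab(priv->mm);` is executed one line before `priv->mm = current->mm;` is assigned, so it increments the count of whatever `priv->mm` held beforehand; if the caller zero-allocates `priv`, as I would expect, that is a NULL dereference on every aio submission. Swap the two lines: `priv->mm = current->mm;` followed by `mmgrab(priv->mm);`. Since the driver now holds its own reference, the trailing comment `/* mm teardown waits for iocbs in exit_aio() */` no longer explains why the pointer stays valid and could instead say that the reference is dropped in ep_aio_complete(), ep_user_copy_worker() or at the fail label. ep_aio starts before and ends after this hunk.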
@@ -570,6 +578,7 @@ static ssize_t ep_aio(struct kiocb *iocb,
=20
 fail:
 spin_unlock_irq(&epdata->dev->lock);
+ mmdrop(priv->mm);
 kfree(priv->to_free);
 kfree(priv);
 put_ep(epdata);
--=20
2.54.0