Re: [PATCH] USB: serial: opticon: fix UAF in write callback during port removal
From: Johan Hovold
Date: Tue Mar 10 2026 - 04:57:23 EST
On Mon, Mar 09, 2026 at 02:27:57PM +0000, Fan Wu wrote:
> The opticon driver anchors write URBs to priv->anchor in opticon_write()
> and frees priv in opticon_port_remove() without first killing these
> anchored URBs. The completion callback opticon_write_control_callback()
> may dereference priv via usb_get_serial_port_data() and access
> priv->lock, priv->outstanding_urbs, and priv->outstanding_bytes after
> it has been freed.
>
> If a write URB is in flight when the port is removed:
>
> CPU 0 (remove path)            CPU 1 (URB completion)
> ---------------------          ---------------------
> opticon_port_remove()
>   kfree(priv)         <--+
>                          |  --> opticon_write_control_callback()
>                          |        priv = usb_get_serial_port_data()
>                          |        spin_lock_irqsave(&priv->lock)
>                          |        --priv->outstanding_urbs  // possible UAF
>   return                 |
>   usb_free_urb()
This cannot happen as ports are always shut down before being
deregistered (see usb_serial_disconnect()).
It used to be possible to trigger something like this by manually
unbinding a port device through sysfs as root but even that's no longer
possible since commit fdb838efa31e ("USB: serial: suppress driver bind
attributes").
> Fix this by calling usb_kill_anchored_urbs(&priv->anchor) before
> kfree(priv) so that all in-flight URBs have finished before the private
> data is freed.
>
> Note that opticon_close() already correctly kills anchored URBs; this
> fix addresses the port_remove path which was overlooked.
>
> Fixes: 648d4e16567e ("USB: serial: opticon: add write support")
> Signed-off-by: Fan Wu <fanwu01@xxxxxxxxxx>
How was this potential issue found? Are you using some kind of LLM or
other tool?
Johan