[PATCH v2 0/2] USB: gadget: fix mm lifetime use-after-free in async read paths
From: Gabriel Prostitis via B4 Relay
Date: Mon Jun 01 2026 - 02:44:50 EST
There is a use-after-free in the USB gadget FunctionFS and legacy
GadgetFS asynchronous read paths. Both implementations store
current->mm in per-request state without taking a reference, and
later use it in a workqueue context via kthread_use_mm().

If the submitting task exits before the USB request completes,
the stored mm_struct may be freed while a pending request still
references it, leading to a use-after-free.

The issue affects:
- FunctionFS: drivers/usb/gadget/function/f_fs.c
- GadgetFS legacy: drivers/usb/gadget/legacy/inode.c

Fix this by taking a reference to mm_struct with mmgrab() when
queueing the request and releasing it with mmdrop() after
completion. Before using the saved mm_struct, acquire a temporary
reference with mmget_not_zero() to ensure it is still alive.

The issue can be triggered by submitting asynchronous reads on
OUT endpoints (e.g. via io_uring for FunctionFS) and exiting the
submitting task before completion. This may result in memory
corruption in the address space of another process if the freed
mm_struct is reclaimed during the race window.

KASAN reports confirm use-after-free in the workqueue completion
path when accessing the stale mm_struct.

Signed-off-by: Gabriel Prostitis <prostitisgabriel@xxxxxxxxx>
---
Changes in v2:
- Fix swapped lines in drivers/usb/gadget/legacy/inode.c
- Link to v1: https://patch.msgid.link/20260531-mm-uaf-fix-v1-0-91571cc6ca46@xxxxxxxxx
To: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: linux-usb@xxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
---
Gabriel Prostitis (2):
      USB: gadget: ffs: fix mm lifetime handling
      USB: gadget: inode: fix mm lifetime handling

 drivers/usb/gadget/function/f_fs.c | 27 ++++++++++++++++++++-------
 drivers/usb/gadget/legacy/inode.c  | 17 +++++++++++++----
 2 files changed, 33 insertions(+), 11 deletions(-)
---
base-commit: 22d91cef94b5b86cff0d68ebfce7741740672704
change-id: 20260531-mm-uaf-fix-91d9dacac692
Best regards,
--
Gabriel Prostitis <prostitisgabriel@xxxxxxxxx>
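
The lifetime rule described in the cover letter, as an added userspace model in C (not code from this patch series or from the kernel). The `model_*` functions, the `freed` flag and the `outcome` enum are hypothetical stand-ins; `mm_users` and `mm_count` play the roles of the kernel's address-space and struct reference counts.

```c
#include <stdbool.h>
/* Userspace model (assumption, not kernel code): mm_users counts users of
 * the address space; mm_count pins the mm_struct memory itself. */
struct model_mm { int mm_users, mm_count; bool freed; };
enum outcome { COPIED, SKIPPED, STALE_MM };

static void model_mmgrab(struct model_mm *mm) { mm->mm_count++; }

static void model_mmdrop(struct model_mm *mm)
{
    if (--mm->mm_count == 0)
        mm->freed = true;              /* stands in for freeing the struct */
}

static bool model_mmget_not_zero(struct model_mm *mm)
{
    if (mm->mm_users == 0)
        return false;                  /* address space already torn down */
    mm->mm_users++;
    return true;
}

static void model_mmput(struct model_mm *mm)
{
    if (--mm->mm_users == 0)
        model_mmdrop(mm);              /* last user gone: drop the users' pin */
}

/* One async read; exit_first means the submitter exits before completion. */
static enum outcome model_async_read(bool patched, bool exit_first)
{
    struct model_mm mm = { .mm_users = 1, .mm_count = 1, .freed = false };
    enum outcome res = SKIPPED;
    if (patched)
        model_mmgrab(&mm);             /* queue time: pin the saved pointer */
    if (exit_first)
        model_mmput(&mm);              /* submitting task exits */
    if (mm.freed)
        return STALE_MM;               /* worker would touch freed memory */
    if (!patched)
        return COPIED;                 /* unpatched path uses mm unconditionally */
    if (model_mmget_not_zero(&mm)) {   /* worker: address space still alive? */
        res = COPIED;                  /* kthread_use_mm() and the copy go here */
        model_mmput(&mm);
    }
    model_mmdrop(&mm);                 /* completion: release queue-time pin */
    return res;
}

int main(void) { return model_async_read(true, true) == SKIPPED ? 0 : 1; }
```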