Since early 2019, bugs in the USB drivers have been automatically reported by the USB fuzzing instance of syzbot and can be found here. A list of CVEs for some of those can be found here.
Some of the USB bugs are reported by the KMSAN fuzzing instance and can be found either here or here (via a manual search, e.g. for `kernel-usb-infoleak`).
These are the bugs that were manually reported before USB fuzzing was integrated into syzbot.
- usb/core: memory corruption due to an out-of-bounds access in usb_destroy_configuration [fix] [CVE-2017-17558]
- usb/net/zd1211rw: possible deadlock in zd_chip_disable_rxtx
- usb/sound: use-after-free in __uac_clock_find_source [fix]
- usb/sound: slab-out-of-bounds in parse_audio_unit [fix]
- usb/media/em28xx: use-after-free in dvb_unregister_frontend [fix]
- usb/media/technisat: slab-out-of-bounds in technisat_usb2_rc_query
- usb/media/tm6000: use-after-free in tm6000_read_write_usb
- usb/net/qmi_wwan: divide error in qmi_wwan_probe/usbnet_probe [fix1, fix2] [CVE-2017-16649, CVE-2017-16650]
- usb/media/uvc: slab-out-of-bounds in uvc_probe
- usb/media/em28xx: use-after-free in em28xx_dvb_fini
- usb/media/em28xx: use-after-free in v4l2_fh_init
- usb/media/pvrusb2: WARNING in pvr2_i2c_core_done/sysfs_remove_group
- usb/sound/usx2y: WARNING in usb_stream_start [fix]
- usb/net/hfa384x: WARNING in submit_rx_urb/usb_submit_urb
- usb/media/dw2102: null-ptr-deref in dvb_usb_adapter_frontend_init/tt_s2_4600_frontend_attach
- usb/net/asix: kernel hang in asix_phy_reset
- usb/media/dtt200u: use-after-free in __dvb_frontend_free [fix] [CVE-2017-16648]
- usb/media/mxl111sf: trying to register non-static key in mxl111sf_ctrl_msg
- usb/media/au0828: use-after-free in au0828_rc_unregister
- usb/input/gtco: slab-out-of-bounds in parse_hid_report_descriptor [fix] [CVE-2017-16643]
- usb/core: slab-out-of-bounds in usb_get_bos_descriptor [fix] [CVE-2017-16535]
- usb/net/asix: null-ptr-deref in asix_suspend [fix] [CVE-2017-16647]
- usb/net/rt2x00: warning in rt2800_eeprom_word_index
- usb/irda: global-out-of-bounds in irda_qos_bits_to_value
- usb/media/imon: global-out-of-bounds in imon_probe/imon_init_intf0
- usb/sound: use-after-free in snd_usb_mixer_interrupt [fix] [CVE-2017-16527]
- usb/net/rtlwifi: trying to register non-static key in rtl_c2hcmd_launcher
- usb/net/prism2usb: warning in hfa384x_usbctlxq_run/usb_submit_urb
- usb/nfs/pn533: use-after-free in pn533_send_complete
- usb/media/imon: null-ptr-deref in imon_probe [fix] [CVE-2017-16537]
- usb/net/prism2usb: warning in hfa384x_drvr_start/usb_submit_urb
- usb/net/ath6kl: GPF in ath6kl_usb_alloc_urb_from_pipe
- usb/net/ar5523: warning in ar5523_submit_rx_cmd/usb_submit_urb
- usb/media/uvc: BUG in uvc_mc_create_links/media_create_pad_link
- usb/media/v4l2: use-after-free in video_unregister_device/device_del
- usb/serial/visor: slab-out-of-bounds in palm_os_3_probe [fix on the way]
- usb/misc/usbtest: null-ptr-deref in usbtest_probe/get_endpoints [fix] [CVE-2017-16532]
- usb/misc/ims-pcu: slab-out-of-bounds in ims_pcu_parse_cdc_data [fix] [CVE-2017-16645]
- usb/serial: use-after-free in usb_serial_disconnect/__lock_acquire [fix1, fix2] [CVE-2017-16525]
- usb/misc/rio500: double-free or invalid-free in disconnect_rio
- usb/sound/caiaq: warning in init_card/usb_submit_urb [fix]
- usb/input/aiptek: warning in aiptek_open/usb_submit_urb
- usb/net/lan78xx: use-after-free in lan78xx_write_reg
- usb/media/b2c2: GPF in flexcop_usb_transfer_init
- usb/media/uvc: warning in uvc_scan_chain_forward/__list_add
- usb/sound/line6: trying to register non-static key in podhd_disconnect
- usb/sound/line6: warning in line6_start_listen/usb_submit_urb [fix]
- usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint [fix1, fix2] [CVE-2017-16538]
- usb/sound/bcd2000: warning in bcd2000_init_device [fix]
- usb/wireless/rsi_91x: use-after-free write in __run_timers
- usb/media/zr364xx: GPF in zr364xx_vidioc_querycap/strlcpy
- usb/media/stkwebcam: use-after-free in v4l2_ctrl_handler_free
- usb/media/dib0700: BUG in stk7070p_frontend_attach/symbol_put_addr [fix] [CVE-2017-16646]
- usb/sounds: slab-out-of-bounds read in snd_usb_create_streams [fix] [CVE-2017-16529]
- usb/media/hdpvr: trying to register non-static key in hdpvr_probe [fix] [CVE-2017-16644]
- usb/net/hso: warning in hso_free_net_device
- usb/net/hso: global-out-of-bounds in hso_probe
- usb/media/smsusb: use-after-free in worker_thread
- usb/storage/uas: slab-out-of-bounds in uas_probe [fix] [CVE-2017-16530]
- usb/sound/usx2y: warning in usb_stream_new/__alloc_pages_slowpath [fix]
- usb/media/pvrusb2: warning in pvr2_send_request_ex/usb_submit_urb [fix]
- usb/media/smsusb: null-ptr-deref in smsusb_init_device
- usb/media/cx231xx: null-ptr-deref in cx231xx_usb_probe [fix] [CVE-2017-16536]
- usb/net/p54: trying to register non-static key in p54_unregister_leds [fix]
- usb/core: slab-out-of-bounds read in cdc_parse_cdc_header [fix] [CVE-2017-16534]
- usb/hid: slab-out-of-bounds read in usbhid_parse [fix] [CVE-2017-16533]
- usb/core: slab-out-of-bounds in usb_set_configuration [fix] [CVE-2017-16531]
- usb/uwb: WARNING in hwarc_neep_init/usb_submit_urb [fix]
- usb/uwb: GPF in uwbd_start [fix] [CVE-2017-16526]
- usb/joystick: warnings in xpad_start_input and xpad_try_sending_next_out_packet [fix]
- usb/midi: use-after-free in snd_rawmidi_dev_seq_free [fix] [CVE-2017-16528]
- usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns [fix]
- usb/gadget: stalls in dummy_timer / usbtouch_probe [fix]
- usb/gadget: null-ptr-deref in dev_ioctl [fix]
- usb/gadget: copy_to_user called with spinlock held [fix]
- usb/gadget: potential deadlock in gadgetfs_suspend [fix]
- usb/gadget: another GPF in usb_gadget_unregister_driver [fix]
- usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask [fix]
- usb/gadget: slab-out-of-bounds write in dev_config [fix]
- usb/gadget: warning in dummy_free_request [fix]
- usb/gadget: poor checks of wTotalLength in config descriptors [fix]
- usb/gadget: use-after-free in gadgetfs_setup [fix]
- usb/gadget: GPF in usb_gadget_unregister_driver [fix]
- usb/gadget: warning in dev_config/memdup_user [fix]