From: Johan Hovold <johan@kernel.org>
To: Ulf Hansson <ulf.hansson@linaro.org>
Cc: linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org,
	Tony Olech <tony.olech@elandigitalsystems.com>
Subject: Re: [PATCH 1/4] mmc: vub300: fix NULL-deref on disconnect
Date: Tue, 31 Mar 2026 13:16:31 +0200
Message-ID: <acutD9XSXP-vrU2E@hovoldconsulting.com>
In-Reply-To: <CAPDyKFpbcn3SJrZP1SE5VPw4nxk7ct=B80=nD9k2gBdEo6EBCw@mail.gmail.com>

On Tue, Mar 31, 2026 at 01:03:39PM +0200, Ulf Hansson wrote:
> On Tue, 31 Mar 2026 at 12:32, Johan Hovold <johan@kernel.org> wrote:

> > > > @@ -2365,8 +2365,8 @@ static void vub300_disconnect(struct usb_interface *interface)
> > > >                         usb_set_intfdata(interface, NULL);
> > > >                         /* prevent more I/O from starting */
> > > >                         vub300->interface = NULL;
> > > > -                       kref_put(&vub300->kref, vub300_delete);
> > > >                         mmc_remove_host(mmc);
> > > > +                       kref_put(&vub300->kref, vub300_delete);
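
Review bot: The `vub300->interface = NULL` store just above the moved `kref_put()` is still a plain assignment made before `mmc_remove_host(mmc)`, and nothing in this hunk synchronizes it with work that may still be running; the discussion below notes that the check in vub300_pollwork_thread() would need locking. Consider saying in the commit message that this is a pre-existing issue the patch leaves alone, and adding a short comment above the moved `kref_put(&vub300->kref, vub300_delete);` explaining why the reference is dropped only after `mmc_remove_host(mmc)`, so the order is not reversed again later.
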
> > >
> > > While this seems like a step in the right direction, I don't see why
> > > calling usb_set_intfdata(interface, NULL)
> >
> > The interface data is only used in the USB bus callbacks and is not
> > needed after disconnect().
> >
> > > and assigning
> > > vub300->interface = NULL is safe.
> > >
> > > For example, some of the workqueues might be running a work that uses
> > > the vub300->interface, isn't that a problem too?
> >
> > The driver uses this pointer to indicate that the device has been
> > disconnected. That doesn't mean that the implementation is correct (e.g.
> > the check in vub300_pollwork_thread() should use some locking) but that
> > would be pre-existing issues.
> 
> Right, that was my thinking as well.
> 
> Out of curiosity, are you planning on fixing these issues too or is
> that left for later?

No, sorry, this was just something I stumbled over when addressing USB
devres issues tree wide.

Johan

Thread overview: 11+ messages
2026-03-27 10:52 [PATCH 0/4] mmc: vub300: fix NULL-deref and UAF on disconnect Johan Hovold
2026-03-27 10:52 ` [PATCH 1/4] mmc: vub300: fix NULL-deref " Johan Hovold
2026-03-31 10:13   ` Ulf Hansson
2026-03-31 10:32     ` Johan Hovold
2026-03-31 11:03       ` Ulf Hansson
2026-03-31 11:16         ` Johan Hovold [this message]
2026-03-27 10:52 ` [PATCH 2/4] mmc: vub300: fix use-after-free " Johan Hovold
2026-03-31 10:24   ` Ulf Hansson
2026-03-27 10:52 ` [PATCH 3/4] mmc: vub300: rename probe error labels Johan Hovold
2026-03-27 10:52 ` [PATCH 4/4] mmc: vub300: clean up module init Johan Hovold
2026-03-31 11:14 ` [PATCH 0/4] mmc: vub300: fix NULL-deref and UAF on disconnect Ulf Hansson