Re: Oops when rebinding f_hid while /dev/hidg* is still opened

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Michael Zimmermann <sigmaepsilon92@gmail.com>
Cc: linux-usb@vger.kernel.org
Subject: Re: Oops when rebinding f_hid while /dev/hidg* is still opened
Date: Tue, 24 Mar 2026 16:28:16 +0100	[thread overview]
Message-ID: <2026032431-chance-dodge-6b6e@gregkh> (raw)
In-Reply-To: <CAN9vWD+N6K4VExNgnhp=amfBDJTFN9Sz156qsy550dP-d1S9Qw@mail.gmail.com>

On Mon, Mar 23, 2026 at 06:11:27PM +0100, Michael Zimmermann wrote:
> > This bug has happened a lot on many gadget drivers, I think we fixed a
> > bunch of them already, can you verify this is still an issue on the
> > latest 7.0-rc4 or 6.19.y kernel release (6.17 is very old and obsolete
> > and insecure, don't run that thing...)
> 
> Apparently, Fedora updates their images very rarely and they need a
> package manager update, sorry about that.
> 
> I now tested it 6.19.8-200.fc43.aarch64 and the bug is still there. I
> then switched to testing with buildroot, because that makes it easier
> to test different kernel versions. There, the behavior is a bit
> different but there's still a bug: Instead of immediately triggering
> an oops, everything appears fine on the first run of my script. But on
> the second run I see this:
> [   81.514126] refcount_t: underflow; use-after-free.

Ok, something is not being initialized again properly.

Take a look at the patch series at commit 41f71deda1c1 ("Merge patch
series "usb: gadget: Refactor function drivers to use __free()
cleanup"")

Perhaps something like commit 42988380ac67 ("usb: gadget: f_ecm:
Refactor bind path to use __free()") should be done for the f_hid
driver?  Can you work on that as you have a way to test this well, or do
you want a patch to test?

thanks,

greg k-h

next prev parent reply	other threads:[~2026-03-24 15:28 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-22 14:01 Oops when rebinding f_hid while /dev/hidg* is still opened Michael Zimmermann
2026-03-23 11:00 ` Greg Kroah-Hartman
2026-03-23 17:11   ` Michael Zimmermann
2026-03-24 15:28     ` Greg Kroah-Hartman [this message]
2026-03-24 19:56       ` Michael Zimmermann
2026-03-27 18:46         ` Michael Zimmermann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026032431-chance-dodge-6b6e@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=sigmaepsilon92@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox