From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 799F13537E0 for ; Mon, 27 Apr 2026 08:11:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.20 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777277474; cv=none; b=l/aKg5+A2IMyEInyCUTEN7IjWLYdib7ZcCtLhG4JotpLy1gnRkk7CFH6CIzuhv/fohb4gOlRkd/kxXH/HBOKwvRwEHb68qkGqnXoyZD4Lk3gS/mec7VG1GnPj1dqxiN+lok4+q5C/MujKRFIzE/mqzo93pXO4MddklDxZrXEpXQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777277474; c=relaxed/simple; bh=OV6cXHsKhht9PRauGZoERydqDgxANolu7NVs0q+CPHM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=e3R8rDYqSxdkXTldv/+fEQH0XXX+GVlwt6wLmBYTtR7SH0f2zNk9bo2ucfeLPeJZ2wzvskcQTEj+Bl+i7Xpx8n5DePdFgbsJkoqHKjTPbHtZVOUrqS640UqFodT503y5gMakB5cRZP16qIQN+10RAz9YKBu5m8YrBZmP40BXENw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=pass smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=Y3xgmFOj; arc=none smtp.client-ip=198.175.65.20 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="Y3xgmFOj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1777277472; x=1808813472; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=OV6cXHsKhht9PRauGZoERydqDgxANolu7NVs0q+CPHM=; b=Y3xgmFOjUP0M8h9sI7y815miGZkzoyQ0Iss+Wohy32KYhlsKNJRY0Sfr ybCQqxb+XDLaw8tNrzHZ17Kuc9yy6EfKh0m0dT+v8UTFA1BhM7mH4YegI l9yF4LHBCnPIAcWK/ZH/ZfsdwbTENxtOO5Wamuz453yemzTu6bSPeEk/Y cM4zWBa4kqS1JRAdw3RU4WJlvcVggyRXZ32jE+CCd6p55o6Lq8jE8moMS Q+bNSISMHeM2nI5MyL67r6fgjHhZy2l/W6Xh87LSXPePEOjutrpayp/jL qm4A//oqqgY/hsqqIrxJr3+fzS76gVBbHVasijSU6CvndFyvqxYYl6KLb g==; X-CSE-ConnectionGUID: FKyv1Dd1TbyUojADjsJxQQ== X-CSE-MsgGUID: vLnryVp3SE6F3hpxdc8q3A== X-IronPort-AV: E=McAfee;i="6800,10657,11768"; a="77863243" X-IronPort-AV: E=Sophos;i="6.23,201,1770624000"; d="scan'208";a="77863243" Received: from fmviesa006.fm.intel.com ([10.60.135.146]) by orvoesa112.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Apr 2026 01:11:12 -0700 X-CSE-ConnectionGUID: J9IGOfEYRJisr555R10Wag== X-CSE-MsgGUID: vp4TdiJuRbq5yJphfmyC6w== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.23,201,1770624000"; d="scan'208";a="229008928" Received: from black.igk.intel.com ([10.91.253.5]) by fmviesa006.fm.intel.com with ESMTP; 27 Apr 2026 01:11:10 -0700 Received: by black.igk.intel.com (Postfix, from userid 1001) id 741679D; Mon, 27 Apr 2026 10:11:09 +0200 (CEST) From: Mika Westerberg To: linux-usb@vger.kernel.org Cc: Yehezkel Bernat , Lukas Wunner , Andreas Noever , Alan Borzeszkowski , Gil Fine , Mika Westerberg Subject: [PATCH 04/12] thunderbolt: Keep the domain reference while processing hotplug Date: Mon, 27 Apr 2026 10:11:01 +0200 Message-ID: <20260427081109.2337731-5-mika.westerberg@linux.intel.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260427081109.2337731-1-mika.westerberg@linux.intel.com> References: <20260427081109.2337731-1-mika.westerberg@linux.intel.com> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit We process hotplug events in a workqueue that may run after the domain has been removed by tb_domain_remove(). For example if user unloads the driver while at the same time plugging a device router we may have scheduled tb_handle_hotplug() to run. Avoid possible UAF in this case by taking the domain reference before scheduling the hotplug handler in tb_queue_hotplug(). Signed-off-by: Mika Westerberg --- drivers/thunderbolt/tb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c index c69c323e6952..34b7d18cce56 100644 --- a/drivers/thunderbolt/tb.c +++ b/drivers/thunderbolt/tb.c @@ -98,7 +98,7 @@ static void tb_queue_hotplug(struct tb *tb, u64 route, u8 port, bool unplug) if (!ev) return; - ev->tb = tb; + ev->tb = tb_domain_get(tb); ev->route = route; ev->port = port; ev->unplug = unplug; @@ -2527,6 +2527,9 @@ static void tb_handle_hotplug(struct work_struct *work) pm_runtime_mark_last_busy(&tb->dev); pm_runtime_put_autosuspend(&tb->dev); + /* Undo the refcount increased in tb_queue_hotplug() */ + tb_domain_put(tb); + kfree(ev); } -- 2.50.1