* Re: [PATCH] usb: misc: yurex: fix ordering of usb_deregister_dev() and usb_set_intfdata()
2026-04-28 4:54 [PATCH] usb: misc: yurex: fix ordering of usb_deregister_dev() and usb_set_intfdata() Ginger
@ 2026-04-28 11:58 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-04-28 11:58 UTC (permalink / raw)
To: Ginger; +Cc: linux-usb, linux-kernel
On Tue, Apr 28, 2026 at 12:54:22PM +0800, Ginger wrote:
> In yurex_disconnect(), usb_set_intfdata(interface, NULL) was called
> before usb_deregister_dev(interface, &yurex_class). This opens a race
> window with usb_open() in the USB core:
>
> T0 (yurex_disconnect) T1 (usb_open)
> -------------------------- -------------------------
> usb_set_intfdata(iface, NULL) [t0]
> fops = usb_minors[minor] [t1]
> /* fops still valid here */
> usb_deregister_dev()
> usb_minors[minor] = NULL [t2]
> file->f_op->open(inode, file)
> yurex_open()
> dev = usb_get_intfdata() [t3]
> /* dev is NULL */
>
> Because t0 precedes t1 precedes t2 precedes t3, T1 can obtain the
> file_operations pointer for the device (t1, while the minor is still
> registered), then continue into yurex_open() where it calls
> usb_get_intfdata() and gets NULL back, leading to a NULL dereference.
>
> Fix the race by calling usb_deregister_dev() first, which removes the
> device from usb_minors[] before the interface data pointer is cleared.
> Concurrent usb_open() that arrives after usb_deregister_dev() returns
> will fail to look up the fops and will never reach yurex_open().
>
> Reported-by: Ginger <ginger.jzllee@gmail.com>
> Closes: https://lore.kernel.org/linux-usb/2026042718-unwieldy-dicing-626f@gregkh
> Signed-off-by: Ginger <ginger.jzllee@gmail.com>
> ---
> drivers/usb/misc/yurex.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
> index 6d03e689850a..b5484ab77e91 100644
> --- a/drivers/usb/misc/yurex.c
> +++ b/drivers/usb/misc/yurex.c
> @@ -310,11 +310,12 @@ static void yurex_disconnect(struct
> usb_interface *interface)
> int minor = interface->minor;
>
> dev = usb_get_intfdata(interface);
> - usb_set_intfdata(interface, NULL);
>
> /* give back our minor */
> usb_deregister_dev(interface, &yurex_class);
>
> + usb_set_intfdata(interface, NULL);
> +
> /* prevent more I/O from starting */
> usb_poison_urb(dev->urb);
> usb_poison_urb(dev->cntl_urb);
> --
> 2.39.5
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch is malformed (tabs converted to spaces, linewrapped, etc.)
and can not be applied. Please read the file,
Documentation/process/email-clients.rst in order to fix this.
- It looks like you did not use your "real" name for the patch on either
the Signed-off-by: line, or the From: line (both of which have to
match). Please read the kernel file,
Documentation/process/submitting-patches.rst for how to do this
correctly.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 2+ messages in thread