From: Junzhe Li <ginger.jzllee@gmail.com>
To: gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org
Subject: [PATCH] usb: misc: ldusb: fix ordering of usb_deregister_dev() and usb_set_intfdata()
Date: Mon, 1 Jun 2026 15:55:24 +0800
Message-ID: <20260601075524.136957-1-ginger.jzllee@gmail.com>
In ld_usb_disconnect(), usb_set_intfdata(interface, NULL) was called before
usb_deregister_dev(interface, &ld_usb_class).
This opens a race window with usb_open() in the USB core:
T0 (ld_usb_disconnect)              T1 (usb_open)
--------------------------          -------------------------
                                    fops = usb_minors[minor]        [t0]
                                    /* fops still valid here */
                                    file->f_op->open(inode, file)
                                      ld_usb_open()
                                        dev = usb_get_intfdata()    [t1]
                                        if (!dev)
                                            return -ENODEV;
usb_set_intfdata(iface, NULL)       [t2]
                                        access dev->mutex           [t3]
                                        /* dev is NULL! */
usb_deregister_dev()
  usb_minors[minor] = NULL          [t4]
Because t0 precedes t1 precedes t2 precedes t3 precedes t4, T1 can obtain
the file_operations pointer for the device (t0, while the minor is still
registered), then continue into ld_usb_open() where it calls
usb_get_intfdata() and gets NULL back, leading to a NULL dereference.
The intuition is that the global exposure to the 'usb_minors' should be
disabled first, so that subsequent nullification of the interface data
pointer can be regarded as a local cleanup.
Fix the race by calling usb_deregister_dev() first, which removes the
device from usb_minors[] before the interface data pointer is cleared.
Any concurrent usb_open() that arrives after usb_deregister_dev()
returns will fail to look up the fops and will never reach ld_usb_open().
Reported-by: Junzhe Li <ginger.jzllee@gmail.com>
Closes: https://lore.kernel.org/linux-usb/2026060157-pettiness-corporal-05eb@gregkh/
Signed-off-by: Junzhe Li <ginger.jzllee@gmail.com>
---
drivers/usb/misc/ldusb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c
index c74f142f6637..ba65de2d4808 100644
--- a/drivers/usb/misc/ldusb.c
+++ b/drivers/usb/misc/ldusb.c
@@ -756,13 +756,14 @@ static void ld_usb_disconnect(struct usb_interface *intf)
int minor;
dev = usb_get_intfdata(intf);
- usb_set_intfdata(intf, NULL);
minor = intf->minor;
/* give back our minor */
usb_deregister_dev(intf, &ld_usb_class);
+ usb_set_intfdata(intf, NULL);
+
usb_poison_urb(dev->interrupt_in_urb);
usb_poison_urb(dev->interrupt_out_urb);
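Review bot: the interleaving given in the commit message does not yield the NULL dereference it claims, so the justification for this hunk needs tightening. In the timeline, dev = usb_get_intfdata() [t1] and the if (!dev) check run before usb_set_intfdata(iface, NULL) [t2]; dev is a local copy, so clearing the interface data afterwards cannot make the dev->mutex access at [t3] see NULL. If ld_usb_open() instead runs after [t2], the existing !dev check returns -ENODEV rather than dereferencing NULL. Calling usb_deregister_dev() before usb_set_intfdata(intf, NULL) is still a reasonable ordering, since nothing can look up the minor once usb_minors[] is cleared, but the message should describe the interleaving that actually fails, and it should say how an open() that already obtained dev before usb_deregister_dev() ran is kept from racing with the usb_poison_urb() calls that follow. A one-line comment above the moved usb_set_intfdata(intf, NULL) noting that it must stay after usb_deregister_dev() would keep the order from being swapped back later.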
--
2.34.1
Thread overview: 3+ messages
2026-06-01 7:55 Junzhe Li [this message]
2026-06-01 9:28 ` [PATCH] usb: misc: ldusb: fix ordering of usb_deregister_dev() and usb_set_intfdata() Oliver Neukum
2026-06-01 14:40 ` Greg KH