* [PATCH] usb: core: port: Deattach Type-C connector on component unbind
@ 2026-06-11 7:12 Chia-Lin Kao (AceLan)
2026-07-02 2:26 ` AceLan Kao
0 siblings, 1 reply; 3+ messages in thread
From: Chia-Lin Kao (AceLan) @ 2026-06-11 7:12 UTC (permalink / raw)
To: Greg Kroah-Hartman, Xu Yang, Sean Rhodes, Kees Cook,
Heikki Krogerus, linux-usb, linux-kernel
connector_unbind() is the mirror of connector_bind(), but it is missing
the symmetric call to typec_deattach() that connector_bind() makes via:
if (port_dev->child)
typec_attach(port_dev->connector, &port_dev->child->dev);
When a Thunderbolt dock is unplugged, two teardown paths race:
1. The component framework calls connector_unbind() first, which sets
port_dev->connector = NULL without calling typec_deattach(). This
leaves port->usb2_dev/port->usb3_dev in struct typec_port pointing at
the USB device that is about to be freed.
2. usb_disconnect() then calls typec_deattach(port_dev->connector, ...),
but port_dev->connector is already NULL, so the call is a no-op and
port->usb2_dev is never cleared.
3. Concurrently, UCSI detects a PD partner-disconnect event and calls
typec_unregister_partner(), which reads port->usb2_dev (now a dangling
pointer to freed memory) and passes it to typec_partner_unlink_device()
-> sysfs_remove_link() -> dev_name() on the freed device, corrupting
the typec/UCSI partner state.
This corruption leaves the Thunderbolt tunnel in an inconsistent state on
the next dock hot-plug. On affected hardware the dock's I225/igc NIC fails
to enumerate: AER fires a slot reset while the igc driver is still
initialising ("PCIe link lost"), and the subsequent igc_reset attempt hits
igc_rd32 on an already-detached device:
igc 0000:2e:00.0 eth0: PCIe link lost, device now detached
igc: Failed to read reg 0x0!
WARNING: CPU: 9 PID: 129 at drivers/net/ethernet/intel/igc/igc_main.c:7005
igc_rd32+0xa4/0xc0 [igc]
Call Trace:
igc_disable_pcie_master+0x16/0xa0 [igc]
igc_reset_hw_base+0x14/0x170 [igc]
igc_reset+0x63/0x110 [igc]
igc_io_slot_reset+0x9e/0xd0 [igc]
report_slot_reset+0x5d/0xc0
pcie_do_recovery+0x209/0x400
aer_isr_one_error_type+0x235/0x430
aer_isr+0x4e/0x80
irq_thread+0xf4/0x1f0
4. UCSI later handles the PD partner-disconnect and calls
typec_unregister_partner(), which still sees the stale port->usb2_dev
and tries to remove its sysfs link a second time:
kernfs: can not remove 'typec', no directory
WARNING: CPU: 6 PID: 55 at fs/kernfs/dir.c:1706 kernfs_remove_by_name_ns+0xe9/0xf0
Workqueue: events ucsi_handle_connector_change [typec_ucsi]
Call Trace:
sysfs_remove_link+0x19/0x50
typec_unregister_partner+0x6e/0x120 [typec]
ucsi_unregister_partner+0x107/0x150 [typec_ucsi]
ucsi_handle_connector_change+0x3ec/0x490 [typec_ucsi]
process_one_work+0x18e/0x3e0
worker_thread+0x2e3/0x420
kthread+0x10a/0x230
ret_from_fork+0x121/0x140
ret_from_fork_asm+0x1a/0x30
With worse timing the same stale pointer is dereferenced after the
backing memory is freed, turning the warning into a use-after-free.
Fix the asymmetry: call typec_deattach() before clearing
port_dev->connector, matching what connector_bind() does on the bind side.
typec_partner_deattach() is already protected by port->partner_link_lock,
so it serialises safely with the concurrent typec_unregister_partner() path.
Fixes: 11110783f5ea ("usb: Inform the USB Type-C class about enumerated devices")
Cc: stable@vger.kernel.org
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
---
drivers/usb/core/port.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c
index b1364f0c384ce..b4452b665f591 100644
--- a/drivers/usb/core/port.c
+++ b/drivers/usb/core/port.c
@@ -740,6 +740,8 @@ static void connector_unbind(struct device *dev, struct device *connector, void
sysfs_remove_link(&connector->kobj, dev_name(dev));
sysfs_remove_link(&dev->kobj, "connector");
+ if (port_dev->child)
+ typec_deattach(port_dev->connector, &port_dev->child->dev);
port_dev->connector = NULL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] usb: core: port: Deattach Type-C connector on component unbind
2026-06-11 7:12 [PATCH] usb: core: port: Deattach Type-C connector on component unbind Chia-Lin Kao (AceLan)
@ 2026-07-02 2:26 ` AceLan Kao
2026-07-02 5:50 ` Greg Kroah-Hartman
0 siblings, 1 reply; 3+ messages in thread
From: AceLan Kao @ 2026-07-02 2:26 UTC (permalink / raw)
To: Greg Kroah-Hartman, Xu Yang, Sean Rhodes, Kees Cook,
Heikki Krogerus, linux-usb, linux-kernel
Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> 於 2026年6月11日週四 下午3:12寫道:
>
> connector_unbind() is the mirror of connector_bind(), but it is missing
> the symmetric call to typec_deattach() that connector_bind() makes via:
>
> if (port_dev->child)
> typec_attach(port_dev->connector, &port_dev->child->dev);
>
> When a Thunderbolt dock is unplugged, two teardown paths race:
>
> 1. The component framework calls connector_unbind() first, which sets
> port_dev->connector = NULL without calling typec_deattach(). This
> leaves port->usb2_dev/port->usb3_dev in struct typec_port pointing at
> the USB device that is about to be freed.
>
> 2. usb_disconnect() then calls typec_deattach(port_dev->connector, ...),
> but port_dev->connector is already NULL, so the call is a no-op and
> port->usb2_dev is never cleared.
>
> 3. Concurrently, UCSI detects a PD partner-disconnect event and calls
> typec_unregister_partner(), which reads port->usb2_dev (now a dangling
> pointer to freed memory) and passes it to typec_partner_unlink_device()
> -> sysfs_remove_link() -> dev_name() on the freed device, corrupting
> the typec/UCSI partner state.
>
> This corruption leaves the Thunderbolt tunnel in an inconsistent state on
> the next dock hot-plug. On affected hardware the dock's I225/igc NIC fails
> to enumerate: AER fires a slot reset while the igc driver is still
> initialising ("PCIe link lost"), and the subsequent igc_reset attempt hits
> igc_rd32 on an already-detached device:
>
> igc 0000:2e:00.0 eth0: PCIe link lost, device now detached
> igc: Failed to read reg 0x0!
> WARNING: CPU: 9 PID: 129 at drivers/net/ethernet/intel/igc/igc_main.c:7005
> igc_rd32+0xa4/0xc0 [igc]
> Call Trace:
> igc_disable_pcie_master+0x16/0xa0 [igc]
> igc_reset_hw_base+0x14/0x170 [igc]
> igc_reset+0x63/0x110 [igc]
> igc_io_slot_reset+0x9e/0xd0 [igc]
> report_slot_reset+0x5d/0xc0
> pcie_do_recovery+0x209/0x400
> aer_isr_one_error_type+0x235/0x430
> aer_isr+0x4e/0x80
> irq_thread+0xf4/0x1f0
>
> 4. UCSI later handles the PD partner-disconnect and calls
> typec_unregister_partner(), which still sees the stale port->usb2_dev
> and tries to remove its sysfs link a second time:
>
> kernfs: can not remove 'typec', no directory
> WARNING: CPU: 6 PID: 55 at fs/kernfs/dir.c:1706 kernfs_remove_by_name_ns+0xe9/0xf0
> Workqueue: events ucsi_handle_connector_change [typec_ucsi]
> Call Trace:
> sysfs_remove_link+0x19/0x50
> typec_unregister_partner+0x6e/0x120 [typec]
> ucsi_unregister_partner+0x107/0x150 [typec_ucsi]
> ucsi_handle_connector_change+0x3ec/0x490 [typec_ucsi]
> process_one_work+0x18e/0x3e0
> worker_thread+0x2e3/0x420
> kthread+0x10a/0x230
> ret_from_fork+0x121/0x140
> ret_from_fork_asm+0x1a/0x30
>
> With worse timing the same stale pointer is dereferenced after the
> backing memory is freed, turning the warning into a use-after-free.
>
> Fix the asymmetry: call typec_deattach() before clearing
> port_dev->connector, matching what connector_bind() does on the bind side.
> typec_partner_deattach() is already protected by port->partner_link_lock,
> so it serialises safely with the concurrent typec_unregister_partner() path.
>
> Fixes: 11110783f5ea ("usb: Inform the USB Type-C class about enumerated devices")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
> ---
> drivers/usb/core/port.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c
> index b1364f0c384ce..b4452b665f591 100644
> --- a/drivers/usb/core/port.c
> +++ b/drivers/usb/core/port.c
> @@ -740,6 +740,8 @@ static void connector_unbind(struct device *dev, struct device *connector, void
>
> sysfs_remove_link(&connector->kobj, dev_name(dev));
> sysfs_remove_link(&dev->kobj, "connector");
> + if (port_dev->child)
> + typec_deattach(port_dev->connector, &port_dev->child->dev);
> port_dev->connector = NULL;
> }
>
> --
> 2.53.0
>
Hi,
Just a gentle ping, please help to review this path.
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] usb: core: port: Deattach Type-C connector on component unbind
2026-07-02 2:26 ` AceLan Kao
@ 2026-07-02 5:50 ` Greg Kroah-Hartman
0 siblings, 0 replies; 3+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 5:50 UTC (permalink / raw)
To: AceLan Kao
Cc: Xu Yang, Sean Rhodes, Kees Cook, Heikki Krogerus, linux-usb,
linux-kernel
On Thu, Jul 02, 2026 at 10:26:39AM +0800, AceLan Kao wrote:
> Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> 於 2026年6月11日週四 下午3:12寫道:
> >
> > connector_unbind() is the mirror of connector_bind(), but it is missing
> > the symmetric call to typec_deattach() that connector_bind() makes via:
> >
> > if (port_dev->child)
> > typec_attach(port_dev->connector, &port_dev->child->dev);
> >
> > When a Thunderbolt dock is unplugged, two teardown paths race:
> >
> > 1. The component framework calls connector_unbind() first, which sets
> > port_dev->connector = NULL without calling typec_deattach(). This
> > leaves port->usb2_dev/port->usb3_dev in struct typec_port pointing at
> > the USB device that is about to be freed.
> >
> > 2. usb_disconnect() then calls typec_deattach(port_dev->connector, ...),
> > but port_dev->connector is already NULL, so the call is a no-op and
> > port->usb2_dev is never cleared.
> >
> > 3. Concurrently, UCSI detects a PD partner-disconnect event and calls
> > typec_unregister_partner(), which reads port->usb2_dev (now a dangling
> > pointer to freed memory) and passes it to typec_partner_unlink_device()
> > -> sysfs_remove_link() -> dev_name() on the freed device, corrupting
> > the typec/UCSI partner state.
> >
> > This corruption leaves the Thunderbolt tunnel in an inconsistent state on
> > the next dock hot-plug. On affected hardware the dock's I225/igc NIC fails
> > to enumerate: AER fires a slot reset while the igc driver is still
> > initialising ("PCIe link lost"), and the subsequent igc_reset attempt hits
> > igc_rd32 on an already-detached device:
> >
> > igc 0000:2e:00.0 eth0: PCIe link lost, device now detached
> > igc: Failed to read reg 0x0!
> > WARNING: CPU: 9 PID: 129 at drivers/net/ethernet/intel/igc/igc_main.c:7005
> > igc_rd32+0xa4/0xc0 [igc]
> > Call Trace:
> > igc_disable_pcie_master+0x16/0xa0 [igc]
> > igc_reset_hw_base+0x14/0x170 [igc]
> > igc_reset+0x63/0x110 [igc]
> > igc_io_slot_reset+0x9e/0xd0 [igc]
> > report_slot_reset+0x5d/0xc0
> > pcie_do_recovery+0x209/0x400
> > aer_isr_one_error_type+0x235/0x430
> > aer_isr+0x4e/0x80
> > irq_thread+0xf4/0x1f0
> >
> > 4. UCSI later handles the PD partner-disconnect and calls
> > typec_unregister_partner(), which still sees the stale port->usb2_dev
> > and tries to remove its sysfs link a second time:
> >
> > kernfs: can not remove 'typec', no directory
> > WARNING: CPU: 6 PID: 55 at fs/kernfs/dir.c:1706 kernfs_remove_by_name_ns+0xe9/0xf0
> > Workqueue: events ucsi_handle_connector_change [typec_ucsi]
> > Call Trace:
> > sysfs_remove_link+0x19/0x50
> > typec_unregister_partner+0x6e/0x120 [typec]
> > ucsi_unregister_partner+0x107/0x150 [typec_ucsi]
> > ucsi_handle_connector_change+0x3ec/0x490 [typec_ucsi]
> > process_one_work+0x18e/0x3e0
> > worker_thread+0x2e3/0x420
> > kthread+0x10a/0x230
> > ret_from_fork+0x121/0x140
> > ret_from_fork_asm+0x1a/0x30
> >
> > With worse timing the same stale pointer is dereferenced after the
> > backing memory is freed, turning the warning into a use-after-free.
> >
> > Fix the asymmetry: call typec_deattach() before clearing
> > port_dev->connector, matching what connector_bind() does on the bind side.
> > typec_partner_deattach() is already protected by port->partner_link_lock,
> > so it serialises safely with the concurrent typec_unregister_partner() path.
> >
> > Fixes: 11110783f5ea ("usb: Inform the USB Type-C class about enumerated devices")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
> > ---
> > drivers/usb/core/port.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/usb/core/port.c b/drivers/usb/core/port.c
> > index b1364f0c384ce..b4452b665f591 100644
> > --- a/drivers/usb/core/port.c
> > +++ b/drivers/usb/core/port.c
> > @@ -740,6 +740,8 @@ static void connector_unbind(struct device *dev, struct device *connector, void
> >
> > sysfs_remove_link(&connector->kobj, dev_name(dev));
> > sysfs_remove_link(&dev->kobj, "connector");
> > + if (port_dev->child)
> > + typec_deattach(port_dev->connector, &port_dev->child->dev);
> > port_dev->connector = NULL;
> > }
> >
> > --
> > 2.53.0
> >
>
> Hi,
>
> Just a gentle ping, please help to review this path.
It was the merge window :(
Also, if you wish to have patches merged quicker, please provide review
comments on other patches while you wait, what is preventing that from
happening here?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-02 5:49 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11 7:12 [PATCH] usb: core: port: Deattach Type-C connector on component unbind Chia-Lin Kao (AceLan)
2026-07-02 2:26 ` AceLan Kao
2026-07-02 5:50 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox