[PATH v2] usb: usblp: add the reset_resume function interface

[PATH v2] usb: usblp: add the reset_resume function interface

[shitao]

Add reset_resume callback to prevent premature device unbinding during
S4 (hibernation) thaw phase, which would otherwise cause usblp to require
a re-probe — a process that is slow and trigger error -517, and even
has a high probability of causing use-after-free bugs and kernel panics.

Problem:
When a USB printer(CH340S USB-to-parallel adapter ID 1a86:7584)
is connected during S4 hibernation,the following sequence occurs:

1. During thaw phase, USB core sets udev->reset_resume = 1
2. usb_resume_interface() checks for driver->reset_resume callback
3. If not implemented, interface is marked as needs_binding=1
4. usb_resume() calls unbind_marked_interfaces()
5. This forces disconnect via usb_forced_unbind_intf()
6. usblp_disconnect() immediately frees usblp structure if !usblp->used
7. However, PM subsystem still has references (usage_count > 0)
8. Subsequent PM callbacks access freed memory (0x6b6b6b6b SLAB poison)
9. Result: kernel panic in pm_op() with use-after-free

The bug manifests as:
Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b93
pc : pm_op+0x50/0x80
Call trace:
pm_op+0x50/0x80
dpm_resume+0xdc/0x200
hibernation_snapshot+0x234/0x3d8

Signed-off-by: shitao <shitao@kylinos.cn>
---
 drivers/usb/class/usblp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index 669b9e6879bf..d0e286fe7108 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -1473,6 +1473,7 @@ static struct usb_driver usblp_driver = {
 	.disconnect =	usblp_disconnect,
 	.suspend =	usblp_suspend,
 	.resume =	usblp_resume,
+	.reset_resume =	usblp_resume,
 	.id_table =	usblp_ids,
 	.dev_groups =	usblp_groups,
 	.supports_autosuspend =	1,
-- 
2.25.1

Re: [PATH v2] usb: usblp: add the reset_resume function interface

[Greg KH]

On Tue, Mar 17, 2026 at 08:56:14PM +0800, shitao wrote:
> Add reset_resume callback to prevent premature device unbinding during
> S4 (hibernation) thaw phase, which would otherwise cause usblp to require
> a re-probe — a process that is slow and trigger error -517, and even
> has a high probability of causing use-after-free bugs and kernel panics.
> 
> Problem:
> When a USB printer(CH340S USB-to-parallel adapter ID 1a86:7584)
> is connected during S4 hibernation,the following sequence occurs:
> 
> 1. During thaw phase, USB core sets udev->reset_resume = 1
> 2. usb_resume_interface() checks for driver->reset_resume callback
> 3. If not implemented, interface is marked as needs_binding=1
> 4. usb_resume() calls unbind_marked_interfaces()
> 5. This forces disconnect via usb_forced_unbind_intf()
> 6. usblp_disconnect() immediately frees usblp structure if !usblp->used
> 7. However, PM subsystem still has references (usage_count > 0)
> 8. Subsequent PM callbacks access freed memory (0x6b6b6b6b SLAB poison)
> 9. Result: kernel panic in pm_op() with use-after-free
> 
> The bug manifests as:
> Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b93
> pc : pm_op+0x50/0x80
> Call trace:
> pm_op+0x50/0x80
> dpm_resume+0xdc/0x200
> hibernation_snapshot+0x234/0x3d8
> 
> Signed-off-by: shitao <shitao@kylinos.cn>
> ---
>  drivers/usb/class/usblp.c | 1 +
>  1 file changed, 1 insertion(+)
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- It looks like you did not use your "real" name for the patch on either
  the Signed-off-by: line, or the From: line (both of which have to
  match).  Please read the kernel file,
  Documentation/process/submitting-patches.rst for how to do this
  correctly.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATH v2] usb: usblp: add the reset_resume function interface

[Alan Stern]

On Tue, Mar 17, 2026 at 08:56:14PM +0800, shitao wrote:
> Add reset_resume callback to prevent premature device unbinding during
> S4 (hibernation) thaw phase, which would otherwise cause usblp to require
> a re-probe — a process that is slow and trigger error -517, and even
> has a high probability of causing use-after-free bugs and kernel panics.
> 
> Problem:
> When a USB printer(CH340S USB-to-parallel adapter ID 1a86:7584)
> is connected during S4 hibernation,the following sequence occurs:
> 
> 1. During thaw phase, USB core sets udev->reset_resume = 1
> 2. usb_resume_interface() checks for driver->reset_resume callback
> 3. If not implemented, interface is marked as needs_binding=1
> 4. usb_resume() calls unbind_marked_interfaces()
> 5. This forces disconnect via usb_forced_unbind_intf()
> 6. usblp_disconnect() immediately frees usblp structure if !usblp->used
> 7. However, PM subsystem still has references (usage_count > 0)

How can the PM subsystem have any references to anything that is private 
to usblp?  It should hold only references to the usb_device's and 
usb_interface's embedded device structs.

> 8. Subsequent PM callbacks access freed memory (0x6b6b6b6b SLAB poison)

This should not happen at all.  It indicates there is a serious bug 
somewhere, and hiding the bug by setting the reset_resume callback will 
not fix it.

> 9. Result: kernel panic in pm_op() with use-after-free
> 
> The bug manifests as:
> Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b93
> pc : pm_op+0x50/0x80
> Call trace:
> pm_op+0x50/0x80
> dpm_resume+0xdc/0x200
> hibernation_snapshot+0x234/0x3d8

First, are you certain that setting the reset_resume callback equal to 
the resume callback is the right thing to do?  Don't printers hold some 
state information that will need to be restored after a reset?

Second, you should concentrate on fixing the invalid memory-access bug.

Alan Stern

Re: [PATH v2] usb: usblp: add the reset_resume function interface

[Oliver Neukum]

On 17.03.26 14:28, Greg KH wrote:
> On Tue, Mar 17, 2026 at 08:56:14PM +0800, shitao wrote:
>> Add reset_resume callback to prevent premature device unbinding during
>> S4 (hibernation) thaw phase, which would otherwise cause usblp to require
>> a re-probe — a process that is slow and trigger error -517, and even
>> has a high probability of causing use-after-free bugs and kernel panics.

Hi,

I am sorry but this patch is fundamentally broken. Let me explain.

Implementing reset_resume() means that a driver has to guarantee
that the device is restored to the same state it had when suspend()
was called. For a printer you cannot do that. Its state depends
on the data you sent to it before suspend() was called and that
data is gone and the driver does not understand it.

Implementing reset_resume() for usblp is basically impossible.
Instead we need to fix the issue you are seeing. Do you have
a call trace?

NACKED-BY: Oliver Neukum <oneukum@suse.com>

	Regards
		Oliver

Re: [PATH v2] usb: usblp: add the reset_resume function interface

[Oliver Neukum]

On 17.03.26 15:06, Alan Stern wrote:
> On Tue, Mar 17, 2026 at 08:56:14PM +0800, shitao wrote:

>> 9. Result: kernel panic in pm_op() with use-after-free
>>
>> The bug manifests as:
>> Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b93
>> pc : pm_op+0x50/0x80
>> Call trace:
>> pm_op+0x50/0x80
>> dpm_resume+0xdc/0x200
>> hibernation_snapshot+0x234/0x3d8
> 
> First, are you certain that setting the reset_resume callback equal to
> the resume callback is the right thing to do?  Don't printers hold some
> state information that will need to be restored after a reset?

Correct. This will not work.

However, if we take the trace seriously, it means that resume() was called
after disconnect(). That must never happen. Yet, if that happens the issue
is in the PM core, not USB.

	Regards
		Oliver

  

Re: [PATH v2] usb: usblp: add the reset_resume function interface

[Alan Stern]

On Tue, Mar 17, 2026 at 03:35:26PM +0100, Oliver Neukum wrote:
> 
> 
> On 17.03.26 15:06, Alan Stern wrote:
> > On Tue, Mar 17, 2026 at 08:56:14PM +0800, shitao wrote:
> 
> > > 9. Result: kernel panic in pm_op() with use-after-free
> > > 
> > > The bug manifests as:
> > > Unable to handle kernel paging request at virtual address 006b6b6b6b6b6b93
> > > pc : pm_op+0x50/0x80
> > > Call trace:
> > > pm_op+0x50/0x80
> > > dpm_resume+0xdc/0x200
> > > hibernation_snapshot+0x234/0x3d8
> > 
> > First, are you certain that setting the reset_resume callback equal to
> > the resume callback is the right thing to do?  Don't printers hold some
> > state information that will need to be restored after a reset?
> 
> Correct. This will not work.
> 
> However, if we take the trace seriously, it means that resume() was called
> after disconnect(). That must never happen. Yet, if that happens the issue
> is in the PM core, not USB.

In fact, it would be good to have a kernel log showing more exactly 
where the invalid request happened, what was on the call stack, and what 
device was involved.  The log extract in the patch submission doesn't 
even include any details to prove that the error was associated with 
usblp.

In general, the PM core will invoke callbacks in the USB core for device 
resume (such as usb_dev_thaw()).  usb_resume_interface() is then 
responsible for calling the driver's resume handler -- or not calling it 
if the interface's needs_binding flag is set, which is what should have 
happened here since that flag is set by usb_forced_unbind_intf().

Alan Stern