From: Johan Hovold <johan@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Vladimir Zapolskiy <vz@mleia.com>,
Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com>,
Alan Stern <stern@rowland.harvard.edu>,
Ma Ke <make24@iscas.ac.cn>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
Johan Hovold <johan@kernel.org>,
stable@vger.kernel.org
Subject: [PATCH v2 2/5] usb: phy: isp1301: fix non-OF device reference imbalance
Date: Thu, 18 Dec 2025 16:35:16 +0100 [thread overview]
Message-ID: <20251218153519.19453-3-johan@kernel.org> (raw)
In-Reply-To: <20251218153519.19453-1-johan@kernel.org>
A recent change fixing a device reference leak in a UDC driver
introduced a potential use-after-free in the non-OF case as the
isp1301_get_client() helper only increases the reference count for the
returned I2C device in the OF case.
Increment the reference count also for non-OF so that the caller can
decrement it unconditionally.
Note that this is inherently racy just as using the returned I2C device
is since nothing is preventing the PHY driver from being unbound while
in use.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/usb/phy/phy-isp1301.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/phy/phy-isp1301.c b/drivers/usb/phy/phy-isp1301.c
index f9b5c411aee4..2940f0c84e1b 100644
--- a/drivers/usb/phy/phy-isp1301.c
+++ b/drivers/usb/phy/phy-isp1301.c
@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(struct device_node *node)
return client;
/* non-DT: only one ISP1301 chip supported */
- return isp1301_i2c_client;
+ if (isp1301_i2c_client) {
+ get_device(&isp1301_i2c_client->dev);
+ return isp1301_i2c_client;
+ }
+
+ return NULL;
}
EXPORT_SYMBOL_GPL(isp1301_get_client);
--
2.51.2
next prev parent reply other threads:[~2025-12-18 15:37 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20251218153519.19453-1-johan@kernel.org>
2025-12-18 15:35 ` [PATCH v2 1/5] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Johan Hovold
2025-12-19 0:11 ` Vladimir Zapolskiy
2025-12-18 15:35 ` Johan Hovold [this message]
2025-12-19 0:15 ` [PATCH v2 2/5] usb: phy: isp1301: fix non-OF device reference imbalance Vladimir Zapolskiy
2025-12-19 6:20 ` Johan Hovold
2025-12-18 15:35 ` [PATCH v2 3/5] usb: ohci-nxp: fix device leak on probe failure Johan Hovold
2025-12-18 15:52 ` Alan Stern
2025-12-19 0:19 ` Vladimir Zapolskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251218153519.19453-3-johan@kernel.org \
--to=johan@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=make24@iscas.ac.cn \
--cc=piotr.wojtaszczyk@timesys.com \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=vz@mleia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox