From nobody Thu Apr 16 03:47:28 2026
Received: from zg8tmja2lje4os4yms4ymjma.icoremail.net
 (zg8tmja2lje4os4yms4ymjma.icoremail.net [206.189.21.223])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 3DB202FF641;
	Tue,  3 Mar 2026 07:35:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=206.189.21.223
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772523358; cv=none;
 b=km+jayQmU9+jNQra+E5W1Bnm+bQ/V9LkKvRqZVNZST3KkridZQEr7fHZ1VCSlojwpxfMCiECKXFGyWdcgmVTDbQrrG7cExpXHBs6n8OLWsfpg0s1Pkd+7X8F7/gWgIoUBf5+n9IFOwcxf1tGmuRfm4lf9C2eNcurRy1ZPCLUJ7Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772523358; c=relaxed/simple;
	bh=6RkYdmxbx+pPZJYPNhL0TiA+j/uhNhn1kXS00ieT6qM=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=abdFNH1N3Q+lRK3TTaVxY9cio7FgxxLohg/jvL7RgnU31bKQGVAGhaANIyYx8EhpwFdjDAS2Hr8tGNQfSVUXpvl7BBEU1/WqH8JEeG8Y9JGfgPR9zW73n17XHWPXFXORRicSGV61/AcZn7JNzhmI3xr8PuQs074QqKRi9ahdXgw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=zju.edu.cn;
 spf=pass smtp.mailfrom=zju.edu.cn; arc=none smtp.client-ip=206.189.21.223
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=zju.edu.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=zju.edu.cn
Received: from zju.edu.cn (unknown [10.98.66.117])
	by mtasvr (Coremail) with SMTP id _____wA3UIZKj6ZpXW79AA--.4295S3;
	Tue, 03 Mar 2026 15:35:39 +0800 (CST)
Received: from localhost.localdomain (unknown [10.98.66.117])
	by mail-app2 (Coremail) with SMTP id zC_KCgDnSz5Jj6Zpg3EXBg--.6544S2;
	Tue, 03 Mar 2026 15:35:38 +0800 (CST)
From: Fan Wu <fanwu01@zju.edu.cn>
To: yoshihiro.shimoda.uh@renesas.com,
	stern@rowland.harvard.edu,
	gregkh@linuxfoundation.org
Cc: claudiu.beznea.uj@bp.renesas.com,
	prabhakar.mahadev-lad.rj@bp.renesas.com,
	kuninori.morimoto.gx@renesas.com,
	geert+renesas@glider.be,
	linux-usb@vger.kernel.org,
	linux-renesas-soc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Fan Wu <fanwu01@zju.edu.cn>
Subject: [PATCH v2] usb: renesas_usbhs: fix use-after-free in ISR during
 device removal
Date: Tue,  3 Mar 2026 07:33:44 +0000
Message-Id: <20260303073344.34577-1-fanwu01@zju.edu.cn>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <db402599-e105-45d7-82b1-0216b6f5e729@rowland.harvard.edu>
References: <db402599-e105-45d7-82b1-0216b6f5e729@rowland.harvard.edu>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-CM-TRANSID: zC_KCgDnSz5Jj6Zpg3EXBg--.6544S2
X-CM-SenderInfo: qrstjiaswqq6lmxovvfxof0/
X-CM-DELIVERINFO: 
 =?B?aYjHSgXKKxbFmtjJiESix3B1w3vZ3A9ovKVTomAyoQazvoRs/NHSP8GI2EvgeEEW7R
	sfncp7Oa4RjKRyNF7NkJaR8oIeD53r/O4AKTiBwD/dtqtv2NTNgAaF/ubij9N4b2NUrcwH
	/wVBClYzN2bJohOYX+0=
X-Coremail-Antispam: 1Uk129KBj93XoW7ArWUAw4xuFy5Jw1UZr15ZFc_yoW8tw1xpr
	W8Gay5GrW0qr1j9F43Aw48ZF1ruanYgrWUu3s2k3yfZw1aya4DAr1F9a4jgFy5A3srtanF
	krnay3Wrua4DCrXCm3ZEXasCq-sJn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7KY7ZEXa
	sCq-sGcSsGvfJ3Ic02F40EFcxC0VAKzVAqx4xG6I80ebIjqfuFe4nvWSU5nxnvy29KBjDU
	0xBIdaVrnRJUUUP0b4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2
	IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48v
	e4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI
	0_Gr1j6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AK
	xVW0oVCq3wAac4AC62xK8xCEY4vEwIxC4wAS0I0E0xvYzxvE52x082IY62kv0487Mc804V
	CY07AIYIkI8VC2zVCFFI0UMc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AK
	xVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48Icx
	kI7VAKI48JM4x0Y48IcxkI7VAKI48G6xCjnVAKz4kxM4IIrI8v6xkF7I0E8cxan2IY04v7
	MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr
	0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0E
	wIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWUJV
	W8JwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAI
	cVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7IU85l1PUUUUU==
Content-Type: text/plain; charset="utf-8"

In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.

Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.

Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
---

v2:
  - Replace disable_irq() with devm_free_irq() as suggested by
    Alan Stern. While disable_irq() only masks the interrupt line,
    devm_free_irq() (via free_irq()) implicitly calls synchronize_irq()
    to wait for any in-progress handler to complete, and also ensures
    the interrupt is fully unregistered. This prevents both future
    interrupts and pending handlers from accessing freed resources.
  - Verified the fix in a QEMU environment with KASAN enabled.
    By injecting a delay in usbhs_remove() and using a high-frequency
    timer to simulate concurrent ISR execution, the original UAF
    report was reliably reproduced and is now confirmed to be
    eliminated with this patch.

 drivers/usb/renesas_usbhs/common.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs=
/common.c
index cf4a0367d6d6..8c93bde4b816 100644
--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -815,6 +815,15 @@ static void usbhs_remove(struct platform_device *pdev)
=20
 	usbhs_platform_call(priv, hardware_exit, pdev);
 	reset_control_assert(priv->rsts);
+
+	/*
+	 * Explicitly free the IRQ to ensure the interrupt handler is
+	 * disabled and synchronized before freeing resources.
+	 * devm_free_irq() calls free_irq() which waits for any running
+	 * ISR to complete, preventing UAF.
+	 */
+	devm_free_irq(&pdev->dev, priv->irq, priv);
+
 	usbhs_mod_remove(priv);
 	usbhs_fifo_remove(priv);
 	usbhs_pipe_remove(priv);
--=20
2.34.1