From: Sanman Pradhan <psanman@juniper.net>

Fix two independent bugs in the powerz USB hwmon driver:

1. Use-after-free: After USB disconnect frees the URB, a subsequent
   sysfs read can dereference the freed pointer.
2. Missing usb_kill_urb() on signal: When
   wait_for_completion_interruptible_timeout() is interrupted by a
   signal, the in-flight URB is not cancelled.

Changes since v3:
- Patch 1/2: Split from combined patch, reword commit message,
  drop unnecessary usb_set_intfdata(NULL) calls.
- Patch 2/2: Split from combined patch, use long type for wait
  return value, split into separate signal/timeout checks.

Sanman Pradhan (2):
  hwmon: (powerz) Fix use-after-free on USB disconnect
  hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt

 drivers/hwmon/powerz.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

-- 
2.34.1

Hi Sanman,

On 2026-04-10 00:25:29+0000, Pradhan, Sanman wrote:
> Fix two independent bugs in the powerz USB hwmon driver:
> 
> 1. Use-after-free: After USB disconnect frees the URB, a subsequent
>    sysfs read can dereference the freed pointer.
> 2. Missing usb_kill_urb() on signal: When
>    wait_for_completion_interruptible_timeout() is interrupted by a
>    signal, the in-flight URB is not cancelled.
> 
> Changes since v3:
> - Patch 1/2: Split from combined patch, reword commit message,
>   drop unnecessary usb_set_intfdata(NULL) calls.
> - Patch 2/2: Split from combined patch, use long type for wait
>   return value, split into separate signal/timeout checks.
> 
> Sanman Pradhan (2):
>   hwmon: (powerz) Fix use-after-free on USB disconnect
>   hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt

Thanks! For the series:

Acked-by: Thomas Weißschuh <linux@weissschuh.net>

FYI, the cacheline issue reported by Sashiko should be fixed by this:
https://lore.kernel.org/lkml/20260408-powerz-cacheline-alias-v1-1-1254891be0dd@weissschuh.net/


Thomas