From nobody Mon Jun 8 15:33:36 2026 Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6B66B37757F for ; Thu, 28 May 2026 08:27:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779956877; cv=none; b=lF5MbWUUygwmLgUF8omta0vL4u0nGFwC/7nzrihy6Vd4vuHF2YZY8RIVjADkxJSs0caBrXRcKXIxH97Ez+2AmesxtWO4YNGXaySilTAiwp7ynpS/trZH4Yb/IoD4b265rN5cUHTrlbKj/G/zFaZFkPKJ0n6vItpysWqKbArhgDE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779956877; c=relaxed/simple; bh=9lzfWbEtfKy7yDDPQwvEs6SwC+ACFHPxG5KOg5RBgKc=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=mqtyHKogf4OAXTGAZYpxwW2itvMrGXeWtg8uV3QVWWX7I96pB7a4CfXjd1rh9LeKoysDpoq1CpSmFa87XjhJyk307HnTpBlqYfFUwAEDrMfF9jCvPcSpR2qup1hKFLLfzSdU7PBRK/xjlniE0FMlAUzV+qDAXod+sUDhjrJLxlQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=PZuI9t41; arc=none smtp.client-ip=209.85.210.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PZuI9t41" Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-8353c9f24d2so6427669b3a.3 for ; Thu, 28 May 2026 01:27:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779956876; x=1780561676; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=iE1V6ZSM8goQIoTUw/VcFHWcLJtCjNGG+PWVULPfe6g=; b=PZuI9t41Fc4TiMnhpRnPzADPu+z39ZTZ6fSJZa/r5b+uP5QegxOEIgMNrIY8nEUyDj AF1VM/hOqnDOT26cZKpUg/JC37OWXjYWcgvkg3SC5vJdcJcENHeND89SLcNqfTHVnBEO ZHiDExDsV24nonqN3mNpCX8W6hX1Dy+Gd2WNvD3QnObbKntxXK0D7I21i8Ffx9vANUXL YiPNMf8v2RvLa+CLZXvcvl1MxDCHiVX4tlfcfH1919jdcGWzNi+XQOIvobIXJMPxeYUP PykxKFnF6+yUeAEtsNnjJcBf6CE/D34SLh2DHlAMw6tNtE9ma+DB85p3/L3sq32mNBQ1 +izQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779956876; x=1780561676; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=iE1V6ZSM8goQIoTUw/VcFHWcLJtCjNGG+PWVULPfe6g=; b=FQ6N1l3NWSy63yHOqP5WbXotyBZASMdMKxjEUp/Dbdz6gK3P5+GWYkyVxHLphZMciV yrWme2uyaEQhvAqRRN3dESNrm3TxEchjnaJUp+IxP3hg/p2RsWSlFa7jq2v+3hpI5QPu 6mF71lQjX5v6F5lr60uinP6q3ParPlzBerRKA0PgSBw14+gzSxi7PiHoXnMRRTBxalZy Q3MyXTrKHXPKTEqn2SUd7BCkdWLheS3zBPZmsuRJFxwDjgBeviHyHTh+o3EvEWPfZB4h 7kvm5BPhwiQndISsVAUGn2R7lyRMirtU5en82jF/7NVzJhQ2EZ4gfnoPbVIR+Vwdx+Ft idsQ== X-Forwarded-Encrypted: i=1; AFNElJ8e1nEksjDHeKNeAUz114EknwEvo4/zvtKtTzJXSg4P5oyMm25kTZrvYHJZSlF4HDpzKJWaGx0Z7UBhYUk=@vger.kernel.org X-Gm-Message-State: AOJu0YwNlJ7/A+6GBc3UckCUg4Xx4z8IYBsaY08GhK/nv0QIf71DL1Ph qoOxZNSXD5GMdNBiuUU/utA9aJxs6Iu6euCb06Epld1ej4ZWWnNcLhbn X-Gm-Gg: Acq92OH9peIBF44UVTbc9uN/iH9WIC/ggLpYkJsElSd5KRwMnLTF/y+qTRmmhqo1kAd 3Okh3i4LRM7S5VuClyOLURCW3uXJ66vJpg0PfpwpodjZ3wIk64u54dYynREgQgqniNzigL2SBiy GWy7xFtuexyP8xGQZ2PpN68Ze5T7VcW/UUuVSl+sZNDJlzvtEAaLA5aRg4U0Z5OcSabDWxcCCSR KVwMXNpAHGjmxDXIbsmy0wXhSEh3dumiU6/4nTtVLXMsWDDqwXWAWbVbvFPaynmflc6FC6Y/mY5 GLMN2qA5LIAuqt0+TrhP3647khnhMvTGGois3dA0MvOEUGFdGjvMSoExaA4v469Xj9rZ3XXuzsk TuzrkSafY5x/xaXxNDt7MloykvQBELZkk6ULi2wBgz7F7gMBdGfIwqzPD5+wT+oBuzHlDYCVPMy /bPz+9I04yVizaQcuhc4xS/Btrtt5IuMpXAoi8pg== X-Received: by 2002:a05:6a00:189e:b0:82f:316:3206 with SMTP id d2e1a72fcca58-8415f54464cmr25889213b3a.34.1779956875704; Thu, 28 May 2026 01:27:55 -0700 (PDT) Received: from cqian-s3.. ([175.159.214.250]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-841d730b6c0sm4198156b3a.61.2026.05.28.01.27.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 May 2026 01:27:55 -0700 (PDT) From: Junzhe Li To: gregkh@linuxfoundation.org Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] usb: misc: yurex: fix ordering of usb_deregister_dev() and usb_set_intfdata() Date: Thu, 28 May 2026 16:27:51 +0800 Message-Id: <20260528082751.204898-1-ginger.jzllee@gmail.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In yurex_disconnect(), usb_set_intfdata(interface, NULL) was called=20 before usb_deregister_dev(interface, &yurex_class). This opens a race window with usb_open() in the USB core: T0 (yurex_disconnect) T1 (usb_open) -------------------------- ------------------------- usb_set_intfdata(iface, NULL) [t0] fops =3D usb_minors[minor] [t1] /* fops still valid here */ usb_deregister_dev() usb_minors[minor] =3D NULL [t2] file->f_op->open(inode, file) yurex_open() dev =3D usb_get_intfdata() [t3] /* dev is NULL! */ Because t0 precedes t1 precedes t2 precedes t3, T1 can obtain the file_operations pointer for the device (t1, while the minor is still registered), then continue into yurex_open() where it calls usb_get_intfdata() and gets NULL back, leading to a NULL dereference. Fix the race by calling usb_deregister_dev() first, which removes the device from usb_minors[] before the interface data pointer is cleared. Any concurrent usb_open() that arrives after usb_deregister_dev() returns will fail to look up the fops and will never reach yurex_open(). Reported-by: Junzhe Li Closes: https://lore.kernel.org/linux-usb/2026042718-unwieldy-dicing-626f@g= regkh Signed-off-by: Junzhe Li --- drivers/usb/misc/yurex.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 7a482cdee1e9..136272ac24ba 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -310,11 +310,12 @@ static void yurex_disconnect(struct usb_interface *in= terface) int minor =3D interface->minor; =20 dev =3D usb_get_intfdata(interface); - usb_set_intfdata(interface, NULL); =20 /* give back our minor */ usb_deregister_dev(interface, &yurex_class); =20 + usb_set_intfdata(interface, NULL); + /* prevent more I/O from starting */ usb_poison_urb(dev->urb); usb_poison_urb(dev->cntl_urb); --=20 2.34.1