From nobody Wed Jun 17 05:18:19 2026 Received: from mail-yw1-f176.google.com (mail-yw1-f176.google.com [209.85.128.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 200571F4181 for ; Tue, 28 Apr 2026 04:54:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=209.85.128.176 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777352073; cv=pass; b=FBZtbII/L6jXo9wf8bn5sI+cG5/TIvB5btRLV1kdcxMJY0uzsnzHOqP9xuHpnBqL1yZodjXTBRQoEEnYbrAA9e5276Mxt6U/Q2O1CzmETPt2FHt5uJLusQ+fOc9PEekEDoSgudmgVFNHKhGa42QTNCWj5srndMWNojN2clo0+j8= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777352073; c=relaxed/simple; bh=oLlvzt7wQd754o+fNti7yQsWlu8oDJ0/kFO4ahn9mrM=; h=MIME-Version:From:Date:Message-ID:Subject:To:Cc:Content-Type; b=hxzTxBHhcNn1fSn8a4IQD6SPC79F3pcYYluicxOLMlJhrNS2Wx0jFhr69L/kh436hKgB0gvt6iPsjm/Q6Ma63eRfVq69zEFrosydu2qjpGJCp4VNcDqJgs4n5T/6QbvWuvPDu/wxxMmqavGX8Bt2Nd8ES1H1LVObv10ASMz0a8g= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Omi+rLiO; arc=pass smtp.client-ip=209.85.128.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Omi+rLiO" Received: by mail-yw1-f176.google.com with SMTP id 00721157ae682-7927261a3acso97017887b3.0 for ; Mon, 27 Apr 2026 21:54:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1777352071; cv=none; d=google.com; s=arc-20240605; b=GFkbiAoKXAR3Kp70QZiufzF2rAZeJo6kMpX53zNvm+eRzD7//iBa7Ireh0iIrKZpVw hnMQU7dWSBfMlblK8jVKMIsh0htdXOCQ3DOL1bWezoVU3M5/w52xFdaHTAzhnq2ZuM0Y 39CHj56qlWzDNC1sD+zPJfcMQWDJH7/5pHD71F1muSjLtNg4blST7UWrFb0Wju10LYBL p+v/UcCCU9fQhsjDSKOpbiIpgZgw4xx10xphA/ehsVJ8Ewom86zu+RVfz4DNoq2EROh2 yTeagldic6L5QzWL9OumRU2TyOORUIxAf90FMABtfGS8w96yFh+afqo3YVvlJx7zi/ZI VqOg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:mime-version:dkim-signature; bh=c5yJ6QtvwIt+J51E0AEX/MTYwYAVQGf1uPUogc5Ssz4=; fh=0ctG3Fz9l+JdI7iJqIMecjXO7We9IGnd934r/JYEPkA=; b=eq72Y2KV6sXlRiixnrNISeLuCAqUrjHyg/uJRW2ehW4GwQc501YudDNruUIE6jmDnv K8XGuEPjSC126e5pnzhGq+bQfUIyJSUkTAp7XvdL3MFz11OW2Xre1arWlJWWQI6epA2o AUDkxxnK2KeZLSvOK31XpABd9v3l5AYlA0etGcRDgyRWMB8BPxsiewVVQPqm2v11Dy1q v7vDxFe2M9Nss+YpDAJOcZUvPQmQqBVfo0sSMFbDExhbmZOCrdumOAFJIgmf1a30llju UuPN/2wOaFHlhnY0AWThSEFcrxeFyMD/eD4tQeFJUUY79ZhA95QSuWz2vMzWTMCKggMI wSoA==; darn=vger.kernel.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777352071; x=1777956871; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=c5yJ6QtvwIt+J51E0AEX/MTYwYAVQGf1uPUogc5Ssz4=; b=Omi+rLiOrs9L455c1HWo1rWwss93HxfTcqwPYwGbahbReAWmzX+BNs247Eb0ez2VAN 3QE8b7LzHucEZzlqal/MCLerXdZXuX6CUcWCs7ZlgUnDSqL/JOLy6xPtEwKTbQa3hfyE 0TO5VOUw95b7bM+xX0I1LEJxcstKvvYcUW2UIfeYiLvVRjddUAjUN7aYOhSp8T2M3vB1 6sxiSSdHJLPgzC/OqhjU+sDmN7i5qQVoFx/6wn8W7HQJbUcBsGUl9OiNJieQrcOgYo9n 4rZqxfpZzLwsvQKBDCcgg+mDh+w4LeFGAsPTVsQBQb7OsWTH8uR8MZFhBznVjeZW69xH VI7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777352071; x=1777956871; h=cc:to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=c5yJ6QtvwIt+J51E0AEX/MTYwYAVQGf1uPUogc5Ssz4=; b=WbI4NGIrW4s1F6gmDMnO2zyrMA+KvrwN67ATWZs6w+sTP1rWzwhQ3Tgn1ifVsdkdKL Xc7NiMpM2bTXicJz4xJKLDI8WZgc5ykMxfNhwmRHI+JwifaS86k/ritE0Dptk7ZQf2wG x+EMeO8oh6487YBf91PKY/d7rd/qijbc8oteNW4mj0eP2WWU8NP9oLpCQGFMlkcYGmGX sBGQCisEdx9e5NoeOd5roJv4ZJZxxtF/a3gXNzVfFXf3vEbznR2A1DB8w7aicZxB7MQk 0SdgZG8o080RKNtXud7Cx5AhTboYPRC8YMBcvJXGAtMoIrHK21jg8nY/6m8hZsNpjKps TOFQ== X-Forwarded-Encrypted: i=1; AFNElJ/CJXPSdtHFV8U6LRezwy7aym/W73Suz8RHb/XRfqkbzm90IScs75/gve+MnwOa9T4WVnxgx8dk3asyumA=@vger.kernel.org X-Gm-Message-State: AOJu0YxUwEktDjhyEg9AY6B9UmQ5NRWVRhnoMImkIv0LDa9trwkF3/Nd NXteiDkqw/kv361ZKmtRvLUpLWlDbwMLvVyeelTXu7T/dGCzZdUHxq0AKEHwbpztENQ8a5JPhRz rRzGzFKpBh/O55gvgYF8FeXAaCGWtu/Y= X-Gm-Gg: AeBDiesPYlIPyGk4vx4R1swg01Vj63/R1/u6TV2pyd0XFMWDTDb5xj76nSGpzlw0mSG z8CVTPni9x87Q8G81fG9Vi+4oKmI/QmE9LQlilzeZqRlaq3bciqvSf8Mm59U9Lhy5PzqWKTzWGi a76S9Aihawg43qtNjYqDpoIkoJ1MFdw/ScF9SWNsV9gG92t7zu2lWGWyHz/+weEJF+nyDWCCrB9 PN/8gWDRsLxCkXkDpHvdRFrJUXexwpA+0Rg/Gd8hHstHJdHAK0WRdYj2BneQbSeXtHwVllvA63y qZ/ax0SJFQgo16AdIKkr X-Received: by 2002:a05:690c:4b0c:b0:7b2:9ad9:cd2e with SMTP id 00721157ae682-7bcf50f490fmr15229327b3.14.1777352070977; Mon, 27 Apr 2026 21:54:30 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Ginger Date: Tue, 28 Apr 2026 12:54:22 +0800 X-Gm-Features: AVHnY4LPN2ibgbkOecF0vz3Ad-wqCGRP853NBhPt6pBq6Axs8UzNIXGeuRy0ETU Message-ID: Subject: [PATCH] usb: misc: yurex: fix ordering of usb_deregister_dev() and usb_set_intfdata() To: Greg KH Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" In yurex_disconnect(), usb_set_intfdata(interface, NULL) was called before usb_deregister_dev(interface, &yurex_class). This opens a race window with usb_open() in the USB core: T0 (yurex_disconnect) T1 (usb_open) -------------------------- ------------------------- usb_set_intfdata(iface, NULL) [t0] fops =3D usb_minors[minor] [t1] /* fops still valid here */ usb_deregister_dev() usb_minors[minor] =3D NULL [t2] file->f_op->open(inode, file) yurex_open() dev =3D usb_get_intfdata() [t3] /* dev is NULL */ Because t0 precedes t1 precedes t2 precedes t3, T1 can obtain the file_operations pointer for the device (t1, while the minor is still registered), then continue into yurex_open() where it calls usb_get_intfdata() and gets NULL back, leading to a NULL dereference. Fix the race by calling usb_deregister_dev() first, which removes the device from usb_minors[] before the interface data pointer is cleared. Concurrent usb_open() that arrives after usb_deregister_dev() returns will fail to look up the fops and will never reach yurex_open(). Reported-by: Ginger Closes: https://lore.kernel.org/linux-usb/2026042718-unwieldy-dicing-626f@g= regkh Signed-off-by: Ginger --- drivers/usb/misc/yurex.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 6d03e689850a..b5484ab77e91 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -310,11 +310,12 @@ static void yurex_disconnect(struct usb_interface *interface) int minor =3D interface->minor; dev =3D usb_get_intfdata(interface); - usb_set_intfdata(interface, NULL); /* give back our minor */ usb_deregister_dev(interface, &yurex_class); + usb_set_intfdata(interface, NULL); + /* prevent more I/O from starting */ usb_poison_urb(dev->urb); usb_poison_urb(dev->cntl_urb); -- 2.39.5