Re: [PATCH] usb: renesas_usbhs: fix race between device remove and ISR

Next message: Jiayuan Chen: "[PATCH net v3 0/2] net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop and add selftest"
Previous message: Eliot Courtney: "Re: [PATCH v4 7/9] gpu: nova-core: gsp: add command_size helper"
In reply to: UAF Researcher: "[PATCH] usb: renesas_usbhs: fix race between device remove and ISR"
Next in thread: Fan Wu: "[PATCH v2] usb: renesas_usbhs: fix use-after-free in ISR during device removal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alan Stern

Date: Mon Mar 02 2026 - 22:14:02 EST

On Tue, Mar 03, 2026 at 12:45:50AM +0000, UAF Researcher wrote:
> From: Fan Wu <fanwu01@xxxxxxxxxx>
>
> In usbhs_remove(), the pipe array info->pipe is freed by calling
> usbhs_pipe_remove(priv). However, the interrupt handler usbhs_interrupt()
> is registered using devm_request_irq(). The devres cleanup, which
> includes freeing the IRQ, happens after usbhs_remove() returns.
>
> If a hardware interrupt fires or a pending ISR executes after
> usbhs_pipe_remove() but before devres cleanup, the ISR will access the
> freed info->pipe array via the usbhs_for_each_pipe_with_dcp() macro,
> leading to a slab-use-after-free.

...

> drivers/usb/renesas_usbhs/common.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
> index cf4a0367d..404220ceb 100644
> --- a/drivers/usb/renesas_usbhs/common.c
> +++ b/drivers/usb/renesas_usbhs/common.c
> @@ -815,6 +815,10 @@ static void usbhs_remove(struct platform_device *pdev)
>
> usbhs_platform_call(priv, hardware_exit, pdev);
> reset_control_assert(priv->rsts);
> +
> + /* Disable IRQ before freeing resources to prevent UAF in ISR */
> + disable_irq(priv->irq);

Don't you also need to call synchronize_irq(priv->irq) here? Otherwise
there still could be pending interrupt requests that will be handled
later, causing the use-after-free problem.

Alan Stern