Re: [PATCH] net: 9p: usbg: clear stale client pointer on close

Next message: Slava Imameev: "Re: [PATCH bpf-next v5 2/2] selftests/bpf: Add trampolines single and multi-level pointer params test coverage"
Previous message: Zilin Guan: "RE: [PATCH] hfsplus: fix held lock freed on hfsplus_fill_super()"
In reply to: Michael Grzeschik: "Re: [PATCH] net: 9p: usbg: clear stale client pointer on close"
Next in thread: Hyungjung Joo: "Re: [PATCH] net: 9p: usbg: clear stale client pointer on close"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dominique Martinet

Date: Sat Mar 14 2026 - 02:02:05 EST

Hyungjung Joo wrote on Sat, Mar 14, 2026 at 02:16:59AM +0900:
> p9_usbg_close() tears down the client transport, but usb9pfs keeps
> using usb9pfs->client from asynchronous TX and RX completion handlers.
> A late completion can therefore dereference a client that has already
> been freed during mount teardown.
>
> Clear usb9pfs->client under usb9pfs->lock when closing the transport,
> detach any pending TX request from in_req->context, and make the TX/RX
> completion handlers bail out once the transport has been detached. This
> keeps late completions from touching a freed or rebound p9_client.

Just to make sure the problem is the usb9pfs struct being freed, not the
p9_client itself which is still alive after the usb device is gone
(until umount)?

I'm surprised free_func isn't called after unbind, which should stop the
queues (through disable_usb9pfs)?
or are the ep being disabled not enough to ensure the callbacks are not
in use? (e.g. disabling prevents further calls, but doesn't wait for
currently running/queued requests?)

(Also, thanks Michael for looking -- I'll let you do a first review
before looking deeper)
--
Dominique