Re: [PATCH 1/4] mmc: vub300: fix NULL-deref on disconnect

Next message: Ian Abbott: "Re: [PATCH] comedi: ni_usb6501: refactor endpoint lookup"
Previous message: Huang, Kai: "Re: [PATCH 02/17] KVM: x86/mmu: Update iter-&gt;old_spte if cmpxchg64 on mirror SPTE &quot;fails&quot;"
In reply to: Johan Hovold: "[PATCH 1/4] mmc: vub300: fix NULL-deref on disconnect"
Next in thread: Johan Hovold: "Re: [PATCH 1/4] mmc: vub300: fix NULL-deref on disconnect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ulf Hansson

Date: Tue Mar 31 2026 - 06:24:59 EST

On Fri, 27 Mar 2026 at 11:52, Johan Hovold <johan@xxxxxxxxxx> wrote:
>
> Make sure to deregister the controller before dropping the reference to
> the driver data on disconnect to avoid NULL-pointer dereferences or
> use-after-free.
>
> Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
> Cc: stable@xxxxxxxxxxxxxxx # 3.0
> Cc: Tony Olech <tony.olech@xxxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> ---
> drivers/mmc/host/vub300.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c
> index ff49d0770506..f173c7cf4e1a 100644
> --- a/drivers/mmc/host/vub300.c
> +++ b/drivers/mmc/host/vub300.c
> @@ -2365,8 +2365,8 @@ static void vub300_disconnect(struct usb_interface *interface)
> usb_set_intfdata(interface, NULL);
> /* prevent more I/O from starting */
> vub300->interface = NULL;
> - kref_put(&vub300->kref, vub300_delete);
> mmc_remove_host(mmc);
> + kref_put(&vub300->kref, vub300_delete);

While this seems like a step in the right direction, I don't see why
calling usb_set_intfdata(interface, NULL) and assigning
vub300->interface = NULL is safe.

For example, some of the workqueues might be running a work that uses
the vub300->interface, isn't that a problem too?

> pr_info("USB vub300 remote SDIO host controller[%d]"
> " now disconnected", ifnum);
> return;
> --
> 2.52.0
>

Kind regards
Uffe