Re: [PATCH v4 1/2] hwmon: (powerz) Fix use-after-free on USB disconnect

Next message: Guenter Roeck: "Re: [PATCH v6 1/3] hwmon: emc2305: Validate fan channel index"
Previous message: Guenter Roeck: "Re: [PATCH 1/1] watchdog: sp5100_tco: Use EFCH MMIO for newer Hygon FCH"
In reply to: Pradhan, Sanman: "[PATCH v4 1/2] hwmon: (powerz) Fix use-after-free on USB disconnect"
Next in thread: Thomas Wei&#xDF;schuh: "Re: [PATCH v4 0/2] hwmon: (powerz) Fix disconnect and signal handling bugs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guenter Roeck

Date: Fri Apr 10 2026 - 12:09:26 EST

On Fri, Apr 10, 2026 at 12:25:35AM +0000, Pradhan, Sanman wrote:
> From: Sanman Pradhan <psanman@xxxxxxxxxxx>
>
> After powerz_disconnect() frees the URB and releases the mutex, a
> subsequent powerz_read() call can acquire the mutex and call
> powerz_read_data(), which dereferences the freed URB pointer.
>
> Fix by:
> - Setting priv->urb to NULL in powerz_disconnect() so that
> powerz_read_data() can detect the disconnected state.
> - Adding a !priv->urb check at the start of powerz_read_data()
> to return -ENODEV on a disconnected device.
> - Moving usb_set_intfdata() before hwmon registration so the
> disconnect handler can always find the priv pointer.
>
> Fixes: 4381a36abdf1c ("hwmon: add POWER-Z driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sanman Pradhan <psanman@xxxxxxxxxxx>

Applied.

Thanks,
Guenter