Re: [PATCH 1/4] mmc: vub300: fix NULL-deref on disconnect

Next message: Konrad Dybcio: "Re: [PATCH 3/3] arm64: dts: qcom: eliza-mtp: Enable USB and ADSP support"
Previous message: Fabrizio Castro: "RE: [PATCH v2 1/3] dt-bindings: watchdog: renesas,r9a09g057-wdt: Rework example"
In reply to: Ulf Hansson: "Re: [PATCH 1/4] mmc: vub300: fix NULL-deref on disconnect"
Next in thread: Johan Hovold: "[PATCH 3/4] mmc: vub300: rename probe error labels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johan Hovold

Date: Tue Mar 31 2026 - 07:17:10 EST

On Tue, Mar 31, 2026 at 01:03:39PM +0200, Ulf Hansson wrote:
> On Tue, 31 Mar 2026 at 12:32, Johan Hovold <johan@xxxxxxxxxx> wrote:

> > > > @@ -2365,8 +2365,8 @@ static void vub300_disconnect(struct usb_interface *interface)
> > > > usb_set_intfdata(interface, NULL);
> > > > /* prevent more I/O from starting */
> > > > vub300->interface = NULL;
> > > > - kref_put(&vub300->kref, vub300_delete);
> > > > mmc_remove_host(mmc);
> > > > + kref_put(&vub300->kref, vub300_delete);
> > >
> > > While this seems like a step in the right direction, I don't see why
> > > calling usb_set_intfdata(interface, NULL)
> >
> > The interface data is only used in the USB bus callbacks and is not
> > needed after disconnect().
> >
> > > and assigning
> > > vub300->interface = NULL is safe.
> > >
> > > For example, some of the workqueues might be running a work that uses
> > > the vub300->interface, isn't that a problem too?
> >
> > The driver uses this pointer to indicate that the device has been
> > disconnected. That doesn't mean that the implementation is correct (e.g.
> > the check in vub300_pollwork_thread() should use some locking) but that
> > would be pre-existing issues.
>
> Right, that was my thinking as well.
>
> Out of curiosity, are you planning on fixing these issues too or is
> that left for later?

No, sorry, this was just something I stumbled over when addressing USB
devres issues tree wide.

Johan