Re: [PATCH v4] mmc: vub300: fix use-after-free on probe failure

From: Guangshuo Li

Date: Thu Jun 11 2026 - 23:54:56 EST


On Wed, 10 Jun 2026 at 23:01, Johan Hovold <johan@xxxxxxxxxx> wrote:
>
> On Wed, Jun 10, 2026 at 10:56:30PM +0800, Guangshuo Li wrote:
> > The vub300 driver lifetime-manages its controller state using
> > vub300->kref, with vub300_delete() freeing the mmc host when the last
> > reference is dropped. The probe error path after the inactivity timer has
> > been armed still bypasses that lifetime rule, however, and falls through
> > to mmc_free_host() directly if mmc_add_host() fails.
> >
> > The race window is between arming the inactivity timer and reaching the
> > probe error unwind after mmc_add_host() fails:
> >
> > probe thread                              timer/workqueue
> > ------------                              ---------------
> > kref_init(&vub300->kref)    ref = 1
> > kref_get(&vub300->kref)     ref = 2, timer ref
> > add_timer(inactivity_timer) fires after one second
> >   |
> >   | race window
> >   |<---------------------------------------------------->
> >   |
> > mmc_add_host(mmc)
> >                                           inactivity timer fires
> >                                             vub300_queue_dead_work()
> >                                               kref_get()        ref = 3
> >                                               queue_work(deadwork)
> > mmc_add_host() fails
> > timer_delete_sync()
> > mmc_free_host(mmc)
> >   frees vub300
> >                                           deadwork runs
> >                                             use-after-free
> >
> > The inactivity timeout is one second, so this would require
> > mmc_add_host() to both fail and take more than one second to do so. This
> > is unlikely to happen in practice, but the error path is still wrong.
> >
> > timer_delete_sync() only waits for the timer callback itself. It does
> > not flush deadwork that the callback may already have queued. As a
> > result, queued deadwork can still hold a kref while the probe error path
> > directly frees the backing mmc host, including the vub300 storage.
> >
> > Fix this by using the same lifetime mechanism as disconnect. Clear
> > vub300->interface so that the timer callback and any queued deadwork
> > return early and drop their references, then drop the initial probe
> > reference and return without falling through to err_free_host.
> >
> > Fixes: 8f4d20a71022 ("mmc: vub300: fix use-after-free on disconnect")
>
> Still wrong.
>
> > Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> > ---
> > v4:
> > - Fix the Fixes tag to point to the commit which added the
> > mmc_add_host() failure unwind.
> > - Add Johan's Reviewed-by tag.
>
> And my tag is not there.
>
> How are you generating and reviewing these patches before posting?
>
> Johan

Sorry, Johan. That was my mistake and I did not review the regenerated
patch carefully enough before sending.

I have fixed both issues in v5.

Guangshuo
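The lifetime rule and the fix described in the quoted commit message, replayed in a small constructed C model. This is added here and is not part of the patch or of the vub300 driver; the field names mirror the driver, but the struct, the freed/uaf flags and the helper functions are assumptions made for the illustration.

```c
/* Constructed user-space model of the vub300 lifetime rule; not driver code.
 * Storage is only marked freed so that a late touch can be detected. */
struct vub300_model {
	int ref;        /* stands in for vub300->kref */
	int has_iface;  /* stands in for vub300->interface != NULL */
	int freed;      /* set once vub300_delete() has run */
	int uaf;        /* set when queued deadwork touches freed storage */
};
static void vub300_delete(struct vub300_model *v)
{
	v->freed = 1;   /* in the driver: mmc_free_host() frees vub300 */
}
static void kref_get(struct vub300_model *v) { v->ref++; }
static void kref_put(struct vub300_model *v)
{
	if (--v->ref == 0)
		vub300_delete(v);
}
/* Queued deadwork: with interface cleared it only drops its reference. */
static void deadwork_run(struct vub300_model *v)
{
	if (v->freed) { v->uaf = 1; return; }   /* use-after-free */
	if (v->has_iface) { /* device teardown would go here */ }
	kref_put(v);
}
/* Replay the race: probe ref, timer ref, timer fires and queues deadwork
 * (ref = 3), then mmc_add_host() fails. fixed=0 is the old unwind. */
static struct vub300_model run_probe_failure(int fixed)
{
	struct vub300_model v = { .ref = 1, .has_iface = 1 };  /* kref_init() */
	kref_get(&v);            /* timer reference taken before add_timer() */
	kref_get(&v);            /* vub300_queue_dead_work(): ref = 3 */
	if (fixed) {
		v.has_iface = 0;  /* timer callback and deadwork return early */
		kref_put(&v);     /* drop the initial probe reference: ref = 2 */
		deadwork_run(&v); /* returns early, drops its ref: ref = 1 */
		kref_put(&v);     /* timer callback drops the timer ref: ref = 0 */
	} else {              /* timer_delete_sync() does not flush deadwork */
		vub300_delete(&v); /* err_free_host with a reference outstanding */
		deadwork_run(&v);  /* runs later against freed storage */
	}
	return v;
}
static int old_unwind_has_uaf(void) { return run_probe_failure(0).uaf; }
static int fixed_unwind_is_clean(void)
{
	struct vub300_model v = run_probe_failure(1);
	return !v.uaf && v.freed && v.ref == 0;
}
```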