Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4032798pxf; Tue, 23 Mar 2021 00:18:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzuSBw5PrK+iks30LFqvr8tvaZO6U1qwS3mu3OFjhnD8I5t2UpBCkIRohlVGUaCq31xwqH8 X-Received: by 2002:a17:907:3d89:: with SMTP id he9mr3494359ejc.96.1616483935944; Tue, 23 Mar 2021 00:18:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616483935; cv=none; d=google.com; s=arc-20160816; b=E1SQjJVo2fRJYCAnLnb9J4hWsZSzFdVuDg/uyToOEluCZEfJz14MiPj4IFPw5ebulG NQX9ECyUQnRjdbu13vHFoWpl/Za/epCAiapf5oJI3iH0Du7YRXhlLApYK71TomU8NL9q DDIHhoUPgXi1pvNcVhGyTclpJxakcp8ZtjgND/dvcOCxjNkPMgmyZ7h2erQCBLPh9DRM +gNkZfFIZ/Zn/TEd08RrzQDEdaUBhmZxKiF/g89XBgiwXG5IBoMeUQVropy11d5vk1ET zKxd++wOnDW15hwI29W4OF0c9yr37RoGxnDsYl1Qax6moHChNeYR95bOrwydQUZZIIbb YyMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=5ytzlTXN7OhObH9yrNxNvQ9kV4REuH4NTopzA6D7ceI=; b=AacxcJTDm188tJSmqjZn2wfuk7NRIL9G/lmh9OiqtP7aK6k5e1Hs6rD83NMNusPM/y GhA5MTgpmYL560ea3EzUFUsbel+AXqU/nHRWws0NGuU0rXJ6OUwgfqwpnrm7m60vb5kj gS5Ykjm0uxMcMJvACHD61/09grS1W5NVikcgPhTgaLxhwq3HtP9anLJwHHwMWbVinm06 m9saXheccY+XfrWJl34Gejv+38Tlsoqa2sMN82lOX6/y2vQUBf4vfXoHYVFQnIfpYXJ7 8mnAkYIGXX3MEXLsMGhs4+ic9Gq2WBHNHDHf+ZBMqvtHoSFxZeK/M6d5hf+5U4kdl8Me ahpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WNLMIXyf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qu4si12989880ejb.219.2021.03.23.00.18.33; Tue, 23 Mar 2021 00:18:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=WNLMIXyf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230060AbhCWHRP (ORCPT + 99 others); Tue, 23 Mar 2021 03:17:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:35710 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229508AbhCWHQ7 (ORCPT ); Tue, 23 Mar 2021 03:16:59 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 29844619AB; Tue, 23 Mar 2021 07:16:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1616483818; bh=Oic7tXm20WEsRdiZO4uFQdTa8PHRKYmlCZBotfy/kM8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=WNLMIXyfpsn6i5n4uheEFpoQTbJdwKHYngGdRmpUtlTs2m+l14nGGmshxKfUdUKyF cyyNcABTHgsmyYl1faQ96y9kwZey9iAp13CgRJyaOGXCrYwFB21RI0uTpr86KxE4CW PTNaVdkJU7Pav/ORYP/3GivYQPHspRfaCePXJQZs= Date: Tue, 23 Mar 2021 08:16:55 +0100 From: Greg KH To: Lv Yunlong Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] usb: Add data checks in usbtmc_disconnect Message-ID: References: <20210323034717.12818-1-lyl2019@mail.ustc.edu.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210323034717.12818-1-lyl2019@mail.ustc.edu.cn> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 22, 2021 at 08:47:17PM -0700, Lv Yunlong wrote: > In usbtmc_disconnect, data is got from intf with the > initial reference. There is no refcount inc operation > before usbmc_free_int(data). In usbmc_free_int(data), > the data may be freed. > > But later in usbtmc_disconnect, there is another put > function of data. I think it is better to add necessary > checks to avoid the data being put twice. It could cause > errors in race. > > Signed-off-by: Lv Yunlong > --- > drivers/usb/class/usbtmc.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c > index 74d5a9c5238a..e0438cb46386 100644 > --- a/drivers/usb/class/usbtmc.c > +++ b/drivers/usb/class/usbtmc.c > @@ -2494,7 +2494,9 @@ static void usbtmc_disconnect(struct usb_interface *intf) > } > mutex_unlock(&data->io_mutex); > usbtmc_free_int(data); > - kref_put(&data->kref, usbtmc_delete); > + > + if (data->iin_ep_present && data->iin_urb) > + kref_put(&data->kref, usbtmc_delete); What protects the data from changing right after the check and right before the kref_put() call? krefs need a lock somewhere to protect from races like this, please fix that logic instead. thanks, greg k-h