Re: [PATCH] net: 9p: usbg: clear stale client pointer on close

Next message: kernel test robot: "Re: [PATCH 2/2] remoteproc: qcom: pas: Map/unmap subsystem region before auth_and_reset"
Previous message: Nicolin Chen: "Re: [PATCH v2 4/7] iommu/arm-smmu-v3: Mark ATC invalidate timeouts via lockless bitmap"
In reply to: Hyungjung Joo: "Re: [PATCH] net: 9p: usbg: clear stale client pointer on close"
Next in thread: Dominique Martinet: "Re: [PATCH] net: 9p: usbg: clear stale client pointer on close"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Grzeschik

Date: Wed Mar 18 2026 - 19:25:14 EST

Hi

On Sat, Mar 14, 2026 at 02:16:59AM +0900, Hyungjung Joo wrote:

p9_usbg_close() tears down the client transport, but usb9pfs keeps
using usb9pfs->client from asynchronous TX and RX completion handlers.
A late completion can therefore dereference a client that has already
been freed during mount teardown.

Clear usb9pfs->client under usb9pfs->lock when closing the transport,
detach any pending TX request from in_req->context, and make the TX/RX
completion handlers bail out once the transport has been detached. This
keeps late completions from touching a freed or rebound p9_client.

Fixes: a3be076dc174 ("net/9p/usbg: Add new usb gadget function transport")
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

I wonder where greg did this review? Was this in another thread?

I will have to drop this anyway, when splitting it appart.

Signed-off-by: Hyungjung Joo <jhj140711@xxxxxxxxx>
---
net/9p/trans_usbg.c | 63 +++++++++++++++++++++++++++++++++------------
1 file changed, 47 insertions(+), 16 deletions(-)

Attachment: signature.asc
Description: PGP signature