Date: Fri, 13 Nov 2020 12:16:58 -0500
From: Alan Stern
To: John Boero
Cc: Laurent Pinchart, Greg Kroah-Hartman, Felipe Balbi, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: core: Null deref in kernel with USB webcams.
Message-ID: <20201113171658.GF322940@rowland.harvard.edu>

On Fri, Nov 13, 2020 at 04:45:52PM +0000, John Boero wrote:
> Sorry I wanted to include a pastebin or link but was trying to follow maillist
> guidelines and not include links or exceed wrap guidelines. Full contents:
> https://paste.centos.org/view/3746bc40
>
> Yes I understand the return dodges the config dereference.
>
> Original line usb.c:281 is the original error:
>
> 280|	for (i = 0; i < config->desc.bNumInterfaces; i++)
> 281|		if (config->interface[i]->altsetting[0]
> 282|				.desc.bInterfaceNumber == ifnum)
> 283|			return config->interface[i];

Okay. Without having looked at the code, I would guess that uvcvideo's
uvc_ioctl_streamon() handler -- or some routine beneath it -- either
doesn't lock the USB interface while starting I/O, or doesn't check
(while holding the lock) to see whether the driver has been unbound.

This sort of error (config->interface[i] == NULL) is what you expect to
see if a driver tries to carry out I/O to a device that has been
unplugged and that it has been unbound from.

Alan Stern
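
The check-under-lock pattern described in the reply above, as an added example that is not part of the original message and is not kernel or uvcvideo code. It is a userspace C model: every `model_*` name is hypothetical, the pthread mutex stands in for the interface lock, and the sample device is constructed.

```c
/* Userspace model; every name here is hypothetical, not kernel or uvcvideo code. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

struct model_intf { int bInterfaceNumber; };
/* interface[] entries go NULL after unplug */
struct model_config { int bNumInterfaces; struct model_intf *interface[4]; };
struct model_driver {
    pthread_mutex_t lock;              /* stands in for the interface lock */
    int bound;                         /* cleared by disconnect, under lock */
    struct model_config *config;
};

/* Same loop shape as the quoted usb.c lines 280-283: no NULL check. */
static struct model_intf *ifnum_to_if(struct model_config *c, int ifnum)
{
    for (int i = 0; i < c->bNumInterfaces; i++)
        if (c->interface[i]->bInterfaceNumber == ifnum)
            return c->interface[i];
    return NULL;
}

/* Unplug: unbind and drop the interface pointers while holding the lock. */
void model_disconnect(struct model_driver *d)
{
    pthread_mutex_lock(&d->lock);
    d->bound = 0;
    for (int i = 0; i < d->config->bNumInterfaces; i++)
        d->config->interface[i] = NULL;
    pthread_mutex_unlock(&d->lock);
}

/* Stream-on: take the lock, then check binding before touching config. */
int model_streamon(struct model_driver *d, int ifnum)
{
    int ret = -ENODEV;                 /* result when already unbound */
    pthread_mutex_lock(&d->lock);
    if (d->bound)
        ret = ifnum_to_if(d->config, ifnum) ? 0 : -EINVAL;
    pthread_mutex_unlock(&d->lock);
    return ret;
}

/* Constructed scenario: one interface numbered 1, optionally unplugged. */
int model_demo(int unplug_first)
{
    struct model_intf intf = { 1 };
    struct model_config cfg = { 1, { &intf } };
    struct model_driver d = { PTHREAD_MUTEX_INITIALIZER, 1, &cfg };
    if (unplug_first)
        model_disconnect(&d);
    return model_streamon(&d, 1);
}
```

Without the `d->bound` check, `model_demo(1)` would reach the lookup with `interface[0] == NULL` and fault in the same place as the quoted line 281.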