Date: Fri, 8 Dec 2023 15:47:59 -0500
From: Alan Stern
To: Douglas Anderson
Cc: linux-usb@vger.kernel.org, Greg Kroah-Hartman, Jakub Kicinski, Paolo Abeni, Bjørn Mork, Eric Dumazet, Grant Grundler, Brian Geffon, "David S. Miller", Hayes Wang, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: core: Fix crash w/ usb_choose_configuration() if no driver
Message-ID: <90fb5279-c1da-4d8c-8f89-b1f54175eee3@rowland.harvard.edu>
In-Reply-To: <20231208123119.1.If27eb3bf7812f91ab83810f232292f032f4203e0@changeid>

On Fri, Dec 08, 2023 at 12:31:24PM -0800, Douglas Anderson wrote:
> It's possible that usb_choose_configuration() can get called when a
> USB device has no driver. In this case the recent commit a87b8e3be926
> ("usb: core: Allow subclassed USB drivers to override
> usb_choose_configuration()") can cause a crash since it dereferenced
> the driver structure without checking for NULL. Let's add a check.
>
> This was seen in the real world when usbguard got ahold of a r8152
> device at the wrong time. It can also be simulated via this on a
> computer with one r8152-based USB Ethernet adapter:
>   cd /sys/bus/usb/drivers/r8152-cfgselector
>   to_unbind="$(ls -d *-*)"
>   real_dir="$(readlink -f "${to_unbind}")"
>   echo "${to_unbind}" > unbind
>   cd "${real_dir}"
>   echo 0 > authorized
>   echo 1 > authorized
>
> Fixes: a87b8e3be926 ("usb: core: Allow subclassed USB drivers to override usb_choose_configuration()")
> Signed-off-by: Douglas Anderson
> ---

I'm not sure this is the best solution. A USB device with no driver is
an anomaly; in all likelihood we shouldn't be calling
usb_choose_configuration() for such a device in the first place.

So I think a better solution would be to put this check in
usb_authorize_device() before it does the autoresume, or else to make
usb_choose_configuration() return immediately, right at the start, if
there is no driver.

Alan Stern
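
A simplified user-space model of the crash and of the two alternatives suggested in the reply, added here as an illustration; it is not kernel code and not part of the thread, and every struct and function name in it is hypothetical. It assumes a driverless device is simply left unconfigured (-1) after authorization.

```c
#include <stddef.h>

/* Simplified user-space model; all names are hypothetical and are not
 * the kernel's own definitions. */
struct model_device;
struct model_driver {
    int (*choose_configuration)(struct model_device *dev); /* optional override */
};
struct model_device {
    struct model_driver *driver;  /* NULL when no driver is bound */
    int authorized;
    int active_config;            /* -1 = unconfigured */
};

static int generic_choice(struct model_device *dev) { (void)dev; return 1; }

/* Crash pattern from the commit message: dev->driver is dereferenced
 * without a NULL check, so a driverless device faults on the first line. */
int choose_unchecked(struct model_device *dev)
{
    int i = dev->driver->choose_configuration ?
            dev->driver->choose_configuration(dev) : -1;
    return i >= 0 ? i : generic_choice(dev);
}

/* Reply, second option: return right at the start if there is no driver. */
int choose_guarded(struct model_device *dev)
{
    return dev->driver ? choose_unchecked(dev) : -1;
}

/* Reply, first option: the authorize path checks for a driver before it
 * does any configuration work (assumed outcome: stays unconfigured). */
int authorize(struct model_device *dev)
{
    dev->authorized = 1;
    if (dev->driver)
        dev->active_config = choose_unchecked(dev);
    return 0;
}

/* Constructed sample objects: one bound device, one with no driver. */
static int prefers_two(struct model_device *dev) { (void)dev; return 2; }
struct model_driver sample_driver = { prefers_two };
struct model_device bound = { &sample_driver, 0, -1 }, driverless = { NULL, 0, -1 };

int main(void)
{
    authorize(&driverless);       /* must not fault */
    return choose_guarded(&driverless) == -1 ? 0 : 1;
}
```

Passing `&driverless` to `choose_unchecked()` directly reproduces the NULL dereference in the model; both guarded paths avoid it at different layers.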