Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4045636rdb; Mon, 11 Dec 2023 07:27:25 -0800 (PST) X-Google-Smtp-Source: AGHT+IEZyALhmMMTuX+CrRzJ5YKNOHvHEuiJ230JKR3CciFMxNNaEbpxf+Elicc8ZMpJsYZ9pGYx X-Received: by 2002:a17:903:64f:b0:1d0:8e61:1020 with SMTP id kh15-20020a170903064f00b001d08e611020mr3960490plb.89.1702308444636; Mon, 11 Dec 2023 07:27:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702308444; cv=none; d=google.com; s=arc-20160816; b=A+vmeOkAcFf8n+JIEpIpIaqSfQG6c9fwBK7eTYsivZ0myqpz7FqYelTjlQC3QFaKHq Dpa6AIyCAzNiffbOCJdoZryEKDtQmMR9HuCL4HOicTQI98x8MslmqUhDq8Tk94buDvgx 9tr7+3Zcn6WvVuahVo5Ny1TPpObaMShabl/qfLzRgY454cLEa6PwFpzy+EHgiIFhwu8v S1zR5s+ATnNJwh4a8N3mBMmDu9PQTh1+QfZ5Owrd5aKw+2IsneupftfMZFlLGq5JzdD2 b0EGkxuOpFTb3f6i0wllpmmFEHH3EfLB5fKbkBOE5D1TDsrsxFlJRMQSGU+AyuAy8YOv rxoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=ckVFAOaN/HmmTmxH8PNzGrIA1URHdvCnGHJ0BN9Mbo4=; fh=wx5zXDqu7Ma0k9DmvZpkN4+gqpUq0J4xN63t+QVyyCU=; b=g2C+T6BeW1oyw/RyC3TlQf6HX4DGrWExa7tmV296cX/rB065R51LUThGmp4enoWegG ++VWC/HWfl9YYqRPWsZMk/AHLf6MQePE6oh2aOtax/1FMAwvT9cwXNnhtEKj68FZ9ArG 4HHoahhffzF6PU73CMUrIjyWqErH4SDaw0t9f1PoUo9sy0hmFkDZnKwdfVohiXCtRepF oIrkp+Wrm06c0Y536XvnmwVyd+SH7Wf4dK0bf2uZiQlcppA7zJBBrp8pQTZJ86yDQrXs Vcytq5gbanWZKXyi6UESh+bHhfz2qFa49vXSw91np7hHCURqTPtirpS9C9p3GCGl/EQD 5GUw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu Return-Path: Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6]) by mx.google.com with ESMTPS id jb11-20020a170903258b00b001d00594c6e6si6218629plb.106.2023.12.11.07.27.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Dec 2023 07:27:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) client-ip=2620:137:e000::3:6; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 63A5380473B0; Mon, 11 Dec 2023 07:27:21 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343886AbjLKP1H (ORCPT + 99 others); Mon, 11 Dec 2023 10:27:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38988 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343710AbjLKP1G (ORCPT ); Mon, 11 Dec 2023 10:27:06 -0500 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 82FFAD6 for ; Mon, 11 Dec 2023 07:27:11 -0800 (PST) Received: (qmail 132862 invoked by uid 1000); 11 Dec 2023 10:27:10 -0500 Date: Mon, 11 Dec 2023 10:27:10 -0500 From: Alan Stern To: Douglas Anderson Cc: linux-usb@vger.kernel.org, Greg Kroah-Hartman , netdev@vger.kernel.org, =?iso-8859-1?Q?Bj=F8rn?= Mork , Eric Dumazet , Hayes Wang , Brian Geffon , "David S . Miller" , Jakub Kicinski , Simon Horman , Grant Grundler , Paolo Abeni , linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] usb: core: Fix crash w/ usb_choose_configuration() if no driver Message-ID: <1ec52764-7fd9-484f-bcdc-bbf97194deef@rowland.harvard.edu> References: <20231211070808.v2.1.If27eb3bf7812f91ab83810f232292f032f4203e0@changeid> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231211070808.v2.1.If27eb3bf7812f91ab83810f232292f032f4203e0@changeid> X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Mon, 11 Dec 2023 07:27:21 -0800 (PST) On Mon, Dec 11, 2023 at 07:08:14AM -0800, Douglas Anderson wrote: > It's possible that usb_choose_configuration() can get called when a > USB device has no driver. In this case the recent commit a87b8e3be926 > ("usb: core: Allow subclassed USB drivers to override > usb_choose_configuration()") can cause a crash since it dereferenced > the driver structure without checking for NULL. Let's add a check. > > A USB device with no driver is an anomaly, so make > usb_choose_configuration() return immediately if there is no driver. > > This was seen in the real world when usbguard got ahold of a r8152 > device at the wrong time. It can also be simulated via this on a > computer with one r8152-based USB Ethernet adapter: > cd /sys/bus/usb/drivers/r8152-cfgselector > to_unbind="$(ls -d *-*)" > real_dir="$(readlink -f "${to_unbind}")" > echo "${to_unbind}" > unbind > cd "${real_dir}" > echo 0 > authorized > echo 1 > authorized > > Fixes: a87b8e3be926 ("usb: core: Allow subclassed USB drivers to override usb_choose_configuration()") > Signed-off-by: Douglas Anderson > --- > > Changes in v2: > - Return immediately if no driver, as per Alan. > > drivers/usb/core/generic.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c > index dcb897158228..2be1e8901e2f 100644 > --- a/drivers/usb/core/generic.c > +++ b/drivers/usb/core/generic.c > @@ -59,7 +59,11 @@ int usb_choose_configuration(struct usb_device *udev) > int num_configs; > int insufficient_power = 0; > struct usb_host_config *c, *best; > - struct usb_device_driver *udriver = to_usb_device_driver(udev->dev.driver); > + struct usb_device_driver *udriver; > + > + if (!udev->dev.driver) > + return -1; This is a rather unusual condition. It would be good to put a comment just before the test, explaining that if a USB device (not an interface) doesn't have a driver then the kernel has no business trying to select or install a configuration for it. Along with the comment, feel free to add: Reviewed-by: Alan Stern Alan Stern > + udriver = to_usb_device_driver(udev->dev.driver); > > if (usb_device_is_owned(udev)) > return 0; > -- > 2.43.0.472.g3155946c3a-goog >