From: Doug Anderson
Date: Mon, 11 Dec 2023 07:34:50 -0800
Subject: Re: [PATCH v2] usb: core: Fix crash w/ usb_choose_configuration() if no driver
To: Alan Stern
Cc: linux-usb@vger.kernel.org, Greg Kroah-Hartman, netdev@vger.kernel.org, Bjørn Mork, Eric Dumazet, Hayes Wang, Brian Geffon, "David S . Miller", Jakub Kicinski, Simon Horman, Grant Grundler, Paolo Abeni, linux-kernel@vger.kernel.org

Hi,

On Mon, Dec 11, 2023 at 7:27 AM Alan Stern wrote:
>
> On Mon, Dec 11, 2023 at 07:08:14AM -0800, Douglas Anderson wrote:
> > It's possible that usb_choose_configuration() can get called when a
> > USB device has no driver. In this case the recent commit a87b8e3be926
> > ("usb: core: Allow subclassed USB drivers to override
> > usb_choose_configuration()") can cause a crash since it dereferenced
> > the driver structure without checking for NULL. Let's add a check.
> >
> > A USB device with no driver is an anomaly, so make
> > usb_choose_configuration() return immediately if there is no driver.
> >
> > This was seen in the real world when usbguard got ahold of a r8152
> > device at the wrong time. It can also be simulated via this on a
> > computer with one r8152-based USB Ethernet adapter:
> >   cd /sys/bus/usb/drivers/r8152-cfgselector
> >   to_unbind="$(ls -d *-*)"
> >   real_dir="$(readlink -f "${to_unbind}")"
> >   echo "${to_unbind}" > unbind
> >   cd "${real_dir}"
> >   echo 0 > authorized
> >   echo 1 > authorized
> >
> > Fixes: a87b8e3be926 ("usb: core: Allow subclassed USB drivers to override usb_choose_configuration()")
> > Signed-off-by: Douglas Anderson
> > ---
> >
> > Changes in v2:
> > - Return immediately if no driver, as per Alan.
> >
> > drivers/usb/core/generic.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c > > index dcb897158228..2be1e8901e2f 100644 > > --- a/drivers/usb/core/generic.c > > +++ b/drivers/usb/core/generic.c > > @@ -59,7 +59,11 @@ int usb_choose_configuration(struct usb_device *udev= ) > > int num_configs; > > int insufficient_power =3D 0; > > struct usb_host_config *c, *best; > > - struct usb_device_driver *udriver =3D to_usb_device_driver(udev->= dev.driver); > > + struct usb_device_driver *udriver; > > + > > + if (!udev->dev.driver) > > + return -1;
>
> This is a rather unusual condition. It would be good to put a comment
> just before the test, explaining that if a USB device (not an interface)
> doesn't have a driver then the kernel has no business trying to select
> or install a configuration for it.
>
> Along with the comment, feel free to add:
>
> Reviewed-by: Alan Stern

Thanks for the quick reply. I've added your comment almost verbatim to
the code and sent out a quick v3 with your tag:

https://lore.kernel.org/r/20231211073237.v3.1.If27eb3bf7812f91ab83810f232292f032f4203e0@changeid
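
Review bot: the new `if (!udev->dev.driver)` test in usb_choose_configuration() returns a bare -1 with no comment saying why a device without a driver is rejected at this point; a short comment directly above the test, stating that a USB device with no driver should not have a configuration selected for it, would make the early return self-explanatory to later readers. The quoted hunk also ends at `return -1;`, so the assignment that replaces the removed initializer of `udriver` is not visible here; it has to sit after this check and before the first use of `udriver`, otherwise the pointer is read uninitialized.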