Date: Wed, 17 Apr 2024 10:23:51 -0400
From: Alan Stern
To: Sam Sun
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, Greg KH, swboyd@chromium.org, ricardo@marliere.net, hkallweit1@gmail.com, heikki.krogerus@linux.intel.com, mathias.nyman@linux.intel.com, royluo@google.com, syzkaller-bugs@googlegroups.com, xrivendell7@gmail.com
Subject: Re: [Linux kernel bug] general protection fault in disable_store
References: <92fe8e95-bc01-4d7d-9678-8cfc55cc4a7b@rowland.harvard.edu> <45e246ab-01e8-40b7-8ede-b47957df0d7b@rowland.harvard.edu> <69a6f4c9-6470-40d1-99f1-aaf532497d02@rowland.harvard.edu> <5704ac63-5e5b-416c-a2a1-57528e76a02f@rowland.harvard.edu> <5f3526a6-6ede-4181-a4ff-076e022cfb49@rowland.harvard.edu>

On Wed, Apr 17, 2024 at 03:39:02PM +0800, Sam Sun wrote:
> On Wed, Apr 17, 2024 at 12:35 AM Alan Stern wrote:
> > It turns out that patch is no good. The reason is mentioned in the
> > changelog for commit 543d7784b07f ("USB: fix race between hub_disconnect
> > and recursively_mark_NOTATTACHED"); it says that the port devices have to
> > be removed _after_ maxchild has been set to 0.
> >
>
> I checked the commit you mentioned. Maybe your first fix is all we
> need to fix the problem? At least no race would occur for
> hdev->maxchild and usb_set_intfdata().

No, the first patch won't help, even though it passed your testing. The race it eliminates is a harmless one -- or at least, it's harmless in this context. If usb_hub_to_struct_hub() sees bad values for hdev->maxchild or usb_get_intfdata(), it will simply return NULL. But this can happen even with the first patch applied, if the user tries to access disable_store() during the brief time between when hdev->maxchild is set to 0 and when the port devices are removed.

The true fix is simply to check whether the return value from usb_hub_to_struct_hub() is NULL, which is what this patch does.

> I applied this patch and it also can fix the warning. I am not sure
> which one is better.

I'm quite sure that this one is better. I will submit it shortly, with your Tested-by:. Thanks a lot; the work you have done on this has been a big help.

Alan Stern
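As an added illustration (not the kernel's code and not the patch under discussion), a user-space C model of the check described above: once hub_disconnect() has zeroed hdev->maxchild, usb_hub_to_struct_hub() returns NULL, and a sysfs store handler reached during that window must treat the NULL as "device going away" rather than dereference it. The struct layouts, the hub_disconnect_step1() helper, the ports_disabled counter and the function bodies are simplifications assumed for this model.

```c
/* Added example: user-space model of the NULL-hub window discussed in the
 * thread. Names mirror the kernel's; all bodies are simplified assumptions. */
#include <stddef.h>
#include <errno.h>

struct usb_hub { int ports_disabled; };

struct usb_device {
    int   maxchild;   /* hub_disconnect() clears this FIRST ...            */
    void *intfdata;   /* ... port devices (and their sysfs files) go LAST  */
};

/* Model of usb_hub_to_struct_hub(): NULL once teardown has begun. */
struct usb_hub *usb_hub_to_struct_hub(struct usb_device *hdev)
{
    if (!hdev || !hdev->maxchild)
        return NULL;
    return (struct usb_hub *)hdev->intfdata;
}

/* Before: faults if the write lands after maxchild was zeroed. Defined for
 * contrast only; never called with a hub that is being torn down. */
int disable_store_unchecked(struct usb_device *hdev)
{
    struct usb_hub *hub = usb_hub_to_struct_hub(hdev);
    hub->ports_disabled++;            /* NULL dereference in the race window */
    return 0;
}

/* After: a NULL hub is an expected state during removal, so refuse the write. */
int disable_store_checked(struct usb_device *hdev)
{
    struct usb_hub *hub = usb_hub_to_struct_hub(hdev);

    if (!hub)
        return -ENODEV;               /* hub going away: touch nothing */
    hub->ports_disabled++;
    return 0;
}

/* Ordering required by commit 543d7784b07f: maxchild hits 0 while the port
 * device, and hence its sysfs attribute, still exists. */
void hub_disconnect_step1(struct usb_device *hdev)
{
    hdev->maxchild = 0;
}

/* Returns 1 when the write succeeds on a live hub and is cleanly rejected
 * (no dereference) once teardown has started. */
int run_scenario(void)
{
    struct usb_hub hub = { 0 };
    struct usb_device hdev = { .maxchild = 4, .intfdata = &hub };
    int before = disable_store_checked(&hdev);
    hub_disconnect_step1(&hdev);
    int during = disable_store_checked(&hdev);
    return before == 0 && during == -ENODEV && hub.ports_disabled == 1;
}
```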