| Message ID | 20231208123119.1.If27eb3bf7812f91ab83810f232292f032f4203e0@changeid |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp5704424vqy;
Fri, 8 Dec 2023 12:32:19 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFjefUdsYXpkbxqM6QsY/eiKZALYroF1yaeyWT2rzAyDi0NKAwfoV+dvzjZ+kwcqTw047Yu
X-Received: by 2002:a05:6602:305a:b0:7b4:28f8:15c5 with SMTP id
p26-20020a056602305a00b007b428f815c5mr789497ioy.37.1702067538706;
Fri, 08 Dec 2023 12:32:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702067538; cv=none;
d=google.com; s=arc-20160816;
b=ws+t7uJLooGV9Ac1mfb0oVXVmRwxjCLVumVNPz4zFo0vEZBh5TDgSsf7MPEyASdj0x
y9cekfK4GPFa9qbZMRha6xmwClvlPmOdyEXRLhPXj4PUFsA9M/LcKpjWSKXXT6pYSoL/
k8UqbpcgmlGpZfE32fJ4gSRS0435EZ3yRjaERvxhpop+zgI4WZbEoAC1s16Zaoy/2fr+
H9xj4N9KnTyDFMIxsrajlSZKw2hBXe3SEj4b+vUgfTsbTYMklwpzN85FX6RGEdD9pDcJ
xmNxjZtjh7S/GeLk/OTLdJM0KvUlNfv8lKVAIeGDAYIfRUJkI6Zb0TUneHCmKYO32O7j
iNvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=w2mQlIlH8/Z8tgvJ/zwHnI8QH4gOVcIFjCJw+TXnnTk=;
fh=0dtxmebFT11KfAV+CO7qYpEzfqb/xsHqJm4nufBb7vA=;
b=T1qdT4FlICrrWmU+oNO2xCQvjoliYU0NDX5JpXkgZq+9bNxmgvNY29WyclInyGsSGq
pUF8xPwakF1PJOIy1/2vTfyzwI6MzefzzK2u1Vki5aTk0AQZduaG7DFmbH05FIu+jDJD
yJvN2NgsVb1iOGAUKQ7yEPAAwc8m+8+g5T/O8Bsq5Lmz4aapJbAjCIoo1THHpH4l0sKf
Ky9KMR671+OXQHQsDpiep3nNtYtOsH4l4oXesf9B019hJP3WD+zOBrgJpC99m5Dy7cSz
LdNt3QjZ+nap6kLrQPAdKef91x4aRkUEEhxxSIN60kjVN9H+3JqAIP9oqE+ANtmIZWPW
Q0Vw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=C4BlyNZu;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:5 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5])
by mx.google.com with ESMTPS id
q9-20020a63f949000000b005c6763c2ff8si1958379pgk.760.2023.12.08.12.32.18
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 08 Dec 2023 12:32:18 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:5 as permitted sender)
client-ip=2620:137:e000::3:5;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=C4BlyNZu;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:5 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by groat.vger.email (Postfix) with ESMTP id 07B43826659A;
Fri, 8 Dec 2023 12:32:13 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233919AbjLHUcD (ORCPT <rfc822;makky5685@gmail.com> + 99 others);
Fri, 8 Dec 2023 15:32:03 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43694 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229572AbjLHUcC (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 8 Dec 2023 15:32:02 -0500
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com
[IPv6:2607:f8b0:4864:20::42e])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E420A10EF
for <linux-kernel@vger.kernel.org>;
Fri, 8 Dec 2023 12:32:08 -0800 (PST)
Received: by mail-pf1-x42e.google.com with SMTP id
d2e1a72fcca58-6cedc988cf6so742688b3a.3
for <linux-kernel@vger.kernel.org>;
Fri, 08 Dec 2023 12:32:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1702067528; x=1702672328;
darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=w2mQlIlH8/Z8tgvJ/zwHnI8QH4gOVcIFjCJw+TXnnTk=;
b=C4BlyNZuX0vmWiywMiDGcgYLLtThyzY7EqukTWLvqaoLBkfEkaOCCAlU9XXuJPMOqF
MxSr6/JUGCvuEKavfvhjy+99Y2Y66ayNTY8LzDl2kIvmsfphNMKQpAmheuyYS5KuXkhT
Met10JV2pE+2z7KRmybincabz6tU+eRbChw0E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1702067528; x=1702672328;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=w2mQlIlH8/Z8tgvJ/zwHnI8QH4gOVcIFjCJw+TXnnTk=;
b=ZmTapdJZQW0lwbixKOxzNPgnYhznv65++fP26D7b26xrMz/iaDGUINLq1Gk/RMXjYf
i1K8cYMQNdhvyc2BrH/WyvMvV5iSdg/rigvqD47LTuLKGQQJHxdo4lOvdz0+Vz17w2jw
2XWT6i6K5dYliQDXLzOVFgeENQqzHBZeBJcK/969j/s2EjmZ4RiSYiLwtQG4pizWdlNx
vEjbqZWy3fXfJLmfbzKjGPo3zY6bp0FPvsTk6S2TRnoaIEjtSNosmwZ5lJcXSutJIjwr
nMBhYeo/OI5NAkpE4OCO6Tmm0bJN6ctIlGfSUvq/GzykJjCz1Mf7tya5J7kCRXLi51gJ
r3XA==
X-Gm-Message-State: AOJu0YycWhtCu/uBk3Byc5wosJm3AOAQwm2g4ZL94lwj7fCjSxTYQLff
kZMcm0/ksLIDoW4DHipRoKVonQ==
X-Received: by 2002:a05:6a00:2387:b0:6cb:bc06:b058 with SMTP id
f7-20020a056a00238700b006cbbc06b058mr775362pfc.0.1702067528378;
Fri, 08 Dec 2023 12:32:08 -0800 (PST)
Received: from tictac2.mtv.corp.google.com
([2620:15c:9d:2:e1ca:b36e:48ba:c0e0])
by smtp.gmail.com with ESMTPSA id
n24-20020aa78a58000000b006ce4965fdbdsm1995691pfa.116.2023.12.08.12.32.06
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 08 Dec 2023 12:32:07 -0800 (PST)
From: Douglas Anderson <dianders@chromium.org>
To: linux-usb@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
=?utf-8?q?Bj=C3=B8rn_Mork?= <bjorn@mork.no>,
Eric Dumazet <edumazet@google.com>, Grant Grundler <grundler@chromium.org>,
Brian Geffon <bgeffon@google.com>, "David S . Miller" <davem@davemloft.net>,
Hayes Wang <hayeswang@realtek.com>, Alan Stern <stern@rowland.harvard.edu>,
Simon Horman <horms@kernel.org>, netdev@vger.kernel.org,
Douglas Anderson <dianders@chromium.org>, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: core: Fix crash w/ usb_choose_configuration() if no
driver
Date: Fri, 8 Dec 2023 12:31:24 -0800
Message-ID:
<20231208123119.1.If27eb3bf7812f91ab83810f232292f032f4203e0@changeid>
X-Mailer: git-send-email 2.43.0.472.g3155946c3a-goog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]);
Fri, 08 Dec 2023 12:32:13 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1784747171218224749
X-GMAIL-MSGID: 1784747171218224749
|
| Series |
usb: core: Fix crash w/ usb_choose_configuration() if no driver
|
|
Commit Message
Doug Anderson
Dec. 8, 2023, 8:31 p.m. UTC
It's possible that usb_choose_configuration() can get called when a
USB device has no driver. In this case the recent commit a87b8e3be926
("usb: core: Allow subclassed USB drivers to override
usb_choose_configuration()") can cause a crash since it dereferenced
the driver structure without checking for NULL. Let's add a check.
This was seen in the real world when usbguard got ahold of a r8152
device at the wrong time. It can also be simulated via this on a
computer with one r8152-based USB Ethernet adapter:
cd /sys/bus/usb/drivers/r8152-cfgselector
to_unbind="$(ls -d *-*)"
real_dir="$(readlink -f "${to_unbind}")"
echo "${to_unbind}" > unbind
cd "${real_dir}"
echo 0 > authorized
echo 1 > authorized
Fixes: a87b8e3be926 ("usb: core: Allow subclassed USB drivers to override usb_choose_configuration()")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
---
drivers/usb/core/generic.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
Comments
On Fri, Dec 08, 2023 at 12:31:24PM -0800, Douglas Anderson wrote: > It's possible that usb_choose_configuration() can get called when a > USB device has no driver. In this case the recent commit a87b8e3be926 > ("usb: core: Allow subclassed USB drivers to override > usb_choose_configuration()") can cause a crash since it dereferenced > the driver structure without checking for NULL. Let's add a check. > > This was seen in the real world when usbguard got ahold of a r8152 > device at the wrong time. It can also be simulated via this on a > computer with one r8152-based USB Ethernet adapter: > cd /sys/bus/usb/drivers/r8152-cfgselector > to_unbind="$(ls -d *-*)" > real_dir="$(readlink -f "${to_unbind}")" > echo "${to_unbind}" > unbind > cd "${real_dir}" > echo 0 > authorized > echo 1 > authorized > > Fixes: a87b8e3be926 ("usb: core: Allow subclassed USB drivers to override usb_choose_configuration()") > Signed-off-by: Douglas Anderson <dianders@chromium.org> > --- I'm not sure this is the best solution. A USB device with no driver is an anomaly; in all likelihood we shouldn't be calling usb_choose_configuration() for such a device in the first place. So I think a better solution would be to put this check in usb_authorize_device() before it does the autoresume, or else to make usb_choose_configuration() return immediately, right at the start, if there is no driver. Alan Stern
diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c index dcb897158228..365482347333 100644 --- a/drivers/usb/core/generic.c +++ b/drivers/usb/core/generic.c @@ -59,15 +59,19 @@ int usb_choose_configuration(struct usb_device *udev) int num_configs; int insufficient_power = 0; struct usb_host_config *c, *best; - struct usb_device_driver *udriver = to_usb_device_driver(udev->dev.driver); + struct usb_device_driver *udriver; if (usb_device_is_owned(udev)) return 0; - if (udriver->choose_configuration) { - i = udriver->choose_configuration(udev); - if (i >= 0) - return i; + if (udev->dev.driver) { + udriver = to_usb_device_driver(udev->dev.driver); + + if (udriver->choose_configuration) { + i = udriver->choose_configuration(udev); + if (i >= 0) + return i; + } } best = NULL;