Re: [PATCH] usb: core: Null deref in kernel with USB webcams.

From: Alan Stern
Date: Fri Nov 13 2020 - 12:17:02 EST

Next message: Alex Deucher: "Re: [PATCH 08/40] drm/amd/amdgpu/amdgpu_ib: Fix some incorrect/incomplete function documentation"
Previous message: Paul E. McKenney: "Re: #PF from NMI"
In reply to: John Boero: "Re: [PATCH] usb: core: Null deref in kernel with USB webcams."
Next in thread: Alan Stern: "Re: [PATCH] usb: core: Null deref in kernel with USB webcams."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Nov 13, 2020 at 04:45:52PM +0000, John Boero wrote:
> Sorry I wanted to include a pastebin or link but was trying to follow maillist
> guidelines and not include links or exceed wrap guidelines. Full contents:
> https://paste.centos.org/view/3746bc40
>
> Yes I understand the return dodges the config dereference.
>
> Original line usb.c:281 is the original error:
>
> 280| for (i = 0; i < config->desc.bNumInterfaces; i++)
> 281| if (config->interface[i]->altsetting[0]
> 282| .desc.bInterfaceNumber == ifnum)
> 283| return config->interface[i];

Okay. Without having looked at the code, I would guess that uvcvideo's
uvc_ioctl_streamon() handler -- or some routine beneath it -- either
doesn't lock the USB interface while starting I/O, or doesn't check
(while holding the lock) to see whether the driver has been unbound.

This sort of error (config->interface[i] == NULL) is what you expect to
see if a driver tries to carry out I/O to a device that has been
unplugged and that it has been unbound from.

Alan Stern

Next message: Alex Deucher: "Re: [PATCH 08/40] drm/amd/amdgpu/amdgpu_ib: Fix some incorrect/incomplete function documentation"
Previous message: Paul E. McKenney: "Re: #PF from NMI"
In reply to: John Boero: "Re: [PATCH] usb: core: Null deref in kernel with USB webcams."
Next in thread: Alan Stern: "Re: [PATCH] usb: core: Null deref in kernel with USB webcams."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]