Re: [PATCH 4/4] usb: fix UAF when probe runs concurrent to dyn ID removal

From: Danilo Krummrich

Date: Tue Jun 30 2026 - 17:55:53 EST


On Tue Jun 30, 2026 at 1:38 PM CEST, Gary Guo wrote:
> @@ -320,7 +321,8 @@ static int usb_probe_interface(struct device *dev)
> struct usb_driver *driver = to_usb_driver(dev->driver);
> struct usb_interface *intf = to_usb_interface(dev);
> struct usb_device *udev = interface_to_usbdev(intf);
> - const struct usb_device_id *id;
> + struct usb_device_id id;
> + const struct usb_device_id *matched_id;
> int error = -ENODEV;
> int lpm_disable_error = -ENODEV;
>
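Review bot: The new `struct usb_device_id id;` declaration has no comment saying why the match result is now held by value, and it changes the lifetime of whatever the driver's probe callback is handed. Going by the patch subject, the copy exists because a dynamic ID entry can be removed while probe is still running, so I would put `/* By-value copy: a dynamic ID entry may be freed concurrently; valid only until probe returns */` above the declaration. The call into the driver's probe callback is outside this hunk, but if it is passed `&id`, a driver that keeps that pointer past probe (rather than copying out `driver_info`) would be left holding a dangling stack address, where a static `id_table` match used to stay valid for the driver's lifetime. That contract is worth stating in the probe callback's documentation, and existing drivers are worth auditing for a stored `id` pointer.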
> @@ -340,11 +342,12 @@ static int usb_probe_interface(struct device *dev)
> return error;
> }
>
> - id = usb_match_dynamic_id(intf, driver);
> - if (!id)
> - id = usb_match_id(intf, driver->id_table);
> - if (!id)
> - return error;
> + if (!usb_match_dynamic_id(intf, driver, &id)) {
> + matched_id = usb_match_id(intf, driver->id_table);
> + if (!matched_id)
> + return error;
> + id = *matched_id;
> + }

I think this could just be:

struct usb_device_id id_copy;

if (usb_match_dynamic_id(intf, driver, &id_copy)) {
id = &id_copy;
} else {
id = usb_match_id(intf, driver->id_table);
if (!id)
return error;
}

Avoids the unnecessary copy and also results in a smaller diff.