Message-ID: <20200722145913.GB1310843@rowland.harvard.edu>
Date:   Wed, 22 Jul 2020 10:59:13 -0400
From:   Alan Stern <stern@...land.harvard.edu>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     WeitaoWangoc <WeitaoWang-oc@...oxin.com>,
        mathias.nyman@...ux.intel.com, ulf.hansson@...aro.org,
        vkoul@...nel.org, hslester96@...il.com, linux-usb@...r.kernel.org,
        linux-kernel@...r.kernel.org, Carsten_Schmid@...tor.com,
        efremov@...ux.com, tonywwang@...oxin.com, weitaowang@...oxin.com,
        CobeChen@...oxin.com, TimGuo@...oxin.com, wwt8723@....com
Subject: Re: [PATCH] USB:Fix kernel NULL pointer when unbind UHCI form
 vfio-pci

On Wed, Jul 22, 2020 at 02:44:14PM +0200, Greg KH wrote:
> On Wed, Jul 22, 2020 at 07:57:48PM +0800, WeitaoWangoc wrote:
> > This bug is found in Zhaoxin platform, but it's a common code bug.
> > Fail sequence:
> > step1: Unbind UHCI controller from native driver;
> > step2: Bind UHCI controller to vfio-pci, which will put UHCI controller in one vfio
> >        group's device list and set UHCI's dev->driver_data to struct vfio-pci(for UHCI)
> 
> Hah, that works?  How do you do that properly?  What code does that?

Yeah, that can't possibly work.  The USB core expects that any host 
controller device (or at least, any PCI host controller device) has its 
driver_data set to point to a struct usb_hcd.  It doesn't expect a host 
controller to be bound to anything other than a host controller driver.

Things could easily go very wrong here.  For example, suppose at this 
point the ehci-hcd driver just happens to bind to the EHCI controller.  
When this happens, the EHCI controller hardware takes over all the USB 
connections that were routed to the UHCI controller.  How will vfio-pci 
deal with that?  Pretty ungracefully, I imagine.

The only way to make this work at all is to unbind both uhci-hcd and 
ehci-hcd first.  Then after both are finished you can safely bind 
vfio-pci to the EHCI controller and the UHCI controllers (in that 
order).

Alan Stern
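
The ordering described in the last paragraph of this message, sketched as an added example that is not part of the original message or of any kernel tooling: every companion controller is unbound first, then vfio-pci is bound to the EHCI function and only afterwards to the UHCI functions. It assumes vfio-pci is already loaded, uses the PCI `driver_override` and `drivers_probe` sysfs files, and takes the sysfs root as a parameter so the ordering can be checked against a scratch directory; the function names and the addresses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes vfio-pci is already loaded and
# the caller passes every EHCI/UHCI function of one controller by PCI address.
# Usage (constructed addresses, run as root):
#   usb_vfio_apply /sys 0000:00:1d.0 0000:00:1d.1 0000:00:1d.7

# Print the PCI class code of device $2 under sysfs root $1 (normally /sys).
pci_class() { cat "$1/bus/pci/devices/$2/class"; }

# Print the ordered plan, one "action address" pair per line:
# unbind everything that has a driver, then bind EHCI, then bind UHCI.
usb_vfio_plan() {
    sysfs=$1; shift
    for dev in "$@"; do
        case $(pci_class "$sysfs" "$dev") in
            0x0c0320|0x0c0300) ;;   # EHCI | UHCI
            *) echo "$dev: not an EHCI/UHCI controller" >&2; return 1 ;;
        esac
    done
    for dev in "$@"; do
        if [ -e "$sysfs/bus/pci/devices/$dev/driver" ]; then
            echo "unbind $dev"
        fi
    done
    for class in 0x0c0320 0x0c0300; do
        for dev in "$@"; do
            if [ "$(pci_class "$sysfs" "$dev")" = "$class" ]; then
                echo "bind $dev"
            fi
        done
    done
}

# Carry out the plan through sysfs (needs root on a real system).
usb_vfio_apply() {
    sysfs=$1
    plan=$(usb_vfio_plan "$@") || return 1
    printf '%s\n' "$plan" | while read -r action dev; do
        d="$sysfs/bus/pci/devices/$dev"
        case $action in
            unbind) echo "$dev" > "$d/driver/unbind" ;;
            bind)   echo vfio-pci > "$d/driver_override"
                    echo "$dev" > "$sysfs/bus/pci/drivers_probe" ;;
        esac
    done
}
```

Running `usb_vfio_plan` alone prints the steps without touching any driver, which makes it easy to review the order before applying it.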
