| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251222174934.4c9b62d2.michal.pecio@gmail.com> Date: Mon, 22 Dec 2025 17:49:34 +0100 From: Michal Pecio <michal.pecio@...il.com> To: Alan Stern <stern@...land.harvard.edu> Cc: 胡连勤 <hulianqin@...o.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Lee Jones <lee@...nel.org>, Mathias Nyman <mathias.nyman@...ux.intel.com>, Mathias Nyman <mathias.nyman@...el.com>, Sarah Sharp <sarah.a.sharp@...ux.intel.com>, "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] usb: xhci: check Null pointer in segment alloc On Mon, 22 Dec 2025 08:34:14 -0500, Alan Stern wrote: > On Mon, Dec 22, 2025 at 12:21:09PM +0000, 胡连勤 wrote: > > Hi Michal: > > > > > On Mon, 22 Dec 2025 08:13:21 +0100, Greg Kroah-Hartman wrote: > > > > > An API that insists on its users exercising care, knowledge > > > > > and cognisance sounds fragile and vulnerable. > > > > > > > > Fragile yes, vulnerable no. Let's fix the fragility then, but > > > > as has been pointed out in this thread, we don't know the root > > > > cause, and I don't even think this "fix" would do the right > > > > thing anyway. > > > > > > The patch looks wrong. I suspect this happens when add_endpoint() > > > is called concurrently with resume(), which makes little sense. > > > And it means the same code can probably call add_endpoint() > > > before resume(), which makes no sense either. We can't do that > > > with suspended HW. > > > > > > Chances are that this crash isn't even the only thing that could > > > go wrong when such calls are attempted. For one, xhci_resume() > > > drops the spinlock after reporting usb_root_hub_lost_power(), so > > > your guess elsewhere was correct - this code isn't even locked > > > properly. > > > > > > It seems no operations on USB devices during resume() are > > > expected. > > Let's be more precise. No extraneous operations are expected on a > USB device while that device is being resumed (i.e., no operations > other than those directly involved with the resume itself). However, > operations on a USB hub or controller are expected and allowed while > a downstream device is being resumed. That's not the situation here. The problematic resume is that of the host controller itself, it's the only place I see which is expected to destroy the segment pool at runtime (other than stop()) and possibly cause the reported NULL derefence. It is not expected that anyone will add endpoints (and probably do anything) while the HC is resuming. No sanity checks for that either, the driver just does stupid things. It likely does stupid things too if you try to manipulate devices while the HC is suspended. And it looks like somebody found a way of doing just that, by calling snd_usb_autoresume() at inappropriate time for some reason. The export was added by Wesley Chang, so I guess it was part of "audio offload". IDK if offload uses it correctly. Somebody uses it incorrectly. > > Currently, after checking the logic of our KO section, we found that > > there might be two places simultaneously calling snd_usb_autoresume > > to wake up the headset device. Resuming some USB device wouldn't destroy the segment pool and cause this crash. Here, device resume tries to add an endpoint and crashes because something else has destroyed the pool. Regards, Michal
Powered by blists - more mailing lists