lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 10 Dec 2022 18:01:48 +0900
From:   Vincent Mailhol <>
To:     Marc Kleine-Budde <>,
Cc:     Oliver Neukum <>,
        Wolfgang Grandegger <>,
        "David S . Miller" <>,
        Eric Dumazet <>,
        Jakub Kicinski <>,
        Paolo Abeni <>,
        Frank Jungclaus <>,,
        Yasushi SHOJI <>,
        Stefan Mätje <>,
        Hangyu Hua <>,
        Oliver Hartkopp <>,
        Peter Fink <>,
        Jeroen Hofstee <>,
        Christoph Möhring <>,
        John Whittington <>,
        Vasanth Sadhasivan <>,
        Jimmy Assarsson <>,
        Anssi Hannula <>,
        Pavel Skripkin <>,
        Stephane Grosjean <>,
        Wolfram Sang <>,
        "Gustavo A . R . Silva" <>,
        Julia Lawall <>,
        Dongliang Mu <>,
        Sebastian Haas <>,
        Maximilian Schneider <>,
        Daniel Berglund <>,
        Olivier Sobrie <>,
        Remigiusz Kołłątaj 
        Jakob Unterwurzacher <>,
        Martin Elshuber <>,
        Bernd Krumboeck <>,,,
        Alan Stern <>,,
        Vincent Mailhol <>
Subject: [PATCH v2 0/9] can: usb: remove all usb_set_intfdata(intf, NULL) in drivers' disconnect()

Many of the can usb drivers set their driver's priv data to NULL in
their disconnect function using below pattern:

	struct driver_priv *priv = usb_get_intfdata(intf);

	usb_set_intfdata(intf, NULL);

	if (priv)
                /* ... */

The pattern comes from other drivers which have a secondary interface
and for which disconnect() may be called twice. However, usb can
drivers do not have such secondary interface.

On the contrary, if a driver set the driver's priv data to NULL before
all actions relying on the interface-data pointer complete, there is a
risk of NULL pointer dereference. Typically, this is the case if there
are outstanding urbs which have not yet completed when entering

Finally, even if there is a valid reason to set the driver's priv
data, it would still be useless to do it in usb_driver::disconnect()
because the core sets the driver's data to NULL in [1] (and this
operation is done in within locked context, so that race conditions
should not occur).

The first seven patches fix all drivers which set their usb_interface
to NULL while outstanding URB might still exists. There is one patch
per driver in order to add the relevant "Fixes:" tag to each of them.

The eighth patch removes the check toward the driver data being
NULL. This just reduces the kernel size so no fixes tag here and all
changes are done in bulk in one single patch.

Finally, the last patch removes in bulk the remaining benign calls to
usb_set_intfdata(intf, NULL) in etas_es58x and peak_usb.

N.B. some other usb drivers outside of the can tree also have the same
issue, but this is out of scope of this series.

[1] function usb_unbind_interface() from drivers/usb/core/driver.c
* Changelog *

v1 -> v2

  * add explanation in the cover letter on the origin of this pattern
    and why it does not apply to can usb drivers.

  * v1 claimed that usb_set_intfdata(intf, NULL) sets the
    usb_interface to NULL. This is incorrect, it is the pointer to
    driver's private data which set to NULL. Fix this point of
    confusion in commit message.

  * add a patch to clean up the useless check on the driver's private
    data being NULL.

Vincent Mailhol (9):
  can: ems_usb: ems_usb_disconnect(): fix NULL pointer dereference
  can: esd_usb: esd_usb_disconnect(): fix NULL pointer dereference
  can: gs_usb: gs_usb_disconnect(): fix NULL pointer dereference
  can: kvaser_usb: kvaser_usb_disconnect(): fix NULL pointer dereference
  can: mcba_usb: mcba_usb_disconnect(): fix NULL pointer dereference
  can: ucan: ucan_disconnect(): fix NULL pointer dereference
  can: usb_8dev: usb_8dev_disconnect(): fix NULL pointer dereference
  can: usb: remove useless check on driver data
  can: etas_es58x and peak_usb: remove useless call to

 drivers/net/can/usb/ems_usb.c                  | 16 ++++++----------
 drivers/net/can/usb/esd_usb.c                  | 18 +++++++-----------
 drivers/net/can/usb/etas_es58x/es58x_core.c    |  1 -
 drivers/net/can/usb/gs_usb.c                   |  7 -------
 .../net/can/usb/kvaser_usb/kvaser_usb_core.c   |  9 +--------
 drivers/net/can/usb/mcba_usb.c                 |  2 --
 drivers/net/can/usb/peak_usb/pcan_usb_core.c   |  2 --
 drivers/net/can/usb/ucan.c                     |  8 ++------
 drivers/net/can/usb/usb_8dev.c                 | 13 ++++---------
 9 files changed, 20 insertions(+), 56 deletions(-)


Powered by blists - more mailing lists