From patchwork Mon Oct 5 15:26:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 290651 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF9EFC4363A for ; Mon, 5 Oct 2020 15:31:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9E1B32074F for ; Mon, 5 Oct 2020 15:31:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601911888; bh=0GjEP2suzy0wB6utPip3sV2xYtrHHvjSr4BqU5jp9Zw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=MWEtivN2eeYN/scvAoJP9sQlUYvyBhI409r9WkrJ6ZB119cNTlge6a1td/F5sSP7D 7mlPbnSe4mn53UuJO+zof2eXxxcbgbjWFn3a1SFLbFcpl58ZPiqnBCcDdvMIidGKkm pJkcB6uz66SFIKYgOcUexGjfzJNRH8ko0GlxOn6k= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727843AbgJEPbT (ORCPT ); Mon, 5 Oct 2020 11:31:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:58120 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727855AbgJEPbR (ORCPT ); Mon, 5 Oct 2020 11:31:17 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8CB5920637; Mon, 5 Oct 2020 15:31:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1601911876; bh=0GjEP2suzy0wB6utPip3sV2xYtrHHvjSr4BqU5jp9Zw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=akMlBtIsNU/ynzVlbIMoOUyPiiqzBwaSisaTITN1GGe4nvxswL1oafXpIrvHsrgpZ 4bbo0uTPkMiSZiOa9yhBI43QwEvXGscHtITTwo+gfaEOgMzWtsatlwi5/UeXk9z2pk 6vGtN8znFbG4WNP1VJhjJXNEb25Kgg1wHYNV5PX4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Bastien Nocera , Shuah Khan , Valentina Manea , syzkaller@googlegroups.com, Andrey Konovalov , "M. Vefa Bicakci" Subject: [PATCH 5.8 06/85] usbcore/driver: Fix specific driver selection Date: Mon, 5 Oct 2020 17:26:02 +0200 Message-Id: <20201005142115.051069935@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201005142114.732094228@linuxfoundation.org> References: <20201005142114.732094228@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: M. Vefa Bicakci commit aea850cd35ae3d266fe6f93fb9edb25e4a555230 upstream. This commit resolves a bug in the selection/discovery of more specific USB device drivers for devices that are currently bound to generic USB device drivers. The bug is in the logic that determines whether a device currently bound to a generic USB device driver should be re-probed by a more specific USB device driver or not. The code in __usb_bus_reprobe_drivers() used to have the following lines: if (usb_device_match_id(udev, new_udriver->id_table) == NULL && (!new_udriver->match || new_udriver->match(udev) != 0)) return 0; ret = device_reprobe(dev); As the reader will notice, the code checks whether the USB device in consideration matches the identifier table (id_table) of a specific USB device_driver (new_udriver), followed by a similar check, but this time with the USB device driver's match function. However, the match function's return value is not checked correctly. When match() returns zero, it means that the specific USB device driver is *not* applicable to the USB device in question, but the code then goes on to reprobe the device with the new USB device driver under consideration. All this to say, the logic is inverted. This bug was found by code inspection and instrumentation while investigating the root cause of the issue reported by Andrey Konovalov, where usbip took over syzkaller's virtual USB devices in an undesired manner. The report is linked below. Fixes: d5643d2249b2 ("USB: Fix device driver race") Cc: # 5.8 Cc: Greg Kroah-Hartman Cc: Alan Stern Cc: Bastien Nocera Cc: Shuah Khan Cc: Valentina Manea Cc: Tested-by: Andrey Konovalov Signed-off-by: M. Vefa Bicakci Link: https://lore.kernel.org/r/20200922110703.720960-3-m.v.b@runbox.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -924,7 +924,7 @@ static int __usb_bus_reprobe_drivers(str udev = to_usb_device(dev); if (usb_device_match_id(udev, new_udriver->id_table) == NULL && - (!new_udriver->match || new_udriver->match(udev) != 0)) + (!new_udriver->match || new_udriver->match(udev) == 0)) return 0; ret = device_reprobe(dev);