On Fri, Aug 04, 2023 at 03:09:04PM -0400, Alan Stern wrote:
> An outstanding syzbot bug report has been traced to a race between the
> routine that reads in the device descriptor for a device being
> reinitialized and the routine that writes the descriptors to a sysfs
> attribute file. The problem is that reinitializing a device, like
> initializing it for the first time, stores the device descriptor
> directly in the usb_device structure, where it may be accessed
> concurrently as part of sending the descriptors to the sysfs reader.
>
> This three-part series fixes the problem:
>
> The first patch unites the code paths responsible for first
> reading the device descriptor in hub.c's old scheme and new
> scheme, so that neither of them will call
> usb_get_device_descriptor().
>
> The second patch changes usb_get_device_descriptor(), making
> it return the descriptor in a dynamically allocated buffer
> rather than storing it directly in the device structure.
>
> The third patch changes hub_port_init(), adding a new argument
> that specifies a buffer in which to store the device
> descriptor for devices being reinitialized.
>
> As a result of these changes, the copy of the device descriptor stored
> in the usb_device structure will never be overwritten once it has been
> initialized. This eliminates the data race causing the bug identified
> by syzbot.
>
> It would be nice at some point to make a similar change to the code
> that reads the device's BOS descriptor; reinitialization should not
> overwrite its existing data either. This series doesn't attempt to do
> that, but it would be a good thing to do.

Thanks for cleaning this up, all now applied.

greg k-h
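A toy model of the design the cover letter describes, added here as an illustration and not taken from the kernel or the series itself: the descriptor copy in the device structure is written once at first initialization, while reinitialization fetches into a private heap buffer and only compares. All names (toy_usb_device, toy_first_init, toy_reinit, get_descriptor_alloc) are invented for this example.

```c
/* Added toy model (not kernel code): the descriptor copy in the device
 * structure is written once, at first initialization; reinitialization
 * reads into a private buffer and only compares. All names are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct toy_descriptor { uint16_t idVendor, idProduct, bcdDevice; };
struct toy_usb_device {
    struct toy_descriptor descriptor; /* what a sysfs-style reader sees */
    bool initialized;
};

/* Stand-in for the transfer that fetches the descriptor: returns a fresh
 * allocation (caller frees) instead of writing into the device struct. */
static struct toy_descriptor *get_descriptor_alloc(const struct toy_descriptor *hw)
{
    struct toy_descriptor *d = malloc(sizeof *d);
    if (d)
        *d = *hw;
    return d;
}

/* First enumeration: the only place dev->descriptor is ever written. */
int toy_first_init(struct toy_usb_device *dev, const struct toy_descriptor *hw)
{
    struct toy_descriptor *d = get_descriptor_alloc(hw);
    if (!d)
        return -1;
    dev->descriptor = *d;
    dev->initialized = true;
    free(d);
    return 0;
}

/* Reinitialization (e.g. after a reset): compare without touching the
 * stored copy, so a concurrent reader never sees a partial update.
 * Returns 1 if the device now reports a different descriptor, 0 if it
 * matches, -1 on error (not yet initialized or allocation failure). */
int toy_reinit(struct toy_usb_device *dev, const struct toy_descriptor *hw)
{
    struct toy_descriptor *d = dev->initialized ? get_descriptor_alloc(hw) : NULL;
    int changed;
    if (!d)
        return -1;
    changed = d->idVendor != dev->descriptor.idVendor ||
              d->idProduct != dev->descriptor.idProduct ||
              d->bcdDevice != dev->descriptor.bcdDevice;
    free(d);
    return changed;
}
```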