X-Mailing-List: linux-kernel@vger.kernel.org
Date: Tue, 30 Jun 2026 23:55:44 +0200
Subject: Re: [PATCH 4/4] usb: fix UAF when probe runs concurrent to dyn ID removal
Cc: "Greg Kroah-Hartman", "Rafael J. Wysocki", "Toke Høiland-Jørgensen", "Johan Hovold"
To: "Gary Guo"
From: "Danilo Krummrich"
References: <20260630-usb_dyn_id_uaf-v1-0-160a02be5ac2@garyguo.net> <20260630-usb_dyn_id_uaf-v1-4-160a02be5ac2@garyguo.net>
In-Reply-To: <20260630-usb_dyn_id_uaf-v1-4-160a02be5ac2@garyguo.net>

On Tue Jun 30, 2026 at 1:38 PM CEST, Gary Guo wrote:
> @@ -320,7 +321,8 @@ static int usb_probe_interface(struct device *dev) > struct usb_driver *driver =3D to_usb_driver(dev->driver); > struct usb_interface *intf =3D to_usb_interface(dev); > struct usb_device *udev =3D interface_to_usbdev(intf); > - const struct usb_device_id *id; > + struct usb_device_id id; > + const struct usb_device_id *matched_id; > int error =3D -ENODEV; > int lpm_disable_error =3D -ENODEV; > =20 
> @@ -340,11 +342,12 @@ static int usb_probe_interface(struct device *dev) > return error; > } > =20 > - id =3D usb_match_dynamic_id(intf, driver); > - if (!id) > - id =3D usb_match_id(intf, driver->id_table); > - if (!id) > - return error; > + if (!usb_match_dynamic_id(intf, driver, &id)) { > + matched_id =3D usb_match_id(intf, driver->id_table); > + if (!matched_id) > + return error; > + id =3D *matched_id; > + }

I think this could just be:

	struct usb_device_id id_copy;

	if (usb_match_dynamic_id(intf, driver, &id_copy)) {
		id = &id_copy;
	} else {
		id = usb_match_id(intf, driver->id_table);
		if (!id)
			return error;
	}

Avoids the unnecessary copy and also results in a smaller diff.
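
Review bot: in the second hunk of usb_probe_interface(), `id = *matched_id;` also copies the entry found in `driver->id_table`, so after this change every later use of `&id` refers to a stack copy, even for a static-table match whose entry is not subject to dynamic ID removal. Any consumer that relies on the pointer being an element of `driver->id_table` (for example to derive an index) would no longer see one; copying only when usb_match_dynamic_id() reports a match and keeping the usb_match_id() pointer otherwise avoids that. The contract of the new third argument is also not visible in these hunks: a kernel-doc line on usb_match_dynamic_id() should state that `id` is written only when the function reports a match and that the copy is taken before the dynamic entry can be freed.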