Date: Tue, 6 Aug 2019 10:19:37 -0400 (EDT)
From: Alan Stern
To: Oliver Neukum
Cc: Andrey Konovalov, syzkaller-bugs, syzbot, LKML, USB list
Subject: Re: KASAN: use-after-free Read in device_release_driver_internal
In-Reply-To: <1565095011.8136.20.camel@suse.com>
List-ID: linux-kernel@vger.kernel.org

On Tue, 6 Aug 2019, Oliver Neukum wrote:

> On Thursday, 01.08.2019, 14:47 -0400, Alan Stern wrote:
> >
> > I think this must be caused by an unbalanced refcount. That is,
> > something must drop one more reference to the device than it takes.
> > That would explain why the invalid access occurs inside a single
> > bus_remove_device() call, between the klist_del() and
> > device_release_driver().
> >
> > The kernel log indicates that the device was probed by rndis_wlan,
> > rndis_host, and cdc_acm, all of which got errors because of the
> > device's bogus descriptors. Probably one of them is messing up the
> > refcount.
>
> Hi,
>
> you made me look at cdc-acm. I suspect
>
> cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")
>
> is buggy decrementing the refcount on the interface in destroy()
> even before the refcount is increased.
>
> Unfortunately I cannot tell from the bug report how many and which
> interfaces the emulated test device has. Hence it is unclear to me,
> when exactly probe() would fail cdc-acm.

Only one interface (numbered 234!).

> If you agree. I am attaching a putative fix.

Your patch adds a line saying:

> + usb_get_intf(acm->control); /* undone in destroy() */

but I don't see any destroy() function in that source file. Did you mean acm_port_destruct()?

In any case, I don't know if this missing "get" would cause the problem, but it might well.

Alan Stern
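The get/put imbalance the thread suspects, as a constructed userspace model added here (not cdc-acm or kernel code; the struct layouts, acm_probe_unbalanced and acm_probe_balanced are invented for illustration): the unbalanced probe reaches the port destructor, which drops an interface reference, before the matching get was ever taken, so a failed probe leaves the interface one reference short and a later put frees it while the bus core still uses it.

```c
/* Constructed userspace model of the refcount pattern discussed above.
 * Names mirror the thread (acm, control interface, acm_port_destruct),
 * but the types and functions are invented for this model. */

struct usb_interface { int refcount; };
struct acm { struct usb_interface *control; };

static void usb_get_intf(struct usb_interface *i) { i->refcount++; }
static void usb_put_intf(struct usb_interface *i) { i->refcount--; }

/* Port destructor: drops the interface reference the driver took. */
static void acm_port_destruct(struct acm *acm) { usb_put_intf(acm->control); }

/* probe() as the thread suspects it behaves: on bogus descriptors the
 * destructor runs before the matching usb_get_intf() was taken. */
static int acm_probe_unbalanced(struct acm *acm, int descriptors_bogus)
{
    if (descriptors_bogus) {
        acm_port_destruct(acm);   /* drops a reference never acquired */
        return -1;
    }
    usb_get_intf(acm->control);   /* undone in acm_port_destruct() */
    return 0;
}

/* The fix being discussed: take the interface reference before any
 * failure path that can reach the destructor, so get and put pair up. */
static int acm_probe_balanced(struct acm *acm, int descriptors_bogus)
{
    usb_get_intf(acm->control);   /* undone in acm_port_destruct() */
    if (descriptors_bogus) {
        acm_port_destruct(acm);
        return -1;
    }
    return 0;
}

/* Run one failed probe and return the interface refcount left behind.
 * The core holds one reference of its own; anything below 1 means the
 * next put will free the interface underneath the bus core. */
int refcount_after_failed_probe(int (*probe)(struct acm *, int))
{
    struct usb_interface intf = { .refcount = 1 };  /* core's reference */
    struct acm acm = { .control = &intf };
    probe(&acm, 1);
    return intf.refcount;
}
```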