Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3702040ybl; Mon, 12 Aug 2019 05:05:23 -0700 (PDT) X-Google-Smtp-Source: APXvYqy/eR1yTFD16w6RD3oOO3mejHqWD1fnpDwa+6yg7AzjcYLa/GGrXT8K3tWzasJAUR08pA6I X-Received: by 2002:a65:5144:: with SMTP id g4mr29975292pgq.202.1565611523282; Mon, 12 Aug 2019 05:05:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565611523; cv=none; d=google.com; s=arc-20160816; b=MYwXOHFiO9fqBgN9WELj9JbFFo/iKQwZd8BjmE0XU1p0HLOjeKfCxhuwHjdfBV38JA Cev/3Jrv8sGqdKLuXyf0sVxEX4I1FiU+G9MrSGDe7FpTIQfSTBbY5BkC/6uHjYH37JNX HzCB8pJ9URhkPJ9MrLZCPVwNrmrB3CAD73bkygOT6PPhJZdSvd0Qpu4WrLFvTAMLi94c wElijhaurXl3Bor9siWcGaXk2oidWNMQORQTn3LKtjIDjaF5m9LIl9O1FkTKbCf0vn6k gglSo/QKZw6iKKVwTD7hhhYS4O2vmcfLBcrR2KB+DjNuqx098WjHYYFm8w+5NTe973UM P0RQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=FIFevxOQtejENIKXPw7Is4Q/QJpdaof9XvfR5if/hlM=; b=uRnO9anHVx9A7csZ1837XfqnBk5tkqDwfJFdtmhk3taHiF3mFBG98r+EkWauOIhmjA 7fFiA0F/QcbR6coOduexEPHfGsLnIWcfWzf9aGJbDog7aSckZlcm54sgbz6F66dUVL6i pow3TCYBoUSw0oxAoB0qVH+gjncvNM/ZXTzFS/csYIFOlqd9ZuZHKu5o/HYz89FI9AmX SjiNKaHPLeYs4AE0MXJyembfF4vGaRGIIunmbtdT5IrYr8S8yUSM6QOBrJ1syAXKKq/D 1dIDocbN5e3rdp6oaw0fRMfxzXzONBAhFmtBZ92hWjKMjrEIkMAtntSA71xHIBRyt2Y4 /nlA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ZbQ2S5yw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j5si59934541pgm.427.2019.08.12.05.05.07; Mon, 12 Aug 2019 05:05:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ZbQ2S5yw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727994AbfHLMEK (ORCPT + 99 others); Mon, 12 Aug 2019 08:04:10 -0400 Received: from mail-pl1-f194.google.com ([209.85.214.194]:44259 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726987AbfHLMEJ (ORCPT ); Mon, 12 Aug 2019 08:04:09 -0400 Received: by mail-pl1-f194.google.com with SMTP id t14so47762892plr.11 for ; Mon, 12 Aug 2019 05:04:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FIFevxOQtejENIKXPw7Is4Q/QJpdaof9XvfR5if/hlM=; b=ZbQ2S5ywhnWZ9VGkBs5RSNIxxulgtRILYMiJXBeaSZSdFMfiq2nW9MFU0nAfRgYk3l x4UwOBmE/VoMnZr+z4Rwj1uIbLi+Akbcv/GnJdOoxvofvG8oWIJq2pOzfHViIP7txhud 6oKvWyqoeT6u+Ig3IXYnAG0zER9ge5R96HRrswYJyltCh8VWPCdGNvFtcYmoNfj7p3/G Sot3TFKWLL1lbbjCvojO1527uzVTbRQjhtaH4JGlU8/BSMVQAaPzlNmdawHBerPgczyF si5qYNwMRgWdbME3mEtR4EEkXbbMGGhEBLY7FLP/PU8C432j2ykiB6LkIZgeC3aooQG+ XFeg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FIFevxOQtejENIKXPw7Is4Q/QJpdaof9XvfR5if/hlM=; b=FSiWaxXnTuyPCJMZNK/DYMuZLucYK+EH7ORBPPsD+gZe/rY8xqYC4prLnz/XSAuZ5F inmYGF9nnz2+JcP/aKZoSb5LWs6omLGrU2lot4gLBDIVwh8I/poZYpktqmb0nbQrcvzN u4LUA108LjPEsG5PqrOUYbKx5gFOb8QkbkXWzF5ByEk1Uq6wUdvB0Qz8hn0mqLo7Kjge FuAuSWmZTPE2Ki1HBlxp5gshCVGQCPR/HoH/WDmx5Od9Bsvz3IRZcYQZb2plQe5zGcig 7vh9jUQrrItgbH8EGgtufju4iJ/hpYPVOUpynOX212sxYttaF+VduXMASu8PkFNKGOXn bxsQ== X-Gm-Message-State: APjAAAXXW+ZCHAQQNxK4j0Us5Fv9kS3Ke3cGD3xl2gvHmlKjlqt88O98 kKIS4DibzRpDJumQfTvxT918SMQb0RUb9mpjtVQW9A== X-Received: by 2002:a17:902:8649:: with SMTP id y9mr5338163plt.252.1565611448967; Mon, 12 Aug 2019 05:04:08 -0700 (PDT) MIME-Version: 1.0 References: <0000000000007e2e84058fb46c49@google.com> In-Reply-To: From: Andrey Konovalov Date: Mon, 12 Aug 2019 14:03:57 +0200 Message-ID: Subject: Re: KASAN: use-after-free Read in usb_kill_urb To: Alan Stern Cc: syzbot , Greg Kroah-Hartman , "Gustavo A. R. Silva" , LKML , USB list , syzkaller-bugs Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 9, 2019 at 10:52 PM Alan Stern wrote: > > On Fri, 9 Aug 2019, syzbot wrote: > > > Hello, > > > > syzbot has tested the proposed patch and the reproducer did not trigger > > crash: > > > > Reported-and-tested-by: > > syzbot+22ae4e3b9fcc8a5c153a@syzkaller.appspotmail.com > > > > Tested on: > > > > commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver > > git tree: https://github.com/google/kasan.git > > kernel config: https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > patch: https://syzkaller.appspot.com/x/patch.diff?x=173f2d2c600000 > > > > Note: testing is done by a robot and is best-effort only. > > This shows that this bug is a duplicate of extid=30cf45ebfe0b0c4847a1. Let's mark it as one: #syz dup: KASAN: use-after-free Read in ld_usb_release I'll also mark all bugs that involve ldusb as duplicates, as they all likely are. > This fact is also visible in the console logs; both have lines saying > something like: > > [ 549.416341][ T22] sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0' > > and > > [ 549.958755][ T22] ldusb 1-1:0.28: Not able to get a minor for this device. > > preceding the invalid access. > > Alan Stern >