Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1472595ybl; Tue, 13 Aug 2019 13:16:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqyYJ76gm1YemSwbGFy0tk2HgM0E3XIUpAeQQK5mJksLmNhRqFG18VkplItQcZO6vHiOxfDa X-Received: by 2002:aa7:81d4:: with SMTP id c20mr42939850pfn.235.1565727381886; Tue, 13 Aug 2019 13:16:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565727381; cv=none; d=google.com; s=arc-20160816; b=MkD5DupztjP4cs2S1y7QyivCrDf+gjCYaIZr6aPpLsTYaU9LVOucfM4CqJOG2o7I0h UgIJJzk2TS3l+av9lJbRO5yd82kuYCNAnhl8gIeF5LqaWDNEZFEI8Tbd0mx57tRiq7qb y3W4mb/NV60TKwjLUtImkqRtNr1jWJXra/b6wFRjq/M/u0eGahnpFNj85YYR5yA4v8sQ rRqzOMMXBXCbtk6CeSU6cuHhbEHmuVb2mFxtV7DNzrIywxG+ts7GUIDGFq2z4l6Uebqs T+hl2eVtzslsf7EhrY1pL6xOXOKsg3zK8Fa29dgPtslOJ87DehyKIWKV/QIdzX3EhHkE 9j7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=ggfDgBh+IR5SVOGDwp+EbnCc9Awb3FATXPOFGctNxD0=; b=mrEUNZH17g2m1HKWmrNtRC0MNZueEoH1Mwr46zDKRGKaGX82N7s/OYVo1qjYpRwY4n wk4Hn7e9Pg8er8JVfraZY65I5sDdnPC1LpEWM/d/KyZTTqHNTrnGDNjvlTgJU8FHCsTt qCH0jAxESycWatcLooEYEMw98qd0TK6Qb/S6uLRt5QaBADmoX8TtjaGmbz4VFM8q4pM/ J2+cxUsTF64InZ1uXR6ptGN37Cbo54VJR589OH32ok3cFrhtqqaRvC6cZ+VB1o0Kvc5M n2+TsEIklE0rNewX2LDvHt+w80GrFYD+KxC/IXr76RU9ak+YzVhS6KmulXSVZdghrdf1 U9SQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y71si62083120pgd.271.2019.08.13.13.16.05; Tue, 13 Aug 2019 13:16:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726742AbfHMUNt (ORCPT + 99 others); Tue, 13 Aug 2019 16:13:49 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:42648 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726066AbfHMUNt (ORCPT ); Tue, 13 Aug 2019 16:13:49 -0400 Received: (qmail 3672 invoked by uid 2102); 13 Aug 2019 16:13:48 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Aug 2019 16:13:48 -0400 Date: Tue, 13 Aug 2019 16:13:48 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: syzbot cc: andreyknvl@google.com, , , , , , , Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb In-Reply-To: <000000000000d195cc058feb2498@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 12 Aug 2019, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > KASAN: invalid-free in hcd_buffer_free This bug report shows that Hillf's fix isn't exactly right. > usb 5-1: USB disconnect, device number 2 > ================================================================== > BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260 > drivers/usb/core/buffer.c:165 > > CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Workqueue: usb_hub_wq hub_event > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0xca/0x13e lib/dump_stack.c:113 > print_address_description+0x6a/0x32c mm/kasan/report.c:351 > kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444 > __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428 > slab_free_hook mm/slub.c:1423 [inline] > slab_free_freelist_hook mm/slub.c:1470 [inline] > slab_free mm/slub.c:3012 [inline] > kfree+0xe4/0x2f0 mm/slub.c:3953 > hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165 > usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932 > hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964 > usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224 > logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797 Here the double-free occurred when logi_dj_remove() called hd_hw_stop()... > hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242 > __device_release_driver drivers/base/dd.c:1118 [inline] > device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151 > bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556 > device_del+0x420/0xb10 drivers/base/core.c:2288 > hid_remove_device drivers/hid/hid-core.c:2413 [inline] > hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432 > usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414 which occurred inside usbhid_disconnect()'s call to hid_destroy_device(). But just above the call to hid_destroy_device(), Hillf's patch adds a direct call to hid_hw_stop(), which is what did the original free. So it looks like the problem here is that some paths in the original unpatched code end up calling hid_hw_stop() by way of the hid_device's driver, and other paths do not. I haven't had time to track down this difference. Maybe somebody on the mailing list already knows why it occurs. Alan Stern