Date: Tue, 10 Dec 2019 15:13:28 -0500 (EST)
From: Alan Stern
To: Andrey Konovalov
cc: syzbot, Hans Verkuil, Souptick Joarder, LKML, USB list, Mauro Carvalho Chehab, Richard Fontana, syzkaller-bugs, Thomas Gleixner
Subject: Re: KASAN: use-after-free Read in usbvision_v4l2_open
List-ID: linux-kernel@vger.kernel.org

On Tue, 10 Dec 2019, Andrey Konovalov wrote:

> On Tue, Dec 10, 2019 at 8:48 PM Alan Stern wrote:
> > This looks like a race in v4l2_open(): The function drops the
> > videodev_lock mutex before calling the video driver's open routine, and
> > the device can be unregistered during the short time between.
> >
> > This patch tries to make the race much more likely to happen, for
> > testing and verification.
> >
> > Andrey, will syzbot run the same test with this patch, even though it
> > says it doesn't have a reproducer?
>
> Hi Alan,
>
> No, unfortunately there's nothing to run if there's no reproducer.
> It's technically possible to run the same program log that triggered
> the bug initially, but since the bug wasn't reproduced with this log
> even without the patch, there isn't much sense in running it with the
> patch applied.

Actually it does make sense. That bug was caused by a race, and the
patch tries to make the race much more likely to happen, so the same
test should fail again.

But never mind; I'll try a different approach. There's another syzbot
bug report, one with a reproducer, and with this patch in place it
should trigger the same race. I'll try submitting it that way.

By the way, do you know why syzbot sent _two_ reply messages? One with
message ID <00000000000031a0af05995eca0b@google.com> and the other with
message ID <000000000000441a4205995eca11@google.com>? It seems like
overkill.

Alan Stern
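Editor's added example, not part of the thread and not the kernel's v4l2 code or the patch Alan refers to (which is not shown on this page): a userspace C model of the race shape he describes, where a device is looked up under a lock, the lock is dropped, and the driver's open routine is then called on a pointer that a concurrent unregister can free in the gap. The buggy shape is shown beside the usual mitigation for this pattern (take a reference before dropping the lock, re-check registration afterwards, drop the reference last); whether the real fix used exactly that mechanism is not stated on the page. All identifiers (video_device, registry, racy_open, safe_open, demo_*) are invented for the demo; the mutex itself is left implicit, because the interleaving is forced deterministically by running the unregister path inside the unlocked window instead of using threads, and kfree() is modelled by poisoning the object so the demo stays defined behaviour rather than a real use-after-free.

```c
/* Added demo (not kernel code, not the patch from the thread): the "look up
 * under the lock, drop it, then use the pointer" race, in userspace C.
 * kfree() is modelled by poisoning the object so this stays defined behaviour. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct video_device {          /* made-up stand-in for the real struct */
    int minor;
    int refcount;              /* registry holds one ref; each opener takes one */
    bool registered;           /* cleared on unregister, re-checked by safe_open */
    bool freed;                /* "kfree()'d": any later access is a UAF */
    int open_calls;
};

static struct video_device *registry;   /* one-slot stand-in for the device table */
static int uaf_detected;                /* accesses to a freed device (KASAN would flag) */

/* The mutex is left implicit: the caller forces the interleaving by running the
 * unregister path inside the unlocked window, so no threads are needed. */

static void dev_put(struct video_device *d)
{
    if (--d->refcount == 0)
        d->freed = true;       /* last reference dropped: object is gone */
}

static int driver_open(struct video_device *d)   /* the driver's open routine */
{
    if (d->freed) { uaf_detected++; return -1; }
    d->open_calls++;
    return 0;
}

static struct video_device *lookup(int minor)    /* caller holds the lock */
{
    return (registry && registry->minor == minor) ? registry : NULL;
}

void register_dev(struct video_device *d, int minor)
{
    *d = (struct video_device){ .minor = minor, .refcount = 1, .registered = true };
    registry = d;
}

void unregister_dev(int minor)   /* disconnect path: unpublish, drop registry ref */
{
    struct video_device *d = lookup(minor);
    if (!d) return;
    registry = NULL;
    d->registered = false;
    dev_put(d);
}

typedef void (*window_hook_t)(int minor);   /* runs in the unlocked window */

/* Buggy shape: nothing keeps dev alive once the lock is dropped. */
int racy_open(int minor, window_hook_t in_window)
{
    struct video_device *d = lookup(minor);   /* lock dropped right after */
    if (!d) return -ENODEV;
    if (in_window) in_window(minor);          /* disconnect lands in the gap */
    return driver_open(d);                    /* dev may already be freed */
}

/* Hardened shape: take a reference before dropping the lock, re-check
 * registration after the window, and release the reference at the end. */
int safe_open(int minor, window_hook_t in_window)
{
    struct video_device *d = lookup(minor);
    if (!d) return -ENODEV;
    d->refcount++;                            /* still under the lock */
    if (in_window) in_window(minor);
    int ret = d->registered ? driver_open(d) : -ENODEV;
    dev_put(d);                               /* frees it if unregistered meanwhile */
    return ret;
}

static struct video_device demo_dev;
int uaf_count(void) { return uaf_detected; }

int demo_no_race(void)   /* ordinary open, no disconnect: returns 0 */
{
    register_dev(&demo_dev, 0);
    int ret = safe_open(0, NULL);
    unregister_dev(0);
    return ret;
}

int demo_racy(void)      /* disconnect in the window: -1, one UAF counted */
{
    register_dev(&demo_dev, 0);
    return racy_open(0, unregister_dev);
}

int demo_safe(void)      /* same interleaving, hardened: -ENODEV, no UAF */
{
    register_dev(&demo_dev, 0);
    return safe_open(0, unregister_dev);
}
```

The point of the side-by-side: with the same disconnect landing in the same window, racy_open() dereferences an object whose last reference was already dropped, while safe_open() holds its own reference across the window, so the worst outcome becomes a clean -ENODEV rather than a use-after-free. This is also why a patch that widens the window (as Alan's test patch is described as doing) makes a genuine race fire reliably: the hardened path is indifferent to how long the window is.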