From: Andrey Konovalov
Date: Wed, 11 Dec 2019 15:22:56 +0100
Subject: Re: KASAN: use-after-free Read in usbvision_v4l2_open
To: Alan Stern, Dmitry Vyukov
Cc: syzbot, Hans Verkuil, Souptick Joarder, LKML, linux-media@vger.kernel.org, USB list, Mauro Carvalho Chehab, Richard Fontana, syzkaller-bugs, Thomas Gleixner
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 10, 2019 at 9:13 PM Alan Stern wrote:
>
> On Tue, 10 Dec 2019, Andrey Konovalov wrote:
>
> > On Tue, Dec 10, 2019 at 8:48 PM Alan Stern wrote:
> > >
> > > This looks like a race in v4l2_open(): The function drops the
> > > videodev_lock mutex before calling the video driver's open routine, and
> > > the device can be unregistered during the short time between.
> > >
> > > This patch tries to make the race much more likely to happen, for
> > > testing and verification.
> > >
> > > Andrey, will syzbot run the same test with this patch, even though it
> > > says it doesn't have a reproducer?
> >
> > Hi Alan,
> >
> > No, unfortunately there's nothing to run if there's no reproducer.
> > It's technically possible to run the same program log that triggered
> > the bug initially, but since the bug wasn't reproduced with this log
> > even without the patch, there isn't much sense in running it with the
> > patch applied.
>
> Actually it does make sense. That bug was caused by a race, and the
> patch tries to make the race much more likely to happen, so the same
> test should fail again.
>
> But never mind; I'll try a different approach. There's another syzbot
> bug report, one with a reproducer, and with this patch in place it
> should trigger the same race. I'll try submitting it that way.
>
> By the way, do you know why syzbot sent _two_ reply messages? One with
> message ID <00000000000031a0af05995eca0b@google.com> and the other with
> message ID <000000000000441a4205995eca11@google.com>? It seems like
> overkill.

Hm, I'm not sure. Dmitry?
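The race Alan describes, as an added single-threaded C model (not code from the thread or from the kernel; the `usbvision` and `video_device` structs, the racy and checked open variants and the injected disconnect are all simplified assumptions): the core checks registration under videodev_lock, drops it, and only then calls the driver's open, so a disconnect that lands in that gap frees the driver's private data before the driver's open touches it. The checked variant shows the defensive re-check a driver's open would do under its own lock.

```c
#include <errno.h>
#include <stdlib.h>
struct usbvision { int opened; };            /* driver-private state */
struct video_device {
    int registered;                          /* cleared on unregister */
    struct usbvision *priv;                  /* freed by disconnect */
};

/* Disconnect: unregister (with videodev_lock held), then free driver state. */
static void usbvision_disconnect(struct video_device *vdev)
{
    vdev->registered = 0;
    free(vdev->priv);      /* real driver: done under its own lock */
    vdev->priv = NULL;     /* modelled: a real driver leaves a dangling pointer */
}

/* Driver open that trusts the core's earlier check and touches priv directly. */
static int usbvision_open_racy(struct video_device *vdev)
{
    if (!vdev->priv) return -EFAULT;  /* sentinel for the use-after-free read */
    vdev->priv->opened = 1;
    return 0;
}

/* Hardened driver open: re-check registration under the driver's own lock, the lock disconnect frees under. */
static int usbvision_open_checked(struct video_device *vdev)
{
    if (!vdev->registered || !vdev->priv) return -ENODEV;
    vdev->priv->opened = 1;
    return 0;
}

/* Core open as Alan describes it: check registration under videodev_lock,
 * drop the lock, then call the driver. 'race' injects disconnect into the gap. */
static int core_open(struct video_device *vdev,
                     int (*drv_open)(struct video_device *), int race)
{
    if (!vdev->registered) return -ENODEV;   /* checked with videodev_lock held */
    /* videodev_lock dropped here; nothing stops disconnect from running now */
    if (race) usbvision_disconnect(vdev);
    return drv_open(vdev);
}

/* Build a registered device and run one open, with or without the race. */
static int scenario(int hardened, int race)
{
    struct video_device v = { 1, calloc(1, sizeof(struct usbvision)) };
    int ret = core_open(&v, hardened ? usbvision_open_checked : usbvision_open_racy, race);
    free(v.priv);
    return ret;
}
```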