Date: Mon, 23 Mar 2020 07:39:09 +0100
From: Greg KH
To: Kyungtae Kim
Cc: laurentiu.tudor@nxp.com, noring@nocrew.org, chunfeng.yun@mediatek.com, felipe.balbi@linux.intel.com, tweek@google.com, tony@atomide.com, rrangel@chromium.org, m.szyprowski@samsung.com, Dave Tian, linux-usb@vger.kernel.og, syzkaller, LKML
Subject: Re: BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c
Message-ID: <20200323063909.GA129571@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 23, 2020 at 02:16:43AM -0400, Kyungtae Kim wrote:
> We report a bug (in linux-5.5.11) found by FuzzUSB (a modified version
> of syzkaller).
>
> In function usb_hcd_unlink_urb (driver/usb/core/hcd.c:1607), it tries to
> read "urb->use_count". But it seems the instance "urb" was
> already freed (right after urb->dev at line 1597) by the function "urb_destroy"
> in a different thread, which caused a memory access violation.
> To solve this, it may need to check if urb is valid before urb->use_count,
> to avoid such freed-memory access.

Can you send a patch for this?

Do you have a reproducer?

thanks,

greg k-h
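As an added illustration, not code from the report or from the kernel: a constructed user-space C model of the interleaving the report describes (read urb->dev, a concurrent urb_destroy drops the last reference, then read urb->use_count), beside the same sequence run while a reference is held across both accesses, the way the kernel's usb_get_urb()/usb_put_urb() pair is used. The model_ names, the poison flag standing in for free(), and the uaf_hits_for() harness are assumptions of this model.

```c
#include <stdlib.h>

/* Constructed stand-in for struct urb: a kref-like refcount plus the two
 * fields the report names. Instead of free(), the last put sets a poison
 * flag so a read after release is observable (like a KASAN report). */
struct model_urb {
    int refcount;   /* object is released when this reaches 0 */
    int use_count;  /* in-flight count that unlink reads */
    int dev_id;     /* stands in for urb->dev */
    int freed;      /* poison flag set by the urb_destroy stand-in */
};

static int g_uaf_hits;  /* number of reads that touched a released object */

static struct model_urb *model_alloc(int dev_id) {
    struct model_urb *u = calloc(1, sizeof *u);
    u->refcount = 1; u->use_count = 1; u->dev_id = dev_id;
    return u;
}
static void model_get(struct model_urb *u) { u->refcount++; }
/* urb_destroy stand-in: poison instead of free so the test can detect it. */
static void model_put(struct model_urb *u) { if (--u->refcount == 0) u->freed = 1; }
static int read_field(struct model_urb *u, int val) { if (u->freed) g_uaf_hits++; return val; }
static void drop_last_ref(struct model_urb *u) { model_put(u); }  /* "other thread" */

typedef void (*interleave_fn)(struct model_urb *);

/* Sequence as reported: urb->dev is read, the other thread releases the
 * object, then urb->use_count is read from released memory. */
static int unlink_racy(struct model_urb *u, interleave_fn other_thread) {
    int dev = read_field(u, u->dev_id);
    other_thread(u);                       /* concurrent urb_destroy */
    int in_use = read_field(u, u->use_count);
    return dev && in_use;
}
/* Same sequence with a reference taken before the first access and
 * dropped after the last one, so the other thread's put cannot release it. */
static int unlink_safe(struct model_urb *u, interleave_fn other_thread) {
    model_get(u);
    int dev = read_field(u, u->dev_id);
    other_thread(u);
    int in_use = read_field(u, u->use_count);
    model_put(u);
    return dev && in_use;
}
/* Harness: run one unlink variant against the interleaving, report hits. */
int uaf_hits_for(int (*unlink)(struct model_urb *, interleave_fn)) {
    g_uaf_hits = 0;
    struct model_urb *u = model_alloc(7);
    unlink(u, drop_last_ref);
    free(u);   /* the model only poisoned it; release the memory for real */
    return g_uaf_hits;
}
```

The reference only helps when it is taken while the object is still guaranteed alive, i.e. before the interleaving point; a validity check performed after the concurrent release cannot tell a freed (and possibly reused) object from a live one.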