Date: Sat, 25 Apr 2020 14:12:42 -0400 (EDT)
From: Alan Stern
To: Oliver Neukum
cc: Pete Zaitcev, Hillf Danton, syzbot
Subject: Re: KASAN: use-after-free Read in usblp_bulk_read
In-Reply-To: <1587835881.19130.3.camel@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 25 Apr 2020, Oliver Neukum wrote:

> On Thursday, 23.04.2020, at 12:29 -0400, Alan Stern wrote:
> > On Thu, 23 Apr 2020, Oliver Neukum wrote:
>
> > The only suspicious thing I see is that usblp_resume() calls
> > handle_bidir() without first acquiring any mutex.  But resume shouldn't
> > race with disconnect.
>
> Right.
>
> > The only other place where read URBs get submitted is under
> > usblp_read(), which does acquire the mutex
>
> Right.
>
> > and checks for disconnection
> > while holding it.
>
> Where? It should, but I do not see where it does so.

usblp_read() calls usblp_rwait_and_lock(), which calls usblp_rtest(),
which returns -ENODEV if usblp->present is clear.

Alan Stern
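
The check described in the reply above (take the mutex, test the presence flag, return -ENODEV if it is clear), shown as an added userspace model; it is not part of the original message and is not the usblp driver's code. The names struct dev, dev_new(), dev_rtest(), dev_read() and dev_disconnect() are hypothetical, and a pthread mutex stands in for the driver's mutex.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-in for per-device driver state (not struct usblp). */
struct dev {
    pthread_mutex_t mut; /* serializes the read path against disconnect */
    int present;         /* cleared by disconnect while holding mut */
    char *readbuf;       /* released by disconnect */
};

struct dev *dev_new(void)
{
    struct dev *d = calloc(1, sizeof(*d));

    if (!d || !(d->readbuf = malloc(64))) {
        free(d);
        return NULL;
    }
    pthread_mutex_init(&d->mut, NULL);
    d->present = 1;
    return d;
}

/* Presence test; the caller must hold d->mut. */
static int dev_rtest(struct dev *d) { return d->present ? 0 : -ENODEV; }

/* Read path: take the mutex, test presence, only then touch the buffer. */
int dev_read(struct dev *d)
{
    int rc;

    pthread_mutex_lock(&d->mut);
    rc = dev_rtest(d);
    if (rc == 0)
        d->readbuf[0] = 0; /* disconnect cannot free it while mut is held */
    pthread_mutex_unlock(&d->mut);
    return rc;
}

/* Disconnect path: clear the flag and release the buffer under the same mutex. */
void dev_disconnect(struct dev *d)
{
    pthread_mutex_lock(&d->mut);
    d->present = 0;
    free(d->readbuf);
    d->readbuf = NULL;
    pthread_mutex_unlock(&d->mut);
}
```

Because the flag is both cleared and tested under the same mutex, a read that starts after disconnect fails with -ENODEV before it reaches the released buffer.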