Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp1949857ybz; Thu, 30 Apr 2020 08:15:57 -0700 (PDT) X-Google-Smtp-Source: APiQypItEGMb/PVlkPWujHd3NpklZV9haeHQBBBlNOgS9xdoa4O6b8r3IJX0K264YwPjnTycHQB4 X-Received: by 2002:a17:906:fcb7:: with SMTP id qw23mr3095309ejb.256.1588259757082; Thu, 30 Apr 2020 08:15:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588259757; cv=none; d=google.com; s=arc-20160816; b=prGYoI8e07Hjk61YHEiET2i2gDysG0X+k7UdB7k9o9bUsToaFr+RtIE+SwjDJr5AYM rnolCBNsOCbVc7fCrW0vcCYTkoLGOm4glkDa2FAF1QpvmNS9TD9hRSU7aP9B5HUW/287 TMZSNNDDkBmPGpvgFgC7Xo5SiCjO3qtC6lXqy+7vybEFfunXmo+WozcDMr+38M294mpM 09DrsQHpI5HByIlanDP592XFcoEu8I+1smffY5i/VWQoKFBv0skUVAtboB9FQCDGNfDO iWTDZTg4i1KK9ATe8prbBpo7xee99lzMzQiQ2BmFk8FiGUrkOMr/Ej1D15XJjaCTK9MD fw+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=rQghCfdmSw1IuAYABWmrALy2y3TieWxPY5gBILGWSOQ=; b=SueHh1wxNIC+bu8c7l0Y+1Qe5qcBf54v2BTJAEeS+BHJZLDmngcUIntHFdQdKrsYPn bODfpM7+ByzlSpS1DLCi812WOJzJcUIuSj2H7nkFrnXpI4T9BQXwgPj2d0P9cS3OJZIC cjf2+0biMJLyE8D3VEZ0DwHuUr4J/NJvgYeLkTTafZyiDHfoq4EjvdjTrNTSzZGnJwS4 DU7NLuP2puwufN/i0zRpXUVw5J7OQSQUqNzTYRrYAC3aSFRwkPgN050nyYffYIHwq2XY uGwmCQ91wOyrT8GheFgJPcVFTdlo26rFjohzt/ucj/B+5WEuP10iB4gUnizsPizAAAcH yF1g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o6si5838637ejb.97.2020.04.30.08.15.31; Thu, 30 Apr 2020 08:15:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726891AbgD3PL5 (ORCPT + 99 others); Thu, 30 Apr 2020 11:11:57 -0400 Received: from netrider.rowland.org ([192.131.102.5]:34861 "HELO netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726620AbgD3PL4 (ORCPT ); Thu, 30 Apr 2020 11:11:56 -0400 Received: (qmail 1363 invoked by uid 500); 30 Apr 2020 11:11:55 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 30 Apr 2020 11:11:55 -0400 Date: Thu, 30 Apr 2020 11:11:55 -0400 (EDT) From: Alan Stern X-X-Sender: stern@netrider.rowland.org To: Oliver Neukum cc: syzbot , , , , , , Subject: Re: KASAN: use-after-free Read in usblp_bulk_read In-Reply-To: <1588238283.16510.11.camel@suse.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 30 Apr 2020, Oliver Neukum wrote: > Am Dienstag, den 21.04.2020, 08:35 -0700 schrieb syzbot: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker.. > > git tree: https://github.com/google/kasan.git usb-fuzzer > > console output: https://syzkaller.appspot.com/x/log.txt?x=126f75d7e00000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=6b9c154b0c23aecf > > dashboard link: https://syzkaller.appspot.com/bug?extid=be5b5f86a162a6c281e6 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > > Unfortunately, I don't have any reproducer for this crash yet. > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com > > > > usblp0: nonzero read bulk status received: -71 > > OK, we have this report and nobody understands it. If I may summarize: > > 1. We do not conclusively know how the URB was submitted > 2. We are clear about which memory was freed and accessed > 3. We agree that the URB should have been unlinked Or should not have been submitted. > Do we agree on what we agree on? > > Theories: > > A. There is a race that would allow disconnect() and resume() to run > concurrently > > B. There is a race in usblp which affects 'used' > > C. There is a bug in the virtual driver that can make unlinking an URB > fail > > What do you think? How to investigate this further and is it worth it? > Do we have documentation on what KASAN does? KASAN is documented. The difficulty is that this race is obviously hard to trigger, and without the ability to reproduce it we can't run diagnostics to find the underlying cause. We can't even ask syzbot to try running tests for us; without a valid reproducer it won't agree to rerun the original test program. Alan Stern