X-Received: by 2002:a17:90b:3a85:b0:1b5:58c8:6d87 with SMTP id om5-20020a17090b3a8500b001b558c86d87mr11930694pjb.192.1645663284075; Wed, 23 Feb 2022 16:41:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645663284; cv=none; d=google.com; s=arc-20160816; b=bNgZrLtyn0rUpvul9f4Vd6oT9utB2vPpZRY6kCOmZ6Vl+YDA28M2+/itAolXBYnFgW t3+93B9crS0+hWn6/IDNQaXDYOt6fxdi/MrdK8EaXjSX9oz8OhYYrB6PjUI0a3R1ACo8 DacVYUaPNfMEUtkw6ATIu6hisrN5UmXkzRdCBnbRTnAOdJttLbsW39imbz9Hi2hhxjB+ SCBgM/ab5ytGf2kVwjNZMmn5qqUuNYaw6F7PbzWZ7NuNSKyWtEKx8azbRXhAjh+tj4Jg 7bhd9jJnmnDbQ9gylR4jowEsjHRUk6c4JwtGkfSeEcDd4JUB48X6qq8sqgQJN+PqVJnh NOog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=h4F6EqNmXyMog9eBsDT+0xdIbyW8wnpX/ECqudC1X0Q=; b=tp6I7Jw3C6ryKoRYKENElRs/RGO/io1Sw0PB3skqmXzzam7OWJSdKpkHrSudq6qdTY tcvr5qOzrrV1M6lEjjKxM+igBJRHtohYcIloa9sN5LMEfcl3FLs5dGv6RgcWVlLyS+zQ unesQz7BTlxN+XGGrMcVgcZNnpR2dvMRx/W7i+zy0djmgoBRa75i7sFL75ztgRvQpXQb A3gTAY6wOhU+rt0HKfzW56xsMr27IDbCasgCQM1Qf5w8SSzM9ZX0Ep+/mmBNtQEGr9/z jYUBjTHkPjGWWquVtjXKJ0+SB3TSqYB/1PMBGnjxhjISy/WHCyKMIapxnDPmJONZVUgp I7GQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id m16si992744pfh.28.2022.02.23.16.41.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 16:41:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C75C1BB56D; Wed, 23 Feb 2022 16:38:52 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242835AbiBWQff (ORCPT + 99 others); Wed, 23 Feb 2022 11:35:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242829AbiBWQfZ (ORCPT ); Wed, 23 Feb 2022 11:35:25 -0500 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 5E382532F6 for ; Wed, 23 Feb 2022 08:34:57 -0800 (PST) Received: (qmail 1012990 invoked by uid 1000); 23 Feb 2022 11:34:56 -0500 Date: Wed, 23 Feb 2022 11:34:56 -0500 From: "stern@rowland.harvard.edu" To: "gregkh@linuxfoundation.org" Cc: "Zhang, Qiang1" , syzbot , "linux-kernel@vger.kernel.org" , "rafael@kernel.org" , "syzkaller-bugs@googlegroups.com" , "balbi@kernel.org" Subject: Re: [syzbot] KASAN: use-after-free Read in dev_uevent Message-ID: References: <0000000000005a991a05a86970bb@google.com> <00000000000033314805d8765175@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 23, 2022 at 05:00:12PM +0100, gregkh@linuxfoundation.org wrote: > On Wed, Feb 23, 2022 at 09:38:20AM -0500, stern@rowland.harvard.edu wrote: > > Which bus locks are you referring to? I'm not aware of any locks that > > synchronize dev_uevent() with anything (in particular, with driver > > unbinding). > > The locks in the driver core that handle the binding and unbinding of > drivers to devices. > > > And as far as I know, usb_gadget_remove_driver() doesn't play any odd > > tricks with pointers. > > Ah, I never noticed that this is doing a "fake" bus and does the > bind/unbind itself outside of the driver core. It should just be a > normal bus type and have the core do the work for it, but oh well. > > And there is a lock that should serialize all of this already, so it's > odd that this is able to be triggered at all. I guess at a minimum the UDC core should hold the device lock when it registers, unregisters, binds, or unbinds UDC and gadget devices. Would that be enough to fix the problem? I really don't understand how sysfs file access gets synchronized with device removal. > Unless the device is being removed at the same time it was manually > unbound from the driver? If so, then this really should be fixed up to > use the driver core logic instead... Device removal does of course trigger unbinding, but they always take place in the same thread so it isn't an issue. Probably part of the reason people don't want to use the driver core here is so that they can specify which UDC a gadget driver should bind to. The driver core would always bind each new gadget to the first registered gadget driver. When Dave Brownell originally wrote the gadget subsystem, I believe he didn't bother to integrate it with the driver core because it was a "bus" with only a single device and a single driver. The ability to have multiple UDCs in the system was added later. Alan Stern