Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp3529795pxp;
        Tue, 8 Mar 2022 16:43:52 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyGxn4Qsd+dlj/a3101qwV4fmJp9RyBfrvW8M5xyLM2vWa3sMc3PxLVaxpes74v28zxtoGU
X-Received: by 2002:a17:903:1208:b0:151:93fd:d868 with SMTP id l8-20020a170903120800b0015193fdd868mr20430318plh.121.1646786631706;
        Tue, 08 Mar 2022 16:43:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1646786631; cv=none;
        d=google.com; s=arc-20160816;
        b=QeILkb208cFCvIFMWtMGkojP2WbCnGPoNg5X3tG/+BWMJseF4vzAnljS0T5flp2OwW
         S6ONLAiHCm/D4mPxuRwyoticiCZKarYzk3bVPeXY5ZWhvcSsbWUe/tVzXpaLo8EwT1d3
         jsYFyJoQ3ZxD5VQpohEZxXPhKgYoitRXufCh20eHRsyxRjiu+FwInlnaskD6XPWtDUNZ
         glOlgI5fe616WRJkdlJln7oOPCHwxXyMSjxdwRT6PEl1nl972/mBLxNBkLeb5xVoW9bu
         hMbex9KMD7pZHMNJlC5Qq4pc/JRp8I2Wlad7D8K+7/cP+PfRFto69gKpwtrry65mQyh9
         +qJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:from:references:to:content-language
         :subject:user-agent:mime-version:date:message-id:dkim-signature;
        bh=AyFkmnjwJtbQ1OUH9crr4u8t2jQPuRzriml4H+F7bdA=;
        b=oIK6tc6mrWEWDylA2lm3p76d9B7yDqiGiuwCiG4ABnwWtzSTU+ywSXS0c06HisiCOZ
         nDZo6lQ2BUr54A/IpS0zTwXlO45jP8BcsWCuMSrEFStzEmgO4zF/ZRogYbA5I/DiPFQJ
         FkHE6nYlAMxb6CSCY2maYxzZr/UP+7l+JceuuXEAEUKxCmCPqv9v9aWiAs4u5gJDc46x
         DY0sOYcDJoNeKmGzGjS1lLdMlhpnWHJDp3MEywg5kGvujdFx81d6fV3p17rfz5tyrIQY
         KawPDWHEChBwnrZbYPlDw8fiJn0qBXwsMEI+BYr1dqMbIIoIvNfsc4oRHRrLBIYToTSV
         6a8A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=hcO3uWvu;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id i23-20020a635417000000b00342b1567fd9si360059pgb.238.2022.03.08.16.43.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 08 Mar 2022 16:43:51 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=hcO3uWvu;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id CCDE6139803;
	Tue,  8 Mar 2022 15:58:38 -0800 (PST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1348288AbiCHSNi (ORCPT <rfc822;antony.sucheston@gmail.com>
        + 99 others); Tue, 8 Mar 2022 13:13:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55548 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1349456AbiCHSNe (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Mar 2022 13:13:34 -0500
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7521713DD6;
        Tue,  8 Mar 2022 10:12:35 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id r20so26189767ljj.1;
        Tue, 08 Mar 2022 10:12:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :references:from:in-reply-to;
        bh=AyFkmnjwJtbQ1OUH9crr4u8t2jQPuRzriml4H+F7bdA=;
        b=hcO3uWvue8jZ/iVqW8aY5eERrVsXQR9fgGe0TtHu3uqRLTPh0vWmvUMKQiyDVNj/jR
         ctnCJfDgxyX0ztygx2CjrUdd5ZIzYG6wjWF9kCxaUDchn3oMlfRDDMKW+omRBHaE4qRy
         HTPiWt1FIBidhuNdN98BJFDlGggGIl+gtifwoQt1k1wALMsHW7ak9XwOSLZOCXJU6Cpz
         BQavlzzlpnkvGr74/ezLl1pQYONXVT5tU1s6zDAgGwk82pT7VGnXnfhudI+9+SQQxrAp
         jKo+VhOjER7liu0zPim+ut8eJfsOXmhh3W8xOCvrp7yblGxb4R4Jydxz8iPim/owCtO2
         fOmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:references:from:in-reply-to;
        bh=AyFkmnjwJtbQ1OUH9crr4u8t2jQPuRzriml4H+F7bdA=;
        b=fqvDD5nn12olUzeqzA7NME766rR9v4V1Vp+ZafO3yD8g4Ns38Z1hGItuvgDKTGu1jZ
         23XNO+YvYq5rhABc02iNOBto/c1jInXNskrYT7yE1VEa3Y/VhZyKJixw/CLcLloyk+it
         81MdG32l8ar6aLqly8ylwOiXTvi1l3h2ir/ROC/S9OLgnqg2zJwHAVo767REeKhki5PP
         qOVSyTqrKWI6O+PXQcZO4w3eb6re4yAfMW7N+0MT6vvP6oYYp1twIs0As4bc9gFy1PqR
         dGIKISK7dZ0oEfeIsPW54Rzl0WkRxPq1/0afjuDnrtSqF1nkMAwj+DjzBkMgunrh+db9
         BChw==
X-Gm-Message-State: AOAM530xDIDfG8t237HLWZGuwCgMa70Ftp4JgR3lTep7d2eeynDkXlQZ
        O0ZkS99N0eKEyQ6gnwUfLAM=
X-Received: by 2002:a2e:3911:0:b0:246:3fec:bb3e with SMTP id g17-20020a2e3911000000b002463fecbb3emr11495221lja.337.1646763150820;
        Tue, 08 Mar 2022 10:12:30 -0800 (PST)
Received: from [192.168.1.11] ([94.103.229.107])
        by smtp.gmail.com with ESMTPSA id bt23-20020a056512261700b00443e7fa1c26sm3609793lfb.261.2022.03.08.10.12.29
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 08 Mar 2022 10:12:30 -0800 (PST)
Content-Type: multipart/mixed; boundary="------------0kTuiRdFeR90XioQw3UoZwvE"
Message-ID: <ef9d2a7e-932b-9389-ce4c-82b9d74952c8@gmail.com>
Date:   Tue, 8 Mar 2022 21:12:28 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.1
Subject: Re: [syzbot] KASAN: use-after-free Read in port100_send_complete
Content-Language: en-US
To:     syzbot <syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com>,
        krzysztof.kozlowski@canonical.com, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000cb6dd805d9b8cbb8@google.com>
From:   Pavel Skripkin <paskripkin@gmail.com>
In-Reply-To: <000000000000cb6dd805d9b8cbb8@google.com>
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,
	RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This is a multi-part message in MIME format.
--------------0kTuiRdFeR90XioQw3UoZwvE
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 3/8/22 21:03, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    38f80f42147f MAINTAINERS: Remove dead patchwork link
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14b0d321700000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=542b2708133cc492
> dashboard link: https://syzkaller.appspot.com/bug?extid=16bcb127fb73baeecb14
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14a63d21700000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17d21be1700000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com
> 
> port100 5-1:0.0: NFC: Urb failure (status -71)
> ==================================================================
> BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
> Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26

We need to kill urbs on disconnect, since urbs callbacks they may access 
freed memory

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master




With regards,
Pavel Skripkin
--------------0kTuiRdFeR90XioQw3UoZwvE
Content-Type: text/plain; charset=UTF-8; name="ph"
Content-Disposition: attachment; filename="ph"
Content-Transfer-Encoding: base64

ZGlmZiAtLWdpdCBhL2RyaXZlcnMvbmZjL3BvcnQxMDAuYyBiL2RyaXZlcnMvbmZjL3BvcnQx
MDAuYwppbmRleCBkN2RiMWEwZTZiZTEuLjAwZDhlYTZkY2I1ZCAxMDA2NDQKLS0tIGEvZHJp
dmVycy9uZmMvcG9ydDEwMC5jCisrKyBiL2RyaXZlcnMvbmZjL3BvcnQxMDAuYwpAQCAtMTYx
Miw3ICsxNjEyLDkgQEAgc3RhdGljIGludCBwb3J0MTAwX3Byb2JlKHN0cnVjdCB1c2JfaW50
ZXJmYWNlICppbnRlcmZhY2UsCiAJbmZjX2RpZ2l0YWxfZnJlZV9kZXZpY2UoZGV2LT5uZmNf
ZGlnaXRhbF9kZXYpOwogCiBlcnJvcjoKKwl1c2Jfa2lsbF91cmIoZGV2LT5pbl91cmIpOwog
CXVzYl9mcmVlX3VyYihkZXYtPmluX3VyYik7CisJdXNiX2tpbGxfdXJiKGRldi0+b3V0X3Vy
Yik7CiAJdXNiX2ZyZWVfdXJiKGRldi0+b3V0X3VyYik7CiAJdXNiX3B1dF9kZXYoZGV2LT51
ZGV2KTsKIAo=

--------------0kTuiRdFeR90XioQw3UoZwvE--