Date: Thu, 17 Aug 2023 10:12:52 -0400
From: Alan Stern
To: Oliver Neukum
Cc: syzbot, arnd@arndb.de, christian.brauner@ubuntu.com, gregkh@linuxfoundation.org, hdanton@sina.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, mpe@ellerman.id.au, oleg@redhat.com, syzkaller-bugs@googlegroups.com, web@syzkaller.appspotmail.com
Subject: Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
Message-ID: <6c58e18b-1a66-4853-af33-17bc6f9f7ebd@rowland.harvard.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 17, 2023 at 02:16:26PM +0200, Oliver Neukum wrote:
> On 12.08.23 17:56, Alan Stern wrote:
> Hi,
> > The real problem seems to be some sort of race in usbtmc and the core
> > between URBs being added to an anchor, file I/O being stopped, and URBs
> > being killed or scuttled when the file is flushed.
>
> just to make sure, you think it is failing here:
>
> usb_anchor_resume_wakeups(anchor);

That's what the syzbot console log output shows in the stack dump.

> because we cannot guarantee that the anchor pointer
> is still valid,

That's my conclusion. There don't seem to be any other candidates for a
bad pointer.

> unless we refcount anchors, which would
> make embedding them impossible?

Whether the validity is ensured by refcounting or by some other
mechanism is up to the implementor (i.e., you). I'm merely trying to
restate and explain the syzbot results in terms understandable by
humans.

Alan Stern
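
The refcounting option raised in the thread, as an added single-threaded userspace model (not kernel code and not written by either participant): the anchor is allocated separately and pinned by each in-flight URB, so it can outlive the per-file structure, which is why it could no longer be embedded. All type and function names are hypothetical, and the plain `int` counter is an assumption that stands in for an atomic reference count.

```c
#include <stdlib.h>
/* Userspace model, hypothetical names; not the kernel's usb_anchor code. */
static int anchors_freed;                  /* counts real frees, for checking */
struct anchor { int refs; int suspend_wakeups; };
struct file_data { struct anchor *submitted; };   /* pointer, not embedded */
static struct anchor *anchor_get(struct anchor *a) { a->refs++; return a; }
static void anchor_put(struct anchor *a)
{
    if (--a->refs == 0) { anchors_freed++; free(a); }  /* last owner frees */
}

static struct file_data *file_open(void)
{
    struct file_data *fd = calloc(1, sizeof(*fd));
    struct anchor *a = calloc(1, sizeof(*a));
    if (!fd || !a) { free(fd); free(a); return NULL; }
    fd->submitted = a; a->refs = 1;        /* the file's own reference */
    return fd;
}

/* File flushed/closed: drops only the file's reference, then frees fd. */
static void file_release(struct file_data *fd)
{
    anchor_put(fd->submitted);
    free(fd);
}

/* Completion path: writes to the anchor, so it must still be allocated. */
static void urb_complete(struct anchor *a)
{
    a->suspend_wakeups++;                  /* models usb_anchor_suspend_wakeups() */
    a->suspend_wakeups--;                  /* models usb_anchor_resume_wakeups() */
    anchor_put(a);                         /* the URB's reference goes last */
}

/* Release the file while a URB is in flight, then complete the URB. */
int frees_after_release_then_complete(int *frees_after_release)
{
    struct file_data *fd = file_open();
    if (!fd) return -1;
    anchors_freed = 0;
    struct anchor *urb_anchor = anchor_get(fd->submitted); /* URB takes a ref */
    file_release(fd);
    *frees_after_release = anchors_freed;  /* 0: the URB still pins the anchor */
    urb_complete(urb_anchor);
    return anchors_freed;                  /* 1: freed once, after last user */
}

int main(void) { int mid; return frees_after_release_then_complete(&mid) != 1 || mid != 0; }
```

Had `struct anchor` been embedded in `struct file_data`, the `free(fd)` in `file_release()` would release the anchor's memory while the URB still pointed at it, and the writes in `urb_complete()` would land in freed memory.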