From: Johan Hovold <johan@kernel.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Johan Hovold <johan@kernel.org>,
syzbot <syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com>,
Andrey Konovalov <andreyknvl@google.com>,
dmg@turingmachine.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
LKML <linux-kernel@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: use-after-free Read in adu_disconnect
Date: Fri, 20 Sep 2019 16:31:42 +0200 [thread overview]
Message-ID: <20190920143142.GR30545@localhost> (raw)
In-Reply-To: <CACT4Y+a18nm92r889vJNrwq2518FYMV-cOqiKPQ53VwqwK0oMA@mail.gmail.com>
On Fri, Sep 20, 2019 at 12:08:30PM +0200, Dmitry Vyukov wrote:
> On Fri, Sep 20, 2019 at 12:02 PM Johan Hovold <johan@kernel.org> wrote:
> >
> > On Fri, Sep 20, 2019 at 02:20:00AM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: use-after-free Read in adu_interrupt_in_callback
> > This looks like a separate issue, which should be fixed by a separate
> > patch. Not sure how to tell syzbot that. Dmitry?
>
> There is no way, but also no need. There is nothing it can do with that info.
> If you think it's a separate one and you fixed the first one, mail the
> patch with the first fix.
> Optionally, you can fix the second one as well, and then ask it to
> test a patch with 2 fixes (but you will need either to squash them or
> point to a git tree with both commits).
>
> > There's is indeed another bug in the driver, which could lead to crashes
> > in the completion handler after clearing the struct usb_device pointer,
> > but possibly also to the above use-after-free if a new device is probed
> > immediately after a disconnect.
> >
> > The below patch addresses both bugs, let's see if that helps.
> >
> > #syz test: https://github.com/google/kasan.git e96407b4
Ok, so I was using an old syzbot kernel from when this was first
reported and apparently hit a second issue which had since been fixed by
Alan.
I was starring at usb-next and couldn't see how it was possible to
trigger this, but that code had Alan's fix 303911cfc5b9 ("USB: core: Fix
races in character device registration and deregistraion").
Guess I had to bitten by this to learn the syzbot interface. ;)
Johan
next prev parent reply other threads:[~2019-09-20 14:31 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-05 11:58 KASAN: use-after-free Read in adu_disconnect syzbot
2019-08-09 20:24 ` syzbot
2019-09-19 10:35 ` Johan Hovold
2019-09-19 10:53 ` syzbot
2019-09-20 8:26 ` Johan Hovold
2019-09-20 9:02 ` syzbot
2019-09-20 9:08 ` Johan Hovold
2019-09-20 9:13 ` Dmitry Vyukov
2019-09-20 9:21 ` Johan Hovold
2019-09-20 9:28 ` Dmitry Vyukov
2019-09-20 9:35 ` Johan Hovold
2019-09-20 10:05 ` Dmitry Vyukov
2019-09-20 9:20 ` syzbot
2019-09-20 10:02 ` Johan Hovold
2019-09-20 10:08 ` Dmitry Vyukov
2019-09-20 10:16 ` Andrey Konovalov
2019-09-20 14:31 ` Johan Hovold [this message]
2019-09-20 10:21 ` syzbot
2019-09-20 14:38 ` Johan Hovold
2019-09-20 14:58 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190920143142.GR30545@localhost \
--to=johan@kernel.org \
--cc=andreyknvl@google.com \
--cc=dmg@turingmachine.org \
--cc=dvyukov@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.