From: Oliver Neukum <oneukum@suse.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Pete Zaitcev <zaitcev@redhat.com>,
Hillf Danton <hdanton@sina.com>,
syzbot <syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com>,
andreyknvl@google.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in usblp_bulk_read
Date: Sat, 25 Apr 2020 19:31:21 +0200
Message-ID: <1587835881.19130.3.camel@suse.com>
In-Reply-To: <Pine.LNX.4.44L0.2004231213260.20147-100000@netrider.rowland.org>
[-- Attachment #1: Type: text/plain, Size: 521 bytes --]
On Thursday, 23.04.2020, at 12:29 -0400, Alan Stern wrote:
> On Thu, 23 Apr 2020, Oliver Neukum wrote:
> The only suspicious thing I see is that usblp_resume() calls
> handle_bidir() without first acquiring any mutex. But resume shouldn't
> race with disconnect.
Right.
> The only other place where read URBs get submitted is under
> usblp_read(), which does acquire the mutex
Right.
> and checks for disconnection
> while holding it.
Where? It should, but I do not see where it does so.
Regards
Oliver
[-- Attachment #2: 0001-usblp-fix-race-between-disconnect-and-read.patch --]
[-- Type: text/x-patch, Size: 1022 bytes --]
From 89db5232b4df56972d284c12fd1bb8e44fb81e7d Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 22 Apr 2020 13:14:25 +0200
Subject: [PATCH] usblp: fix race between disconnect() and read()
read() needs to check whether the device has been
disconnected before it tries to talk to the device.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com
---
drivers/usb/class/usblp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index 0d8e3f3804a3..fbc8298c5f84 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -826,6 +826,11 @@ static ssize_t usblp_read(struct file *file, char __user *buffer, size_t len, lo
if (rv < 0)
return rv;
+ if (!usblp->present) {
+ count = -ENODEV;
+ goto done;
+ }
+
if ((avail = usblp->rstatus) < 0) {
printk(KERN_ERR "usblp%d: error %d reading from printer\n",
usblp->minor, (int)avail);
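Review bot: The new `if (!usblp->present)` test is only meaningful if `present` is read under the same mutex that disconnect() holds when it clears the flag, and neither the hunk nor the commit message says so. The preceding error path leaves with a bare `return rv` while the new one uses `goto done`, which implies the lock is held once `rv >= 0`; please state that in the commit message or in a comment above the check, and confirm that `done` drops the lock. The commit message should also explain how a check on entry to read() covers the report in the subject line, since usblp_bulk_read is where the use-after-free read was flagged and the thread has not yet settled whether usblp_read() already checks for disconnection.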
--
2.16.4