Re: KASAN: use-after-free Read in usblp_bulk_read

linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Oliver Neukum <oneukum@suse.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com>,
	andreyknvl@google.com, gregkh@linuxfoundation.org,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, zaitcev@redhat.com
Subject: Re: KASAN: use-after-free Read in usblp_bulk_read
Date: Wed, 06 May 2020 11:14:42 +0200	[thread overview]
Message-ID: <1588756482.13662.20.camel@suse.com> (raw)
In-Reply-To: <Pine.LNX.4.44L0.2004301103500.27217-100000@netrider.rowland.org>

[-- Attachment #1: Type: text/plain, Size: 569 bytes --]

Am Donnerstag, den 30.04.2020, 11:11 -0400 schrieb Alan Stern:

> KASAN is documented.  The difficulty is that this race is obviously 
> hard to trigger, and without the ability to reproduce it we can't run 
> diagnostics to find the underlying cause.
> 
> We can't even ask syzbot to try running tests for us; without a valid 
> reproducer it won't agree to rerun the original test program.


Very well. We are not going to find it without exceptional luck. Yet
there may be a real issue, too. We simply do not know. How about the
attached patch?

	Regards
		Oliver



[-- Attachment #2: 0001-usblp-poison-URBs-upon-disconnect.patch --]
[-- Type: text/x-patch, Size: 1239 bytes --]

From 5ed23e0029cf10cf8dbdd790a190d7e2113560ae Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 6 May 2020 11:05:41 +0200
Subject: [PATCH] usblp: poison URBs upon disconnect

syzkaller reported an UB that should have been killed to be active.
We do not understand it, but this should fix the issue if it is real.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/class/usblp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index 0d8e3f3804a3..084c48c5848f 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -468,7 +468,8 @@ static int usblp_release(struct inode *inode, struct file *file)
 	usb_autopm_put_interface(usblp->intf);
 
 	if (!usblp->present)		/* finish cleanup from disconnect */
-		usblp_cleanup(usblp);
+		usblp_cleanup(usblp);	/* any URBs must be dead */
+
 	mutex_unlock(&usblp_mutex);
 	return 0;
 }
@@ -1375,9 +1376,11 @@ static void usblp_disconnect(struct usb_interface *intf)
 
 	usblp_unlink_urbs(usblp);
 	mutex_unlock(&usblp->mut);
+	usb_poison_anchored_urbs(&usblp->urbs);
 
 	if (!usblp->used)
 		usblp_cleanup(usblp);
+
 	mutex_unlock(&usblp_mutex);
 }
 
-- 
2.16.4

next prev parent reply	other threads:[~2020-05-06  9:15 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-21 15:35 KASAN: use-after-free Read in usblp_bulk_read syzbot
     [not found] ` <20200422032323.8536-1-hdanton@sina.com>
2020-04-23  5:10   ` Pete Zaitcev
2020-04-23 11:13     ` Oliver Neukum
2020-04-23 16:29       ` Alan Stern
2020-04-25 17:31         ` Oliver Neukum
2020-04-25 18:12           ` Alan Stern
2020-04-30  9:18 ` Oliver Neukum
2020-04-30 15:11   ` Alan Stern
2020-05-06  9:14     ` Oliver Neukum [this message]
2020-05-06 14:08       ` Alan Stern
2020-05-06 16:47       ` Pete Zaitcev
2020-05-06 20:09         ` Alan Stern

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0d8e3f3804a dfblob:084c48c5848 )
 OR (
bs:"usblp: poison URBs upon disconnect" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1588756482.13662.20.camel@suse.com \
    --to=oneukum@suse.com \
    --cc=andreyknvl@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=zaitcev@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).