Date: Sun, 24 May 2026 10:30:53 +0200
From: Michal Pecio
To: Joseph Bursey
Cc: syzbot, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in iowarrior_write_callback (2)
Message-ID: <20260524103053.308501de.michal.pecio@gmail.com>
In-Reply-To: <32c79569-8001-48d2-9675-b38b1670f285@uci.edu>
References: <6a0ce39b.170a0220.39a13.0007.GAE@google.com> <32c79569-8001-48d2-9675-b38b1670f285@uci.edu>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 22 May 2026 13:38:40 -0700, Joseph Bursey wrote:
> Hello, I believe I have a reproducer for this bug using a combination
> of syz-execprog and eBPF programs.

Hi, could you check if this patch (compile tested only) fixes it?

I admit I'm not an expert on USB core, but I see nothing _reliably_
preventing URB submissions after usb_disable_interface(), which may be
the root cause of this bug (besides the driver sloppiness for which
separate patches have been posted by Johan Hovold).

My patch tries to fix it by updating ep->enabled under a spinlock which
will be held while checking this flag on submission attempts.

Such a bug is trouble not only for sloppy drivers, but also for HCDs
which assume that no URBs exist while endpoints are being "dropped".
Syzbot and you apparently found ways to break this assumption:

static int usb_unbind_interface(struct device *dev)
{
[...]
	/*
	 * Terminate all URBs for this interface unless the driver
	 * supports "soft" unbinding and the device is still present.
	 */
	if (!driver->soft_unbind || udev->state == USB_STATE_NOTATTACHED)
		usb_disable_interface(udev, intf, false);

	// no URBs should be pending on these endpoints now

	driver->disconnect(intf);

	// but one is observed completing concurrently now

I also suspect that more UAF in sloppy drivers is possible due to
usb_hcd_flush_endpoint() failing to wait for pending BH givebacks.
It seems that dummy-hcd doesn't use HCD_BH, so this shouldn't be
a factor here, but it could become an issue on real hardware.

As long as resubmission is prevented reliably, this won't affect HCDs,
but it may cause UAF in buggy class drivers.

---
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index b181b43a35dc..4fee30101e96 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -1958,6 +1958,15 @@ int usb_hcd_alloc_bandwidth(struct usb_device *udev, return ret; } +void usb_hcd_set_endpoint_enabled(struct usb_host_endpoint *ep, int enabled) +{ + unsigned long flags; + + spin_lock_irqsave(&hcd_urb_list_lock, flags); + ep->enabled = enabled; + spin_unlock_irqrestore(&hcd_urb_list_lock, flags); +} + /* Disables the endpoint: synchronizes with the hcd to make sure all * endpoint state is gone from hardware. usb_hcd_flush_endpoint() must * have been called previously. Use for set_configuration, set_interface, diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 75e2bfd744a9..8d656d7e8f69 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -1358,7 +1358,7 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr, dev->ep_in[epnum] = NULL; } if (ep) { - ep->enabled = 0; + usb_hcd_set_endpoint_enabled(ep, 0); usb_hcd_flush_endpoint(dev, ep); if (reset_hardware) usb_hcd_disable_endpoint(dev, ep);
@@ -1523,7 +1523,7 @@ void usb_enable_endpoint(struct usb_device *dev, struct usb_host_endpoint *ep, dev->ep_out[epnum] = ep; if (!is_out || is_control) dev->ep_in[epnum] = ep; - ep->enabled = 1; + usb_hcd_set_endpoint_enabled(ep, 1); } /** diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h index 181db044c4d2..de97827a579b 100644 --- a/include/linux/usb/hcd.h +++ b/include/linux/usb/hcd.h @@ -437,6 +437,7 @@ extern void usb_hcd_unmap_urb_setup_for_dma(struct usb_hcd *, struct urb *); extern void usb_hcd_unmap_urb_for_dma(struct usb_hcd *, struct urb *); extern void usb_hcd_flush_endpoint(struct usb_device *udev, struct usb_host_endpoint *ep); +extern void usb_hcd_set_endpoint_enabled(struct usb_host_endpoint *ep, int enabled); extern void usb_hcd_disable_endpoint(struct usb_device *udev, struct usb_host_endpoint *ep); extern void usb_hcd_reset_endpoint(struct usb_device *udev,
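Review bot: the hcd.c hunk changes only the write side of ep->enabled, while the read side the description depends on (the check on the submission path being made with hcd_urb_list_lock held) is neither shown nor named, so the pairing cannot be verified from this patch alone; name the checking function in the commit text, or add a hunk to it, and give the new helper a short comment stating that ep->enabled is now protected by hcd_urb_list_lock. As posted, usb_hcd_set_endpoint_enabled() is inserted directly above the comment block of usb_hcd_disable_endpoint() with no comment of its own, unlike its neighbours.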
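Review bot: in the usb_disable_endpoint() hunk the gate is cleared before usb_hcd_flush_endpoint() is called, which is the order the flush needs (a submission that got in ahead of the store is still on the list for the flush to find; one that comes after the store fails the check), but nothing in the code records that dependency; a one-line comment above the call, along the lines of `/* refuse new submissions under hcd_urb_list_lock before flushing */`, would keep the ordering from being "simplified" away later.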
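Review bot: the usb_enable_endpoint() hunk takes hcd_urb_list_lock only to store 1, while the cover text motivates the lock for the disable side alone; either say in the commit text why the enable side goes through the helper too (so that every write to ep->enabled happens under the one lock and the flag never flips without it), or leave that assignment a plain store.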
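Review bot: the prototype added to hcd.h declares `int enabled` although both callers pass literal 0 and 1; `bool enabled`, or two parameterless enable/disable helpers, would state the contract more clearly. Since the only callers are in drivers/usb/core/message.c, which is linked into usbcore together with hcd.c, no EXPORT_SYMBOL is needed; a line in the commit text saying the helper is usbcore-internal would stop one being added later.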
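The invariant the message argues for (once ep->enabled is cleared under the lock that guards the submission check, no URB, not even one a driver resubmits from its own completion handler, can land on the endpoint while or after it is flushed) is shown below as an added single-threaded C model. This is example code written for this page, not kernel code and not the patch author's; struct endpoint, struct urb, ep_submit(), ep_flush(), ep_set_enabled() and the lock_held discipline are this model's own simplifications, and the lock is a bookkeeping flag rather than a real spinlock. The model does not reproduce the cross-CPU race the patch targets; it demonstrates what the gate buys: with the gate closed before the flush, the driver's resubmit from complete() is refused with -ENOENT and the URB is given back once, while a flush run against an open gate lets the resubmit succeed, so the URB is back on the list during the flush and gets given back a second time.

```c
/* Added user-space model of the ep->enabled gate, not kernel code.  The
 * names and the lock_held bookkeeping are this model's own; they stand in
 * for hcd_urb_list_lock, ep->enabled and urb->urb_list in the USB core. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct endpoint;

struct urb {
	struct endpoint *ep;
	struct urb *next;	/* stands in for urb->urb_list */
	int status;
	int completions;	/* givebacks seen by the driver */
	int resubmit_rc;	/* result of the driver's resubmit from complete() */
};

struct endpoint {
	bool lock_held;		/* stands in for hcd_urb_list_lock */
	bool enabled;		/* ep->enabled: read and written only under the lock */
	struct urb *head;	/* pending URBs, also only touched under the lock */
};

static void ep_lock(struct endpoint *ep)   { assert(!ep->lock_held); ep->lock_held = true; }
static void ep_unlock(struct endpoint *ep) { assert(ep->lock_held);  ep->lock_held = false; }

/* Counterpart of the patch's usb_hcd_set_endpoint_enabled(): the gate only
 * moves under the lock that the submission check also holds. */
static void ep_set_enabled(struct endpoint *ep, bool enabled)
{
	ep_lock(ep);
	ep->enabled = enabled;
	ep_unlock(ep);
}

/* Submission path: check the gate and link the URB under the same lock. */
int ep_submit(struct urb *urb)
{
	struct endpoint *ep = urb->ep;

	ep_lock(ep);
	if (!ep->enabled) {
		ep_unlock(ep);
		return -ENOENT;
	}
	urb->next = ep->head;
	ep->head = urb;
	ep_unlock(ep);
	return 0;
}

/* Completion handler in the style of a polling class driver: the first
 * giveback tries to resubmit, later ones do not (keeps the flush bounded). */
static void resubmitting_complete(struct urb *urb)
{
	urb->completions++;
	if (urb->completions == 1)
		urb->resubmit_rc = ep_submit(urb);
}

/* Flush: unlink and give back pending URBs until the list stays empty.
 * Giveback runs with the lock dropped, so complete() may call ep_submit(). */
static void ep_flush(struct endpoint *ep)
{
	for (;;) {
		ep_lock(ep);
		struct urb *urb = ep->head;
		if (urb)
			ep->head = urb->next;
		ep_unlock(ep);
		if (!urb)
			return;
		urb->status = -ESHUTDOWN;
		resubmitting_complete(urb);
	}
}

/* One submit + disable cycle.  close_gate_first=true is the order used by
 * usb_disable_endpoint() (clear ep->enabled, then flush); false models a
 * flush against an endpoint whose gate is still open. */
static struct urb run_model(bool close_gate_first)
{
	struct endpoint ep = { .lock_held = false, .enabled = false, .head = NULL };
	struct urb u = { .ep = &ep };

	ep_set_enabled(&ep, true);
	assert(ep_submit(&u) == 0);
	if (close_gate_first)
		ep_set_enabled(&ep, false);
	ep_flush(&ep);
	assert(ep.head == NULL);	/* the flush itself always drains the list */
	u.ep = NULL;			/* do not hand out a pointer to the stack endpoint */
	return u;
}

int model_completions(bool close_gate_first) { return run_model(close_gate_first).completions; }
int model_resubmit_rc(bool close_gate_first) { return run_model(close_gate_first).resubmit_rc; }

int main(void)
{
	printf("gate closed first: completions=%d resubmit_rc=%d\n",
	       model_completions(true), model_resubmit_rc(true));
	printf("gate left open:    completions=%d resubmit_rc=%d\n",
	       model_completions(false), model_resubmit_rc(false));
	return 0;
}
```

The flush drains the list in both runs, which is why the difference only shows up in how the driver experienced it: with the gate open the URB was accepted back onto the endpoint in the middle of the flush and completed twice, which is the "one is observed completing concurrently" situation the message describes from the HCD's side.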