Date: Thu, 28 May 2026 10:20:08 +0200
From: Michal Pecio
To: Joseph Bursey
Cc: Alan Stern, syzbot, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in iowarrior_write_callback (2)
Message-ID: <20260528102008.558a0d9e.michal.pecio@gmail.com>
In-Reply-To:
References: <6a0ce39b.170a0220.39a13.0007.GAE@google.com> <32c79569-8001-48d2-9675-b38b1670f285@uci.edu> <20260524103053.308501de.michal.pecio@gmail.com> <69c60a2a-68d2-48b0-8236-b80cd6b602cf@rowland.harvard.edu> <20260524184633.405c4b3c.michal.pecio@gmail.com>

On Wed, 27 May 2026 16:36:54 -0700, Joseph Bursey wrote:
> On Sun, May 24, 2026 at 9:46 AM Michal Pecio wrote:
> > On Sun, 24 May 2026 10:45:39 -0400, Alan Stern wrote:
> > > On Sun, May 24, 2026 at 10:30:53AM +0200, Michal Pecio wrote:
> > > > On Fri, 22 May 2026 13:38:40 -0700, Joseph Bursey wrote:
> > > > > Hello, I believe I have a reproducer for this bug using a
> > > > > combination of syz-execprog and eBPF programs.
> > > >
> > > > Hi, could you check if this patch (compile tested only) fixes it?
> > > >
> >
>
> I tested the patch but I am still seeing the same UAF.

Hmm, OK, thanks for checking.
So I'm not sure what happens there. Maybe this interrupt endpoint isn't
part of the interface the driver is bound to? I'm not sure how to read
those blobs from your syzbot script.

> However, there does appear to be a patch here which does seem to work:
> https://lore.kernel.org/all/20260523170523.1074563-1-johan@kernel.org/

Yes, it fixes the UAF, but it doesn't fix the WTF (to me), which is that
USB core somehow allows URBs to exist on an endpoint that looks like it
should be disabled.

These are separate issues, though fixing the WTF would also fix the UAF,
if the fix worked.

Regards,
Michal