Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups

From: Oliver Neukum
Date: Thu Aug 17 2023 - 08:17:32 EST

Next message: Ilpo Järvinen: "[PATCH 00/10] Add PCIe Bandwidth Controller"
Previous message: Bartosz Golaszewski: "Re: [PATCH v3] gpio: sim: simplify code with cleanup helpers"
Next in thread: Alan Stern: "Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12.08.23 17:56, Alan Stern wrote:
Hi,

The real problem seems to be some sort of race in usbtmc and the core
between URBs being added to an anchor, file I/O being stopped, and URBs
being killed or scuttled when the file is flushed.

just to make sure, you think it is failing here:

usb_anchor_resume_wakeups(anchor);

because we cannot guarantee that the anchor pointer
is still valid, unless we refcount anchors, which would
make embedding them impossible?

Regards
Oliver

Next message: Ilpo Järvinen: "[PATCH 00/10] Add PCIe Bandwidth Controller"
Previous message: Bartosz Golaszewski: "Re: [PATCH v3] gpio: sim: simplify code with cleanup helpers"
Next in thread: Alan Stern: "Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]