Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups (2)

From: Hillf Danton
Date: Mon Apr 01 2024 - 19:02:56 EST


On Mon, 01 Apr 2024 09:50:32 -0700
> syzbot found the following issue on:
>
> HEAD commit: 480e035fc4c7 Merge tag 'drm-next-2024-03-13' of https://gi..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1244fe29180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 480e035fc4c7

--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -256,6 +256,7 @@ static int usbtmc_release(struct inode *
spin_unlock_irq(&file_data->data->dev_lock);
mutex_unlock(&file_data->data->io_mutex);

+ usb_kill_anchored_urbs(&file_data->submitted);
kref_put(&file_data->data->kref, usbtmc_delete);
file_data->data = NULL;
kfree(file_data);
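
Review bot: the added usb_kill_anchored_urbs(&file_data->submitted) call in usbtmc_release() carries no comment or changelog saying why it must come before kfree(file_data). The anchor is a member of file_data, so any URB still anchored on it when kfree(file_data) runs leaves a pointer into freed memory, which matches the use-after-free in the subject line. A short comment above the call stating that outstanding URBs have to be drained before the structure holding the anchor is freed would keep a later reorder from reintroducing the bug. The call also sits after mutex_unlock(&file_data->data->io_mutex), so it runs without io_mutex held; it is worth confirming that nothing can still anchor a new URB on file_data->submitted between the kill and the kfree(), and that file_data has no other anchors needing the same treatment.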
--