Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in iowarrior_write_callback (2)

Next message: Harry Yoo: "Re: [PATCH v3 2/2] mm, slab: simplify returning slab in __refill_objects_node()"
Previous message: Nam Cao: "Re: [PATCH v2 00/14] rv: Add selftests to tools and KUnit tests"
In reply to: Michal Pecio: "Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in iowarrior_write_callback (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Pecio

Date: Thu May 28 2026 - 04:25:22 EST

On Wed, 27 May 2026 16:36:54 -0700, Joseph Bursey wrote:
> On Sun, May 24, 2026 at 9:46 AM Michal Pecio <michal.pecio@xxxxxxxxx> wrote:
> > On Sun, 24 May 2026 10:45:39 -0400, Alan Stern wrote:
> > > On Sun, May 24, 2026 at 10:30:53AM +0200, Michal Pecio wrote:
> > > > On Fri, 22 May 2026 13:38:40 -0700, Joseph Bursey wrote:
> > > > > Hello, I believe I have a reproducer for this bug using a
> > > > > combination of syz-execprog and eBPF programs.
> > > >
> > > > Hi, could you check if this patch (compile tested only) fixes it?
> > > >
> >
>
> I tested the patch but I am still seeing the same UAF.

Hmm, OK, thanks for checking.

So I'm not sure what happens there. Maybe this interrupt endpoint isn't
part of the interface the driver is bound to? I'm not sure how to read
those blobs from your syzbot script.

> However, there does appear to be a patch here which does seem to work:
> https://lore.kernel.org/all/20260523170523.1074563-1-johan@xxxxxxxxxx/

Yes, it fixes the UAF, but it doesn't fix the WTF (to me), which is
that USB core somehow allows URBs to exits on an endpoint that looks
like it should be disabled. These are separate issues, though fixing
the WTF would also fix the UAF, if the fix worked.

Regards,
Michal