[CC: list drastically trimmed]
On Tue, 6 Dec 2016, Andrey Konovalov wrote:
> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> >> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
> >>
> >>> Hi!
> >>>
> >>> I've got the following error report while running the syzkaller fuzzer.
> >>>
> >>> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
> >>>
> >>> BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr
> >>> ffff88003dfe5bf2
> >> Can you test whether the patch below fixes this problem?
> >
> > Hi Alan,
> >
> > Yes, I believe it does.
> > It also seems to fix the warnings in dummy_free_request() I've been getting.
>
> It seems that I was wrong. Still see both use-after-free and warnings.
You posted three messages about possibly related problems:
use-after-free in gadgetfs_setup (this one),
GPF in usb_gadget_unregister_driver,
warning in dummy_free_request.
Are you saying the patch below didn't fix any of them?
And in any case, is there any way you can post the series of system
calls that syzkaller makes so we can tell what went wrong?
Alan Stern
> >> Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
> >> ===================================================================
> >> --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
> >> +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
> >> @@ -1762,6 +1762,10 @@ dev_config (struct file *fd, const char
> >> }
> >> spin_unlock_irq(&dev->lock);
> >>
> >> + /* Registered but not yet bound to a UDC driver? */
> >> + if (dev->gadget_registered)
> >> + return -EIO;
> >> +
> >> if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
> >> return -EINVAL;
> >>
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
