On Thu, 23 Mar 2017, Dmitry Vyukov wrote:

> > Putting these together:
> >
> > The memory was allocated in usb_internal_control_msg() line 93.
> > The later events occurred within the call in line 100 to
> > usb_start_wait_urb().
> >
> > The invalid access occurred within usb_start_wait_urb() line 56.
> >
> > The memory was deallocated within usb_start_wait_urb() line 78.
> >
> > Since these routines don't involve any loops or backward jumps, this
> > says that the invalid access occurred before the memory was
> > deallocated! So why is it reported as a problem?
>
> My first guess would be that pid 3348 did 2 calls to open and the urb
> was somehow referenced across these calls. Is it possible?

I don't think so. The URB gets allocated and deallocated separately for
each call. You can see this very plainly by reading the source code for
usb_internal_control_msg() and usb_start_wait_urb().

It's possible that the same memory location was allocated and
deallocated for two different calls at different times. That wouldn't
fool syzkaller, would it?

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html