On Fri, Aug 09, 2019 at 11:13:00AM -0400, Alan Stern wrote:
> In fact, I don't see why any of the computations here should overflow
> or wrap around, or even give rise to a negative value. If syzbot had a
> reproducer we could get more debugging output -- but it doesn't.

Yeah, this is odd. The only thing I could see here with more study was
that ring_tail is used/updated outside of the rbsl lock in ld_usb_read().
I couldn't convince myself there wasn't a race against the interrupt,
but I also couldn't think of a way it could break...

-- 
Kees Cook
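The pattern Kees is describing (a ring-buffer tail index touched outside the lock that the interrupt-side producer takes) is easiest to reason about with a minimal model. The following is an added illustration, not code from the ldusb driver or from this thread; it uses a generic `struct ring` with a C11 `atomic_flag` spinlock standing in for a kernel spinlock, and the names `ring_push`, `ring_pop`, `ring_count_locked` and `ring_selftest` are invented for the example. The consumer does its availability check, the copy-out and the tail update inside one critical section, so the producer can never observe or advance past a half-updated tail; the audit question the thread raises is whether every reader of `tail` is inside such a section.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define RING_SIZE 8          /* small size so wrap-around is exercised quickly */

struct ring {
    unsigned char buf[RING_SIZE];
    size_t head;             /* next slot to write; advanced by the producer (interrupt side) */
    size_t tail;             /* next slot to read;  advanced by the consumer (read() side)   */
    atomic_flag lock;        /* stand-in for the spinlock that protects head, tail and buf */
};

/* Minimal spinlock on an atomic_flag: acquire on lock, release on unlock. */
static void ring_lock(struct ring *r)
{
    while (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire))
        ;                    /* spin until the flag was clear */
}

static void ring_unlock(struct ring *r)
{
    atomic_flag_clear_explicit(&r->lock, memory_order_release);
}

/* Zeroing the struct leaves the flag clear (unlocked) and head == tail (empty). */
void ring_init(struct ring *r)
{
    memset(r, 0, sizeof *r);
}

/* Bytes available to read. Caller must hold the lock: reading head and tail
 * without it is exactly the kind of unlocked access the thread is worried about. */
static size_t ring_count_locked(const struct ring *r)
{
    return (r->head + RING_SIZE - r->tail) % RING_SIZE;
}

/* Producer (interrupt) side: one slot is kept free so full and empty differ. */
bool ring_push(struct ring *r, unsigned char b)
{
    bool ok = false;
    ring_lock(r);
    if (ring_count_locked(r) < RING_SIZE - 1) {
        r->buf[r->head] = b;
        r->head = (r->head + 1) % RING_SIZE;
        ok = true;
    }
    ring_unlock(r);
    return ok;
}

/* Consumer (read()) side: check, copy and tail update under the same lock hold. */
size_t ring_pop(struct ring *r, unsigned char *out, size_t max)
{
    size_t n = 0;
    ring_lock(r);
    size_t avail = ring_count_locked(r);
    if (avail > max)
        avail = max;
    while (n < avail) {
        out[n++] = r->buf[r->tail];
        r->tail = (r->tail + 1) % RING_SIZE;
    }
    ring_unlock(r);
    return n;
}

/* Self-check with constructed input; returns 1 when every expectation holds. */
int ring_selftest(void)
{
    struct ring r;
    unsigned char out[16];
    ring_init(&r);

    /* capacity is RING_SIZE - 1 == 7: pushes 0..6 succeed, 7..9 are dropped */
    int accepted = 0;
    for (unsigned char b = 0; b < 10; b++)
        accepted += ring_push(&r, b);
    if (accepted != 7)
        return 0;

    /* drain four bytes, then refill across the wrap-around point */
    if (ring_pop(&r, out, 4) != 4 || out[0] != 0 || out[3] != 3)
        return 0;
    for (unsigned char b = 10; b < 14; b++)
        if (!ring_push(&r, b))
            return 0;

    /* remaining order must be 4,5,6,10,11,12,13 and the ring must then be empty */
    static const unsigned char want[] = { 4, 5, 6, 10, 11, 12, 13 };
    if (ring_pop(&r, out, sizeof out) != sizeof want || memcmp(out, want, sizeof want) != 0)
        return 0;
    return ring_pop(&r, out, sizeof out) == 0;
}
```

The self-test exercises the wrap-around case deliberately, since an index computed from a stale tail is most likely to go wrong exactly when head has wrapped past it.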