On Fri, Sep 20, 2019 at 12:08:30PM +0200, Dmitry Vyukov wrote:
> On Fri, Sep 20, 2019 at 12:02 PM Johan Hovold <johan@xxxxxxxxxx> wrote:
> >
> > On Fri, Sep 20, 2019 at 02:20:00AM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: use-after-free Read in adu_interrupt_in_callback
> >
> > This looks like a separate issue, which should be fixed by a separate
> > patch. Not sure how to tell syzbot that. Dmitry?
>
> There is no way, but also no need. There is nothing it can do with that info.
> If you think it's a separate one and you fixed the first one, mail the
> patch with the first fix.
> Optionally, you can fix the second one as well, and then ask it to
> test a patch with 2 fixes (but you will need either to squash them or
> point to a git tree with both commits).
>
> > There is indeed another bug in the driver, which could lead to crashes
> > in the completion handler after clearing the struct usb_device pointer,
> > but possibly also to the above use-after-free if a new device is probed
> > immediately after a disconnect.
> >
> > The below patch addresses both bugs, let's see if that helps.
> >
> > #syz test: https://github.com/google/kasan.git e96407b4

Ok, so I was using an old syzbot kernel from when this was first reported
and apparently hit a second issue which had since been fixed by Alan.

I was staring at usb-next and couldn't see how it was possible to trigger
this, but that code had Alan's fix 303911cfc5b9 ("USB: core: Fix races in
character device registration and deregistraion").

Guess I had to be bitten by this to learn the syzbot interface. ;)

Johan