On Sunday, 20.12.2020, 00:25 +0900, Tetsuo Handa wrote:
> syzbot is reporting UAF at usb_submit_urb() [1], for
> service_outstanding_interrupt() is not checking WDM_DISCONNECTING
> before calling usb_submit_urb(). Close the race by doing the same checks
> wdm_read() does upon retry.

But wdm_read() does them with proper locking.

> Also, while wdm_read() checks WDM_DISCONNECTING with desc->rlock held,
> service_interrupt_work() does not hold desc->rlock. Thus, it is possible
> that usb_submit_urb() is called from service_outstanding_interrupt() from
> service_interrupt_work() after WDM_DISCONNECTING was set and kill_urbs()
> from wdm_disconnect() completed. Thus, move kill_urbs() in
> wdm_disconnect() to after cancel_work_sync() (which makes sure that
> service_interrupt_work() is no longer running) completed.

That seems to be the right approach. You must prevent this helper from being called in the first place.

Regards
Oliver