On Thu, Aug 17, 2023 at 02:16:26PM +0200, Oliver Neukum wrote: > On 12.08.23 17:56, Alan Stern wrote: > Hi, > > The real problem seems to be some sort of race in usbtmc and the core > > between URBs being added to an anchor, file I/O being stopped, and URBs > > being killed or scuttled when the file is flushed. > > just to make sure, you think it is failing here: > > usb_anchor_resume_wakeups(anchor); That's what the syzbot console log output shows in the stack dump. > because we cannot guarantee that the anchor pointer > is still valid, That's my conclusion. There don't seem to be any other candidates for a bad pointer. > unless we refcount anchors, which would > make embedding them impossible? Whether the validity is ensured by refcounting or by some other mechanism is up to the implementor (i.e., you). I'm merely trying to restate and explain the syzbot results in terms understandable by humans. Alan Stern
