Am Dienstag, den 05.01.2021, 04:50 +0000 schrieb Zhang, Qiang:

________________________________________
发件人: Oliver Neukum [off-list ref]
发送时间: 2021年1月5日 0:28
收件人: syzbot; andreyknvl@google.com; gregkh@linuxfoundation.org; gustavoars@kernel.org; ingrassia@epigenesys.com; lee.jones@linaro.org; linux-kernel@vger.kernel.org; linux-usb@vger.kernel.org; penguin-kernel@I-love.SAKURA.ne.jp; syzkaller-bugs@googlegroups.com
主题: Re: KASAN: use-after-free Read in service_outstanding_interrupt

Am Donnerstag, den 17.12.2020, 19:21 -0800 schrieb syzbot:

quoted

syzbot has found a reproducer for the following issue on:

HEAD commit:    5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b623500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5cea7506b7139727
dashboard link: https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=175adf07500000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1672680f500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: >syzbot+9e04e2df4a32fb661daf@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git  5e60366d

 Hello Oliver 
 
 this use-after-free still exists，It can be seen from calltrace that it is 
 usb_device's object  has been released when disconnect,
 can add a reference count to usb_device's object to avoid this problem 

Hi,

thanks for your analysis. I think you are correct in your analysis, but
I am afraid your fix is not correct. The driver is submitting an URB
to a disconnected device. Your fix would prevent a crash, which is
definitely good, but we still cannot do that, because the device may
be owned by another driver or usbfs at that time.

	Regards
		Oliver