Re: KASAN: use-after-free Read in usblp_bulk_read

From: Alan Stern
Date: Sat Apr 25 2020 - 14:12:46 EST

Next message: Andy Lutomirski: "Re: [PATCH] Allow RDTSC and RDTSCP from userspace"
Previous message: Bart Van Assche: "Re: [PATCH v2 5/5] scsi: ufs: UFS Host Performance Booster(HPB) driver"
In reply to: Oliver Neukum: "Re: KASAN: use-after-free Read in usblp_bulk_read"
Next in thread: Oliver Neukum: "Re: KASAN: use-after-free Read in usblp_bulk_read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 25 Apr 2020, Oliver Neukum wrote:

> Am Donnerstag, den 23.04.2020, 12:29 -0400 schrieb Alan Stern:
> > On Thu, 23 Apr 2020, Oliver Neukum wrote:
>
> > The only suspicious thing I see is that usblp_resume() calls
> > handle_bidir() without first acquiring any mutex. But resume shouldn't
> > race with disconnect.
>
> Right.
>
> > The only other place where read URBs get submitted is under
> > usblp_read(), which does acquire the mutex
>
> Right.
>
> > and checks for disconnection
> > while holding it.
>
> Where? It should, but I do not see where it does so.

usblp_read() calls usblp_rwait_and_lock(), which calls usblp_rtest(),
which returns -ENODEV if usblp->present is clear.

Alan Stern

Next message: Andy Lutomirski: "Re: [PATCH] Allow RDTSC and RDTSCP from userspace"
Previous message: Bart Van Assche: "Re: [PATCH v2 5/5] scsi: ufs: UFS Host Performance Booster(HPB) driver"
In reply to: Oliver Neukum: "Re: KASAN: use-after-free Read in usblp_bulk_read"
Next in thread: Oliver Neukum: "Re: KASAN: use-after-free Read in usblp_bulk_read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]