Message-ID: <CA+fCnZcA4hEujDLUtzN=3q7akeG8qMMbYrL1Jyj=JKN0C1D12g@mail.gmail.com>
Date: Sun, 24 Nov 2024 21:29:56 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Andrey Konovalov <andreyknvl@...il.com>
Cc: Chang Yu <marcus.yu.56@...il.com>, gregkh@...uxfoundation.org, 
	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com, 
	syzbot <syzbot+3e563d99e70973c0755c@...kaller.appspotmail.com>
Subject: Re: [syzbot] [usb?] KASAN: invalid-free in dev_free

On Sat, Nov 2, 2024 at 12:44 AM Chang Yu <marcus.yu.56@...il.com> wrote:
>
> On Sat, Nov 02, 2024 at 12:26:30AM +0100, Andrey Konovalov wrote:
> > On Mon, Sep 16, 2024 at 3:24 AM syzbot
> > <syzbot+3e563d99e70973c0755c@...kaller.appspotmail.com> wrote:
> > >
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit:    68d4209158f4 sub: cdns3: Use predefined PCI vendor ID cons..
> > > git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10a96200580000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=cb61872d4d8c5df9
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1297cc07980000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1217c8a9980000
> >
> > I'm not sure what the correct patch would be though, as I don't
> > understand what the issue is. It seems that dev_free() indeed gets
> > called twice, but since it's guarded by kref_put(), this shouldn't
> > happen AFAIU. Or at least we should get a bad refcount report.

Interestingly, crashes stopped happening 20 days ago. It could be that
there was some kind of bug in the refcount or the generic USB code,
and that got fixed (at least I don't see a problem in the Raw Gadget
code). Let's keep this bug open for now and monitor, and later I'll
close it if there are no more crashes.
