vhci_hcd: invalid port number 0 vhci_hcd: invalid port number 108 ================================================================== BUG: KASAN: slab-out-of-bounds in vhci_hub_control+0x1b6d/0x1be0 drivers/usb/usbip/vhci_hcd.c:441 Read of size 4 at addr ffff8801cdf137bc by task syz-executor1/22646 CPU: 0 PID: 22646 Comm: syz-executor1 Not tainted 4.19.0-rc7+ #60 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432 vhci_hub_control+0x1b6d/0x1be0 drivers/usb/usbip/vhci_hcd.c:441 rh_call_control drivers/usb/core/hcd.c:679 [inline] rh_urb_enqueue drivers/usb/core/hcd.c:838 [inline] usb_hcd_submit_urb+0x17bb/0x20a0 drivers/usb/core/hcd.c:1651 usb_submit_urb+0x893/0x14e0 drivers/usb/core/urb.c:570 usb_start_wait_urb+0x13d/0x370 drivers/usb/core/message.c:57 usb_internal_control_msg drivers/usb/core/message.c:101 [inline] usb_control_msg+0x332/0x4e0 drivers/usb/core/message.c:152 proc_control+0x99b/0xef0 drivers/usb/core/devio.c:1106 usbdev_do_ioctl+0x1eb8/0x3b50 drivers/usb/core/devio.c:2412 usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2569 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:501 [inline] do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702 __do_sys_ioctl fs/ioctl.c:709 [inline] __se_sys_ioctl fs/ioctl.c:707 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457569 Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd1ce729c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569 RDX: 0000000020000000 RSI: 00000000c0185500 RDI: 0000000000000004 RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd1ce72a6d4 R13: 00000000004bf6ac R14: 00000000004cf598 R15: 00000000ffffffff Allocated by task 5519: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x730 mm/slab.c:3554 kmem_cache_zalloc include/linux/slab.h:697 [inline] __alloc_file+0xa8/0x470 fs/file_table.c:100 alloc_empty_file+0x72/0x170 fs/file_table.c:150 kobject: 'loop5' (00000000fe8708e1): fill_kobj_path: path = '/devices/virtual/block/loop5' path_openat+0x170/0x5160 fs/namei.c:3523 do_filp_open+0x255/0x380 fs/namei.c:3564 do_sys_open+0x568/0x700 fs/open.c:1063 __do_sys_open fs/open.c:1081 [inline] __se_sys_open fs/open.c:1076 [inline] __x64_sys_open+0x7e/0xc0 fs/open.c:1076 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe kobject: 'loop4' (000000000a53bcc3): kobject_uevent_env Freed by task 9: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x83/0x290 mm/slab.c:3756 file_free_rcu+0x91/0xd0 fs/file_table.c:49 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2576 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2880 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2847 [inline] rcu_process_callbacks+0xf23/0x2670 kernel/rcu/tree.c:2864 kobject: 'loop4' (000000000a53bcc3): fill_kobj_path: path = '/devices/virtual/block/loop4' __do_softirq+0x30b/0xad8 kernel/softirq.c:292 The buggy address belongs to the object at ffff8801cdf13540 which belongs to the cache filp of size 456 The buggy address is located 180 bytes to the right of 456-byte region [ffff8801cdf13540, ffff8801cdf13708) The buggy address belongs to the page: page:ffffea000737c4c0 count:1 mapcount:0 mapping:ffff8801da978940 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea00074cfcc8 ffffea000760ce88 ffff8801da978940 kobject: 'loop0' (00000000634becbe): kobject_uevent_env raw: 0000000000000000 ffff8801cdf13040 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cdf13680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801cdf13700: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801cdf13780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb kobject: 'loop0' (00000000634becbe): fill_kobj_path: path = '/devices/virtual/block/loop0' ^ ffff8801cdf13800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801cdf13880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================