syzbot


KASAN: use-after-free Read in ld_usb_release

Status: fixed on 2019/09/06 20:45
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
Fix commit: 303911cfc5b9 USB: core: Fix races in character device registration and deregistraion
First crash: 1773d, last: 1763d
Duplicate bugs (5)
duplicates (5):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: use-after-free Read in prepare_to_wait_event usb C 2 1767d 1772d 0/27 closed as dup on 2019/08/12 12:05
BUG: bad usercopy in ld_usb_read usb C 124 1747d 1773d 0/27 closed as dup on 2019/08/12 12:06
KASAN: use-after-free Read in usb_kill_urb usb C 83 1748d 1772d 0/27 closed as dup on 2019/08/12 12:04
KASAN: use-after-free Write in ld_usb_interrupt_in_callback usb C 48 1762d 1769d 0/27 closed as dup on 2019/08/12 12:22
KASAN: slab-out-of-bounds Read in ld_usb_read usb C 57 1748d 1769d 0/27 closed as dup on 2019/08/12 12:23
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 3.16 00/83] 3.16.78-rc1 review 88 (88) 2019/11/21 21:42
[PATCH 5.2 000/135] 5.2.10-stable review 160 (160) 2019/08/27 10:51
[PATCH 4.4 00/78] 4.4.190-stable review 91 (91) 2019/08/24 18:14
[PATCH 4.9 000/103] 4.9.190-stable review 109 (109) 2019/08/24 17:59
[PATCH 4.14 00/71] 4.14.140-stable review 79 (79) 2019/08/24 17:55
[PATCH 4.19 00/85] 4.19.68-stable review 91 (91) 2019/08/24 17:51
[PATCH] USB: core: Fix races in character device registration and deregistraion 2 (2) 2019/08/12 20:52
KASAN: use-after-free Read in ld_usb_release 6 (8) 2019/08/12 15:31
Last patch testing requests (1)
Created Duration User Patch Repo Result
2019/08/09 17:33 18m andreyknvl@google.com patch https://github.com/google/kasan.git e96407b4 OK

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:912 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xf23/0x1360 kernel/locking/mutex.c:1077
Read of size 8 at addr ffff8881cc9a31d8 by task syz-executor801/2476

CPU: 1 PID: 2476 Comm: syz-executor801 Not tainted 5.3.0-rc4+ #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 print_address_description+0x6a/0x32c mm/kasan/report.c:351
 __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
 kasan_report+0xe/0x12 mm/kasan/common.c:612
 __mutex_lock_common kernel/locking/mutex.c:912 [inline]
 __mutex_lock+0xf23/0x1360 kernel/locking/mutex.c:1077
 ld_usb_release+0xb1/0x400 drivers/usb/misc/ldusb.c:386
 __fput+0x2d7/0x840 fs/file_table.c:280
 task_work_run+0x13f/0x1c0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x8ef/0x2c00 kernel/exit.c:879
 do_group_exit+0x125/0x340 kernel/exit.c:983
 __do_sys_exit_group kernel/exit.c:994 [inline]
 __se_sys_exit_group kernel/exit.c:992 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:992
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440448
Code: Bad RIP value.
RSP: 002b:00007ffc1b1fe1f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440448
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004c0070 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 12:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:487 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 ld_usb_probe+0x6e/0xa65 drivers/usb/misc/ldusb.c:661
 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
 really_probe+0x281/0x6d0 drivers/base/dd.c:548
 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
 __device_attach+0x217/0x360 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
 device_add+0xae6/0x16f0 drivers/base/core.c:2165
 usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
 usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
 really_probe+0x281/0x6d0 drivers/base/dd.c:548
 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
 __device_attach+0x217/0x360 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
 device_add+0xae6/0x16f0 drivers/base/core.c:2165
 usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
 hub_port_connect drivers/usb/core/hub.c:5098 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
 port_event drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
 process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 kernel/workqueue.c:2415
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 12:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
 slab_free_hook mm/slub.c:1423 [inline]
 slab_free_freelist_hook mm/slub.c:1474 [inline]
 slab_free mm/slub.c:3016 [inline]
 kfree+0xe4/0x2f0 mm/slub.c:3957
 ld_usb_probe+0x728/0xa65 drivers/usb/misc/ldusb.c:744
 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
 really_probe+0x281/0x6d0 drivers/base/dd.c:548
 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
 __device_attach+0x217/0x360 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
 device_add+0xae6/0x16f0 drivers/base/core.c:2165
 usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
 usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
 really_probe+0x281/0x6d0 drivers/base/dd.c:548
 driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
 __device_attach+0x217/0x360 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
 device_add+0xae6/0x16f0 drivers/base/core.c:2165
 usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
 hub_port_connect drivers/usb/core/hub.c:5098 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
 port_event drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
 process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 kernel/workqueue.c:2415
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881cc9a3180
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 88 bytes inside of
 512-byte region [ffff8881cc9a3180, ffff8881cc9a3380)
The buggy address belongs to the page:
page:ffffea0007326880 refcount:1 mapcount:0 mapping:ffff8881da002500 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 ffffea00073b6780 0000000200000002 ffff8881da002500
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881cc9a3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881cc9a3100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881cc9a3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8881cc9a3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881cc9a3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/08/18 19:24 https://github.com/google/kasan.git usb-fuzzer d0847550e22d 55bf8926 .config console log report syz C ci2-upstream-usb
2019/08/18 06:41 https://github.com/google/kasan.git usb-fuzzer d0847550e22d 55bf8926 .config console log report syz C ci2-upstream-usb
2019/08/14 09:28 https://github.com/google/kasan.git usb-fuzzer d0847550e22d ef801a3e .config console log report syz C ci2-upstream-usb
2019/08/12 09:00 https://github.com/google/kasan.git usb-fuzzer e96407b49762 acb51638 .config console log report syz C ci2-upstream-usb
2019/08/10 23:45 https://github.com/google/kasan.git usb-fuzzer e96407b49762 acb51638 .config console log report syz C ci2-upstream-usb
2019/08/10 05:15 https://github.com/google/kasan.git usb-fuzzer e96407b49762 acb51638 .config console log report syz C ci2-upstream-usb
2019/08/09 22:45 https://github.com/google/kasan.git usb-fuzzer e96407b49762 aff9e255 .config console log report syz C ci2-upstream-usb
2019/08/09 13:03 https://github.com/google/kasan.git usb-fuzzer e96407b49762 ede31a9b .config console log report syz C ci2-upstream-usb
2019/08/17 16:27 https://github.com/google/kasan.git usb-fuzzer d0847550e22d 55bf8926 .config console log report ci2-upstream-usb
2019/08/17 14:32 https://github.com/google/kasan.git usb-fuzzer d0847550e22d 55bf8926 .config console log report ci2-upstream-usb
2019/08/16 07:46 https://github.com/google/kasan.git usb-fuzzer d0847550e22d 8fd428a1 .config console log report ci2-upstream-usb
2019/08/12 20:07 https://github.com/google/kasan.git usb-fuzzer d0847550e22d 8620c2c2 .config console log report ci2-upstream-usb
2019/08/12 09:39 https://github.com/google/kasan.git usb-fuzzer e96407b49762 8620c2c2 .config console log report ci2-upstream-usb
2019/08/09 03:41 https://github.com/google/kasan.git usb-fuzzer e96407b49762 ede31a9b .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.