syzbot


KASAN: null-ptr-deref Write in media_request_close

Status: fixed on 2020/09/16 22:51
Subsystems: media
Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
Fix commit: e30cc79cc80f media: media-request: Fix crash if memory allocation fails
First crash: 1549d, last: 1496d
Cause bisection: introduced by (bisect log):
commit 016baa59bf9f6c2550480b73f18100285e3a4fd2
Author: Ezequiel Garcia <ezequiel@collabora.com>
Date: Tue Apr 14 22:06:24 2020 +0000

  media: Kconfig: Don't expose the Request API option

Crash: KASAN: null-ptr-deref Write in media_request_put (log)
Repro: C syz .config
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 5.8 000/464] 5.8.2-rc1 review 475 (475) 2020/08/19 06:11
[PATCH 5.4 000/270] 5.4.59-rc1 review 275 (275) 2020/08/18 22:37
[PATCH 5.7 000/393] 5.7.16-rc1 review 398 (398) 2020/08/18 22:36
[PATCH] media: media-request: Fix crash if memory allocation fails 3 (3) 2020/06/23 07:58
Re: [PATCH] media: media-request: Fix crash according to a failed memory allocation 2 (2) 2020/06/21 13:55
Re: KASAN: null-ptr-deref Write in media_request_close 1 (1) 2020/06/19 14:14
KASAN: null-ptr-deref Write in media_request_close 0 (3) 2020/06/18 17:56

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:266 [inline]
BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:294 [inline]
BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
BUG: KASAN: null-ptr-deref in media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
Write of size 4 at addr 0000000000000008 by task syz-executor690/6795

CPU: 0 PID: 6795 Comm: syz-executor690 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:517 [inline]
 kasan_report+0x151/0x1d0 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:183 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192
 atomic_fetch_sub include/asm-generic/atomic-instrumented.h:199 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 media_request_put drivers/media/mc/mc-request.c:81 [inline]
 media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
 __fput+0x2ed/0x750 fs/file_table.c:281
 task_work_run+0x147/0x1d0 kernel/task_work.c:123
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
 prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x444eb9
Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db ce fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffebb3970a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffff4 RBX: 0000000000000000 RCX: 0000000000444eb9
RDX: 0000000000000000 RSI: 0000000080047c05 RDI: 0000000000000004
RBP: 000000000000cdaa R08: 0000000000000001 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402220
R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
==================================================================

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/06/18 14:10 upstream 7ae77150d94d d45a4d69 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/08/05 06:59 upstream c0842fbc1b18 80a06902 .config console log report ci-upstream-kasan-gce-root
2020/08/03 18:35 upstream bcf876870b95 196277c4 .config console log report ci-upstream-kasan-gce-root
2020/07/22 13:11 upstream 4fa640dc5230 128cd85f .config console log report ci-upstream-kasan-gce-root
2020/07/18 01:11 upstream 8882572675c1 9c812472 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/16 18:45 upstream 994e99a96c9b f3bec699 .config console log report ci-upstream-kasan-gce
2020/07/16 00:50 upstream e9919e11e219 f3bec699 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/16 00:34 upstream e9919e11e219 f3bec699 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/14 13:56 upstream 0dc589da873b ce4c95b3 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/11 05:36 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/09 10:17 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce
2020/07/06 04:16 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/06 02:45 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-root
2020/07/02 20:05 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/18 14:00 upstream 7ae77150d94d d45a4d69 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/12 22:51 upstream 7ae77150d94d df590254 .config console log report ci-upstream-kasan-gce-smack-root
2020/06/26 19:16 upstream 4a21185cda0f aea82c00 .config console log report ci-upstream-kasan-gce-386
* Struck through repros no longer work on HEAD.