syzbot


KASAN: use-after-free Read in usbhid_power

Status: closed as dup on 2019/08/12 14:29
Subsystems: usb input
Reported-by: syzbot+ef5de9c4f99c4edb4e49@syzkaller.appspotmail.com
First crash: 1983d, last: 1919d
Duplicate of:
  Title: general protection fault in __pm_runtime_resume
  Subsystems: input usb pm
  Repro: C
  Count: 197
  Last: 1919d
  Reported: 1982d
Discussions (3):
  KASAN: use-after-free Read in usbhid_power: 24 replies (28 including bot), last reply 2019/08/12 14:29
  Reminder: 3 open syzbot bugs in hid subsystem: 1 reply (1 including bot), last reply 2019/07/24 02:41
  Reminder: 67 open syzbot bugs in usb subsystem: 1 reply (1 including bot), last reply 2019/07/24 01:35
Last patch testing requests (3):
  Created: 2019/08/09 17:37, Duration: 18m, User: andreyknvl@google.com, Repo: https://github.com/google/kasan.git 6a3599ce, Result: OK
  Created: 2019/07/25 12:15, Duration: 10m, User: oneukum@suse.com, Repo: https://github.com/google/kasan.git usb-fuzzer-usb-testing-2019.07.11, Result: report log
  Created: 2019/07/24 20:55, Duration: 19m, User: oneukum@suse.com, Repo: https://github.com/google/kasan.git usb-fuzzer, Result: error

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in usbhid_power+0xca/0xe0 drivers/hid/usbhid/hid-core.c:1234
Read of size 8 at addr ffff8881d4220008 by task syz-executor012/1727

CPU: 0 PID: 1727 Comm: syz-executor012 Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 print_address_description+0x6a/0x32c mm/kasan/report.c:351
 __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
 kasan_report+0xe/0x12 mm/kasan/common.c:618
 usbhid_power+0xca/0xe0 drivers/hid/usbhid/hid-core.c:1234
 hid_hw_power include/linux/hid.h:1038 [inline]
 hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
 chrdev_open+0x219/0x5c0 fs/char_dev.c:414
 do_dentry_open+0x494/0x1120 fs/open.c:797
 do_last fs/namei.c:3408 [inline]
 path_openat+0x1430/0x3f50 fs/namei.c:3525
 do_filp_open+0x1a1/0x280 fs/namei.c:3555
 do_sys_open+0x3c0/0x580 fs/open.c:1089
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x401a20
Code: 01 f0 ff ff 0f 83 c0 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d ad 5c 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 94 0b 00 00 c3 48 83 ec 08 e8 fa 00 00 00
RSP: 002b:00007ffe48974c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000401a20
RDX: 0000000000000000 RSI: 00000000000a8041 RDI: 00007ffe48974c90
RBP: 6666666666666667 R08: 000000000000000f R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402a40
R13: 0000000000402ad0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 344:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:493 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:466
 slab_post_alloc_hook mm/slab.h:520 [inline]
 slab_alloc_node mm/slub.c:2770 [inline]
 __kmalloc_node_track_caller+0xfc/0x3d0 mm/slub.c:4365
 __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:141
 __alloc_skb+0xef/0x5a0 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
 netlink_sendmsg+0x8cd/0xcc0 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:657
 ___sys_sendmsg+0x803/0x920 net/socket.c:2311
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2356
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 344:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:455
 slab_free_hook mm/slub.c:1423 [inline]
 slab_free_freelist_hook mm/slub.c:1474 [inline]
 slab_free mm/slub.c:3016 [inline]
 kfree+0xe4/0x2f0 mm/slub.c:3957
 skb_free_head+0x8b/0xa0 net/core/skbuff.c:591
 skb_release_data+0x41f/0x7c0 net/core/skbuff.c:611
 skb_release_all+0x46/0x60 net/core/skbuff.c:665
 __kfree_skb net/core/skbuff.c:679 [inline]
 consume_skb net/core/skbuff.c:838 [inline]
 consume_skb+0xd9/0x320 net/core/skbuff.c:832
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x4d7/0x690 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x802/0xcc0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:657
 ___sys_sendmsg+0x803/0x920 net/socket.c:2311
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2356
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881d4220000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes inside of
 1024-byte region [ffff8881d4220000, ffff8881d4220400)
The buggy address belongs to the page:
page:ffffea0007508800 refcount:1 mapcount:0 mapping:ffff8881da002280 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da002280
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d421ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d421ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d4220000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8881d4220080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d4220100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (590):