syzbot


KASAN: use-after-free Read in v4l2_fh_open

Status: upstream: reported C repro on 2021/02/15 15:18
Subsystems: usb media
[Documentation on labels]
Reported-by: syzbot+b2391895514ed9ef4a8e@syzkaller.appspotmail.com
First crash: 1131d, last: 55d
Cause bisection: introduced by (bisect log) [ignored commit]:
commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov <andreyknvl@google.com>
Date: Mon Feb 24 16:13:03 2020 +0000

  usb: gadget: add raw-gadget interface

Crash: KASAN: use-after-free Read in v4l2_fh_init (log)
Repro: C syz .config
  
Fix bisection the fix commit could be any of (bisect log):
  e4e453434a19 Merge tag 'perf-tools-fixes-for-v5.13-2021-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
  3cc40a443a04 Merge tag 'nios2_fixes_v6.0' of git://git.kernel.org/pub/scm/linux/kernel/git/dinguyen/linux
  
Discussions (12)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in v4l2_fh_open 4 (8) 2024/03/03 02:55
Re: KASAN: use-after-free Read in v4l2_fh_open 1 (1) 2024/03/02 08:08
[syzbot] Monthly media report (Sep 2023) 0 (1) 2023/09/06 08:13
[syzbot] Monthly media report (Jul 2023) 0 (1) 2023/07/05 13:10
[RFT PATCH] media: em28xx: Enable v4l2 file ops at the end of em28xx_v4l2_init() 3 (3) 2022/09/08 23:12
[PATCH v6] media: em28xx: Fix race condition between open and init function 3 (3) 2021/09/13 15:11
Re: [PATCH v5] media: em28xx: Fix race condition between open and init function 1 (1) 2021/05/28 14:56
[PATCH v5] media: em28xx: Fix race condition between open and init function 2 (2) 2021/05/26 13:32
[PATCH] media: em28xx: Fix possible memory leak of em28xx struct 8 (8) 2021/05/06 13:37
[PATCH RFC v3] media: em28xx: Fix race condition between open and init function 4 (4) 2021/04/16 23:03
[PATCH RFC v2] media: em28xx: Fix race condition between open and init function 1 (1) 2021/04/14 16:04
[PATCH] media: em28xx: Fix race condition between open and init function 4 (4) 2021/04/09 13:40
Last patch testing requests (22)
Created Duration User Patch Repo Result
2024/03/03 01:44 52m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK log
2024/03/02 23:07 26m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2024/03/02 10:56 1h37m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2024/01/23 11:49 2h11m retest repro upstream report log
2024/01/23 11:49 23m retest repro upstream report log
2023/11/11 20:11 21m retest repro upstream report log
2023/11/11 20:11 44m retest repro upstream report log
2023/09/02 17:44 14m retest repro upstream report log
2023/09/02 17:44 14m retest repro upstream report log
2023/06/22 21:37 19m retest repro upstream report log
2023/06/22 21:37 15m retest repro upstream report log
2023/06/22 21:37 23m retest repro upstream OK log
2023/04/13 18:11 19m retest repro upstream report log
2022/08/29 08:18 21m soumya.negi97@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e4e453434a19 OK log
2022/08/29 03:37 0m soumya.negi97@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e4e453434a19 error OK
2022/08/29 03:25 0m soumya.negi97@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e4e453434a19 error OK
2021/05/07 18:26 12m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git v4l2-open-use-after-free error OK
2021/05/03 14:57 33m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git v4l2-open-use-after-free error OK
2021/04/07 17:19 35m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git v4l2-open-use-after-free OK
2021/03/19 22:13 36m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git v4l2-open-use-after-free report log
2021/03/19 13:20 16m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git v4l2-open-use-after-free report log
2021/03/10 14:17 12m igormtorrente@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ master report log
Fix bisection attempts (17)
Created Duration User Patch Repo Result
2022/08/17 05:17 28m bisect fix upstream job log (2)
2022/07/12 19:56 20m bisect fix upstream job log (0) log
2022/06/11 20:51 29m bisect fix upstream job log (0) log
2022/05/12 20:29 19m bisect fix upstream job log (0) log
2022/04/12 20:10 19m bisect fix upstream job log (0) log
2022/03/13 19:49 20m bisect fix upstream job log (0) log
2022/02/11 18:53 20m bisect fix upstream job log (0) log
2022/01/12 18:31 21m bisect fix upstream job log (0) log
2021/12/13 15:58 21m bisect fix upstream job log (0) log
2021/11/13 15:35 21m bisect fix upstream job log (0) log
2021/10/14 15:14 21m bisect fix upstream job log (0) log
2021/09/14 13:56 20m bisect fix upstream job log (0) log
2021/08/15 13:15 26m bisect fix upstream job log (0) log
2021/07/14 07:09 22m bisect fix upstream job log (0) log
2021/05/13 04:14 21m bisect fix upstream job log (0) log
2021/04/12 15:33 21m bisect fix upstream job log (0) log
2021/03/13 15:12 20m bisect fix upstream job log (0) log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2021/02/20 14:25 4h15m bisect upstream job log (1) log
2021/02/11 15:12 0m bisect upstream error job log (0)

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: use-after-free in v4l2_fh_open+0xc7/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
Read of size 8 at addr ffff88801e3448b8 by task v4l_id/9085

CPU: 1 PID: 9085 Comm: v4l_id Not tainted 5.13.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 print_address_description+0x5f/0x3b0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x15c/0x200 mm/kasan/report.c:436
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xc7/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
 em28xx_v4l2_open+0x15c/0xa60 drivers/media/usb/em28xx/em28xx-video.c:2163
 v4l2_open+0x229/0x360 drivers/media/v4l2-core/v4l2-dev.c:429
 chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
 do_dentry_open+0x7cb/0x1010 fs/open.c:826
 do_open fs/namei.c:3361 [inline]
 path_openat+0x28e6/0x39b0 fs/namei.c:3494
 do_filp_open+0x221/0x460 fs/namei.c:3521
 do_sys_openat2+0x124/0x460 fs/open.c:1187
 do_sys_open fs/open.c:1203 [inline]
 __do_sys_open fs/open.c:1211 [inline]
 __se_sys_open fs/open.c:1207 [inline]
 __x64_sys_open+0x221/0x270 fs/open.c:1207
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f35ca4d3840
Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
RSP: 002b:00007ffd4728d3b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffd4728d528 RCX: 00007f35ca4d3840
RDX: 00007f35ca4bfea0 RSI: 0000000000000000 RDI: 00007ffd4728ef1e
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 00005644f66df8d0
R13: 00007ffd4728d520 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea000078d100 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1e344
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00005be908 ffff88813fffb910 0000000000000000
raw: 0000000000000000 0000000000000002 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 8571, ts 62798090898, free_ts 62877735033
 prep_new_page mm/page_alloc.c:2358 [inline]
 get_page_from_freelist+0x779/0xa20 mm/page_alloc.c:3994
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5200
 kmalloc_order+0x41/0x170 mm/slab_common.c:924
 kmalloc_order_trace+0x15/0x70 mm/slab_common.c:940
 kmalloc_large include/linux/slab.h:485 [inline]
 kmalloc include/linux/slab.h:549 [inline]
 kzalloc include/linux/slab.h:686 [inline]
 em28xx_v4l2_init+0x1c3/0x4f90 drivers/media/usb/em28xx/em28xx-video.c:2542
 em28xx_init_extension+0x128/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1126
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 process_scheduled_works kernel/workqueue.c:2338 [inline]
 worker_thread+0xdad/0x1300 kernel/workqueue.c:2427
 kthread+0x39a/0x3c0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1298 [inline]
 __free_pages_ok+0x10a5/0x1180 mm/page_alloc.c:1572
 kfree+0x287/0x2d0 mm/slub.c:4214
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2128 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x22cb/0x4f90 drivers/media/usb/em28xx/em28xx-video.c:2911
 em28xx_init_extension+0x128/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1126
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 process_scheduled_works kernel/workqueue.c:2338 [inline]
 worker_thread+0xdad/0x1300 kernel/workqueue.c:2427
 kthread+0x39a/0x3c0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Memory state around the buggy address:
 ffff88801e344780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801e344800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801e344880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff88801e344900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801e344980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/06/14 07:09 upstream e4e453434a19 1ba81399 .config console log report syz C ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in v4l2_fh_open
2021/06/04 08:21 upstream f88cd3fb9df2 0740de69 .config console log report syz C ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in v4l2_fh_open
2021/02/11 15:12 upstream 291009f656e8 a52ee10a .config console log report syz C ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in v4l2_fh_open
* Struck through repros no longer work on HEAD.