KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh

KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
Status: auto-closed as invalid on 2021/01/02 08:21
Reported-by: syzbot+0158aeaaf21c1e19fac4@syzkaller.appspotmail.com
First crash: 253d, last: 250d

similar bugs (4):
Kernel	Title	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status	6	8d10h	127d	0/1	upstream: reported on 2021/01/05 09:57
linux-4.19	KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)	3	21d	28d	0/1	upstream: reported on 2021/04/14 12:03
upstream	KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status	3	617d	623d	0/22	auto-closed as invalid on 2020/01/01 21:24
upstream	KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)	18	1d15h	246d	0/22	upstream: reported on 2020/09/08 07:37

Sample crash report:

bridge0: port 1(bridge_slave_0) entered disabled state
bridge0: port 2(bridge_slave_1) entered disabled state
usb usb9: usbfs: process 28542 (syz-executor.2) did not claim interface 0 before use
ip6t_srh: unknown srh match flags  4800
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:373 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x387/0x6f0 drivers/usb/core/hcd.c:771
Write of size 2 at addr ffff88809b517dc0 by task syz-executor.5/28387

CPU: 1 PID: 28387 Comm: syz-executor.5 Not tainted 4.19.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report+0x8f/0x96 mm/kasan/report.c:412
 memcpy+0x35/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:373 [inline]
 usb_hcd_poll_rh_status+0x387/0x6f0 drivers/usb/core/hcd.c:771
 call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
 expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1716
8021q: adding VLAN 0 to HW filter on device bond0
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:do_syscall_64+0x56/0x620 arch/x86/entry/common.c:281
Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 2d 05 00 00 48 83 3d 14 c3 d1 07 00 0f 84 44 04 00 00 e8 81 19 69 00 fb 66 0f 1f 44 00 00 <65> 4c 8b 24 25 40 ee 01 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2
RSP: 0018:ffff88805068ff28 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
RAX: ffff8880a94aa280 RBX: 000000000000003d RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8100984f RDI: ffff8880a94aab04
RBP: ffff88805068ff58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88d25b58 R14: 0000000000000000 R15: 0000000000000000
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4171fb
Code: 54 55 41 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 1b f9 ff ff 45 31 d2 41 89 c0 49 63 d4 48 89 ee 48 63 fb b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 19 44 89 c7 89 44 24 0c e8 51 f9 ff ff 8b 44
RSP: 002b:00007ffe92a4b6b0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00000000004171fb
RDX: 0000000040000001 RSI: 00007ffe92a4b710 RDI: ffffffffffffffff
RBP: 00007ffe92a4b710 R08: 0000000000000000 R09: 00000000033d8940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040000001
R13: 00007ffe92a4b710 R14: 00000000001946e0 R15: 00007ffe92a4b720

Allocated by task 28542:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 proc_do_submiturb+0x2d08/0x3af0 drivers/usb/core/devio.c:1668
 proc_submiturb drivers/usb/core/devio.c:1822 [inline]
 usbdev_do_ioctl+0x773/0x3030 drivers/usb/core/devio.c:2476
 usbdev_ioctl+0x21/0x30 drivers/usb/core/devio.c:2580
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 kfree_const+0x51/0x60 mm/util.c:38
 kernfs_put.part.0+0x159/0x590 fs/kernfs/dir.c:532
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:515
 sysfs_put include/linux/sysfs.h:547 [inline]
 kobject_del lib/kobject.c:593 [inline]
 kobject_del lib/kobject.c:584 [inline]
 kobject_cleanup lib/kobject.c:656 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x16e/0x350 lib/kobject.c:708
 netdev_queue_update_kobjects+0x28b/0x3c0 net/core/net-sysfs.c:1524
 remove_queue_kobjects net/core/net-sysfs.c:1577 [inline]
 netdev_unregister_kobject+0x159/0x1e0 net/core/net-sysfs.c:1727
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
 rollback_registered_many+0x646/0xde0 net/core/dev.c:8211
 unregister_netdevice_many.part.0+0x1a/0x300 net/core/dev.c:9310
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
 unregister_netdevice_many net/core/dev.c:9309 [inline]
 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:9781
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:156
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready

The buggy address belongs to the object at ffff88809b517dc0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff88809b517dc0, ffff88809b517de0)
The buggy address belongs to the page:
page:ffffea00026d45c0 count:1 mapcount:0 mapping:ffff88812c39c1c0 index:0xffff88809b517fc1
8021q: adding VLAN 0 to HW filter on device team0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000258d548 ffffea00028f1d48 ffff88812c39c1c0
raw: ffff88809b517fc1 ffff88809b517000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809b517c80: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809b517d00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88809b517d80: fb fb fb fb fc fc fc fc 01 fc fc fc fc fc fc fc
                                           ^
 ffff88809b517e00: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
 ffff88809b517e80: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================

Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci2-linux-4-19	2020/09/04 08:20	linux-4.19.y	c37da90e	abf9ba4f	.config	log	report
ci2-linux-4-19	2020/09/01 15:07	linux-4.19.y	f6d5cb9e	d5a3ae1f	.config	log	report