syzbot

KASAN: use-after-free Read in load_firmware_cb

Status: upstream: reported C repro on 2020/02/27 14:20
Reported-by: syzbot+434bc1054077aac11da3@syzkaller.appspotmail.com
First crash: 942d, last: 25d
Patch testing requests:
Created           Duration  User                    Patch  Repo      Result
2022/08/31 12:27  18m                                      upstream  report log
2020/09/16 03:59  16m       brookebasile@gmail.com         upstream  OK

Sample crash report:
em28xx 5-1:0.254: Registering V4L2 extension
i2c i2c-2: Invalid 7-bit I2C address 0x00
tuner: 2-0061: Tuner -1 found with type(s) Radio TV.
xc2028 2-0061: creating new instance
xc2028 2-0061: type set to XCeive xc2028/xc3028 tuner
em28xx 5-1:0.254: Config register raw data: 0xffffffed
em28xx 5-1:0.254: AC97 chip type couldn't be determined
em28xx 5-1:0.254: No AC97 audio processor
em28xx 5-1:0.254: Registered radio device as radio32
usb 5-1: Decoder not found
em28xx 5-1:0.254: failed to create media graph
em28xx 5-1:0.254: V4L2 device radio32 deregistered
em28xx 5-1:0.254: V4L2 device video71 deregistered
xc2028 2-0061: destroying instance
em28xx 5-1:0.254: Registering input extension
usb 5-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
usb 5-1:0.254: Falling back to sysfs fallback for: xc3028-v27.fw
kobject_add_internal failed for firmware (error: -2 parent: 5-1:0.254)
firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x269/0x290 drivers/media/tuners/xc2028.c:1364
Read of size 8 at addr ffff8880231c2318 by task kworker/0:0/6

CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 5.17.0-syzkaller-10734-gcb7cbaae7fd9 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 load_firmware_cb+0x269/0x290 drivers/media/tuners/xc2028.c:1364
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 6:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3582
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
 i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xb83/0x1e20 drivers/base/core.c:3405
 i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
 v4l2_i2c_new_subdev_board+0xaf/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:80
 v4l2_i2c_new_subdev+0x102/0x170 drivers/media/v4l2-core/v4l2-i2c.c:135
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2627 [inline]
 em28xx_v4l2_init.cold+0x9cb/0x329c drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 6:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3438 [inline]
 kfree+0xfb/0x2c0 mm/slab.c:3809
 tuner_remove+0x198/0x200 drivers/media/v4l2-core/tuner-core.c:791
 i2c_device_remove+0x7b/0x240 drivers/i2c/i2c-core-base.c:606
 __device_release_driver+0x3bd/0x760 drivers/base/dd.c:1207
 device_release_driver_internal drivers/base/dd.c:1242 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1265
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
 device_del+0x4f3/0xc80 drivers/base/core.c:3592
 device_unregister+0x1f/0xc0 drivers/base/core.c:3624
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_subdev_unregister+0xa2/0xc0 drivers/media/v4l2-core/v4l2-i2c.c:28
 v4l2_device_unregister drivers/media/v4l2-core/v4l2-device.c:102 [inline]
 v4l2_device_unregister+0x20d/0x2e0 drivers/media/v4l2-core/v4l2-device.c:88
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2908 [inline]
 em28xx_v4l2_init.cold+0xd26/0x329c drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff8880231c2000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 792 bytes inside of
 2048-byte region [ffff8880231c2000, ffff8880231c2800)

The buggy address belongs to the physical page:
page:ffffea00008c7080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x231c2
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000054a8c8 ffffea000087ccc8 ffff888010c40800
raw: 0000000000000000 ffff8880231c2000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 6, tgid 6 (kworker/0:0), ts 50536143903, free_ts 48667167805
 prep_new_page mm/page_alloc.c:2438 [inline]
 get_page_from_freelist+0xba2/0x3df0 mm/page_alloc.c:4179
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5405
 __alloc_pages_node include/linux/gfp.h:589 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3309 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3580
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
 i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xb83/0x1e20 drivers/base/core.c:3405
 i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1353 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1403
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3420
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Memory state around the buggy address:
 ffff8880231c2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880231c2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880231c2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880231c2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880231c2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (12):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream 2022/03/26 13:05 upstream cb7cbaae7fd9 89bc8608 .config log report syz C KASAN: use-after-free Read in load_firmware_cb
ci-qemu-upstream 2022/03/13 09:24 upstream aad611a868d1 9e8eaa75 .config log report syz C KASAN: use-after-free Read in load_firmware_cb
ci-qemu-upstream 2022/03/13 09:12 upstream aad611a868d1 9e8eaa75 .config log report syz C KASAN: use-after-free Read in load_firmware_cb
ci-qemu-upstream 2022/03/07 12:08 upstream ffb217a13a2e 7bdd8b2c .config log report syz C KASAN: use-after-free Read in load_firmware_cb
ci-qemu-upstream 2022/03/07 11:10 upstream ffb217a13a2e 7bdd8b2c .config log report syz C KASAN: use-after-free Read in load_firmware_cb
ci2-upstream-usb 2020/05/15 00:53 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 2d572622 .config log report syz C
ci2-upstream-usb 2020/03/19 23:32 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 2c31c529 .config log report syz C
ci2-upstream-usb 2020/03/06 13:54 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 7fb694ef .config log report syz C
ci2-upstream-usb 2020/02/26 21:05 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 251aabb7 .config log report syz C
ci2-upstream-usb 2021/05/02 17:43 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 4a0225c3d208 77e2b668 .config log report info KASAN: use-after-free Read in load_firmware_cb
ci2-upstream-usb 2021/01/30 12:43 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3c648d3deb0f fc9fd31e .config log report info KASAN: use-after-free Read in load_firmware_cb
ci2-upstream-usb 2020/12/02 05:05 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing ebad43260d22 c42a35e9 .config log report info
* Struck through repros no longer work on HEAD.