| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | 3 (5) | 2023/08/17 14:12 |
syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [1016] ≡ Subsystems 🐞 Fixed [5251] 🐞 Invalid [12563] ⬇ Missing Backports [85] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | 3 (5) | 2023/08/17 14:12 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2024/01/15 09:01 | 23m | retest repro | upstream | OK log | |
| 2023/11/06 07:50 | 27m | retest repro | upstream | report log | |
| 2023/10/10 15:50 | 1h39m | retest repro | upstream | report log | |
| 2023/08/22 21:20 | 15m | retest repro | upstream | report log | |
| 2023/08/22 21:20 | 22m | retest repro | linux-next | OK log | |
| 2023/05/02 07:00 | 21m | hdanton@sina.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 89d77f71f493 | OK log |
| 2023/05/02 04:09 | 14m | hdanton@sina.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 89d77f71f493 | report log |
================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline] BUG: KASAN: slab-use-after-free in usb_anchor_suspend_wakeups drivers/usb/core/urb.c:942 [inline] BUG: KASAN: slab-use-after-free in usb_anchor_suspend_wakeups+0x28/0x40 drivers/usb/core/urb.c:939 Write of size 4 at addr ffff888029ac5910 by task kworker/1:0/5049 CPU: 1 PID: 5049 Comm: kworker/1:0 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Workqueue: usb_hub_wq hub_event Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline] usb_anchor_suspend_wakeups drivers/usb/core/urb.c:942 [inline] usb_anchor_suspend_wakeups+0x28/0x40 drivers/usb/core/urb.c:939 __usb_hcd_giveback_urb+0x213/0x5c0 drivers/usb/core/hcd.c:1658 usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754 dummy_timer+0x13b6/0x3400 drivers/usb/gadget/udc/dummy_hcd.c:1988 call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700 expire_timers+0x29b/0x4b0 kernel/time/timer.c:1751 __run_timers kernel/time/timer.c:2022 [inline] __run_timers kernel/time/timer.c:1995 [inline] run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 __do_softirq+0x1d4/0x905 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x114/0x190 kernel/softirq.c:650 irq_exit_rcu+0x9/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1106 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645 RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200 Code: 16 01 8f 02 66 0f 1f 44 00 00 f3 0f 1e fa 48 8b be a8 01 00 00 e8 b0 ff ff ff 31 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 <f3> 0f 1e fa 65 8b 05 dd 74 7f 7e 89 c1 48 8b 34 24 81 e1 00 01 00 RSP: 0018:ffffc90003e3f5e0 EFLAGS: 00000293 RAX: 0000000000000000 RBX: 0000000000000200 RCX: 0000000000000000 RDX: ffff88807dadbb80 RSI: ffffffff81685f45 RDI: 0000000000000007 RBP: ffffffff8d265078 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000200 R11: 205d393430355420 R12: 0000000000000000 R13: ffffffff8d265020 R14: dffffc0000000000 R15: 0000000000000001 console_emit_next_record arch/x86/include/asm/irqflags.h:42 [inline] console_flush_all+0x61b/0xcc0 kernel/printk/printk.c:2933 console_unlock+0xb8/0x1f0 kernel/printk/printk.c:3007 vprintk_emit+0x1bd/0x600 kernel/printk/printk.c:2307 dev_vprintk_emit drivers/base/core.c:4840 [inline] dev_printk_emit+0xda/0x120 drivers/base/core.c:4851 __dev_printk+0xf8/0x270 drivers/base/core.c:4863 _dev_info+0xdc/0x120 drivers/base/core.c:4909 usb_disconnect+0xe1/0x8a0 drivers/usb/core/hub.c:2220 hub_port_connect drivers/usb/core/hub.c:5246 [inline] hub_port_connect_change drivers/usb/core/hub.c:5551 [inline] port_event drivers/usb/core/hub.c:5711 [inline] hub_event+0x1fbf/0x4e40 drivers/usb/core/hub.c:5793 process_one_work+0x99a/0x15e0 kernel/workqueue.c:2405 process_scheduled_works kernel/workqueue.c:2468 [inline] worker_thread+0x881/0x10c0 kernel/workqueue.c:2554 kthread+0x344/0x440 kernel/kthread.c:379 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> Allocated by task 6529: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] ____kasan_kmalloc mm/kasan/common.c:333 [inline] __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:559 [inline] kzalloc include/linux/slab.h:680 [inline] usbtmc_open+0xaa/0x9c0 drivers/usb/class/usbtmc.c:175 usb_open+0x208/0x2e0 drivers/usb/core/file.c:48 chrdev_open+0x26a/0x770 fs/char_dev.c:414 do_dentry_open+0x6cc/0x13f0 fs/open.c:920 do_open fs/namei.c:3636 [inline] path_openat+0x1baa/0x2750 fs/namei.c:3791 do_filp_open+0x1ba/0x410 fs/namei.c:3818 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x143/0x1f0 fs/open.c:1383 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 6529: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:521 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:162 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807 slab_free mm/slub.c:3786 [inline] __kmem_cache_free+0xaf/0x2d0 mm/slub.c:3799 usbtmc_release+0x289/0x3a0 drivers/usb/class/usbtmc.c:261 __fput+0x27c/0xa90 fs/file_table.c:321 task_work_run+0x16f/0x270 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff888029ac5800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 272 bytes inside of freed 1024-byte region [ffff888029ac5800, ffff888029ac5c00) The buggy address belongs to the physical page: page:ffffea0000a6b000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29ac0 head:ffffea0000a6b000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000010200 ffff888012441dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5053, tgid 5053 (kworker/u4:1), ts 613662617115, free_ts 613241850267 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1731 prep_new_page mm/page_alloc.c:1738 [inline] get_page_from_freelist+0xf41/0x2c00 mm/page_alloc.c:3502 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4768 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279 alloc_slab_page mm/slub.c:1851 [inline] allocate_slab+0x25f/0x390 mm/slub.c:1998 new_slab mm/slub.c:2051 [inline] ___slab_alloc+0xa91/0x1400 mm/slub.c:3192 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3291 __slab_alloc_node mm/slub.c:3344 [inline] slab_alloc_node mm/slub.c:3441 [inline] __kmem_cache_alloc_node+0x136/0x320 mm/slub.c:3490 __do_kmalloc_node mm/slab_common.c:965 [inline] __kmalloc+0x4e/0x190 mm/slab_common.c:979 kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:680 [inline] ieee802_11_parse_elems_full+0x106/0x1340 net/mac80211/util.c:1609 ieee802_11_parse_elems_crc.constprop.0+0x99/0xd0 net/mac80211/ieee80211_i.h:2305 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2312 [inline] ieee80211_bss_info_update+0x410/0xb50 net/mac80211/scan.c:212 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline] ieee80211_ibss_rx_queued_mgmt+0x19c9/0x3030 net/mac80211/ibss.c:1638 ieee80211_iface_process_skb net/mac80211/iface.c:1594 [inline] ieee80211_iface_work+0xa4d/0xd70 net/mac80211/iface.c:1648 process_one_work+0x99a/0x15e0 kernel/workqueue.c:2405 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2552 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1302 [inline] free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2564 free_unref_page+0x33/0x370 mm/page_alloc.c:2659 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2636 qlink_free mm/kasan/quarantine.c:166 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:711 [inline] slab_alloc_node mm/slub.c:3451 [inline] __kmem_cache_alloc_node+0x17c/0x320 mm/slub.c:3490 __do_kmalloc_node mm/slab_common.c:965 [inline] __kmalloc+0x4e/0x190 mm/slab_common.c:979 kmalloc include/linux/slab.h:563 [inline] tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_number_perm+0x21a/0x570 security/tomoyo/file.c:723 security_file_ioctl+0x54/0xb0 security/security.c:2608 __do_sys_ioctl fs/ioctl.c:864 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0xb7/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff888029ac5800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888029ac5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888029ac5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888029ac5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888029ac5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 01 8f 02 66 0f 1f add %ecx,0x1f0f6602(%rdi) 6: 44 00 00 add %r8b,(%rax) 9: f3 0f 1e fa endbr64 d: 48 8b be a8 01 00 00 mov 0x1a8(%rsi),%rdi 14: e8 b0 ff ff ff callq 0xffffffc9 19: 31 c0 xor %eax,%eax 1b: c3 retq 1c: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1) 23: 00 00 00 00 27: 66 90 xchg %ax,%ax * 29: f3 0f 1e fa endbr64 <-- trapping instruction 2d: 65 8b 05 dd 74 7f 7e mov %gs:0x7e7f74dd(%rip),%eax # 0x7e7f7511 34: 89 c1 mov %eax,%ecx 36: 48 8b 34 24 mov (%rsp),%rsi 3a: 81 .byte 0x81 3b: e1 00 loope 0x3d 3d: 01 00 add %eax,(%rax)
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/06/14 18:50 | upstream | b6dad5178cea | d2ee9228 | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | |
| 2023/04/30 00:00 | upstream | 89d77f71f493 | 62df2017 | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | |
| 2023/07/18 20:34 | linux-next | aeba456828b4 | 022df2bb | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | |
| 2023/10/23 07:02 | upstream | fe3cfe869d5e | 361b23dc | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/10/11 11:47 | upstream | 1c8b86a3799f | 83165b57 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/26 01:31 | upstream | 6465e260f487 | 0b6a67ac | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/21 11:42 | upstream | 42dc814987c1 | 0b6a67ac | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/20 11:58 | upstream | 2cf0f7156238 | 0b6a67ac | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/20 02:21 | upstream | 2cf0f7156238 | 0b6a67ac | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/18 10:24 | upstream | ce9ecca0238b | 0b6a67ac | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/17 13:29 | upstream | f0b0d403eabb | 0b6a67ac | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/09/09 18:32 | upstream | 6099776f9f26 | 6654cf89 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/06/13 14:31 | upstream | fb054096aea0 | 749afb64 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups | ||
| 2023/04/29 22:22 | upstream | 89d77f71f493 | 62df2017 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups |