syzbot


KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups

Status: auto-obsoleted due to no activity on 2024/02/14 08:18
Subsystems: usb
Reported-by: syzbot+d6b0b0ea0781c14b2ecf@syzkaller.appspotmail.com
First crash: 387d, last: 197d
Cause bisection: introduced by (bisect log):
commit 9b4feb630e8e9801603f3cab3a36369e3c1cf88d
Author: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri May 24 09:31:44 2019 +0000

  arch: wire-up close_range()

Crash: KASAN: use-after-free Write in usb_anchor_suspend_wakeups (log)
Repro: C syz .config
Fix bisection: fixed by (bisect log) [ignored commit]:
commit 9ad08fb1bcfdebfe71f9485affacfc24dd1b486b
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date: Thu Sep 28 14:35:36 2023 +0000

  wifi: mac80211: fix a expired vs. cancel race in roc

Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups 3 (5) 2023/08/17 14:12
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups (2) usb C error 4 16d 49d 0/26 upstream: reported C repro on 2024/04/01 16:50
linux-5.15 KASAN: use-after-free Write in usb_anchor_suspend_wakeups origin:upstream C 1 25d 363d 0/3 upstream: reported C repro on 2023/05/24 03:23
Last patch testing requests (7)
Created Duration User Patch Repo Result
2024/01/15 09:01 23m retest repro upstream OK log
2023/11/06 07:50 27m retest repro upstream report log
2023/10/10 15:50 1h39m retest repro upstream report log
2023/08/22 21:20 15m retest repro upstream report log
2023/08/22 21:20 22m retest repro linux-next OK log
2023/05/02 07:00 21m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 89d77f71f493 OK log
2023/05/02 04:09 14m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 89d77f71f493 report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2023/12/07 02:12 9h25m bisect fix upstream job log (1)
2023/07/15 08:47 2h10m bisect fix upstream job log (0) log
2023/05/30 00:00 37m bisect fix upstream job log (0) log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2023/08/11 22:05 11h45m bisect upstream job log (1) log
2023/04/30 11:54 6h52m bisect upstream job log (0) log
marked invalid by nogikh@google.com

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
BUG: KASAN: slab-use-after-free in usb_anchor_suspend_wakeups drivers/usb/core/urb.c:942 [inline]
BUG: KASAN: slab-use-after-free in usb_anchor_suspend_wakeups+0x28/0x40 drivers/usb/core/urb.c:939
Write of size 4 at addr ffff888029ac5910 by task kworker/1:0/5049

CPU: 1 PID: 5049 Comm: kworker/1:0 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0x141/0x190 mm/kasan/generic.c:187
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
 usb_anchor_suspend_wakeups drivers/usb/core/urb.c:942 [inline]
 usb_anchor_suspend_wakeups+0x28/0x40 drivers/usb/core/urb.c:939
 __usb_hcd_giveback_urb+0x213/0x5c0 drivers/usb/core/hcd.c:1658
 usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754
 dummy_timer+0x13b6/0x3400 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
 expire_timers+0x29b/0x4b0 kernel/time/timer.c:1751
 __run_timers kernel/time/timer.c:2022 [inline]
 __run_timers kernel/time/timer.c:1995 [inline]
 run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
 __do_softirq+0x1d4/0x905 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x114/0x190 kernel/softirq.c:650
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200
Code: 16 01 8f 02 66 0f 1f 44 00 00 f3 0f 1e fa 48 8b be a8 01 00 00 e8 b0 ff ff ff 31 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 <f3> 0f 1e fa 65 8b 05 dd 74 7f 7e 89 c1 48 8b 34 24 81 e1 00 01 00
RSP: 0018:ffffc90003e3f5e0 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000200 RCX: 0000000000000000
RDX: ffff88807dadbb80 RSI: ffffffff81685f45 RDI: 0000000000000007
RBP: ffffffff8d265078 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000200 R11: 205d393430355420 R12: 0000000000000000
R13: ffffffff8d265020 R14: dffffc0000000000 R15: 0000000000000001
 console_emit_next_record arch/x86/include/asm/irqflags.h:42 [inline]
 console_flush_all+0x61b/0xcc0 kernel/printk/printk.c:2933
 console_unlock+0xb8/0x1f0 kernel/printk/printk.c:3007
 vprintk_emit+0x1bd/0x600 kernel/printk/printk.c:2307
 dev_vprintk_emit drivers/base/core.c:4840 [inline]
 dev_printk_emit+0xda/0x120 drivers/base/core.c:4851
 __dev_printk+0xf8/0x270 drivers/base/core.c:4863
 _dev_info+0xdc/0x120 drivers/base/core.c:4909
 usb_disconnect+0xe1/0x8a0 drivers/usb/core/hub.c:2220
 hub_port_connect drivers/usb/core/hub.c:5246 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5551 [inline]
 port_event drivers/usb/core/hub.c:5711 [inline]
 hub_event+0x1fbf/0x4e40 drivers/usb/core/hub.c:5793
 process_one_work+0x99a/0x15e0 kernel/workqueue.c:2405
 process_scheduled_works kernel/workqueue.c:2468 [inline]
 worker_thread+0x881/0x10c0 kernel/workqueue.c:2554
 kthread+0x344/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

Allocated by task 6529:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 ____kasan_kmalloc mm/kasan/common.c:333 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:680 [inline]
 usbtmc_open+0xaa/0x9c0 drivers/usb/class/usbtmc.c:175
 usb_open+0x208/0x2e0 drivers/usb/core/file.c:48
 chrdev_open+0x26a/0x770 fs/char_dev.c:414
 do_dentry_open+0x6cc/0x13f0 fs/open.c:920
 do_open fs/namei.c:3636 [inline]
 path_openat+0x1baa/0x2750 fs/namei.c:3791
 do_filp_open+0x1ba/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x143/0x1f0 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 6529:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:521
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
 slab_free mm/slub.c:3786 [inline]
 __kmem_cache_free+0xaf/0x2d0 mm/slub.c:3799
 usbtmc_release+0x289/0x3a0 drivers/usb/class/usbtmc.c:261
 __fput+0x27c/0xa90 fs/file_table.c:321
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888029ac5800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 272 bytes inside of
 freed 1024-byte region [ffff888029ac5800, ffff888029ac5c00)

The buggy address belongs to the physical page:
page:ffffea0000a6b000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29ac0
head:ffffea0000a6b000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff888012441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5053, tgid 5053 (kworker/u4:1), ts 613662617115, free_ts 613241850267
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0xf41/0x2c00 mm/page_alloc.c:3502
 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4768
 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2279
 alloc_slab_page mm/slub.c:1851 [inline]
 allocate_slab+0x25f/0x390 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0xa91/0x1400 mm/slub.c:3192
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3291
 __slab_alloc_node mm/slub.c:3344 [inline]
 slab_alloc_node mm/slub.c:3441 [inline]
 __kmem_cache_alloc_node+0x136/0x320 mm/slub.c:3490
 __do_kmalloc_node mm/slab_common.c:965 [inline]
 __kmalloc+0x4e/0x190 mm/slab_common.c:979
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:680 [inline]
 ieee802_11_parse_elems_full+0x106/0x1340 net/mac80211/util.c:1609
 ieee802_11_parse_elems_crc.constprop.0+0x99/0xd0 net/mac80211/ieee80211_i.h:2305
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2312 [inline]
 ieee80211_bss_info_update+0x410/0xb50 net/mac80211/scan.c:212
 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x19c9/0x3030 net/mac80211/ibss.c:1638
 ieee80211_iface_process_skb net/mac80211/iface.c:1594 [inline]
 ieee80211_iface_work+0xa4d/0xd70 net/mac80211/iface.c:1648
 process_one_work+0x99a/0x15e0 kernel/workqueue.c:2405
 worker_thread+0x67d/0x10c0 kernel/workqueue.c:2552
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1302 [inline]
 free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2564
 free_unref_page+0x33/0x370 mm/page_alloc.c:2659
 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2636
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:711 [inline]
 slab_alloc_node mm/slub.c:3451 [inline]
 __kmem_cache_alloc_node+0x17c/0x320 mm/slub.c:3490
 __do_kmalloc_node mm/slab_common.c:965 [inline]
 __kmalloc+0x4e/0x190 mm/slab_common.c:979
 kmalloc include/linux/slab.h:563 [inline]
 tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x21a/0x570 security/tomoyo/file.c:723
 security_file_ioctl+0x54/0xb0 security/security.c:2608
 __do_sys_ioctl fs/ioctl.c:864 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0xb7/0x210 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888029ac5800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888029ac5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888029ac5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888029ac5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888029ac5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	01 8f 02 66 0f 1f    	add    %ecx,0x1f0f6602(%rdi)
   6:	44 00 00             	add    %r8b,(%rax)
   9:	f3 0f 1e fa          	endbr64
   d:	48 8b be a8 01 00 00 	mov    0x1a8(%rsi),%rdi
  14:	e8 b0 ff ff ff       	callq  0xffffffc9
  19:	31 c0                	xor    %eax,%eax
  1b:	c3                   	retq
  1c:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  23:	00 00 00 00
  27:	66 90                	xchg   %ax,%ax
* 29:	f3 0f 1e fa          	endbr64 <-- trapping instruction
  2d:	65 8b 05 dd 74 7f 7e 	mov    %gs:0x7e7f74dd(%rip),%eax        # 0x7e7f7511
  34:	89 c1                	mov    %eax,%ecx
  36:	48 8b 34 24          	mov    (%rsp),%rsi
  3a:	81                   	.byte 0x81
  3b:	e1 00                	loope  0x3d
  3d:	01 00                	add    %eax,(%rax)

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/06/14 18:50 upstream b6dad5178cea d2ee9228 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/04/30 00:00 upstream 89d77f71f493 62df2017 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/07/18 20:34 linux-next aeba456828b4 022df2bb .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/10/23 07:02 upstream fe3cfe869d5e 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/10/11 11:47 upstream 1c8b86a3799f 83165b57 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/26 01:31 upstream 6465e260f487 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/21 11:42 upstream 42dc814987c1 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/20 11:58 upstream 2cf0f7156238 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/20 02:21 upstream 2cf0f7156238 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/18 10:24 upstream ce9ecca0238b 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/17 13:29 upstream f0b0d403eabb 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/09/09 18:32 upstream 6099776f9f26 6654cf89 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/06/13 14:31 upstream fb054096aea0 749afb64 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
2023/04/29 22:22 upstream 89d77f71f493 62df2017 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
* Struck through repros no longer work on HEAD.