syzbot


KASAN: use-after-free Write in input_ff_create

Status: auto-obsoleted due to no activity on 2022/08/27 06:41
Reported-by: syzbot+76c3e73ecd15671ec076@syzkaller.appspotmail.com
First crash: 1654d, last: 1654d
Last patch testing requests (1):
Created:   2022/08/27 05:27
Duration:  0m
User:      retest repro
Repo:      https://android.googlesource.com/kernel/common android-5.4
Result:    error

Sample crash report:
betop 0003:20BC:5500.0001: unknown main item tag 0x0
betop 0003:20BC:5500.0001: unknown main item tag 0x0
betop 0003:20BC:5500.0001: hidraw0: USB HID v0.00 Device [HID 20bc:5500] on usb-dummy_hcd.0-1/input0
==================================================================
BUG: KASAN: use-after-free in input_ff_create+0x157/0x350 drivers/input/ff-core.c:341
Write of size 8 at addr ffff8881d029d168 by task kworker/1:1/115

CPU: 1 PID: 115 Comm: kworker/1:1 Not tainted 5.4.40-syzkaller-00122-g79c00997a007 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x14a/0x1ce lib/dump_stack.c:118
 print_address_description+0x93/0x620 mm/kasan/report.c:374
 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
 kasan_report+0x34/0x60 mm/kasan/common.c:634
 input_ff_create+0x157/0x350 drivers/input/ff-core.c:341
 input_ff_create_memless+0x14d/0x6d0 drivers/input/ff-memless.c:530
 betopff_init drivers/hid/hid-betopff.c:101 [inline]
 betop_probe+0x3ee/0x5c0 drivers/hid/hid-betopff.c:134
 hid_device_probe+0x27a/0x420 drivers/hid/hid-core.c:2263
 really_probe+0x707/0xf70 drivers/base/dd.c:551
 driver_probe_device+0xe6/0x230 drivers/base/dd.c:724
 bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430
 __device_attach+0x27b/0x420 drivers/base/dd.c:897
 bus_probe_device+0xbb/0x200 drivers/base/bus.c:490
 device_add+0x105a/0x1750 drivers/base/core.c:2507
 hid_add_device+0xd7e/0xfd0 drivers/hid/hid-core.c:2419
 usbhid_probe+0x94e/0xcc0 drivers/hid/usbhid/hid-core.c:1386
 usb_probe_interface+0x631/0xad0 drivers/usb/core/driver.c:361
 really_probe+0x764/0xf70 drivers/base/dd.c:555
 driver_probe_device+0xe6/0x230 drivers/base/dd.c:724
 bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430
 __device_attach+0x27b/0x420 drivers/base/dd.c:897
 bus_probe_device+0xbb/0x200 drivers/base/bus.c:490
 device_add+0x105a/0x1750 drivers/base/core.c:2507
 usb_set_configuration+0x184c/0x1dc0 drivers/usb/core/message.c:2030
 generic_probe+0x82/0x140 drivers/usb/core/generic.c:210
 really_probe+0x764/0xf70 drivers/base/dd.c:555
 driver_probe_device+0xe6/0x230 drivers/base/dd.c:724
 bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430
 __device_attach+0x27b/0x420 drivers/base/dd.c:897
 bus_probe_device+0xbb/0x200 drivers/base/bus.c:490
 device_add+0x105a/0x1750 drivers/base/core.c:2507
 usb_new_device+0xda7/0x1710 drivers/usb/core/hub.c:2553
 hub_port_connect drivers/usb/core/hub.c:5122 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5237 [inline]
 port_event drivers/usb/core/hub.c:5383 [inline]
 hub_event+0x2963/0x4fa0 drivers/usb/core/hub.c:5465
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x2df/0x300 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 379:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x390 fs/file_table.c:101
 alloc_empty_file+0xa9/0x1b0 fs/file_table.c:151
 path_openat+0x11e/0x3d10 fs/namei.c:3635
 do_sys_open+0x387/0x7d0 fs/open.c:1106
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 0:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1424 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2158 [inline]
 rcu_core+0xbf0/0x1360 kernel/rcu/tree.c:2378

The buggy address belongs to the object at ffff8881d029d140
 which belongs to the cache filp of size 256
The buggy address is located 40 bytes inside of
 256-byte region [ffff8881d029d140, ffff8881d029d240)
The buggy address belongs to the page:
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea000742afc0 0000000a0000000a ffff8881da8ef900
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d029d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d029d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d029d100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                          ^
 ffff8881d029d200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
------------[ cut here ]------------
WARNING: CPU: 1 PID: 115 at mm/page_alloc.c:4809 __alloc_pages_nodemask+0x529/0x7c0 mm/page_alloc.c:4809
Modules linked in:
CPU: 1 PID: 115 Comm: kworker/1:1 Tainted: G    B             5.4.40-syzkaller-00122-g79c00997a007 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__alloc_pages_nodemask+0x529/0x7c0 mm/page_alloc.c:4809
Code: 24 e0 00 00 00 0f 85 a3 02 00 00 4c 89 e0 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 41 f7 c6 00 20 00 00 0f 85 c9 fc ff ff <0f> 0b 45 31 e4 eb 96 31 db e9 24 fc ff ff 65 48 8b 1c 25 00 ed 01
RSP: 0018:ffff8881d9c36620 EFLAGS: 00010046
RAX: ffff8881d9c366a0 RBX: 0000000000000012 RCX: 0000000000000000
RDX: 0000000000000028 RSI: 0000000000000000 RDI: ffff8881d9c366c8
RBP: ffff8881d9c36758 R08: dffffc0000000000 R09: ffff8881d9c366a0
R10: ffffed103b386cd9 R11: 0000000000000000 R12: 0000000020000007
R13: ffff8881d9c366a0 R14: 0000000000040a20 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881db900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f68ca763010 CR3: 00000001c6356003 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1317 [inline]
 kmalloc_order_trace+0x2a/0xf0 mm/slab_common.c:1333
 kmalloc_large include/linux/slab.h:485 [inline]
 __kmalloc+0x268/0x2d0 mm/slub.c:3810
 kmalloc include/linux/slab.h:561 [inline]
 hid_alloc_report_buf+0x73/0xc0 drivers/hid/hid-core.c:1630
 __usbhid_submit_report drivers/hid/usbhid/hid-core.c:588 [inline]
 usbhid_submit_report+0x499/0xb50 drivers/hid/usbhid/hid-core.c:638
 hid_hw_request include/linux/hid.h:1053 [inline]
 betopff_init drivers/hid/hid-betopff.c:108 [inline]
 betop_probe+0x550/0x5c0 drivers/hid/hid-betopff.c:134
 hid_device_probe+0x27a/0x420 drivers/hid/hid-core.c:2263
 really_probe+0x707/0xf70 drivers/base/dd.c:551
 driver_probe_device+0xe6/0x230 drivers/base/dd.c:724
 bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430
 __device_attach+0x27b/0x420 drivers/base/dd.c:897
 bus_probe_device+0xbb/0x200 drivers/base/bus.c:490
 device_add+0x105a/0x1750 drivers/base/core.c:2507
 hid_add_device+0xd7e/0xfd0 drivers/hid/hid-core.c:2419
 usbhid_probe+0x94e/0xcc0 drivers/hid/usbhid/hid-core.c:1386
 usb_probe_interface+0x631/0xad0 drivers/usb/core/driver.c:361
 really_probe+0x764/0xf70 drivers/base/dd.c:555
 driver_probe_device+0xe6/0x230 drivers/base/dd.c:724
 bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430
 __device_attach+0x27b/0x420 drivers/base/dd.c:897
 bus_probe_device+0xbb/0x200 drivers/base/bus.c:490
 device_add+0x105a/0x1750 drivers/base/core.c:2507
 usb_set_configuration+0x184c/0x1dc0 drivers/usb/core/message.c:2030
 generic_probe+0x82/0x140 drivers/usb/core/generic.c:210
 really_probe+0x764/0xf70 drivers/base/dd.c:555
 driver_probe_device+0xe6/0x230 drivers/base/dd.c:724
 bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430
 __device_attach+0x27b/0x420 drivers/base/dd.c:897
 bus_probe_device+0xbb/0x200 drivers/base/bus.c:490
 device_add+0x105a/0x1750 drivers/base/core.c:2507
 usb_new_device+0xda7/0x1710 drivers/usb/core/hub.c:2553
 hub_port_connect drivers/usb/core/hub.c:5122 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5237 [inline]
 port_event drivers/usb/core/hub.c:5383 [inline]
 hub_event+0x2963/0x4fa0 drivers/usb/core/hub.c:5465
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x2df/0x300 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
---[ end trace ed459a7fa9582a96 ]---
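Reading the report: the faulting access is the 8-byte store at drivers/input/ff-core.c:341 in input_ff_create (the dev->ff assignment), reached from betopff_init through input_ff_create_memless while the hub workqueue probes a freshly enumerated USB HID device. KASAN places the written address 40 bytes inside a 256-byte object of the filp cache, allocated by __alloc_file for an open() and released from an RCU callback, so the dev pointer that betopff_init handed down is not an input_dev at all: the driver is writing through a bogus pointer into an unrelated, already-freed struct file. The second splat, the WARN_ON_ONCE in __alloc_pages_nodemask that fires for an allocation order beyond MAX_ORDER, comes from hid_alloc_report_buf during the same probe on a kernel already tainted by the first bug and is a downstream symptom, not an independent finding. One way a HID force-feedback probe routine ends up with such a pointer is calling list_first_entry() on hid->inputs without first checking that the list is non-empty: on an empty list the macro returns a pointer computed from the list head itself, and the following ->input load reads whatever field happens to sit after the head inside hid_device. The report does not include the betopff_init source, so treat that mechanism as an assumption rather than an established root cause. The C program below is an added, user-space model written for this page; it is not kernel code and not part of the syzbot report. It uses shrunken stand-ins for struct hid_device, struct hid_input, struct input_dev and the list helpers (the real layouts have many more fields), reproduces the pointer arithmetic on an input-less device, and shows the list_empty() guard a probe routine wants before dereferencing the first entry:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space stand-ins for the kernel list helpers used by HID drivers. */
struct list_head {
	struct list_head *next, *prev;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Same arithmetic as the kernel macro: it never checks whether the list is empty. */
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)

static int list_empty(const struct list_head *head)
{
	return head->next == head;
}

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	entry->next = head;
	entry->prev = head->prev;
	head->prev->next = entry;
	head->prev = entry;
}

/* Shrunken models of the kernel structs (assumption: real layouts differ). */
struct ff_device { int max_effects; };
struct input_dev { struct ff_device *ff; };   /* ff-core.c:341 stores into dev->ff */
struct hid_input {
	struct list_head list;                     /* linked into hid_device.inputs */
	struct input_dev *input;
};
struct hid_device {
	struct list_head inputs;                   /* empty when no input was registered */
	void *driver_data;                         /* whatever field follows the list head */
};

/* Stand-in for the unrelated, already-freed 256-byte filp object in the report. */
struct freed_file { char bytes[256]; };
static struct freed_file stale_file;

/* A hid_device that never got an input: its inputs list points back at itself. */
static struct hid_device empty_hid = {
	.inputs = { &empty_hid.inputs, &empty_hid.inputs },
	.driver_data = &stale_file,
};

static struct ff_device ff_instance = { .max_effects = 16 };

/* Unguarded lookup: on an empty list, container_of() of the head itself yields a
 * hid_input overlaying hid_device, so ->input actually reads driver_data. */
static struct input_dev *first_input_unguarded(struct hid_device *hid)
{
	struct hid_input *hidinput = list_first_entry(&hid->inputs, struct hid_input, list);

	return hidinput->input;
}

/* Guarded probe: refuse to bind when there is no input device to attach ff to. */
static int ff_probe_guarded(struct hid_device *hid)
{
	struct hid_input *hidinput;
	struct input_dev *dev;

	if (list_empty(&hid->inputs))
		return -ENODEV;

	hidinput = list_first_entry(&hid->inputs, struct hid_input, list);
	dev = hidinput->input;
	dev->ff = &ff_instance;                    /* the write that faulted in the report */
	return 0;
}

/* 1 if the unguarded lookup on the input-less device returns the unrelated object. */
static int unguarded_lookup_hits_stale_file(void)
{
	return (void *)first_input_unguarded(&empty_hid) == (void *)&stale_file;
}

/* Returns -ENODEV; nothing is written. */
static int guarded_probe_on_empty_device(void)
{
	return ff_probe_guarded(&empty_hid);
}

/* Returns 1 when ff was attached to the one registered input device. */
static int guarded_probe_with_one_input(void)
{
	struct input_dev dev = { .ff = NULL };
	struct hid_input hidinput = { .input = &dev };
	struct hid_device hid = { .driver_data = &stale_file };

	hid.inputs.next = hid.inputs.prev = &hid.inputs;
	list_add_tail(&hidinput.list, &hid.inputs);

	if (ff_probe_guarded(&hid) != 0)
		return 0;
	return dev.ff == &ff_instance;
}

int main(void)
{
	printf("unguarded lookup on empty list points at stale file: %d\n",
	       unguarded_lookup_hits_stale_file());
	printf("guarded probe on empty list: %d (-ENODEV is %d)\n",
	       guarded_probe_on_empty_device(), -ENODEV);
	printf("guarded probe with one input attaches ff: %d\n",
	       guarded_probe_with_one_input());
	return 0;
}
```

In the model the overlaid read lands on driver_data only because that is the field placed right after the list head; in the real hid_device whatever pointer-sized field follows inputs is what gets dereferenced, which is why the write can land in an object from an entirely unrelated cache. The guard costs one comparison and turns a wild write into a clean -ENODEV from probe.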

Crashes (1):
Time:       2020/05/14 03:14
Kernel:     https://android.googlesource.com/kernel/common android-5.4
Commit:     79c00997a007
Syzkaller:  a885920d
Config:     .config
Log:        console log
Report:     report
Syz repro:  syz
C repro:    C
Manager:    ci2-android-5-4-kasan