KASAN: slab-out-of-bounds Write in betop

KASAN: slab-out-of-bounds Write in betop_probe
Status: upstream: reported C repro on 2020/02/11 01:16
Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
Fix commit: 689e453a9b9c HID: betop: fix slab-out-of-bounds Write in betop_probe HID: betop: fix slab-out-of-bounds Write in betop_probe
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce], missing on: [ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci2-upstream-usb]
First crash: 656d, last: 99d

Cause bisection: introduced by (bisect log) [ignored commit]:
commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov <andreyknvl@google.com>
Date: Mon Feb 24 16:13:03 2020 +0000

usb: gadget: add raw-gadget interface

Crash: KASAN: slab-out-of-bounds Write in betop_probe (log)
Repro: C syz .config

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-54	KASAN: slab-out-of-bounds Write in betop_probe	C			1	581d	581d	0/1	upstream: reported C repro on 2020/04/25 06:12

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/08/24 12:04	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/24 10:19	12m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	report log
2021/08/24 10:04	5m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/16 11:36	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/16 11:34	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/16 11:32	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/15 15:53	10m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	report log
2021/08/14 22:02	15m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	OK
2021/08/13 19:57	14m	asha.16@itfac.mrt.ac.lk		https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	report log

Sample crash report:

usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
usb 1-1: New USB device found, idVendor=11c0, idProduct=5506, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
betop 0003:11C0:5506.0001: hidraw0: USB HID v0.00 Device [HID 11c0:5506] on usb-dummy_hcd.0-1/input0
==================================================================
BUG: KASAN: slab-out-of-bounds in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KASAN: slab-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: slab-out-of-bounds in betopff_init drivers/hid/hid-betopff.c:99 [inline]
BUG: KASAN: slab-out-of-bounds in betop_probe+0x3bb/0x5e0 drivers/hid/hid-betopff.c:134
Write of size 8 at addr ffff8880166964c0 by task kworker/0:3/3160

CPU: 0 PID: 3160 Comm: kworker/0:3 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x2d6 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_write include/linux/instrumented.h:86 [inline]
 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
 betopff_init drivers/hid/hid-betopff.c:99 [inline]
 betop_probe+0x3bb/0x5e0 drivers/hid/hid-betopff.c:134
 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2287
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2439
 usbhid_probe+0xba9/0x10b0 drivers/hid/usbhid/hid-core.c:1417
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2559
 hub_port_connect drivers/usb/core/hub.c:5300 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5440 [inline]
 port_event drivers/usb/core/hub.c:5586 [inline]
 hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5668
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 3160:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0x98/0xc0 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x1e4/0x480 mm/slab.c:3575
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 hidraw_connect+0x4b/0x440 drivers/hid/hidraw.c:543
 hid_connect+0x5be/0xbc0 drivers/hid/hid-core.c:1960
 hid_hw_start drivers/hid/hid-core.c:2059 [inline]
 hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2050
 betop_probe+0xce/0x5e0 drivers/hid/hid-betopff.c:128
 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2287
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2439
 usbhid_probe+0xba9/0x10b0 drivers/hid/usbhid/hid-core.c:1417
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2559
 hub_port_connect drivers/usb/core/hub.c:5300 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5440 [inline]
 port_event drivers/usb/core/hub.c:5586 [inline]
 hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5668
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa4/0xd0 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1332
 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498
 queue_work_on+0xee/0x110 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435
 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
 uevent_store+0x20/0x50 drivers/base/core.c:2370
 dev_attr_store+0x50/0x80 drivers/base/core.c:2071
 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x75a/0xa40 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa4/0xd0 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1332
 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498
 queue_work_on+0xee/0x110 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435
 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
 uevent_store+0x20/0x50 drivers/base/core.c:2370
 dev_attr_store+0x50/0x80 drivers/base/core.c:2071
 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x75a/0xa40 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888016696400
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes to the right of
 192-byte region [ffff888016696400, ffff8880166964c0)
The buggy address belongs to the page:
page:ffffea000059a580 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888016696600 pfn:0x16696
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00005c31c8 ffffea000066e4c8 ffff888010840000
raw: ffff888016696600 ffff888016696000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2611248540, free_ts 0
 prep_new_page mm/page_alloc.c:2433 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5388
 __alloc_pages_node include/linux/gfp.h:570 [inline]
 kmem_getpages mm/slab.c:1377 [inline]
 cache_grow_begin+0x75/0x460 mm/slab.c:2593
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2965
 ____cache_alloc mm/slab.c:3048 [inline]
 ____cache_alloc mm/slab.c:3031 [inline]
 __do_cache_alloc mm/slab.c:3275 [inline]
 slab_alloc mm/slab.c:3316 [inline]
 kmem_cache_alloc_trace+0x38c/0x480 mm/slab.c:3573
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365
 kobject_uevent_env+0xf73/0x1650 lib/kobject_uevent.c:614
 kernel_add_sysfs_param kernel/params.c:798 [inline]
 param_sysfs_builtin kernel/params.c:833 [inline]
 param_sysfs_init+0x3bf/0x498 kernel/params.c:952
 do_one_initcall+0x103/0x650 init/main.c:1282
 do_initcall_level init/main.c:1355 [inline]
 do_initcalls init/main.c:1371 [inline]
 do_basic_setup init/main.c:1391 [inline]
 kernel_init_freeable+0x6b8/0x741 init/main.c:1593
 kernel_init+0x1a/0x1d0 init/main.c:1485
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888016696380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888016696400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888016696480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff888016696500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888016696580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc f

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-selinux-root	2021/08/20 01:54	upstream	d992fe5318d8	e6a17580	.config	log	report	syz	C

Crashes (9):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Title
ci-upstream-kasan-gce-selinux-root	2021/07/19 17:43	upstream	2734d6c1b1a0	e6a17580	.config	log	report	syz	C	KASAN: slab-out-of-bounds Write in betop_probe
ci-upstream-kasan-gce-smack-root	2021/06/06 20:38	upstream	f5b6eb1e0182	500c2339	.config	log	report	syz	C	KASAN: slab-out-of-bounds Write in betop_probe
ci-upstream-linux-next-kasan-gce-root	2021/06/27 22:28	linux-next	a1f92694393a	9d2ab5df	.config	log	report	syz	C	KASAN: slab-out-of-bounds Write in betop_probe
ci2-upstream-usb	2020/12/13 17:49	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	a256e24021bf	bca53db9	.config	log	report	syz	C
ci2-upstream-usb	2020/05/14 02:05	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	a885920d	.config	log	report	syz	C
ci2-upstream-usb	2020/04/25 06:08	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	03d97a1b	.config	log	report	syz	C
ci2-upstream-usb	2020/04/23 18:00	https://github.com/google/kasan.git usb-fuzzer	e9010320f2d9	b9233cab	.config	log	report	syz	C
ci2-upstream-usb	2020/03/02 04:39	https://github.com/google/kasan.git usb-fuzzer	d6ff8147a51c	4a4e0509	.config	log	report	syz	C
ci2-upstream-usb	2020/02/10 08:50	https://github.com/google/kasan.git usb-fuzzer	e5cd56e94edd	35f5e45e	.config	log	report	syz	C