syzbot


KASAN: slab-out-of-bounds Write in betop_probe
Status: fixed on 2022/03/16 16:02
Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
Fix commit: 689e453a9b9c HID: betop: fix slab-out-of-bounds Write in betop_probe HID: betop: fix slab-out-of-bounds Write in betop_probe
First crash: 837d, last: 280d

Cause bisection: introduced by (bisect log) [ignored commit]:
commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
Author: Andrey Konovalov <andreyknvl@google.com>
Date: Mon Feb 24 16:13:03 2020 +0000

  usb: gadget: add raw-gadget interface

Crash: KASAN: slab-out-of-bounds Write in betop_probe (log)
Repro: C syz .config
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: slab-out-of-bounds Write in betop_probe C 1 762d 762d 0/2 upstream: reported C repro on 2020/04/25 06:12
Patch testing requests:
Created Duration User Patch Repo Result
2021/08/24 12:04 0m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master error
2021/08/24 10:19 12m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master report log
2021/08/24 10:04 5m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master error
2021/08/16 11:36 0m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master error
2021/08/16 11:34 0m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master error
2021/08/16 11:32 0m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master error
2021/08/15 15:53 10m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master report log
2021/08/14 22:02 15m asha.16@itfac.mrt.ac.lk patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master OK
2021/08/13 19:57 14m asha.16@itfac.mrt.ac.lk https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master report log

Sample crash report:
usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
usb 1-1: New USB device found, idVendor=11c0, idProduct=5506, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
betop 0003:11C0:5506.0001: hidraw0: USB HID v0.00 Device [HID 11c0:5506] on usb-dummy_hcd.0-1/input0
==================================================================
BUG: KASAN: slab-out-of-bounds in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KASAN: slab-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: slab-out-of-bounds in betopff_init drivers/hid/hid-betopff.c:99 [inline]
BUG: KASAN: slab-out-of-bounds in betop_probe+0x3bb/0x5e0 drivers/hid/hid-betopff.c:134
Write of size 8 at addr ffff8880166964c0 by task kworker/0:3/3160

CPU: 0 PID: 3160 Comm: kworker/0:3 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x2d6 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_write include/linux/instrumented.h:86 [inline]
 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
 betopff_init drivers/hid/hid-betopff.c:99 [inline]
 betop_probe+0x3bb/0x5e0 drivers/hid/hid-betopff.c:134
 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2287
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2439
 usbhid_probe+0xba9/0x10b0 drivers/hid/usbhid/hid-core.c:1417
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2559
 hub_port_connect drivers/usb/core/hub.c:5300 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5440 [inline]
 port_event drivers/usb/core/hub.c:5586 [inline]
 hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5668
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 3160:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0x98/0xc0 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x1e4/0x480 mm/slab.c:3575
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 hidraw_connect+0x4b/0x440 drivers/hid/hidraw.c:543
 hid_connect+0x5be/0xbc0 drivers/hid/hid-core.c:1960
 hid_hw_start drivers/hid/hid-core.c:2059 [inline]
 hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2050
 betop_probe+0xce/0x5e0 drivers/hid/hid-betopff.c:128
 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2287
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2439
 usbhid_probe+0xba9/0x10b0 drivers/hid/usbhid/hid-core.c:1417
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3352
 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2559
 hub_port_connect drivers/usb/core/hub.c:5300 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5440 [inline]
 port_event drivers/usb/core/hub.c:5586 [inline]
 hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5668
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa4/0xd0 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1332
 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498
 queue_work_on+0xee/0x110 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435
 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
 uevent_store+0x20/0x50 drivers/base/core.c:2370
 dev_attr_store+0x50/0x80 drivers/base/core.c:2071
 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x75a/0xa40 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa4/0xd0 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1332
 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498
 queue_work_on+0xee/0x110 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435
 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
 uevent_store+0x20/0x50 drivers/base/core.c:2370
 dev_attr_store+0x50/0x80 drivers/base/core.c:2071
 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x75a/0xa40 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888016696400
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes to the right of
 192-byte region [ffff888016696400, ffff8880166964c0)
The buggy address belongs to the page:
page:ffffea000059a580 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888016696600 pfn:0x16696
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00005c31c8 ffffea000066e4c8 ffff888010840000
raw: ffff888016696600 ffff888016696000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2611248540, free_ts 0
 prep_new_page mm/page_alloc.c:2433 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5388
 __alloc_pages_node include/linux/gfp.h:570 [inline]
 kmem_getpages mm/slab.c:1377 [inline]
 cache_grow_begin+0x75/0x460 mm/slab.c:2593
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2965
 ____cache_alloc mm/slab.c:3048 [inline]
 ____cache_alloc mm/slab.c:3031 [inline]
 __do_cache_alloc mm/slab.c:3275 [inline]
 slab_alloc mm/slab.c:3316 [inline]
 kmem_cache_alloc_trace+0x38c/0x480 mm/slab.c:3573
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365
 kobject_uevent_env+0xf73/0x1650 lib/kobject_uevent.c:614
 kernel_add_sysfs_param kernel/params.c:798 [inline]
 param_sysfs_builtin kernel/params.c:833 [inline]
 param_sysfs_init+0x3bf/0x498 kernel/params.c:952
 do_one_initcall+0x103/0x650 init/main.c:1282
 do_initcall_level init/main.c:1355 [inline]
 do_initcalls init/main.c:1371 [inline]
 do_basic_setup init/main.c:1391 [inline]
 kernel_init_freeable+0x6b8/0x741 init/main.c:1593
 kernel_init+0x1a/0x1d0 init/main.c:1485
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888016696380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888016696400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888016696480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff888016696500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888016696580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc f

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2021/08/20 01:54 upstream d992fe5318d8 e6a17580 .config log report syz C
Crashes (9):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2021/07/19 17:43 upstream 2734d6c1b1a0 e6a17580 .config log report syz C KASAN: slab-out-of-bounds Write in betop_probe
ci-upstream-kasan-gce-smack-root 2021/06/06 20:38 upstream f5b6eb1e0182 500c2339 .config log report syz C KASAN: slab-out-of-bounds Write in betop_probe
ci-upstream-linux-next-kasan-gce-root 2021/06/27 22:28 linux-next a1f92694393a 9d2ab5df .config log report syz C KASAN: slab-out-of-bounds Write in betop_probe
ci2-upstream-usb 2020/12/13 17:49 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a256e24021bf bca53db9 .config log report syz C
ci2-upstream-usb 2020/05/14 02:05 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c a885920d .config log report syz C
ci2-upstream-usb 2020/04/25 06:08 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 03d97a1b .config log report syz C
ci2-upstream-usb 2020/04/23 18:00 https://github.com/google/kasan.git usb-fuzzer e9010320f2d9 b9233cab .config log report syz C
ci2-upstream-usb 2020/03/02 04:39 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 4a4e0509 .config log report syz C
ci2-upstream-usb 2020/02/10 08:50 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 35f5e45e .config log report syz C