syzbot

 sign-in | mailing list | source | docs
🐞 Open [977] Subsystems 🐞 Fixed [5215] 🐞 Invalid [12468] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KMSAN: use-after-free in usb_autopm_put_interface

Status: fixed on 2019/11/27 06:10
Subsystems: usb
[Documentation on labels]
Fix commit: 7a7591979748 USB: usblp: fix use-after-free on disconnect
First crash: 1647d, last: 1633d

Sample crash report:
=====================================================
BUG: KMSAN: use-after-free in __write_once_size include/linux/compiler.h:235 [inline]
BUG: KMSAN: use-after-free in pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
BUG: KMSAN: use-after-free in usb_mark_last_busy include/linux/usb.h:773 [inline]
BUG: KMSAN: use-after-free in usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1632
CPU: 0 PID: 12168 Comm: syz-executor649 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x14a/0x2f0 mm/kmsan/kmsan_report.c:109
 __msan_warning+0x73/0xf0 mm/kmsan/kmsan_instr.c:245
 __write_once_size include/linux/compiler.h:235 [inline]
 pm_runtime_mark_last_busy include/linux/pm_runtime.h:107 [inline]
 usb_mark_last_busy include/linux/usb.h:773 [inline]
 usb_autopm_put_interface+0xf2/0x120 drivers/usb/core/driver.c:1632
 usblp_release+0x182/0x3d0 drivers/usb/class/usblp.c:467
 __fput+0x4c9/0xba0 fs/file_table.c:280
 ____fput+0x37/0x40 fs/file_table.c:313
 task_work_run+0x22e/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x39d/0x4d0 arch/x86/entry/common.c:194
 syscall_return_slowpath+0x90/0x610 arch/x86/entry/common.c:274
 do_syscall_64+0xdc/0x160 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x4071b1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:000000000080fd60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004071b1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000070003c R08: 0000000000000000 R09: 0000000000000000
R10: 000000000080fd90 R11: 0000000000000293 R12: 0000000000031415
R13: 0000000000031442 R14: 20c49ba5e353f7cf R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline]
 kmsan_internal_poison_shadow+0x60/0x110 mm/kmsan/kmsan.c:133
 kmsan_slab_free+0x8d/0x100 mm/kmsan/kmsan_hooks.c:121
 slab_free_freelist_hook mm/slub.c:1473 [inline]
 slab_free mm/slub.c:3040 [inline]
 kfree+0x4c1/0x2e70 mm/slub.c:3990
 skb_free_head net/core/skbuff.c:591 [inline]
 skb_release_data+0x7de/0x9d0 net/core/skbuff.c:611
 skb_release_all net/core/skbuff.c:665 [inline]
 __kfree_skb+0x8a/0x210 net/core/skbuff.c:679
 consume_skb+0x2b0/0x2e0 net/core/skbuff.c:838
 skb_free_datagram+0x52/0x180 net/core/datagram.c:328
 netlink_recvmsg+0xd2d/0x18e0 net/netlink/af_netlink.c:1996
 sock_recvmsg_nosec net/socket.c:871 [inline]
 sock_recvmsg+0x3b3/0x3c0 net/socket.c:889
 ___sys_recvmsg+0x461/0x11e0 net/socket.c:2480
 __sys_recvmsg net/socket.c:2537 [inline]
 __do_sys_recvmsg net/socket.c:2547 [inline]
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2544
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2544
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
=====================================================

Crashes (63):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/14 23:11 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report syz C ci-upstream-kmsan-gce
2019/10/28 13:08 https://github.com/google/kmsan.git master d86c15562d02 25bb509e .config console log report ci-upstream-kmsan-gce
2019/10/28 10:40 https://github.com/google/kmsan.git master d86c15562d02 25bb509e .config console log report ci-upstream-kmsan-gce
2019/10/28 06:28 https://github.com/google/kmsan.git master d86c15562d02 25bb509e .config console log report ci-upstream-kmsan-gce
2019/10/26 12:35 https://github.com/google/kmsan.git master d86c15562d02 413926c5 .config console log report ci-upstream-kmsan-gce
2019/10/26 04:42 https://github.com/google/kmsan.git master d86c15562d02 413926c5 .config console log report ci-upstream-kmsan-gce
2019/10/25 07:14 https://github.com/google/kmsan.git master d86c15562d02 d01bb02a .config console log report ci-upstream-kmsan-gce
2019/10/24 18:50 https://github.com/google/kmsan.git master d86c15562d02 d01bb02a .config console log report ci-upstream-kmsan-gce
2019/10/23 22:42 https://github.com/google/kmsan.git master ba606e9df216 b602d64b .config console log report ci-upstream-kmsan-gce
2019/10/23 21:40 https://github.com/google/kmsan.git master ba606e9df216 b602d64b .config console log report ci-upstream-kmsan-gce
2019/10/23 11:32 https://github.com/google/kmsan.git master 3c8ca70889aa d0686497 .config console log report ci-upstream-kmsan-gce
2019/10/23 09:44 https://github.com/google/kmsan.git master 3c8ca70889aa d0686497 .config console log report ci-upstream-kmsan-gce
2019/10/23 05:43 https://github.com/google/kmsan.git master 3c8ca70889aa d0686497 .config console log report ci-upstream-kmsan-gce
2019/10/22 21:31 https://github.com/google/kmsan.git master 3c8ca70889aa 5681358a .config console log report ci-upstream-kmsan-gce
2019/10/22 16:17 https://github.com/google/kmsan.git master 3c8ca70889aa 5681358a .config console log report ci-upstream-kmsan-gce
2019/10/21 19:56 https://github.com/google/kmsan.git master 3c8ca70889aa b24d2b8a .config console log report ci-upstream-kmsan-gce
2019/10/21 14:09 https://github.com/google/kmsan.git master 3c8ca70889aa b24d2b8a .config console log report ci-upstream-kmsan-gce
2019/10/21 12:54 https://github.com/google/kmsan.git master 3c8ca70889aa b24d2b8a .config console log report ci-upstream-kmsan-gce
2019/10/21 07:28 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 22:56 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 20:32 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 20:26 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 19:53 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 19:19 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 18:30 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 05:27 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/20 01:18 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/19 18:06 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/19 17:22 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/19 14:24 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/19 12:52 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/19 08:13 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/19 00:44 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/18 14:50 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/18 08:42 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 22:33 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 20:51 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 20:29 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 18:55 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 15:01 https://github.com/google/kmsan.git master 18ccb5c7d3f4 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 14:42 https://github.com/google/kmsan.git master 18ccb5c7d3f4 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 14:00 https://github.com/google/kmsan.git master 18ccb5c7d3f4 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 10:07 https://github.com/google/kmsan.git master 18ccb5c7d3f4 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/16 19:02 https://github.com/google/kmsan.git master c24534505750 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/16 18:08 https://github.com/google/kmsan.git master c24534505750 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/16 01:33 https://github.com/google/kmsan.git master c24534505750 d4ea592f .config console log report ci-upstream-kmsan-gce
2019/10/15 21:36 https://github.com/google/kmsan.git master c24534505750 b5268b89 .config console log report ci-upstream-kmsan-gce
2019/10/15 13:15 https://github.com/google/kmsan.git master c24534505750 b5268b89 .config console log report ci-upstream-kmsan-gce
2019/10/15 12:15 https://github.com/google/kmsan.git master c24534505750 b5268b89 .config console log report ci-upstream-kmsan-gce
2019/10/15 10:57 https://github.com/google/kmsan.git master c24534505750 b5268b89 .config console log report ci-upstream-kmsan-gce
2019/10/15 10:54 https://github.com/google/kmsan.git master c24534505750 b5268b89 .config console log report ci-upstream-kmsan-gce
2019/10/15 07:05 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/15 06:32 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/15 01:02 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/15 00:43 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/14 20:18 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/14 20:11 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/14 20:02 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
2019/10/14 19:33 https://github.com/google/kmsan.git master c24534505750 05ad7292 .config console log report ci-upstream-kmsan-gce
* Struck through repros no longer work on HEAD.