syzbot

 sign-in | mailing list | source | docs
🐞 Open [994] Subsystems 🐞 Fixed [5242] 🐞 Invalid [12515] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in dvb_usb_device_exit

Status: fixed on 2019/08/05 13:45
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
Fix commit: 6cf97230cd5f media: dvb: usb: fix use after free in dvb_usb_device_exit
First crash: 1841d, last: 1726d
Discussions (19)
Title Replies (including bot) Last reply
[PATCH] dvb: usb: fix use after free in dvb_usb_device_exit 7 (7) 2020/04/14 10:10
[PATCH 4.9 000/223] 4.9.187-stable review 231 (231) 2019/08/28 03:02
[PATCH 5.2 000/413] 5.2.3-stable review 444 (444) 2019/08/05 12:40
[PATCH 4.4 000/158] 4.4.187-stable review 166 (166) 2019/08/03 15:57
[PATCH 4.14 000/293] 4.14.135-stable review 302 (302) 2019/07/31 09:35
[PATCH 4.19 000/271] 4.19.61-stable review 284 (284) 2019/07/27 10:51
[PATCH AUTOSEL 4.19 001/158] wil6210: fix potential out-of-bounds read 161 (161) 2019/07/26 18:07
[PATCH 5.1 000/371] 5.1.20-stable review 384 (384) 2019/07/26 12:24
[PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it 267 (267) 2019/07/24 03:35
[PATCH AUTOSEL 4.14 001/105] wil6210: fix potential out-of-bounds read 107 (107) 2019/07/22 00:40
[PATCH AUTOSEL 5.1 001/219] ath10k: Check tx_stats before use it 25 (25) 2019/07/22 00:39
[PATCH AUTOSEL 4.4 01/53] ath10k: Do not send probe response template for mesh 53 (53) 2019/07/15 14:45
[PATCH AUTOSEL 4.9 01/73] ath10k: Do not send probe response template for mesh 73 (73) 2019/07/15 14:36
[PATCH AUTOSEL 5.1 001/219] ath10k: Check tx_stats before use it 219 (219) 2019/07/15 14:03
[PATCH AUTOSEL 4.19 001/158] wil6210: fix potential out-of-bounds read 15 (15) 2019/07/15 13:37
[PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it 24 (24) 2019/07/15 13:32
[PATCHv3] dvb: usb: fix use after free in dvb_usb_device_exit 3 (3) 2019/05/03 05:10
[PATCHv2] dvb: usb: fix use after free in dvb_usb_device_exit 2 (2) 2019/04/30 11:29
KASAN: use-after-free Read in dvb_usb_device_exit 4 (5) 2019/04/25 14:08
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in dvb_usb_device_exit (2) usb media C error unreliable 2393 1087d 1725d 0/26 auto-obsoleted due to no activity on 2023/01/14 20:37

Sample crash report:
input: TeVii S632 USB as /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
dvb-usb: schedule remote query interval to 150 msecs.
dw2102: su3000_power_ctrl: 0, initialized 1
dvb-usb: TeVii S632 USB successfully initialized and connected.
usb 1-1: USB disconnect, device number 2
==================================================================
BUG: KASAN: use-after-free in dvb_usb_device_exit+0xb6/0xc0 /drivers/media/usb/dvb-usb/dvb-usb-init.c:291
Read of size 8 at addr ffff8881d36403d0 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e /lib/dump_stack.c:113
 print_address_description+0x67/0x231 /mm/kasan/report.c:188
 __kasan_report.cold+0x1a/0x32 /mm/kasan/report.c:317
 kasan_report+0xe/0x20 /mm/kasan/common.c:614
 dvb_usb_device_exit+0xb6/0xc0 /drivers/media/usb/dvb-usb/dvb-usb-init.c:291
 usb_unbind_interface+0x1bd/0x8a0 /drivers/usb/core/driver.c:423
 __device_release_driver /drivers/base/dd.c:1081 [inline]
 device_release_driver_internal+0x404/0x4c0 /drivers/base/dd.c:1112
 bus_remove_device+0x2dc/0x4a0 /drivers/base/bus.c:556
 device_del+0x460/0xb80 /drivers/base/core.c:2274
 usb_disable_device+0x211/0x690 /drivers/usb/core/message.c:1237
 usb_disconnect+0x284/0x830 /drivers/usb/core/hub.c:2199
 hub_port_connect /drivers/usb/core/hub.c:4949 [inline]
 hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
 port_event /drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x13bd/0x3550 /drivers/usb/core/hub.c:5441
 process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
 process_scheduled_works /kernel/workqueue.c:2331 [inline]
 worker_thread+0x7ab/0xe20 /kernel/workqueue.c:2417
 kthread+0x30b/0x410 /kernel/kthread.c:255
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352

Allocated by task 12:
 save_stack+0x1b/0x80 /mm/kasan/common.c:71
 set_track /mm/kasan/common.c:79 [inline]
 __kasan_kmalloc /mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 /mm/kasan/common.c:462
 slab_post_alloc_hook /mm/slab.h:437 [inline]
 slab_alloc_node /mm/slub.c:2748 [inline]
 slab_alloc /mm/slub.c:2756 [inline]
 __kmalloc_track_caller+0xe2/0x2b0 /mm/slub.c:4333
 kmemdup+0x23/0x50 /mm/util.c:119
 kmemdup /./include/linux/string.h:432 [inline]
 dw2102_probe+0x627/0xc40 /drivers/media/usb/dvb-usb/dw2102.c:2372
 usb_probe_interface+0x305/0x7a0 /drivers/usb/core/driver.c:361
 really_probe+0x281/0x660 /drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
 __device_attach+0x217/0x360 /drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
 device_add+0xae6/0x16f0 /drivers/base/core.c:2111
 usb_set_configuration+0xdf6/0x1670 /drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 /drivers/usb/core/generic.c:210
 usb_probe_device+0x99/0x100 /drivers/usb/core/driver.c:266
 really_probe+0x281/0x660 /drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
 __device_attach+0x217/0x360 /drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
 device_add+0xae6/0x16f0 /drivers/base/core.c:2111
 usb_new_device.cold+0x6a4/0xe61 /drivers/usb/core/hub.c:2536
 hub_port_connect /drivers/usb/core/hub.c:5098 [inline]
 hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
 port_event /drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x1abd/0x3550 /drivers/usb/core/hub.c:5441
 process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 /kernel/workqueue.c:2415
 kthread+0x30b/0x410 /kernel/kthread.c:255
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352

Freed by task 12:
 save_stack+0x1b/0x80 /mm/kasan/common.c:71
 set_track /mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x130/0x180 /mm/kasan/common.c:451
 slab_free_hook /mm/slub.c:1421 [inline]
 slab_free_freelist_hook /mm/slub.c:1448 [inline]
 slab_free /mm/slub.c:2994 [inline]
 kfree+0xd7/0x280 /mm/slub.c:3949
 dw2102_probe+0x871/0xc40 /drivers/media/usb/dvb-usb/dw2102.c:2406
 usb_probe_interface+0x305/0x7a0 /drivers/usb/core/driver.c:361
 really_probe+0x281/0x660 /drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
 __device_attach+0x217/0x360 /drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
 device_add+0xae6/0x16f0 /drivers/base/core.c:2111
 usb_set_configuration+0xdf6/0x1670 /drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 /drivers/usb/core/generic.c:210
 usb_probe_device+0x99/0x100 /drivers/usb/core/driver.c:266
 really_probe+0x281/0x660 /drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
 __device_attach+0x217/0x360 /drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
 device_add+0xae6/0x16f0 /drivers/base/core.c:2111
 usb_new_device.cold+0x6a4/0xe61 /drivers/usb/core/hub.c:2536
 hub_port_connect /drivers/usb/core/hub.c:5098 [inline]
 hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
 port_event /drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x1abd/0x3550 /drivers/usb/core/hub.c:5441
 process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 /kernel/workqueue.c:2415
 kthread+0x30b/0x410 /kernel/kthread.c:255
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881d3640000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 976 bytes inside of
 4096-byte region [ffff8881d3640000, ffff8881d3641000)
The buggy address belongs to the page:
page:ffffea00074d9000 refcount:1 mapcount:0 mapping:ffff8881dac02600 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000200 ffff8881dac02600
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3640280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d3640300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d3640380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8881d3640400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d3640480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (825):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/07/23 02:50 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 55e0c077 .config console log report syz C ci2-upstream-usb
2019/07/11 19:46 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 186a30b9 .config console log report syz C ci2-upstream-usb
2019/07/10 22:00 https://github.com/google/kasan.git usb-fuzzer 7829a896a587 ff7bf04c .config console log report syz C ci2-upstream-usb
2019/07/09 23:34 https://github.com/google/kasan.git usb-fuzzer 7829a896a587 f62e1e85 .config console log report syz C ci2-upstream-usb
2019/06/28 19:18 https://github.com/google/kasan.git usb-fuzzer 7829a896a587 7509bf36 .config console log report syz C ci2-upstream-usb
2019/06/22 18:04 https://github.com/google/kasan.git usb-fuzzer 9939f56ee6c0 34bf9440 .config console log report syz C ci2-upstream-usb
2019/06/18 21:19 https://github.com/google/kasan.git usb-fuzzer 9939f56ee6c0 34bf9440 .config console log report syz C ci2-upstream-usb
2019/06/12 22:54 https://github.com/google/kasan.git usb-fuzzer 69bbe8c72e6f 3f4e812b .config console log report syz C ci2-upstream-usb
2019/06/07 19:05 https://github.com/google/kasan.git usb-fuzzer 69bbe8c72e6f cf9c3a50 .config console log report syz C ci2-upstream-usb
2019/06/03 22:07 https://github.com/google/kasan.git usb-fuzzer 69bbe8c72e6f 63bf051f .config console log report syz C ci2-upstream-usb
2019/04/14 09:43 https://github.com/google/kasan.git usb-fuzzer 9a33b36996cb 505ab413 .config console log report syz C ci2-upstream-usb
2019/04/12 04:29 https://github.com/google/kasan.git usb-fuzzer 9a33b36996cb 8916f5e1 .config console log report syz C ci2-upstream-usb
2019/04/12 01:55 https://github.com/google/kasan.git usb-fuzzer 9a33b36996cb 13030ef8 .config console log report syz ci2-upstream-usb
2019/08/05 03:00 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/04 23:34 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/04 17:35 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/04 14:18 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/04 10:31 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/04 06:45 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/03 17:26 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/03 16:10 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/03 05:00 https://github.com/google/kasan.git usb-fuzzer e96407b49762 6affd8e8 .config console log report ci2-upstream-usb
2019/08/02 20:40 https://github.com/google/kasan.git usb-fuzzer e96407b49762 3faab807 .config console log report ci2-upstream-usb
2019/08/02 15:44 https://github.com/google/kasan.git usb-fuzzer e96407b49762 835dffe7 .config console log report ci2-upstream-usb
2019/08/02 12:05 https://github.com/google/kasan.git usb-fuzzer e96407b49762 835dffe7 .config console log report ci2-upstream-usb
2019/08/02 00:01 https://github.com/google/kasan.git usb-fuzzer e96407b49762 835dffe7 .config console log report ci2-upstream-usb
2019/08/01 22:12 https://github.com/google/kasan.git usb-fuzzer e96407b49762 835dffe7 .config console log report ci2-upstream-usb
2019/08/01 00:53 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf c692b5bd .config console log report ci2-upstream-usb
2019/07/31 22:41 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf 995b2a26 .config console log report ci2-upstream-usb
2019/07/31 08:21 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf 7c7ded69 .config console log report ci2-upstream-usb
2019/07/31 03:01 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf 7c7ded69 .config console log report ci2-upstream-usb
2019/07/30 19:20 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf f28bf2a5 .config console log report ci2-upstream-usb
2019/07/30 15:28 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf f28bf2a5 .config console log report ci2-upstream-usb
2019/07/30 11:40 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf f28bf2a5 .config console log report ci2-upstream-usb
2019/07/29 20:38 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf f67095ee .config console log report ci2-upstream-usb
2019/07/29 18:38 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf f67095ee .config console log report ci2-upstream-usb
2019/07/29 16:10 https://github.com/google/kasan.git usb-fuzzer 7f7867ff95bf f67095ee .config console log report ci2-upstream-usb
2019/07/29 06:14 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 04:35 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 02:17 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 22:36 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 20:56 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 15:46 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 12:17 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 08:19 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 06:53 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 04:05 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 00:27 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 23:17 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 19:27 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 16:39 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 14:41 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 10:30 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 09:09 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 07:21 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 02:30 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/04/12 00:50 https://github.com/google/kasan.git usb-fuzzer 9a33b36996cb 13030ef8 .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.