KASAN: use-after-free Read in v4l2

KASAN: use-after-free Read in v4l2_release (3)
Status: upstream: reported C repro on 2020/01/08 20:24
Reported-by: syzbot+75287f75e2fedd69d680@syzkaller.appspotmail.com
First crash: 44d, last: 14d

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in v4l2_release	C		275	208d	312d	13/17	fixed on 2019/08/05 13:45
upstream	KASAN: use-after-free Read in v4l2_release (2)			9	73d	151d	0/17	closed as dup on 2019/09/23 15:12

Sample crash report:

usbvision_set_audio: can't write iopin register for audio switching
usbvision_radio_close: Final disconnect
==================================================================
BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
Read of size 4 at addr ffff8881caba1068 by task v4l_id/1913

CPU: 1 PID: 1913 Comm: v4l_id Not tainted 5.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x85 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:639
 v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
 __fput+0x2d7/0x840 fs/file_table.c:280
 task_work_run+0x13f/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fbeb0b822b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0 07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007ffe52d6b158 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007fbeb0b822b0
RDX: 0000000000000013 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007ffe52d6b2b0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 94:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:486
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:670 [inline]
 usbvision_alloc drivers/media/usb/usbvision/usbvision-video.c:1315 [inline]
 usbvision_probe.cold+0x5c5/0x1f21 drivers/media/usb/usbvision/usbvision-video.c:1469
 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361
 really_probe+0x290/0xad0 drivers/base/dd.c:548
 driver_probe_device+0x223/0x350 drivers/base/dd.c:721
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
 __device_attach+0x217/0x390 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
 usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266
 really_probe+0x290/0xad0 drivers/base/dd.c:548
 driver_probe_device+0x223/0x350 drivers/base/dd.c:721
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
 __device_attach+0x217/0x390 drivers/base/dd.c:894
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537
 hub_port_connect drivers/usb/core/hub.c:5184 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5324 [inline]
 port_event drivers/usb/core/hub.c:5470 [inline]
 hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552
 process_one_work+0x945/0x15c0 kernel/workqueue.c:2264
 process_scheduled_works kernel/workqueue.c:2326 [inline]
 worker_thread+0x7ab/0xe20 kernel/workqueue.c:2412
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 1913:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x117/0x160 mm/kasan/common.c:474
 slab_free_hook mm/slub.c:1425 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xd5/0x300 mm/slub.c:3957
 usbvision_release+0x181/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1364
 usbvision_radio_close.cold+0x2b/0x74 drivers/media/usb/usbvision/usbvision-video.c:1130
 v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
 __fput+0x2d7/0x840 fs/file_table.c:280
 task_work_run+0x13f/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881caba0000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4200 bytes inside of
 8192-byte region [ffff8881caba0000, ffff8881caba2000)
The buggy address belongs to the page:
page:ffffea00072ae800 refcount:1 mapcount:0 mapping:ffff8881da00c500 index:0x0 compound_mapcount: 0
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c500
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881caba0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881caba0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881caba1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8881caba1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881caba1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (19):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-upstream-usb	2020/01/22 22:58	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	3334d684	.config	log	report	syz	C	bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/07 13:56	https://github.com/google/kasan.git usb-fuzzer	e5cd56e9	06150bf1	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/04 11:00	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/03 14:38	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/02 21:24	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/02 17:33	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/01 20:10	https://github.com/google/kasan.git usb-fuzzer	cd234325	326d4c78	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/31 00:15	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/30 15:48	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/29 19:39	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/29 16:46	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/29 12:33	https://github.com/google/kasan.git usb-fuzzer	cd234325	c8e81ce4	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/28 22:38	https://github.com/google/kasan.git usb-fuzzer	cd234325	c8e81ce4	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/28 09:28	https://github.com/google/kasan.git usb-fuzzer	cd234325	56cd6c9b	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/22 00:53	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	8eda0b95	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/21 01:52	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	8eda0b95	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/15 13:20	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	fa12bd3c	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/13 03:26	https://github.com/google/kasan.git usb-fuzzer	ae179410	53faa9fe	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/08 14:41	https://github.com/google/kasan.git usb-fuzzer	ae179410	ddc3e859	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org