KASAN: use-after-free Read in v4l2

KASAN: use-after-free Read in v4l2_release (3)
Status: upstream: reported C repro on 2020/01/08 20:24
Reported-by: syzbot+75287f75e2fedd69d680@syzkaller.appspotmail.com
First crash: 143d, last: 18h40m

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in v4l2_release	C		275	307d	411d	13/17	fixed on 2019/08/05 13:45
upstream	KASAN: use-after-free Read in v4l2_release (2)			9	172d	250d	0/17	closed as dup on 2019/09/23 15:12

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/01/24 12:41	12m	andreyknvl@google.com	patch	https://github.com/google/kasan.git ae179410	report log

Sample crash report:

usbvision_radio_close: Final disconnect
==================================================================
BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
Read of size 4 at addr ffff8881ccfd5110 by task v4l_id/427

CPU: 0 PID: 427 Comm: v4l_id Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x415 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x7d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
 __fput+0x33b/0x880 fs/file_table.c:280
 task_work_run+0xf4/0x1b0 kernel/task_work.c:123
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:165
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
 do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x7f6be870e270
Code: 73 01 c3 48 8b 0d 38 7d 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c1 20 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24
RSP: 002b:00007fff89ed5558 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6be870e270
RDX: 00007fff89ed5580 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 00007f6be8d3e698 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000013
R13: 00007fff89ed56e0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 358:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 usbvision_alloc drivers/staging/media/usbvision/usbvision-video.c:1315 [inline]
 usbvision_probe.cold+0x5c5/0x1f21 drivers/staging/media/usbvision/usbvision-video.c:1469
 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
 really_probe+0x290/0xac0 drivers/base/dd.c:520
 driver_probe_device+0x223/0x350 drivers/base/dd.c:697
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:804
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x21a/0x390 drivers/base/dd.c:870
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x1367/0x1c40 drivers/base/core.c:2538
 usb_set_configuration+0xed4/0x1850 drivers/usb/core/message.c:2032
 usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
 usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
 really_probe+0x290/0xac0 drivers/base/dd.c:520
 driver_probe_device+0x223/0x350 drivers/base/dd.c:697
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:804
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x21a/0x390 drivers/base/dd.c:870
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x1367/0x1c40 drivers/base/core.c:2538
 usb_new_device.cold+0x552/0xf6e drivers/usb/core/hub.c:2554
 hub_port_connect drivers/usb/core/hub.c:5208 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
 port_event drivers/usb/core/hub.c:5494 [inline]
 hub_event+0x226d/0x43c0 drivers/usb/core/hub.c:5576
 process_one_work+0x965/0x1630 kernel/workqueue.c:2268
 process_scheduled_works kernel/workqueue.c:2330 [inline]
 worker_thread+0x7ab/0xe20 kernel/workqueue.c:2416
 kthread+0x326/0x430 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Freed by task 427:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0x117/0x160 mm/kasan/common.c:456
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1488 [inline]
 slab_free mm/slub.c:3045 [inline]
 kfree+0xd5/0x300 mm/slub.c:4026
 usbvision_release+0x181/0x1c0 drivers/staging/media/usbvision/usbvision-video.c:1364
 usbvision_radio_close.cold+0x2b/0x74 drivers/staging/media/usbvision/usbvision-video.c:1130
 v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
 __fput+0x33b/0x880 fs/file_table.c:280
 task_work_run+0xf4/0x1b0 kernel/task_work.c:123
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:165
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
 do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff8881ccfd4000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4368 bytes inside of
 8192-byte region [ffff8881ccfd4000, ffff8881ccfd6000)
The buggy address belongs to the page:
page:ffffea000733f400 refcount:1 mapcount:0 mapping:00000000616c8cac index:0x0 head:ffffea000733f400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c500
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881ccfd5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ccfd5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881ccfd5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8881ccfd5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ccfd5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (28):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-upstream-usb	2020/05/30 01:00	https://github.com/google/kasan.git usb-fuzzer	2089c6ed	bed08304	.config	log	report	syz	C	bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 14:23	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report	syz	C	bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 13:37	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report	syz	C	bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/01/22 22:58	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	3334d684	.config	log	report	syz	C	bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/05/14 22:28	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 21:51	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 17:32	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 14:16	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 12:12	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	2d572622	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/05/14 08:20	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	a885920d	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org, sakari.ailus@linux.intel.com
ci2-upstream-usb	2020/02/07 13:56	https://github.com/google/kasan.git usb-fuzzer	e5cd56e9	06150bf1	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/04 11:00	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/03 14:38	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/02 21:24	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/02 17:33	https://github.com/google/kasan.git usb-fuzzer	cd234325	93e5e335	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/02/01 20:10	https://github.com/google/kasan.git usb-fuzzer	cd234325	326d4c78	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/31 00:15	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/30 15:48	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/29 19:39	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/29 16:46	https://github.com/google/kasan.git usb-fuzzer	cd234325	5ed23f9a	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/29 12:33	https://github.com/google/kasan.git usb-fuzzer	cd234325	c8e81ce4	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/28 22:38	https://github.com/google/kasan.git usb-fuzzer	cd234325	c8e81ce4	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/28 09:28	https://github.com/google/kasan.git usb-fuzzer	cd234325	56cd6c9b	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/22 00:53	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	8eda0b95	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/21 01:52	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	8eda0b95	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/15 13:20	https://github.com/google/kasan.git usb-fuzzer	4cc301ee	fa12bd3c	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/13 03:26	https://github.com/google/kasan.git usb-fuzzer	ae179410	53faa9fe	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org
ci2-upstream-usb	2020/01/08 14:41	https://github.com/google/kasan.git usb-fuzzer	ae179410	ddc3e859	.config	log	report			bnvandana@gmail.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, mchehab@kernel.org