syzbot


KASAN: use-after-free Read in hiddev_disconnect

Status: closed as dup on 2020/01/27 12:29
Reported-by: syzbot+106b378813251e52fc5e@syzkaller.appspotmail.com
First crash: 994d, last: 929d
Duplicate of (1):
| Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported |
|---|---|---|---|---|---|---|
| KASAN: use-after-free Write in hiddev_disconnect | | | | 20 | 929d | 994d |
similar bugs (3):
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in hiddev_disconnect (4) | | | | 1 | 24d | 20d | 0/24 | upstream: reported on 2022/09/14 08:14 |
| upstream | KASAN: use-after-free Read in hiddev_disconnect (3) | | | | 1 | 151d | 151d | 0/24 | auto-obsoleted due to no activity on 2022/09/03 10:29 |
| upstream | KASAN: use-after-free Read in hiddev_disconnect (2) | | | | 1 | 316d | 312d | 0/24 | auto-closed as invalid on 2022/02/19 22:15 |

Sample crash report:
usb 3-1: USB disconnect, device number 8
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x31af/0x3b60 kernel/locking/lockdep.c:3827
Read of size 8 at addr ffff8881c78b7ca8 by task kworker/1:1/67

CPU: 1 PID: 67 Comm: kworker/1:1 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 __lock_acquire+0x31af/0x3b60 kernel/locking/lockdep.c:3827
 lock_acquire+0x130/0x340 kernel/locking/lockdep.c:4484
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
 __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:122
 hiddev_disconnect+0x154/0x1b4 drivers/hid/usbhid/hiddev.c:937
 hid_disconnect+0xb4/0x1a0 drivers/hid/hid-core.c:2008
 hid_hw_stop+0x12/0x70 drivers/hid/hid-core.c:2053
 cmhid_remove+0x38/0x50 drivers/hid/hid-cmedia.c:140
 hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2294
 __device_release_driver drivers/base/dd.c:1135 [inline]
 device_release_driver_internal+0x231/0x500 drivers/base/dd.c:1168
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:533
 device_del+0x481/0xd30 drivers/base/core.c:2664
 hid_remove_device drivers/hid/hid-core.c:2465 [inline]
 hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2484
 usbhid_disconnect+0x9f/0xe0 drivers/hid/usbhid/hid-core.c:1413
 usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:1137 [inline]
 device_release_driver_internal+0x42f/0x500 drivers/base/dd.c:1168
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:533
 device_del+0x481/0xd30 drivers/base/core.c:2664
 usb_disable_device+0x23d/0x790 drivers/usb/core/message.c:1237
 usb_disconnect+0x293/0x900 drivers/usb/core/hub.c:2201
 hub_port_connect drivers/usb/core/hub.c:5036 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5325 [inline]
 port_event drivers/usb/core/hub.c:5471 [inline]
 hub_event+0x1a1d/0x4300 drivers/usb/core/hub.c:5553
 process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
 worker_thread+0x96/0xe20 kernel/workqueue.c:2410
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 1811:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:890
 hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1934
 hid_hw_start drivers/hid/hid-core.c:2033 [inline]
 hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2024
 cmhid_probe+0x104/0x160 drivers/hid/hid-cmedia.c:123
 hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2261
 really_probe+0x290/0xac0 drivers/base/dd.c:551
 driver_probe_device+0x223/0x350 drivers/base/dd.c:724
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x217/0x390 drivers/base/dd.c:897
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 hid_add_device drivers/hid/hid-core.c:2417 [inline]
 hid_add_device+0x33c/0x9a0 drivers/hid/hid-core.c:2366
 usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361
 really_probe+0x290/0xac0 drivers/base/dd.c:551
 driver_probe_device+0x223/0x350 drivers/base/dd.c:724
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x217/0x390 drivers/base/dd.c:897
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
 usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266
 really_probe+0x290/0xac0 drivers/base/dd.c:551
 driver_probe_device+0x223/0x350 drivers/base/dd.c:724
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
 __device_attach+0x217/0x390 drivers/base/dd.c:897
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0x1459/0x1bf0 drivers/base/core.c:2487
 usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2538
 hub_port_connect drivers/usb/core/hub.c:5185 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5325 [inline]
 port_event drivers/usb/core/hub.c:5471 [inline]
 hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5553
 process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
 worker_thread+0x96/0xe20 kernel/workqueue.c:2410
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 1935:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook mm/slub.c:1477 [inline]
 slab_free mm/slub.c:3024 [inline]
 kfree+0xd5/0x300 mm/slub.c:3976
 hiddev_release+0x402/0x520 drivers/hid/usbhid/hiddev.c:232
 __fput+0x2d7/0x840 fs/file_table.c:280
 task_work_run+0x13f/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881c78b7c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 168 bytes inside of
 512-byte region [ffff8881c78b7c00, ffff8881c78b7e00)
The buggy address belongs to the page:
page:ffffea00071e2d00 refcount:1 mapcount:0 mapping:ffff8881da002500 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 ffffea00071fb800 0000000200000002 ffff8881da002500
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c78b7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c78b7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c78b7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8881c78b7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881c78b7d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (127):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-upstream-usb | 2020/02/11 05:22 | https://github.com/google/kasan.git usb-fuzzer | 7f0cd6c7c423 | d9e55b05 | .config | log | report | syz | C | | |
| ci2-upstream-usb | 2020/02/01 00:21 | https://github.com/google/kasan.git usb-fuzzer | cd234325a5f1 | 0eb59c27 | .config | log | report | syz | C | | |
| ci2-upstream-usb | 2020/01/25 21:42 | https://github.com/google/kasan.git usb-fuzzer | cd234325a5f1 | 2e95ab33 | .config | log | report | syz | C | | |
| ci2-upstream-usb | 2020/03/19 01:01 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 2c31c529 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/18 17:54 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 0a96a13c | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/18 12:43 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 0a96a13c | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/18 09:51 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 0a96a13c | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/17 16:58 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 749688d2 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/17 08:53 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 749688d2 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/16 13:44 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 749688d2 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/15 11:43 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 749688d2 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/14 19:07 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 749688d2 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/14 11:24 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 749688d2 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/12 12:12 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | d850e9d0 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/09 06:22 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 2e9971bb | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/08 20:14 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 2e9971bb | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/08 14:55 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 2e9971bb | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/07 02:16 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | fd2a5f28 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/06 09:48 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 7fb694ef | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/06 07:34 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | b655d91b | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/06 05:28 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | b655d91b | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/05 16:09 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | b655d91b | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/05 06:21 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 576fb9bc | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/04 21:39 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 712198ac | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/04 18:02 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 712198ac | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/04 03:43 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 1f73b64b | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/03 15:37 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 350a7a26 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/03 10:12 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 350a7a26 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/02 07:58 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4a4e0509 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/02 00:13 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4a4e0509 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/03/01 20:36 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | c88c7b75 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/29 11:37 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | c88c7b75 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/29 09:49 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | c88c7b75 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/27 20:47 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | c88c7b75 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/26 09:27 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4f588111 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/26 08:09 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4f588111 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/26 04:52 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4f588111 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/26 02:08 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4f588111 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/25 23:41 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4c886d6a | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/25 22:29 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4c886d6a | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/25 20:53 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 4c886d6a | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/25 00:28 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 59b57593 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/24 14:52 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | 1253d6f0 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/24 09:56 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | 1253d6f0 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/24 04:31 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | d801cb02 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/23 21:35 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | d801cb02 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/23 13:16 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | 2c36e7a7 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/23 06:54 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | 2c36e7a7 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/23 04:18 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | 2c36e7a7 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/02/23 00:42 | https://github.com/google/kasan.git usb-fuzzer | 307a2623c9d7 | 2c36e7a7 | .config | log | report | | | | |
| ci2-upstream-usb | 2020/01/14 09:21 | https://github.com/google/kasan.git usb-fuzzer | 5a67532ceae3 | 32881205 | .config | log | report | | | | |
* Struck through repros no longer work on HEAD.