==================================================================
BUG: KASAN: use-after-free in usbhid_power+0xca/0xe0 drivers/hid/usbhid/hid-core.c:1234
Read of size 8 at addr ffff8881d6b00008 by task syz-executor.0/14005

CPU: 0 PID: 14005 Comm: syz-executor.0 Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 print_address_description+0x6a/0x32c mm/kasan/report.c:351
 __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
 kasan_report+0xe/0x12 mm/kasan/common.c:618
 usbhid_power+0xca/0xe0 drivers/hid/usbhid/hid-core.c:1234
 hid_hw_power include/linux/hid.h:1038 [inline]
 hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
 chrdev_open+0x219/0x5c0 fs/char_dev.c:414
 do_dentry_open+0x494/0x1120 fs/open.c:797
 do_last fs/namei.c:3408 [inline]
 path_openat+0x1430/0x3f50 fs/namei.c:3525
 do_filp_open+0x1a1/0x280 fs/namei.c:3555
 do_sys_open+0x3c0/0x580 fs/open.c:1089
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413911
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f1e9bce97a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000413911
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00007f1e9bce9850
RBP: 000000000075bfc8 R08: 000000000000000f R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f1e9bcea6d4
R13: 00000000004c8e17 R14: 00000000004dff40 R15: 00000000ffffffff

Allocated by task 0:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:493 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:466
 slab_post_alloc_hook mm/slab.h:520 [inline]
 slab_alloc_node mm/slub.c:2770 [inline]
 __kmalloc_node_track_caller+0xfc/0x3d0 mm/slub.c:4365
 __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:141
 __alloc_skb+0xef/0x5a0 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 __tcp_send_ack.part.0+0x67/0x5a0 net/ipv4/tcp_output.c:3675
 __tcp_send_ack net/ipv4/tcp_output.c:3702 [inline]
 tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3702
 __tcp_ack_snd_check+0x156/0x8d0 net/ipv4/tcp_input.c:5241
 tcp_rcv_established+0x16a4/0x1d50 net/ipv4/tcp_input.c:5672
 tcp_v4_do_rcv+0x5fc/0x8a0 net/ipv4/tcp_ipv4.c:1557
 tcp_v4_rcv+0x2968/0x3330 net/ipv4/tcp_ipv4.c:1938
 ip_protocol_deliver_rcu+0x57/0x830 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x222/0x370 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x1c8/0x4f0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:442 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:413 [inline]
 ip_rcv_finish+0xe1/0x1b0 net/ipv4/ip_input.c:399
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0xd0/0x3d0 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core+0xf5/0x160 net/core/dev.c:5010
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5124
 netif_receive_skb_internal+0xfb/0x410 net/core/dev.c:5214
 napi_skb_finish net/core/dev.c:5677 [inline]
 napi_gro_receive+0x4ff/0x670 net/core/dev.c:5710
 receive_buf+0x634/0x53f0 drivers/net/virtio_net.c:1061
 virtnet_receive drivers/net/virtio_net.c:1323 [inline]
 virtnet_poll+0x544/0xd70 drivers/net/virtio_net.c:1428
 napi_poll net/core/dev.c:6392 [inline]
 net_rx_action+0x418/0xe80 net/core/dev.c:6460
 __do_softirq+0x221/0x912 kernel/softirq.c:292

Freed by task 0:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:455
 slab_free_hook mm/slub.c:1423 [inline]
 slab_free_freelist_hook mm/slub.c:1474 [inline]
 slab_free mm/slub.c:3016 [inline]
 kfree+0xe4/0x2f0 mm/slub.c:3957
 skb_free_head+0x8b/0xa0 net/core/skbuff.c:591
 skb_release_data+0x41f/0x7c0 net/core/skbuff.c:611
 skb_release_all+0x46/0x60 net/core/skbuff.c:665
 __kfree_skb net/core/skbuff.c:679 [inline]
 consume_skb net/core/skbuff.c:838 [inline]
 consume_skb+0xd9/0x320 net/core/skbuff.c:832
 __dev_kfree_skb_any+0x6b/0x80 net/core/dev.c:2823
 dev_consume_skb_any include/linux/netdevice.h:3624 [inline]
 napi_consume_skb+0x377/0x4b0 net/core/skbuff.c:902
 free_old_xmit_skbs+0xd6/0x230 drivers/net/virtio_net.c:1366
 start_xmit+0x11c/0x15d0 drivers/net/virtio_net.c:1562
 __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
 netdev_start_xmit include/linux/netdevice.h:4434 [inline]
 xmit_one net/core/dev.c:3280 [inline]
 dev_hard_start_xmit+0x179/0x880 net/core/dev.c:3296
 sch_direct_xmit+0x293/0x790 net/sched/sch_generic.c:313
 __dev_xmit_skb net/core/dev.c:3481 [inline]
 __dev_queue_xmit+0x2126/0x2b10 net/core/dev.c:3842
 neigh_hh_output include/net/neighbour.h:500 [inline]
 neigh_output include/net/neighbour.h:509 [inline]
 ip_finish_output2+0xfdb/0x2380 net/ipv4/ip_output.c:228
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x5eb/0xb80 net/ipv4/ip_output.c:290
 ip_finish_output net/ipv4/ip_output.c:318 [inline]
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip_output+0x1f5/0x5f0 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:436 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x85c/0x1be0 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x1940/0x34f0 net/ipv4/tcp_output.c:1169
 __tcp_send_ack.part.0+0x3ba/0x5a0 net/ipv4/tcp_output.c:3696
 __tcp_send_ack net/ipv4/tcp_output.c:3702 [inline]
 tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3702
 __tcp_ack_snd_check+0x156/0x8d0 net/ipv4/tcp_input.c:5241
 tcp_rcv_established+0x16a4/0x1d50 net/ipv4/tcp_input.c:5672
 tcp_v4_do_rcv+0x5fc/0x8a0 net/ipv4/tcp_ipv4.c:1557
 tcp_v4_rcv+0x2968/0x3330 net/ipv4/tcp_ipv4.c:1938
 ip_protocol_deliver_rcu+0x57/0x830 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x222/0x370 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x1c8/0x4f0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:442 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:413 [inline]
 ip_rcv_finish+0xe1/0x1b0 net/ipv4/ip_input.c:399
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0xd0/0x3d0 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core+0xf5/0x160 net/core/dev.c:5010
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5124
 netif_receive_skb_internal+0xfb/0x410 net/core/dev.c:5214
 napi_skb_finish net/core/dev.c:5677 [inline]
 napi_gro_receive+0x4ff/0x670 net/core/dev.c:5710
 receive_buf+0x634/0x53f0 drivers/net/virtio_net.c:1061
 virtnet_receive drivers/net/virtio_net.c:1323 [inline]
 virtnet_poll+0x544/0xd70 drivers/net/virtio_net.c:1428
 napi_poll net/core/dev.c:6392 [inline]
 net_rx_action+0x418/0xe80 net/core/dev.c:6460
 __do_softirq+0x221/0x912 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881d6b00000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes inside of
 1024-byte region [ffff8881d6b00000, ffff8881d6b00400)
The buggy address belongs to the page:
page:ffffea00075ac000 refcount:1 mapcount:0 mapping:ffff8881da002280 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da002280
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d6afff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d6afff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d6b00000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881d6b00080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d6b00100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================