Re: KASAN: use-after-free Read in v4l2_release (3)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+75287f75e2fedd69d680@syzkaller.appspotmail.com>
To: andreyknvl@google.com, bnvandana@gmail.com,
	hans.verkuil@cisco.com, hdanton@sina.com,
	hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	linux-usb@vger.kernel.org, mchehab@kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in v4l2_release (3)
Date: Fri, 24 Jan 2020 04:54:03 -0800	[thread overview]
Message-ID: <0000000000008d6b69059ce24053@google.com> (raw)
In-Reply-To: <CAAeHK+whRFCF9WzUr55MoMiFsn83Ykr9jGGUFE4CTKVbBsZu6Q@mail.gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING in kernfs_remove_by_name_ns

------------[ cut here ]------------
kernfs: can not remove 'version', no directory
WARNING: CPU: 1 PID: 94 at fs/kernfs/dir.c:1507 kernfs_remove_by_name_ns+0x98/0xb0 fs/kernfs/dir.c:1507
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 panic+0x2aa/0x6e1 kernel/panic.c:221
 __warn.cold+0x2f/0x30 kernel/panic.c:582
 report_bug+0x27b/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 fixup_bug arch/x86/kernel/traps.c:169 [inline]
 do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:kernfs_remove_by_name_ns+0x98/0xb0 fs/kernfs/dir.c:1507
Code: b1 ff 48 c7 c7 20 13 1d 87 41 bc fe ff ff ff e8 2e fe fe 03 eb d9 e8 47 4d b1 ff 4c 89 e6 48 c7 c7 c0 51 f1 85 e8 20 33 86 ff <0f> 0b 41 bc fe ff ff ff eb bb 0f 1f 40 00 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffff8881d5d47708 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8881cba58390 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff812959ad RDI: ffffed103aba8ed3
RBP: 0000000000000000 R08: ffff8881d6d2c980 R09: fffffbfff1269aae
R10: fffffbfff1269aad R11: ffffffff8934d56f R12: ffffffff8671eb40
R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000c
 sysfs_remove_file include/linux/sysfs.h:536 [inline]
 device_remove_file+0x25/0x30 drivers/base/core.c:1869
 usbvision_remove_sysfs drivers/media/usb/usbvision/usbvision-video.c:287 [inline]
 usbvision_release+0x88/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1360
 v4l2_device_release+0x29a/0x3e0 drivers/media/v4l2-core/v4l2-dev.c:225
 device_release+0x71/0x200 drivers/base/core.c:1358
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x256/0x550 lib/kobject.c:739
 put_device drivers/base/core.c:2586 [inline]
 device_unregister+0x34/0xc0 drivers/base/core.c:2697
 video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1075
 usbvision_unregister_video drivers/media/usb/usbvision/usbvision-video.c:1255 [inline]
 usbvision_unregister_video+0xfb/0x120 drivers/media/usb/usbvision/usbvision-video.c:1242
 usbvision_release+0x10d/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1361
 usbvision_disconnect+0x171/0x1e0 drivers/media/usb/usbvision/usbvision-video.c:1593
 usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:1134 [inline]
 device_release_driver_internal+0x42f/0x500 drivers/base/dd.c:1165
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:532
 device_del+0x481/0xd30 drivers/base/core.c:2664
 usb_disable_device+0x23d/0x790 drivers/usb/core/message.c:1237
 usb_disconnect+0x293/0x900 drivers/usb/core/hub.c:2200
 hub_port_connect drivers/usb/core/hub.c:5035 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5324 [inline]
 port_event drivers/usb/core/hub.c:5470 [inline]
 hub_event+0x1a1d/0x4300 drivers/usb/core/hub.c:5552
 process_one_work+0x945/0x15c0 kernel/workqueue.c:2264
 worker_thread+0x96/0xe20 kernel/workqueue.c:2410
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         ae179410 usb: gadget: add raw-gadget interface
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=133b3611e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57
dashboard link: https://syzkaller.appspot.com/bug?extid=75287f75e2fedd69d680
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15921b69e00000

next prev parent reply	other threads:[~2020-01-24 12:54 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-08 20:24 KASAN: use-after-free Read in v4l2_release (3) syzbot
2020-01-22 22:58 ` syzbot
     [not found] ` <20200123102707.2596-1-hdanton@sina.com>
2020-01-23 12:19   ` Laurent Pinchart
     [not found]   ` <20200124022847.11244-1-hdanton@sina.com>
2020-01-24 12:41     ` Andrey Konovalov
2020-01-24 12:54       ` syzbot [this message]
2020-01-24 14:10   ` Dan Carpenter
2020-01-24 14:13   ` [PATCH] media: usbvision: Fix a use after free in v4l2_release() Dan Carpenter
2020-02-14 10:06     ` Hans Verkuil
2020-02-14 11:22       ` Laurent Pinchart
2020-02-14 11:30         ` Hans Verkuil
     [not found]         ` <20200214121447.13612-1-hdanton@sina.com>
2020-02-14 12:21           ` Hans Verkuil
     [not found]           ` <20200214124825.12568-1-hdanton@sina.com>
2020-02-14 13:34             ` Hans Verkuil

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000008d6b69059ce24053@google.com \
    --to=syzbot+75287f75e2fedd69d680@syzkaller.appspotmail.com \
    --cc=andreyknvl@google.com \
    --cc=bnvandana@gmail.com \
    --cc=hans.verkuil@cisco.com \
    --cc=hdanton@sina.com \
    --cc=hverkuil-cisco@xs4all.nl \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.