From: syzbot <syzbot+ef5de9c4f99c4edb4e49@syzkaller.appspotmail.com>
To: andreyknvl@google.com, linux-usb@vger.kernel.org,
oneukum@suse.com, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in usbhid_power
Date: Thu, 25 Jul 2019 05:27:01 -0700 [thread overview]
Message-ID: <000000000000ea97c9058e808ab6@google.com> (raw)
In-Reply-To: <1564056947.14544.0.camel@suse.com>
Hello,
syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in usbhid_power
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3a5d/0x5340
kernel/locking/lockdep.c:3665
Read of size 8 at addr ffff8881c82c68a0 by task syz-executor.2/2950
CPU: 1 PID: 2950 Comm: syz-executor.2 Not tainted 5.2.0-rc6+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x67/0x231 mm/kasan/report.c:188
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
kasan_report+0xe/0x20 mm/kasan/common.c:614
__lock_acquire+0x3a5d/0x5340 kernel/locking/lockdep.c:3665
lock_acquire+0x100/0x2b0 kernel/locking/lockdep.c:4303
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
_raw_spin_lock_irq+0x2d/0x40 kernel/locking/spinlock.c:167
spin_lock_irq include/linux/spinlock.h:363 [inline]
usbhid_power+0x4a/0x240 drivers/hid/usbhid/hid-core.c:1232
hid_hw_power include/linux/hid.h:1038 [inline]
hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
chrdev_open+0x219/0x5c0 fs/char_dev.c:413
do_dentry_open+0x497/0x1040 fs/open.c:778
do_last fs/namei.c:3416 [inline]
path_openat+0x1430/0x3ff0 fs/namei.c:3533
do_filp_open+0x1a1/0x280 fs/namei.c:3563
do_sys_open+0x3c0/0x580 fs/open.c:1070
do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413711
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fd4b6cf27a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000413711
RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00007fd4b6cf2850
RBP: 000000000075bfc8 R08: 000000000000000f R09: 0000000000000000
R10: 00007fd4b6cf39d0 R11: 0000000000000293 R12: 00007fd4b6cf36d4
R13: 00000000004c8a7a R14: 00000000004df748 R15: 00000000ffffffff
Allocated by task 2939:
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
slab_post_alloc_hook mm/slab.h:437 [inline]
slab_alloc_node mm/slub.c:2748 [inline]
__kmalloc_node_track_caller+0xee/0x370 mm/slub.c:4363
__kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:138
__alloc_skb+0xef/0x5a0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:1054 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1179 [inline]
netlink_sendmsg+0x8d6/0xcc0 net/netlink/af_netlink.c:1897
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:665
___sys_sendmsg+0x803/0x920 net/socket.c:2286
__sys_sendmsg+0xec/0x1b0 net/socket.c:2324
do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 2939:
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
slab_free_hook mm/slub.c:1421 [inline]
slab_free_freelist_hook mm/slub.c:1448 [inline]
slab_free mm/slub.c:2994 [inline]
kfree+0xd7/0x280 mm/slub.c:3949
skb_free_head+0x8b/0xa0 net/core/skbuff.c:588
skb_release_data+0x41f/0x7c0 net/core/skbuff.c:608
skb_release_all+0x46/0x60 net/core/skbuff.c:662
__kfree_skb net/core/skbuff.c:676 [inline]
consume_skb net/core/skbuff.c:736 [inline]
consume_skb+0xc0/0x2f0 net/core/skbuff.c:730
netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
netlink_unicast+0x4d7/0x690 net/netlink/af_netlink.c:1333
netlink_sendmsg+0x80b/0xcc0 net/netlink/af_netlink.c:1922
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:665
___sys_sendmsg+0x803/0x920 net/socket.c:2286
__sys_sendmsg+0xec/0x1b0 net/socket.c:2324
do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881c82c6880
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 32 bytes inside of
1024-byte region [ffff8881c82c6880, ffff8881c82c6c80)
The buggy address belongs to the page:
page:ffffea000720b100 refcount:1 mapcount:0 mapping:ffff8881dac02a00
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000200 ffff8881dac02a00
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881c82c6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c82c6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881c82c6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c82c6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c82c6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
usb-fuzzer-usb-testing-2019.07.11
console output: https://syzkaller.appspot.com/x/log.txt?x=125edb68600000
kernel config: https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16e76a7c600000
prev parent reply other threads:[~2019-07-25 12:27 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-23 12:48 KASAN: use-after-free Read in usbhid_power syzbot
2019-07-24 14:17 ` Oliver Neukum
2019-07-24 14:24 ` Andrey Konovalov
2019-07-24 20:55 ` Oliver Neukum
2019-07-24 21:02 ` Alan Stern
2019-07-25 9:33 ` Oliver Neukum
2019-07-25 15:09 ` Alan Stern
2019-08-08 18:54 ` Andrey Konovalov
2019-08-08 19:37 ` Alan Stern
2019-08-09 7:35 ` AW: " Schmid, Carsten
2019-08-09 7:55 ` Greg KH
2019-08-09 9:34 ` AW: " Schmid, Carsten
2019-08-09 10:20 ` Hans de Goede
2019-08-09 10:47 ` AW: " Schmid, Carsten
2019-08-09 10:53 ` Hans de Goede
2019-08-09 12:38 ` AW: " Schmid, Carsten
2019-08-09 12:54 ` Greg KH
2019-08-09 13:00 ` AW: " Schmid, Carsten
2019-08-09 13:38 ` Greg KH
2019-08-10 11:12 ` AW: " Hans de Goede
2019-08-09 17:36 ` Andrey Konovalov
2019-08-09 18:12 ` syzbot
2019-08-12 14:29 ` Andrey Konovalov
2019-08-09 20:26 ` Oliver Neukum
2019-07-24 21:16 ` syzbot
2019-07-25 11:22 ` Andrey Konovalov
2019-07-25 12:15 ` Oliver Neukum
2019-07-25 12:27 ` syzbot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000ea97c9058e808ab6@google.com \
--to=syzbot+ef5de9c4f99c4edb4e49@syzkaller.appspotmail.com \
--cc=andreyknvl@google.com \
--cc=linux-usb@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.