From: Johan Hovold <johan@kernel.org>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: Johan Hovold <johan@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
USB list <linux-usb@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: usb/serial: use-after-free in usb_serial_disconnect/__lock_acquire
Date: Wed, 4 Oct 2017 11:06:03 +0200 [thread overview]
Message-ID: <20171004090603.GE3404@localhost> (raw)
In-Reply-To: <CAAeHK+yOwGNetHVupMEMOexrGK1N+GhbLo5a765UNmUE6yVgFw@mail.gmail.com>
On Wed, Sep 27, 2017 at 04:36:11PM +0200, Andrey Konovalov wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
>
> gadgetfs: bound to dummy_udc driver
> usb 1-1: new full-speed USB device number 2 using dummy_hcd
> gadgetfs: connected
> gadgetfs: disconnected
> gadgetfs: connected
> usb 1-1: config 4 has an invalid interface number: 1 but max is 0
> usb 1-1: config 4 has an invalid interface number: 153 but max is 0
> usb 1-1: config 4 has 2 interfaces, different from the descriptor's value: 1
> usb 1-1: config 4 has no interface number 0
> usb 1-1: config 4 interface 1 altsetting 255 has an invalid endpoint
> with address 0x0, skipping
> usb 1-1: config 4 interface 1 altsetting 255 has an invalid endpoint
> with address 0xFF, skipping
> usb 1-1: config 4 interface 1 altsetting 255 has an invalid endpoint
> with address 0x56, skipping
> usb 1-1: too many endpoints for config 4 interface 153 altsetting 67:
> 174, using maximum allowed: 30
> usb 1-1: config 4 interface 153 altsetting 67 has 0 endpoint
> descriptors, different from the interface d
> escriptor's value: 174
> usb 1-1: config 4 interface 1 has no altsetting 0
> usb 1-1: config 4 interface 153 has no altsetting 0
> usb 1-1: New USB device found, idVendor=1199, idProduct=6832
> usb 1-1: New USB device strings: Mfr=4, Product=20, SerialNumber=3
> usb 1-1: Product: a
> usb 1-1: Manufacturer: a
> usb 1-1: SerialNumber: a
> gadgetfs: configuration #4
> sierra 1-1:4.1: Sierra USB modem converter detected
> usb 1-1: Sierra USB modem converter now attached to ttyUSB0
> sierra 1-1:4.153: Sierra USB modem converter detected
> gadgetfs: disconnected
> usb 1-1: USB disconnect, device number 2
> sierra ttyUSB0: Sierra USB modem converter now disconnected from ttyUSB0
> sierra 1-1:4.1: device disconnected
> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire+0x4504/0x4550
> Read of size 8 at addr ffff8800674df790 by task kworker/1:2/1846
>
> CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
> 4.14.0-rc2-42660-g24b7bd59eec0 #277
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:16
> dump_stack+0x292/0x395 lib/dump_stack.c:52
> print_address_description+0x78/0x280 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351
> kasan_report+0x23d/0x350 mm/kasan/report.c:409
> __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
> __lock_acquire+0x4504/0x4550 kernel/locking/lockdep.c:3376
> lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
> __mutex_lock_common kernel/locking/mutex.c:756
> __mutex_lock+0x18e/0x1a50 kernel/locking/mutex.c:893
> mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:908
> usb_serial_disconnect+0x69/0x2e0 drivers/usb/serial/usb-serial.c:1084
> usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
> __device_release_driver drivers/base/dd.c:861
> device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
> device_release_driver+0x1e/0x30 drivers/base/dd.c:918
> bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
> device_del+0x5c4/0xab0 drivers/base/core.c:1985
> usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
> usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
> hub_port_connect drivers/usb/core/hub.c:4754
> hub_port_connect_change drivers/usb/core/hub.c:5009
> port_event drivers/usb/core/hub.c:5115
> hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
> process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
> worker_thread+0x221/0x1850 kernel/workqueue.c:2253
> kthread+0x3a1/0x470 kernel/kthread.c:231
> ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Thanks for reporting this. I was able to reproduce the bug from the
information you provided here, and incidentally discovered a
long-standing related issue which I've now also fixed.
Thanks,
Johan
prev parent reply other threads:[~2017-10-04 9:06 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-27 14:36 usb/serial: use-after-free in usb_serial_disconnect/__lock_acquire Andrey Konovalov
2017-10-04 9:06 ` Johan Hovold [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171004090603.GE3404@localhost \
--to=johan@kernel.org \
--cc=andreyknvl@google.com \
--cc=dvyukov@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.