From: syzbot <syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
linux-usb@vger.kernel.org, mchehab@kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
Date: Tue, 19 Nov 2024 10:42:25 -0800 [thread overview]
Message-ID: <673cdc11.050a0220.102984.0000.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: cfaaa7d010d1 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1365b1a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=327b6119dd928cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d7dcc0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11176b5f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/165690e61317/disk-cfaaa7d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f9a0f36bc43c/vmlinux-cfaaa7d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6e15e2011b02/bzImage-cfaaa7d0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_release+0x3e2/0x460 drivers/media/v4l2-core/v4l2-dev.c:453
Read of size 8 at addr ffff8880502e80c8 by task v4l_id/7854
CPU: 1 UID: 0 PID: 7854 Comm: v4l_id Not tainted 6.12.0-rc7-syzkaller-00125-gcfaaa7d010d1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
v4l2_release+0x3e2/0x460 drivers/media/v4l2-core/v4l2-dev.c:453
__fput+0x3f6/0xb60 fs/file_table.c:431
__fput_sync+0x45/0x50 fs/file_table.c:516
__do_sys_close fs/open.c:1567 [inline]
__se_sys_close fs/open.c:1552 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1552
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb945b170a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffce37bdcf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007fb945ecdce0 RCX: 00007fb945b170a8
RDX: 0000000000000001 RSI: 000055f495dc60e7 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000006 R09: 0000000000000000
R10: 000055f495dc60e1 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffce37bdef0 R14: 000055f495dbf670 R15: 00007fb945fb3a80
</TASK>
Allocated by task 6058:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
hackrf_probe+0xd1/0x1cf0 drivers/media/usb/hackrf/hackrf.c:1353
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 6058:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4727
hackrf_probe+0x4c9/0x1cf0 drivers/media/usb/hackrf/hackrf.c:1525
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff8880502e8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 200 bytes inside of
freed 8192-byte region [ffff8880502e8000, ffff8880502ea000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x502e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000140ba01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (S10udev), ts 13144656310, free_ts 10453105280
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0xcb3/0x2170 security/tomoyo/audit.c:264
tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x193/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0xe8e/0x2070 security/tomoyo/domain.c:881
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12b/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:1297
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve fs/exec.c:1845 [inline]
bprm_execve+0x642/0x1960 fs/exec.c:1821
do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:1952
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
free_contig_range+0x133/0x3f0 mm/page_alloc.c:6765
destroy_args+0xa87/0xe60 mm/debug_vm_pgtable.c:1017
debug_vm_pgtable+0x168e/0x31a0 mm/debug_vm_pgtable.c:1397
do_one_initcall+0x128/0x700 init/main.c:1269
do_initcall_level init/main.c:1331 [inline]
do_initcalls init/main.c:1347 [inline]
do_basic_setup init/main.c:1366 [inline]
kernel_init_freeable+0x5c7/0x900 init/main.c:1580
kernel_init+0x1c/0x2b0 init/main.c:1469
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff8880502e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880502e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880502e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880502e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880502e8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2024-11-19 18:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-19 18:42 syzbot [this message]
2025-01-26 16:12 ` [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release Nikita Zhandarovich
2025-01-26 16:37 ` syzbot
2025-01-27 11:23 ` Nikita Zhandarovich
2025-01-27 17:24 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=673cdc11.050a0220.102984.0000.GAE@google.com \
--to=syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.