From: syzbot <syzbot+4b677cfa21f5bd6295cd@syzkaller.appspotmail.com>
To: cai.huoqing@linux.dev, linux-kernel@vger.kernel.org,
	linux-media@vger.kernel.org, linux-usb@vger.kernel.org,
	mchehab@kernel.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] KASAN: use-after-free Read in dvb_devnode
Date: Fri, 07 Oct 2022 07:20:39 -0700
Message-ID: <000000000000a178f505ea72837a@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    00988f70a076 Merge tag 'usb-serial-6.0-rc8' of https://git..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=145efc82880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f64cd66daa10a81a
dashboard link: https://syzkaller.appspot.com/bug?extid=4b677cfa21f5bd6295cd
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4b677cfa21f5bd6295cd@syzkaller.appspotmail.com

BUG: KASAN: use-after-free in dvb_devnode+0x122/0x1b0 drivers/media/dvb-core/dvbdev.c:1025
Read of size 4 at addr ffff888113a1d860 by task udevd/1179

CPU: 0 PID: 1179 Comm: udevd Not tainted 6.0.0-rc7-syzkaller-00946-g00988f70a076 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 dvb_devnode+0x122/0x1b0 drivers/media/dvb-core/dvbdev.c:1025
 device_get_devnode+0x154/0x2b0 drivers/base/core.c:3796
 dev_uevent+0x40d/0x770 drivers/base/core.c:2404
 uevent_show+0x1b8/0x380 drivers/base/core.c:2492
 dev_attr_show+0x4b/0x90 drivers/base/core.c:2195
 sysfs_kf_seq_show+0x219/0x3d0 fs/sysfs/file.c:59
 kernfs_seq_show+0x169/0x1e0 fs/kernfs/file.c:217
 seq_read_iter+0x4f5/0x1280 fs/seq_file.c:230
 kernfs_fop_read_iter+0x523/0x710 fs/kernfs/file.c:299
 call_read_iter include/linux/fs.h:2181 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x67d/0x930 fs/read_write.c:470
 ksys_read+0x127/0x250 fs/read_write.c:607
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f28d98228fe
Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
RSP: 002b:00007ffcef6cb338 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000559cdeb69680 RCX: 00007f28d98228fe
RDX: 0000000000001000 RSI: 0000559cdeb746f0 RDI: 000000000000000c
RBP: 00007f28d98ef380 R08: 000000000000000c R09: 00007f28d98f2a60
R10: 0000000000000008 R11: 0000000000000246 R12: 0000559cdeb69680
R13: 0000000000000d68 R14: 00007f28d98ee780 R15: 0000000000000d68
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00044e8740 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113a1d
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 ffffffff00000201 0000000000000000
raw: 0000000000000000 0000000000110000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO), pid 28063, tgid 28063 (kworker/0:5), ts 3378237051573, free_ts 3378714082458
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x11cc/0x2a20 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
 kmalloc_order+0x34/0xf0 mm/slab_common.c:933
 kmalloc_order_trace+0x13/0x120 mm/slab_common.c:949
 kmalloc_large include/linux/slab.h:529 [inline]
 kmalloc include/linux/slab.h:593 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 dvb_usb_device_init+0x113/0x640 drivers/media/usb/dvb-usb/dvb-usb-init.c:279
 usb_probe_interface+0x30b/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
 __device_attach_driver+0x1d0/0x2e0 drivers/base/dd.c:936
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_set_configuration+0x1019/0x1900 drivers/usb/core/message.c:2170
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5d2/0xb80 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x420 mm/page_alloc.c:3476
 dvb_usb_device_init+0x50e/0x640 drivers/media/usb/dvb-usb/dvb-usb-init.c:322
 usb_probe_interface+0x30b/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
 __device_attach_driver+0x1d0/0x2e0 drivers/base/dd.c:936
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_set_configuration+0x1019/0x1900 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd4/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639

Memory state around the buggy address:
 ffff888113a1d700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888113a1d780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888113a1d800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff888113a1d880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888113a1d900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.