From: Dmitry Vyukov <dvyukov@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
mathias.nyman@linux.intel.com, baoyou.xie@linaro.org,
peter.chen@nxp.com, wulf@rock-chips.com,
wsa-dev@sang-engineering.com,
Alan Stern <stern@rowland.harvard.edu>,
javier@osg.samsung.com, chris.bainbridge@gmail.com,
USB list <linux-usb@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Subject: usb: use-after-free write in usb_hcd_link_urb_to_ep
Date: Thu, 23 Mar 2017 13:17:09 +0100 [thread overview]
Message-ID: <CACT4Y+Y_EUwB_e=0Ot2uMX=-cvyi9DyBso=h+X9EJsamr4x7WQ@mail.gmail.com> (raw)
Hello,
I've got the following report while running syzkaller fuzzer on
093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
kmalloc failure, most likely it's the root cause.
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x1b8/0x28d lib/dump_stack.c:52
fail_dump lib/fault-inject.c:45 [inline]
should_fail+0x78a/0x870 lib/fault-inject.c:154
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:434 [inline]
slab_alloc mm/slab.c:3394 [inline]
__do_kmalloc mm/slab.c:3734 [inline]
__kmalloc+0x220/0x730 mm/slab.c:3745
kmalloc include/linux/slab.h:495 [inline]
kzalloc include/linux/slab.h:663 [inline]
rh_call_control drivers/usb/core/hcd.c:522 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
usb_hcd_submit_urb+0x693/0x1e40 drivers/usb/core/hcd.c:1646
usb_submit_urb+0x8d4/0x1030 drivers/usb/core/urb.c:542
usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56
usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151
get_port_status drivers/usb/core/hub.c:554 [inline]
hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
hub_port_status drivers/usb/core/hub.c:593 [inline]
hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
__rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
__pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
chrdev_open+0x257/0x730 fs/char_dev.c:392
do_dentry_open+0x710/0xc80 fs/open.c:751
vfs_open+0x105/0x220 fs/open.c:864
do_last fs/namei.c:3349 [inline]
path_openat+0x1151/0x35b0 fs/namei.c:3490
do_filp_open+0x249/0x370 fs/namei.c:3525
do_sys_open+0x502/0x6d0 fs/open.c:1051
SYSC_open fs/open.c:1069 [inline]
SyS_open+0x2d/0x40 fs/open.c:1064
entry_SYSCALL_64_fastpath+0x1f/0xc2
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0
lib/list_debug.c:26 at addr ffff88003c377a20
Read of size 8 by task syz-executor7/3348
CPU: 3 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x1b8/0x28d lib/dump_stack.c:52
kasan_object_err+0x1c/0x70 mm/kasan/report.c:166
print_address_description mm/kasan/report.c:210 [inline]
kasan_report_error mm/kasan/report.c:294 [inline]
kasan_report.part.2+0x1be/0x480 mm/kasan/report.c:316
kasan_report mm/kasan/report.c:337 [inline]
__asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:337
__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
__list_add include/linux/list.h:59 [inline]
list_add_tail include/linux/list.h:92 [inline]
usb_hcd_link_urb_to_ep+0x281/0x4e0 drivers/usb/core/hcd.c:1275
rh_call_control drivers/usb/core/hcd.c:502 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
usb_hcd_submit_urb+0x403/0x1e40 drivers/usb/core/hcd.c:1646
usb_submit_urb+0x8d4/0x1030 drivers/usb/core/urb.c:542
usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56
usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151
get_port_status drivers/usb/core/hub.c:554 [inline]
hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
hub_port_status drivers/usb/core/hub.c:593 [inline]
hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
__rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
__pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
chrdev_open+0x257/0x730 fs/char_dev.c:392
do_dentry_open+0x710/0xc80 fs/open.c:751
vfs_open+0x105/0x220 fs/open.c:864
do_last fs/namei.c:3349 [inline]
path_openat+0x1151/0x35b0 fs/namei.c:3490
do_filp_open+0x249/0x370 fs/namei.c:3525
do_sys_open+0x502/0x6d0 fs/open.c:1051
SYSC_open fs/open.c:1069 [inline]
SyS_open+0x2d/0x40 fs/open.c:1064
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x40b3f1
RSP: 002b:00007f642ad93410 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: cccccccccccccccd RCX: 000000000040b3f1
RDX: 0000000000000000 RSI: 00000000001cd000 RDI: 00007f642ad93440
RBP: 0000000000000086 R08: 0000000000000000 R09: 00000000000000fb
R10: ffffffffffffffff R11: 0000000000000293 R12: 00000000004a7e31
R13: 0000000000000000 R14: 00007f642ad93618 R15: 00007f642ad93788
Object at ffff88003c377a00, in cache kmalloc-192 size: 192
Allocated:
PID = 3348
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:517
set_track mm/kasan/kasan.c:529 [inline]
kasan_kmalloc+0xbc/0xf0 mm/kasan/kasan.c:620
__do_kmalloc mm/slab.c:3736 [inline]
__kmalloc+0x13c/0x730 mm/slab.c:3745
kmalloc include/linux/slab.h:495 [inline]
usb_alloc_urb+0x24/0x50 drivers/usb/core/urb.c:73
usb_internal_control_msg drivers/usb/core/message.c:93 [inline]
usb_control_msg+0x1d7/0x460 drivers/usb/core/message.c:151
get_port_status drivers/usb/core/hub.c:554 [inline]
hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
hub_port_status drivers/usb/core/hub.c:593 [inline]
hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
__rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
__pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
chrdev_open+0x257/0x730 fs/char_dev.c:392
do_dentry_open+0x710/0xc80 fs/open.c:751
vfs_open+0x105/0x220 fs/open.c:864
do_last fs/namei.c:3349 [inline]
path_openat+0x1151/0x35b0 fs/namei.c:3490
do_filp_open+0x249/0x370 fs/namei.c:3525
do_sys_open+0x502/0x6d0 fs/open.c:1051
SYSC_open fs/open.c:1069 [inline]
SyS_open+0x2d/0x40 fs/open.c:1064
entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 3348
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:517
set_track mm/kasan/kasan.c:529 [inline]
kasan_slab_free+0x81/0xc0 mm/kasan/kasan.c:593
__cache_free mm/slab.c:3514 [inline]
kfree+0xd7/0x250 mm/slab.c:3831
urb_destroy+0x4a/0xa0 drivers/usb/core/urb.c:26
kref_put include/linux/kref.h:72 [inline]
usb_free_urb+0x30/0x40 drivers/usb/core/urb.c:96
usb_start_wait_urb+0x234/0x320 drivers/usb/core/message.c:78
usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151
get_port_status drivers/usb/core/hub.c:554 [inline]
hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
hub_port_status drivers/usb/core/hub.c:593 [inline]
hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
__rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
__pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
chrdev_open+0x257/0x730 fs/char_dev.c:392
do_dentry_open+0x710/0xc80 fs/open.c:751
vfs_open+0x105/0x220 fs/open.c:864
do_last fs/namei.c:3349 [inline]
path_openat+0x1151/0x35b0 fs/namei.c:3490
do_filp_open+0x249/0x370 fs/namei.c:3525
do_sys_open+0x502/0x6d0 fs/open.c:1051
SYSC_open fs/open.c:1069 [inline]
SyS_open+0x2d/0x40 fs/open.c:1064
entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
ffff88003c377900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88003c377980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88003c377a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88003c377a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88003c377b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Thread overview: 8+ messages
2017-03-23 12:17 Dmitry Vyukov [this message]
2017-03-23 14:34 ` usb: use-after-free write in usb_hcd_link_urb_to_ep Alan Stern
2017-03-23 14:39 ` Dmitry Vyukov
2017-03-23 15:04 ` Alan Stern
2017-03-23 15:22 ` Dmitry Vyukov
2017-03-24 10:32 ` Dmitry Vyukov
2017-03-24 14:27 ` Alan Stern
2017-03-24 17:11 ` Dmitry Vyukov