From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753759AbdCWMRd (ORCPT ); Thu, 23 Mar 2017 08:17:33 -0400 Received: from mail-ua0-f171.google.com ([209.85.217.171]:33805 "EHLO mail-ua0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751304AbdCWMRb (ORCPT ); Thu, 23 Mar 2017 08:17:31 -0400 MIME-Version: 1.0 From: Dmitry Vyukov Date: Thu, 23 Mar 2017 13:17:09 +0100 Message-ID: Subject: usb: use-after-free write in usb_hcd_link_urb_to_ep To: Greg Kroah-Hartman , mathias.nyman@linux.intel.com, baoyou.xie@linaro.org, peter.chen@nxp.com, wulf@rock-chips.com, wsa-dev@sang-engineering.com, Alan Stern , javier@osg.samsung.com, chris.bainbridge@gmail.com, USB list , LKML Cc: syzkaller Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, I've got the following report while running syzkaller fuzzer on 093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Not the preceding injected kmalloc failure, most likely it's the root cause. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x1b8/0x28d lib/dump_stack.c:52 fail_dump lib/fault-inject.c:45 [inline] should_fail+0x78a/0x870 lib/fault-inject.c:154 should_failslab+0xec/0x120 mm/failslab.c:31 slab_pre_alloc_hook mm/slab.h:434 [inline] slab_alloc mm/slab.c:3394 [inline] __do_kmalloc mm/slab.c:3734 [inline] __kmalloc+0x220/0x730 mm/slab.c:3745 kmalloc include/linux/slab.h:495 [inline] kzalloc include/linux/slab.h:663 [inline] rh_call_control drivers/usb/core/hcd.c:522 [inline] rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline] usb_hcd_submit_urb+0x693/0x1e40 drivers/usb/core/hcd.c:1646 usb_submit_urb+0x8d4/0x1030 drivers/usb/core/urb.c:542 usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56 usb_internal_control_msg drivers/usb/core/message.c:100 [inline] usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151 get_port_status drivers/usb/core/hub.c:554 [inline] hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571 hub_port_status drivers/usb/core/hub.c:593 [inline] hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline] usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011 chrdev_open+0x257/0x730 fs/char_dev.c:392 do_dentry_open+0x710/0xc80 fs/open.c:751 vfs_open+0x105/0x220 fs/open.c:864 do_last fs/namei.c:3349 [inline] path_openat+0x1151/0x35b0 fs/namei.c:3490 do_filp_open+0x249/0x370 fs/namei.c:3525 do_sys_open+0x502/0x6d0 fs/open.c:1051 SYSC_open fs/open.c:1069 [inline] SyS_open+0x2d/0x40 fs/open.c:1064 entry_SYSCALL_64_fastpath+0x1f/0xc2 ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0 lib/list_debug.c:26 at addr ffff88003c377a20 Read of size 8 by task syz-executor7/3348 CPU: 3 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x1b8/0x28d lib/dump_stack.c:52 kasan_object_err+0x1c/0x70 mm/kasan/report.c:166 print_address_description mm/kasan/report.c:210 [inline] kasan_report_error mm/kasan/report.c:294 [inline] kasan_report.part.2+0x1be/0x480 mm/kasan/report.c:316 kasan_report mm/kasan/report.c:337 [inline] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:337 __list_add_valid+0xc6/0xd0 lib/list_debug.c:26 __list_add include/linux/list.h:59 [inline] list_add_tail include/linux/list.h:92 [inline] usb_hcd_link_urb_to_ep+0x281/0x4e0 drivers/usb/core/hcd.c:1275 rh_call_control drivers/usb/core/hcd.c:502 [inline] rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline] usb_hcd_submit_urb+0x403/0x1e40 drivers/usb/core/hcd.c:1646 usb_submit_urb+0x8d4/0x1030 drivers/usb/core/urb.c:542 usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56 usb_internal_control_msg drivers/usb/core/message.c:100 [inline] usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151 get_port_status drivers/usb/core/hub.c:554 [inline] hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571 hub_port_status drivers/usb/core/hub.c:593 [inline] hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline] usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011 chrdev_open+0x257/0x730 fs/char_dev.c:392 do_dentry_open+0x710/0xc80 fs/open.c:751 vfs_open+0x105/0x220 fs/open.c:864 do_last fs/namei.c:3349 [inline] path_openat+0x1151/0x35b0 fs/namei.c:3490 do_filp_open+0x249/0x370 fs/namei.c:3525 do_sys_open+0x502/0x6d0 fs/open.c:1051 SYSC_open fs/open.c:1069 [inline] SyS_open+0x2d/0x40 fs/open.c:1064 entry_SYSCALL_64_fastpath+0x1f/0xc2 RIP: 0033:0x40b3f1 RSP: 002b:00007f642ad93410 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: cccccccccccccccd RCX: 000000000040b3f1 RDX: 0000000000000000 RSI: 00000000001cd000 RDI: 00007f642ad93440 RBP: 0000000000000086 R08: 0000000000000000 R09: 00000000000000fb R10: ffffffffffffffff R11: 0000000000000293 R12: 00000000004a7e31 R13: 0000000000000000 R14: 00007f642ad93618 R15: 00007f642ad93788 Object at ffff88003c377a00, in cache kmalloc-192 size: 192 Allocated: PID = 3348 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:517 set_track mm/kasan/kasan.c:529 [inline] kasan_kmalloc+0xbc/0xf0 mm/kasan/kasan.c:620 __do_kmalloc mm/slab.c:3736 [inline] __kmalloc+0x13c/0x730 mm/slab.c:3745 kmalloc include/linux/slab.h:495 [inline] usb_alloc_urb+0x24/0x50 drivers/usb/core/urb.c:73 usb_internal_control_msg drivers/usb/core/message.c:93 [inline] usb_control_msg+0x1d7/0x460 drivers/usb/core/message.c:151 get_port_status drivers/usb/core/hub.c:554 [inline] hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571 hub_port_status drivers/usb/core/hub.c:593 [inline] hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline] usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011 chrdev_open+0x257/0x730 fs/char_dev.c:392 do_dentry_open+0x710/0xc80 fs/open.c:751 vfs_open+0x105/0x220 fs/open.c:864 do_last fs/namei.c:3349 [inline] path_openat+0x1151/0x35b0 fs/namei.c:3490 do_filp_open+0x249/0x370 fs/namei.c:3525 do_sys_open+0x502/0x6d0 fs/open.c:1051 SYSC_open fs/open.c:1069 [inline] SyS_open+0x2d/0x40 fs/open.c:1064 entry_SYSCALL_64_fastpath+0x1f/0xc2 Freed: PID = 3348 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:517 set_track mm/kasan/kasan.c:529 [inline] kasan_slab_free+0x81/0xc0 mm/kasan/kasan.c:593 __cache_free mm/slab.c:3514 [inline] kfree+0xd7/0x250 mm/slab.c:3831 urb_destroy+0x4a/0xa0 drivers/usb/core/urb.c:26 kref_put include/linux/kref.h:72 [inline] usb_free_urb+0x30/0x40 drivers/usb/core/urb.c:96 usb_start_wait_urb+0x234/0x320 drivers/usb/core/message.c:78 usb_internal_control_msg drivers/usb/core/message.c:100 [inline] usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151 get_port_status drivers/usb/core/hub.c:554 [inline] hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571 hub_port_status drivers/usb/core/hub.c:593 [inline] hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline] usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011 chrdev_open+0x257/0x730 fs/char_dev.c:392 do_dentry_open+0x710/0xc80 fs/open.c:751 vfs_open+0x105/0x220 fs/open.c:864 do_last fs/namei.c:3349 [inline] path_openat+0x1151/0x35b0 fs/namei.c:3490 do_filp_open+0x249/0x370 fs/namei.c:3525 do_sys_open+0x502/0x6d0 fs/open.c:1051 SYSC_open fs/open.c:1069 [inline] SyS_open+0x2d/0x40 fs/open.c:1064 entry_SYSCALL_64_fastpath+0x1f/0xc2 Memory state around the buggy address: ffff88003c377900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88003c377980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88003c377a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88003c377a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88003c377b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================