* KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
@ 2020-09-08  7:37 syzbot
  2021-12-30 15:47 ` [syzbot] " syzbot
  0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2020-09-08  7:37 UTC (permalink / raw)
  To: akpm, andreyknvl, dvyukov, gregkh, gustavoars, keescook,
	linux-kernel, linux-usb, m.szyprowski, noring, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    b51594df Merge tag 'docs-5.9-3' of git://git.lwn.net/linux
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149d38ae900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
Write of size 2 at addr ffff88809f5ef480 by task syz-executor.4/6857

CPU: 1 PID: 6857 Comm: syz-executor.4 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memcpy+0x39/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:406 [inline]
 usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
 expire_timers kernel/time/timer.c:1458 [inline]
 __run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
 __run_timers kernel/time/timer.c:1736 [inline]
 run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768
 __do_softirq+0x1f7/0xa91 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x235/0x280 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:770 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x4d/0x90 kernel/locking/spinlock.c:191
Code: 48 c7 c0 48 3c b6 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 3c 48 83 3d 12 f5 bf 01 00 74 29 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 f4 6d 59 f9 65 8b 05 2d b7 0b 78
RSP: 0018:ffffc90004e0f740 EFLAGS: 00000282
RAX: 1ffffffff136c789 RBX: 0000000000000282 RCX: 1ffffffff1563f69
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffffffff8cc156b8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888037a37270
R13: 1ffff920009c1efa R14: ffffffff8cc156b8 R15: ffffffff8cc156b0
 __debug_object_init+0x401/0xce0 lib/debugobjects.c:580
 debug_object_init lib/debugobjects.c:595 [inline]
 debug_object_activate+0x32c/0x3e0 lib/debugobjects.c:681
 debug_rcu_head_queue kernel/rcu/rcu.h:176 [inline]
 __call_rcu kernel/rcu/tree.c:2880 [inline]
 call_rcu+0x2c/0x7b0 kernel/rcu/tree.c:2968
 destroy_inode+0x129/0x1b0 fs/inode.c:287
 iput_final fs/inode.c:1652 [inline]
 iput.part.0+0x424/0x850 fs/inode.c:1678
 iput+0x58/0x70 fs/inode.c:1668
 proc_invalidate_siblings_dcache+0x28d/0x600 fs/proc/inode.c:160
 release_task+0xc63/0x14d0 kernel/exit.c:221
 wait_task_zombie kernel/exit.c:1088 [inline]
 wait_consider_task+0x2fb3/0x3b20 kernel/exit.c:1315
 do_wait_thread kernel/exit.c:1378 [inline]
 do_wait+0x36a/0x9e0 kernel/exit.c:1449
 kernel_wait4+0x14c/0x260 kernel/exit.c:1621
 __do_sys_wait4+0x13f/0x150 kernel/exit.c:1649
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4171fb
Code: 54 55 41 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 1b f9 ff ff 45 31 d2 41 89 c0 49 63 d4 48 89 ee 48 63 fb b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 19 44 89 c7 89 44 24 0c e8 51 f9 ff ff 8b 44
RSP: 002b:00007ffff8e9d6c0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00000000004171fb
RDX: 0000000040000001 RSI: 00007ffff8e9d720 RDI: ffffffffffffffff
RBP: 00007ffff8e9d720 R08: 0000000000000000 R09: 000000000267c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040000001
R13: 00007ffff8e9d720 R14: 000000000012605c R15: 00007ffff8e9d730

Allocated by task 31714:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x1b0/0x310 mm/slab.c:3664
 kmalloc include/linux/slab.h:559 [inline]
 proc_do_submiturb+0x29a3/0x34d0 drivers/usb/core/devio.c:1733
 proc_submiturb drivers/usb/core/devio.c:1892 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2588 [inline]
 usbdev_ioctl+0x682/0x3360 drivers/usb/core/devio.c:2708
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88809f5ef480
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff88809f5ef480, ffff88809f5ef4a0)
The buggy address belongs to the page:
page:00000000686f7d13 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f5effc1 pfn:0x9f5ef
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029f1e08 ffffea0002684648 ffff8880aa040100
raw: ffff88809f5effc1 ffff88809f5ef000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f5ef380: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
 ffff88809f5ef400: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
>ffff88809f5ef480: 01 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
                   ^
 ffff88809f5ef500: fa fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
 ffff88809f5ef580: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2020-09-08  7:37 KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) syzbot
@ 2021-12-30 15:47 ` syzbot
  2021-12-30 20:08   ` Alan Stern
  0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-30 15:47 UTC (permalink / raw)
  To: akpm, andreyknvl, dvyukov, gregkh, gustavoars, jun.li, keescook,
	kishon, linux-kernel, linux-usb, m.szyprowski, noring,
	pastor.winkley, peter.chen, stern, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607

CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x65/0x380 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
 memcpy+0x3c/0x60 mm/kasan/shadow.c:66
 usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
 call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers+0x71a/0x910 kernel/time/timer.c:1734
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
 __do_softirq+0x392/0x7a3 kernel/softirq.c:558
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
 vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
 dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
 dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
 _dev_warn+0x11e/0x165 drivers/base/core.c:4661
 checkintf drivers/usb/core/devio.c:826 [inline]
 do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc8c54137a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
 </TASK>

Allocated by task 3616:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:269 [inline]
 __kmalloc+0x253/0x380 mm/slub.c:4423
 kmalloc include/linux/slab.h:595 [inline]
 do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801dd0d780
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [ffff88801dd0d780, ffff88801dd0d788)
The buggy address belongs to the page:
page:ffffea0000774340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dd0d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000077d900 dead000000000002 ffff888011441280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 22, ts 8565550793, free_ts 8556148454
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5369
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab+0xcc/0x540 mm/slub.c:1930
 new_slab mm/slub.c:1993 [inline]
 ___slab_alloc+0x41e/0xc40 mm/slub.c:3022
 __slab_alloc mm/slub.c:3109 [inline]
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 __kmalloc+0x2eb/0x380 mm/slub.c:4419
 kmalloc include/linux/slab.h:595 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 smk_parse_smack+0x18e/0x220 security/smack/smack_access.c:468
 smk_import_entry+0x22/0x400 security/smack/smack_access.c:566
 smk_fetch security/smack/smack_lsm.c:300 [inline]
 smack_d_instantiate+0x6ac/0xd10 security/smack/smack_lsm.c:3417
 security_d_instantiate+0xa5/0x100 security/security.c:2040
 d_instantiate+0x51/0x90 fs/dcache.c:2008
 shmem_mknod+0x165/0x1b0 mm/shmem.c:2842
 shmem_mkdir+0x2e/0x60 mm/shmem.c:2881
 vfs_mkdir+0x44d/0x680 fs/namei.c:3883
 dev_mkdir drivers/base/devtmpfs.c:165 [inline]
 create_path drivers/base/devtmpfs.c:190 [inline]
 handle_create drivers/base/devtmpfs.c:209 [inline]
 handle drivers/base/devtmpfs.c:380 [inline]
 devtmpfs_work_loop+0x386/0x1080 drivers/base/devtmpfs.c:395
 devtmpfsd+0x44/0x50 drivers/base/devtmpfs.c:437
 kthread+0x468/0x490 kernel/kthread.c:327
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3425
 release_pages+0x15a7/0x17d0 mm/swap.c:980
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
 tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
 tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
 exit_mmap+0x3dd/0x6f0 mm/mmap.c:3172
 __mmput+0x111/0x3a0 kernel/fork.c:1113
 free_bprm+0x136/0x2f0 fs/exec.c:1481
 kernel_execve+0x740/0x9a0 fs/exec.c:1978
 call_usermodehelper_exec_async+0x262/0x3b0 kernel/umh.c:112
 ret_from_fork+0x1f/0x30

Memory state around the buggy address:
 ffff88801dd0d680: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
 ffff88801dd0d700: fc 00 fc fc fc fc 00 fc fc fc fc fb fc fc fc fc
>ffff88801dd0d780: 01 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa
                   ^
 ffff88801dd0d800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc
 ffff88801dd0d880: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e9 71 fa ff ff       	jmpq   0xfffffa76
   5:	e8 a7 70 1a 00       	callq  0x1a70b1
   a:	e8 62 4b a0 08       	callq  0x8a04b71
   f:	48 83 7c 24 38 00    	cmpq   $0x0,0x38(%rsp)
  15:	74 dd                	je     0xfffffff4
  17:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  1e:	00 00 00
  21:	e8 8b 70 1a 00       	callq  0x1a70b1
  26:	fb                   	sti
  27:	31 ff                	xor    %edi,%edi
* 29:	44 89 f6             	mov    %r14d,%esi <-- trapping instruction
  2c:	e8 90 74 1a 00       	callq  0x1a74c1
  31:	31 db                	xor    %ebx,%ebx
  33:	45 85 f6             	test   %r14d,%r14d
  36:	0f 95 c0             	setne  %al
  39:	89 c1                	mov    %eax,%ecx
  3b:	0a 4c 24 0f          	or     0xf(%rsp),%cl


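The two reports above (and the retest further down) say the same thing in three ways: a 2-byte write lands at offset 0 of an object whose first shadow byte is 01. As an added example, not code from the kernel tree or from anyone in this thread, the following decoder reads one "Memory state" row from each report and checks the reported access against it, using the shadow-byte encoding of generic KASAN (one shadow byte per 8-byte granule; 00 fully addressable, 01..07 partially addressable, fc/fb/fa the kmalloc redzone, freed and freed-with-track poisons from mm/kasan/kasan.h). The rows and addresses are copied verbatim from the reports; the row constants and function names are mine.

```c
/*
 * Added example, not code from the kernel or from this thread: decode one
 * "Memory state around the buggy address" row of a generic-KASAN report and
 * check a reported access against it. Rows and accesses are copied from the
 * three reports in this thread; shadow-byte values follow mm/kasan/kasan.h.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GRANULE   8   /* one shadow byte covers 8 bytes of memory */
#define ROW_BYTES 16  /* a dump row shows 16 shadow bytes, i.e. 128 bytes */

struct shadow_row { uint64_t base; uint8_t s[ROW_BYTES]; };

/* Rows copied verbatim from the reports: 5.9-rc3, 5.16-rc7, patched retest. */
static const char ROW_5_9[]    = ">ffff88809f5ef480: 01 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc";
static const char ROW_5_16[]   = ">ffff88801dd0d780: 01 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa";
static const char ROW_RETEST[] = ">ffff8880121ae200: fc fb fc fc fc fc 01 fc fc fc fc fb fc fc fc fc";

/* Meaning of one shadow byte for slab memory under generic KASAN. */
static const char *shadow_meaning(uint8_t v)
{
	if (v == 0x00) return "all 8 bytes of the granule addressable";
	if (v < GRANULE) return "only the first v bytes of the granule addressable";
	if (v == 0xfc) return "KASAN_KMALLOC_REDZONE";
	if (v == 0xfb) return "KASAN_KMALLOC_FREE";
	if (v == 0xfa) return "KASAN_KMALLOC_FREETRACK";
	return "other poison";
}

/* Parse ">addr: b0 b1 ... b15"; the leading '>' is optional. 0 on success. */
static int parse_shadow_row(const char *text, struct shadow_row *row)
{
	char *end;
	while (*text == '>' || *text == ' ')
		text++;
	row->base = strtoull(text, &end, 16);
	if (end == text || *end != ':')
		return -1;
	text = end + 1;
	for (int i = 0; i < ROW_BYTES; i++) {
		unsigned long v = strtoul(text, &end, 16);
		if (end == text || v > 0xff)
			return -1;
		row->s[i] = (uint8_t)v;
		text = end;
	}
	return 0;
}

/* 1 if addr is addressable, 0 if poisoned, -1 if the row does not cover it. */
static int byte_addressable(const struct shadow_row *row, uint64_t addr)
{
	if (addr < row->base || addr - row->base >= ROW_BYTES * GRANULE)
		return -1;
	uint64_t off = addr - row->base;
	uint8_t v = row->s[off / GRANULE];
	return v == 0x00 || (v < GRANULE && off % GRANULE < v);
}

/* Bytes of [addr, addr+size) in bounds before the first poisoned byte
 * (== size for a valid access); -1 on a bad row or an uncovered addr. */
static long check_access(const char *row_text, uint64_t addr, size_t size)
{
	struct shadow_row row;
	long ok = 0;
	if (parse_shadow_row(row_text, &row) || byte_addressable(&row, addr) < 0)
		return -1;
	while ((size_t)ok < size && byte_addressable(&row, addr + ok) == 1)
		ok++;
	return ok;
}

/* Usable size recorded in the shadow for the object at obj: the size that was
 * passed to kmalloc(), which may be smaller than the slab cache's object size. */
static long usable_size(const char *row_text, uint64_t obj)
{
	return check_access(row_text, obj, ROW_BYTES * GRANULE);
}

static void explain(const char *label, const char *row_text, uint64_t addr, size_t size)
{
	struct shadow_row row;
	long ok = check_access(row_text, addr, size);
	if (ok < 0 || parse_shadow_row(row_text, &row))
		return;
	printf("%s: write of %zu at %#llx: %ld byte(s) in bounds, object usable size %ld\n",
	       label, size, (unsigned long long)addr, ok, usable_size(row_text, addr));
	if ((size_t)ok < size && byte_addressable(&row, addr + ok) == 0) {
		uint8_t bad = row.s[(addr + ok - row.base) / GRANULE];
		printf("  overflow starts at +%ld: shadow 0x%02x, %s\n", ok, bad, shadow_meaning(bad));
	}
}

int main(void)
{
	explain("5.9-rc3 ", ROW_5_9,    0xffff88809f5ef480ULL, 2);
	explain("5.16-rc7", ROW_5_16,   0xffff88801dd0d780ULL, 2);
	explain("retest  ", ROW_RETEST, 0xffff8880121ae230ULL, 2);
	return 0;
}
```

For all three rows the decoder reports one byte in bounds and a usable size of one byte, so the shadow says the transfer buffer was requested with size 1 (which SLUB serves from kmalloc-8 and SLAB from kmalloc-32, matching the two cache names in the reports) and the 2-byte memcpy in usb_hcd_poll_rh_status overruns it by one byte into the redzone. That is what KASAN can tell you; which side should have checked the length is for the thread to settle.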

* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-30 15:47 ` [syzbot] " syzbot
@ 2021-12-30 20:08   ` Alan Stern
  2021-12-31  0:49     ` syzbot
  0 siblings, 1 reply; 12+ messages in thread
From: Alan Stern @ 2021-12-30 20:08 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, andreyknvl, dvyukov, gregkh, gustavoars, jun.li, keescook,
	kishon, linux-kernel, linux-usb, m.szyprowski, noring,
	pastor.winkley, peter.chen, syzkaller-bugs

On Thu, Dec 30, 2021 at 07:47:18AM -0800, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
> dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
> Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607
> 
> CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
>  print_address_description+0x65/0x380 mm/kasan/report.c:247
>  __kasan_report mm/kasan/report.c:433 [inline]
>  kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
>  kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
>  memcpy+0x3c/0x60 mm/kasan/shadow.c:66
>  usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
>  call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
>  expire_timers kernel/time/timer.c:1466 [inline]
>  __run_timers+0x71a/0x910 kernel/time/timer.c:1734
>  run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
>  __do_softirq+0x392/0x7a3 kernel/softirq.c:558
>  __irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
>  irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
>  sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x12/0x20
> RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
> Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
> RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
> RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
> R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
> R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
>  vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
>  dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
>  dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
>  _dev_warn+0x11e/0x165 drivers/base/core.c:4661
>  checkintf drivers/usb/core/devio.c:826 [inline]
>  do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
>  proc_bulk drivers/usb/core/devio.c:1351 [inline]
>  usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
>  usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:874 [inline]
>  __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7fc8c54137a9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
> RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
> RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
> R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
> R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
>  </TASK>
> 
> Allocated by task 3616:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track mm/kasan/common.c:46 [inline]
>  set_alloc_info mm/kasan/common.c:434 [inline]
>  ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
>  kasan_kmalloc include/linux/kasan.h:269 [inline]
>  __kmalloc+0x253/0x380 mm/slub.c:4423
>  kmalloc include/linux/slab.h:595 [inline]
>  do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
>  proc_bulk drivers/usb/core/devio.c:1351 [inline]
>  usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
>  usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:874 [inline]
>  __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae

Diagnostic patch.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e

Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
 	u8 bulk_status;
 };
 
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 
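Review bot: this hunk only flips the default of usbfs_snoop, so it is a diagnostic to make syzbot's run log all usbfs traffic and must not be merged as a fix; say so in the hunk or the cover text (the MODULE_PARM_DESC "true to log all usbfs traffic" stays accurate either way). Because the parameter is S_IWUSR, a local build gets the same output with usbfs_snoop=1 on the command line or at runtime through /sys/module/usbcore/parameters/usbfs_snoop; the default change is only needed because syzbot boots its own kernel. Expect the extra dev_info() per ioctl to change timing and to show up in the interrupted context of the retest rather than the bulk transfer itself.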


* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-30 20:08   ` Alan Stern
@ 2021-12-31  0:49     ` syzbot
  2021-12-31  2:31       ` Alan Stern
  0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31  0:49 UTC (permalink / raw)
  To: akpm, andreyknvl, dvyukov, gregkh, gustavoars, jun.li, keescook,
	kishon, linux-kernel, linux-usb, m.szyprowski, noring,
	pastor.winkley, peter.chen, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087

CPU: 1 PID: 4087 Comm: syz-executor189 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200
Code: 48 89 ef 5d e9 b1 1c 46 00 5d be 03 00 00 00 e9 46 8c 63 02 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 c9 dd 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
RSP: 0018:ffffc900027ef930 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801b413a00 RSI: ffffffff815efbe1 RDI: 0000000000000003
RBP: ffffc900027ef970 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff815efbd7 R11: 0000000000000000 R12: 000000000000001f
R13: ffff88801fbc1d00 R14: 0000000000000200 R15: ffffc900027efa90
 console_trylock_spinning kernel/printk/printk.c:1885 [inline]
 vprintk_emit+0x377/0x4f0 kernel/printk/printk.c:2244
 dev_vprintk_emit+0x36e/0x3b2 drivers/base/core.c:4594
 dev_printk_emit+0xba/0xf1 drivers/base/core.c:4605
 __dev_printk+0xcf/0xf5 drivers/base/core.c:4617
 _dev_info+0xd7/0x109 drivers/base/core.c:4663
 usbdev_do_ioctl drivers/usb/core/devio.c:2624 [inline]
 usbdev_ioctl.cold+0x7c2/0x83c drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7faa77f20799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd37de1eb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faa77f64098 RCX: 00007faa77f20799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffd37de1ee0 R08: 00007ffd37de1930 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 000000000001297d
R13: 00007ffd37de1ec4 R14: 00007ffd37de1ee0 R15: 00007ffd37de1ed0
 </TASK>

Allocated by task 4081:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:595 [inline]
 do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880121ae230
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [ffff8880121ae230, ffff8880121ae238)
The buggy address belongs to the page:
page:ffffea0000486b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121ae
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2449997177, free_ts 0
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
 alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 __kmalloc+0x2fb/0x340 mm/slub.c:4419
 acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
 acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
 acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
 acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
 acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
 acpi_ns_evaluate+0xd2/0x966 drivers/acpi/acpica/nseval.c:62
 acpi_evaluate_object+0x3db/0x7f5 drivers/acpi/acpica/nsxfeval.c:354
 acpi_evaluate_dsm+0x188/0x270 drivers/acpi/utils.c:678
 acpi_check_dsm drivers/acpi/utils.c:710 [inline]
 acpi_check_dsm+0x60/0x260 drivers/acpi/utils.c:701
 device_has_acpi_name drivers/pci/pci-label.c:44 [inline]
 acpi_attr_is_visible+0xaf/0x130 drivers/pci/pci-label.c:221
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880121ae100: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc
 ffff8880121ae180: fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc fc
>ffff8880121ae200: fc fb fc fc fc fc 01 fc fc fc fc fb fc fc fc fc
                                     ^
 ffff8880121ae280: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb
 ffff8880121ae300: fc fc fc fc fb fc fc fc fc fb fc fc fc fc 00 fc
==================================================================
----------------
Code disassembly (best guess):


Tested on:

commit:         eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13e94c1bb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1798d2c3b00000


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31  0:49     ` syzbot
@ 2021-12-31  2:31       ` Alan Stern
  2021-12-31  5:24         ` syzbot
  2022-05-19 12:51         ` [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) Dmitry Vyukov
  0 siblings, 2 replies; 12+ messages in thread
From: Alan Stern @ 2021-12-31  2:31 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, syzkaller-bugs

[Trimmed CC: list]

On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
...
> Tested on:
> 
> commit:         eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

I'm glad to see that the git tree is reported properly, but the commit 
label is too short.  The reproducer bug report had exactly the opposite 
problems!  It said:

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree:       upstream

Andrey or Dmitry?  Can you guys unify these two outputs to make both 
lines correct always?

Moving on...  Important lines from the console log:

[   76.919138][ T4081] usb usb9: usbdev_do_ioctl: BULK
[   76.924966][ T4081] usb usb9: usbfs: process 4081 (syz-executor189) did not claim interface 0 before use
[   76.935186][ T4081] usb usb9: ep1 int-in, length 1, timeout 9
[   76.941355][ T4099] usb usb9: opened by process 4099: syz-executor189
[   76.942606][ T4087] usb usb9: usbdev_do_ioctl: BULK
[   76.949968][    C1] 
==================================================================
[   76.950070][    C1] BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780
[   76.950102][    C1] Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087

It's hard to tell what's really happening.  The suspicious part is the 
"length 1" combined with the "Write of size 2" -- but they refer to 
different processes!

Maybe this diagnostic patch will help a little.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e

Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
 	u8 bulk_status;
 };
 
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 
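Review bot: the default flip to `usbfs_snoop = true` belongs only in this throwaway test build; the parameter is already writable at runtime (S_IWUSR), and a merged version of this default would log all usbfs traffic on every system, so keep it out of any patch intended for upstream.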
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -809,8 +809,10 @@ static int rh_queue_status (struct usb_h
 	unsigned	len = 1 + (urb->dev->maxchild / 8);
 
 	spin_lock_irqsave (&hcd_root_hub_lock, flags);
+	dev_info(hcd->self.controller, "rh_queue_status: len %d tblen %d\n",
+			len, urb->transfer_buffer_length);
 	if (hcd->status_urb || urb->transfer_buffer_length < len) {
-		dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
+		dev_info(hcd->self.controller, "not queuing rh status urb\n");
 		retval = -EINVAL;
 		goto done;
 	}
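Review bot: the guard `urb->transfer_buffer_length < len` only checks the caller's buffer against `len = 1 + (urb->dev->maxchild / 8)`, a minimum derived from the port count, whereas the memcpy that KASAN flagged above sits in usb_hcd_poll_rh_status() and copies a length the HCD supplies at poll time; printing that poll-time length as well would show directly whether the two disagree. Minor: `len` is unsigned and transfer_buffer_length is a u32, so `%u` is the matching specifier in the new dev_info.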



* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31  2:31       ` Alan Stern
@ 2021-12-31  5:24         ` syzbot
  2021-12-31 17:33           ` Alan Stern
  2022-05-19 12:51         ` [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) Dmitry Vyukov
  1 sibling, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31  5:24 UTC (permalink / raw)
  To: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, stern,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status

==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082

CPU: 1 PID: 4082 Comm: syz-executor029 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 aa db 15 f8 48 89 ef e8 62 51 16 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> a3 1b 09 f8 65 8b 05 bc a0 bb 76 85 c0 74 0a 5b 5d c3 e8 d0 02
RSP: 0018:ffffc9000283f8b0 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1b22571
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817dd258 R11: 0000000000000000 R12: ffff88801cffc240
R13: ffff88801dba4000 R14: ffff88801dba4180 R15: 0000000000000000
 spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
 rh_queue_status drivers/usb/core/hcd.c:834 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:841 [inline]
 usb_hcd_submit_urb+0x155c/0x2300 drivers/usb/core/hcd.c:1546
 usb_submit_urb+0x86d/0x18a0 drivers/usb/core/urb.c:594
 usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
 do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe659509799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffbcc163b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe65954d098 RCX: 00007fe659509799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007fffbcc163e0 R08: 00007fffbcc15e30 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 0000000000012b3a
R13: 00007fffbcc163c4 R14: 00007fffbcc163e0 R15: 00007fffbcc163d0
 </TASK>

Allocated by task 4082:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:595 [inline]
 do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880127f7028
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [ffff8880127f7028, ffff8880127f7030)
The buggy address belongs to the page:
page:ffffea000049fdc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127f7
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2292076002, free_ts 0
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
 alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 __kmalloc+0x2fb/0x340 mm/slub.c:4419
 acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
 acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
 acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
 acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
 acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
 acpi_get_handle+0x129/0x211 drivers/acpi/acpica/nsxfname.c:98
 acpi_has_method+0x6e/0xb0 drivers/acpi/utils.c:553
 acpi_is_video_device+0x154/0x210 drivers/acpi/scan.c:1226
 acpi_set_pnp_ids drivers/acpi/scan.c:1365 [inline]
 acpi_init_device_object+0xee0/0x1a60 drivers/acpi/scan.c:1747
 acpi_add_single_object+0xe4/0x1aa0 drivers/acpi/scan.c:1793
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880127f6f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff8880127f6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880127f7000: fb fc fc fc fc 01 fc fc fc fc fa fc fc fc fc 00
                                  ^
 ffff8880127f7080: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
 ffff8880127f7100: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess):


Tested on:

commit:         eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=12ab1f85b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14522335b00000



* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31  5:24         ` syzbot
@ 2021-12-31 17:33           ` Alan Stern
  2021-12-31 17:44             ` syzbot
  0 siblings, 1 reply; 12+ messages in thread
From: Alan Stern @ 2021-12-31 17:33 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, syzkaller-bugs

On Thu, Dec 30, 2021 at 09:24:09PM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> 
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
> Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082

Still not enough information.

Alan Stern


#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e

Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
 	u8 bulk_status;
 };
 
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
 module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
 
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -771,6 +771,8 @@ void usb_hcd_poll_rh_status(struct usb_h
 			clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
 			hcd->status_urb = NULL;
 			urb->actual_length = length;
+			dev_info(hcd->self.controller, "poll_rh_status: len %d maxch %d tblen %d\n",
+					length, urb->dev->maxchild, urb->transfer_buffer_length);
 			memcpy(urb->transfer_buffer, buffer, length);
 
 			usb_hcd_unlink_urb_from_ep(hcd, urb);
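Review bot: emitting the dev_info before the memcpy is the right order, since it gets the values onto the console ahead of any KASAN report the copy triggers; transfer_buffer_length is a u32, so `%u` rather than `%d`, and because this fires on every root-hub status completion it should go back to dev_dbg or be dropped before anything is merged.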
@@ -809,8 +811,10 @@ static int rh_queue_status (struct usb_h
 	unsigned	len = 1 + (urb->dev->maxchild / 8);
 
 	spin_lock_irqsave (&hcd_root_hub_lock, flags);
+	dev_info(hcd->self.controller, "rh_queue_status: len %d maxch %d tblen %d\n",
+			len, urb->dev->maxchild, urb->transfer_buffer_length);
 	if (hcd->status_urb || urb->transfer_buffer_length < len) {
-		dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
+		dev_info(hcd->self.controller, "not queuing rh status urb\n");
 		retval = -EINVAL;
 		goto done;
 	}



* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31 17:33           ` Alan Stern
@ 2021-12-31 17:44             ` syzbot
  2021-12-31 20:30               ` Alan Stern
  0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31 17:44 UTC (permalink / raw)
  To: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, stern,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status

vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062

CPU: 1 PID: 4062 Comm: syz-executor133 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 ca db 15 f8 48 89 ef e8 82 51 16 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> c3 1b 09 f8 65 8b 05 dc a0 bb 76 85 c0 74 0a 5b 5d c3 e8 f0 02
RSP: 0018:ffffc9000289f8b0 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1b22579
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817dd258 R11: 0000000000000000 R12: ffff88801d9a7d40
R13: ffff888147c88000 R14: ffff888147c88180 R15: 0000000000000000
 spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
 rh_queue_status drivers/usb/core/hcd.c:836 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
 usb_hcd_submit_urb+0x15ac/0x2390 drivers/usb/core/hcd.c:1548
 usb_submit_urb+0x86d/0x18a0 drivers/usb/core/urb.c:594
 usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
 do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fecb7004799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb13c1078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fecb7048098 RCX: 00007fecb7004799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007fffb13c10a0 R08: 00007fffb13c0af0 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fecb6fc3770
R13: 0000000000000000 R14: 00007fffb13c10a0 R15: 00007fffb13c1090
 </TASK>

Allocated by task 4062:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:595 [inline]
 do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
 proc_bulk drivers/usb/core/devio.c:1351 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
 usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801da403c0
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 8-byte region [ffff88801da403c0, ffff88801da403c8)
The buggy address belongs to the page:
page:ffffea0000769000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1da40
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2973, ts 21401832644, free_ts 18932450065
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2190
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 __kmalloc+0x2fb/0x340 mm/slub.c:4419
 kmalloc include/linux/slab.h:595 [inline]
 kernfs_fop_write_iter+0x231/0x500 fs/kernfs/file.c:273
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_write+0x12d/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388
 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:380
 apply_to_pte_range mm/memory.c:2518 [inline]
 apply_to_pmd_range mm/memory.c:2562 [inline]
 apply_to_pud_range mm/memory.c:2598 [inline]
 apply_to_p4d_range mm/memory.c:2634 [inline]
 __apply_to_page_range+0x686/0x1030 mm/memory.c:2668
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:490
 __purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1708
 _vm_unmap_aliases.part.0+0x3f0/0x500 mm/vmalloc.c:2111
 _vm_unmap_aliases mm/vmalloc.c:2085 [inline]
 vm_unmap_aliases+0x45/0x50 mm/vmalloc.c:2134
 change_page_attr_set_clr+0x241/0x500 arch/x86/mm/pat/set_memory.c:1743
 change_page_attr_set arch/x86/mm/pat/set_memory.c:1793 [inline]
 set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1941
 free_init_pages+0x73/0xc0 arch/x86/mm/init.c:894
 kernel_init+0x2e/0x1d0 init/main.c:1508
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88801da40280: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fa
 ffff88801da40300: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
>ffff88801da40380: fc fc fc 00 fc fc fc fc 01 fc fc fc fc fb fc fc
                                           ^
 ffff88801da40400: fc fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc
 ffff88801da40480: fc fb fc fc fc fc fa fc fc fc fc fb fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):


Tested on:

commit:         eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1562008db00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=177bd55db00000



* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31 17:44             ` syzbot
@ 2021-12-31 20:30               ` Alan Stern
  2021-12-31 20:44                 ` syzbot
  0 siblings, 1 reply; 12+ messages in thread
From: Alan Stern @ 2021-12-31 20:30 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, syzkaller-bugs

On Fri, Dec 31, 2021 at 09:44:06AM -0800, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> 
> vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
> Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062

I think I understand the problem.  This patch is intended to fix it.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e

Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_h
 {
 	struct urb	*urb;
 	int		length;
+	int		status;
 	unsigned long	flags;
 	char		buffer[6];	/* Any root hubs with > 31 ports? */
 
@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_h
 		if (urb) {
 			clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
 			hcd->status_urb = NULL;
+			if (urb->transfer_buffer_length >= length) {
+				status = 0;
+			} else {
+				status = -EOVERFLOW;
+				length = urb->transfer_buffer_length;
+			}
 			urb->actual_length = length;
 			memcpy(urb->transfer_buffer, buffer, length);
 
 			usb_hcd_unlink_urb_from_ep(hcd, urb);
-			usb_hcd_giveback_urb(hcd, urb, 0);
+			usb_hcd_giveback_urb(hcd, urb, status);
 		} else {
 			length = 0;
 			set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
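Review bot: the truncation branch stores the u32 `urb->transfer_buffer_length` into the int `length`, and `length` is also used after this block (the else branch sets it to 0 for the no-URB case), so the later consumers of `length` in this function should be checked against the reduced value; the `>=` comparison mixes int and u32 too, which is safe only while length is non-negative on this path. A short comment explaining that a usbfs caller may legitimately supply a buffer smaller than the HCD's report, and that this is why the URB completes with -EOVERFLOW rather than being rejected, would help the next reader.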


* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31 20:30               ` Alan Stern
@ 2021-12-31 20:44                 ` syzbot
  2022-01-01  2:07                   ` [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Alan Stern
  0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31 20:44 UTC (permalink / raw)
  To: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, stern,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com

Tested on:

commit:         eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config:  https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=148e8e35b00000

Note: testing is done by a robot and is best-effort only.


* [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
  2021-12-31 20:44                 ` syzbot
@ 2022-01-01  2:07                   ` Alan Stern
  0 siblings, 0 replies; 12+ messages in thread
From: Alan Stern @ 2022-01-01  2:07 UTC (permalink / raw)
  To: Greg KH; +Cc: USB mailing list, Kernel development list, syzkaller-bugs

When the USB core code for getting root-hub status reports was
originally written, it was assumed that the hub driver would be its
only caller.  But this isn't true now; user programs can use usbfs to
communicate with root hubs and get status reports.  When they do this,
they may use a transfer_buffer that is smaller than the data returned
by the HCD, which will lead to a buffer overflow error when
usb_hcd_poll_rh_status() tries to store the status data.  This was
discovered by syzbot:

BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062

This patch fixes the bug by reducing the amount of status data if it
won't fit in the transfer_buffer.  If some data gets discarded then
the URB's completion status is set to -EOVERFLOW rather than 0, to let
the user know what happened.

Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: <stable@vger.kernel.org>

---


[as1966]


 drivers/usb/core/hcd.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_h
 {
 	struct urb	*urb;
 	int		length;
+	int		status;
 	unsigned long	flags;
 	char		buffer[6];	/* Any root hubs with > 31 ports? */
 
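Review bot: the new `status` local has no initializer, which is fine only because every path that reads it at the `usb_hcd_giveback_urb()` call first passes through the new `if`/`else` in the `if (urb)` branch; keep it that way if the function is reshuffled later, or initialize it to 0 at declaration to make the invariant obvious.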
@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_h
 		if (urb) {
 			clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
 			hcd->status_urb = NULL;
+			if (urb->transfer_buffer_length >= length) {
+				status = 0;
+			} else {
+				status = -EOVERFLOW;
+				length = urb->transfer_buffer_length;
+			}
 			urb->actual_length = length;
 			memcpy(urb->transfer_buffer, buffer, length);
 
 			usb_hcd_unlink_urb_from_ep(hcd, urb);
-			usb_hcd_giveback_urb(hcd, urb, 0);
+			usb_hcd_giveback_urb(hcd, urb, status);
 		} else {
 			length = 0;
 			set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);

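As an added example that is not kernel code or part of Alan's patch, here is a user-space C model of the two checks on the root-hub status path: the queue-time size check from rh_queue_status (quoted in the diagnostic patch later in the thread) and the delivery-time clamp this patch adds. The `_model` names, the struct stand-in and the canary scenario are constructed for this example.

```c
#include <errno.h>
#include <string.h>

/* Stand-in for the struct urb fields the status path touches (assumed names). */
struct urb_model {
	unsigned char *transfer_buffer;
	unsigned int transfer_buffer_length;
	unsigned int actual_length;
};

/* Report size used at queue time: hub bit plus one bit per port, in bytes. */
unsigned int rh_status_len_model(unsigned int maxchild)
{
	return 1 + maxchild / 8;
}

/* Queue-time check as in rh_queue_status: too-small buffer -> -EINVAL. */
int rh_queue_status_model(const struct urb_model *urb, unsigned int maxchild)
{
	return urb->transfer_buffer_length < rh_status_len_model(maxchild)
		? -EINVAL : 0;
}

/* Delivery-time clamp from the patch: copy at most what the buffer holds. */
int rh_deliver_status_model(struct urb_model *urb,
			    const unsigned char *report, unsigned int length)
{
	int status = 0;
	if (urb->transfer_buffer_length < length) {
		status = -EOVERFLOW;		/* data had to be dropped */
		length = urb->transfer_buffer_length;
	}
	urb->actual_length = length;
	memcpy(urb->transfer_buffer, report, length);
	return status;
}

/* Replays the reported shape: a 1-byte buffer passes the queue check for a
 * 7-port hub, then a 2-byte report arrives. Returns 1 if only one byte was
 * written and the canary byte after the buffer survived. */
int overflow_scenario_model(void)
{
	unsigned char mem[2] = { 0x00, 0xAA };		/* mem[1] is a canary */
	struct urb_model urb = { mem, 1, 0 };
	const unsigned char report[2] = { 0x02, 0x01 };	/* constructed report */
	if (rh_queue_status_model(&urb, 7) != 0)
		return 0;
	return rh_deliver_status_model(&urb, report, 2) == -EOVERFLOW &&
	       urb.actual_length == 1 && mem[0] == 0x02 && mem[1] == 0xAA;
}
```

The queue-time check alone is not enough once the HCD can return more status bytes than the core computed from maxchild, which is why the copy itself must be bounded.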

* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
  2021-12-31  2:31       ` Alan Stern
  2021-12-31  5:24         ` syzbot
@ 2022-05-19 12:51         ` Dmitry Vyukov
  1 sibling, 0 replies; 12+ messages in thread
From: Dmitry Vyukov @ 2022-05-19 12:51 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, andreyknvl, gregkh, linux-kernel, linux-usb, syzkaller-bugs

On Fri, 31 Dec 2021 at 03:31, Alan Stern <stern@rowland.harvard.edu> wrote:
>
> [Trimmed CC: list]
>
> On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> ...
> > Tested on:
> >
> > commit:         eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
>
> I'm glad to see that the git tree is reported properly, but the commit
> label is too short.  The reproducer bug report had exactly the opposite
> problems!  It said:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit:    eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree:       upstream
>
> Andrey or Dmitry?  Can you guys unify these two outputs to make both
> lines correct always?

Hi Alan,

This got lost on the mailing list. Filed
https://github.com/google/syzkaller/issues/3147 to track this request.

Thanks

> Moving on...  Important lines from the console log:
>
> [   76.919138][ T4081] usb usb9: usbdev_do_ioctl: BULK
> [   76.924966][ T4081] usb usb9: usbfs: process 4081 (syz-executor189) did not claim interface 0 before use
> [   76.935186][ T4081] usb usb9: ep1 int-in, length 1, timeout 9
> [   76.941355][ T4099] usb usb9: opened by process 4099: syz-executor189
> [   76.942606][ T4087] usb usb9: usbdev_do_ioctl: BULK
> [   76.949968][    C1]
> ==================================================================
> [   76.950070][    C1] BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780
> [   76.950102][    C1] Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
>
> It's hard to tell what's really happening.  The suspicious part is the
> "length 1" combined with the "Write of size 2" -- but they refer to
> different processes!
>
> Maybe this diagnostic patch will help a little.
>
> Alan Stern
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
>
> Index: usb-devel/drivers/usb/core/devio.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/devio.c
> +++ usb-devel/drivers/usb/core/devio.c
> @@ -109,7 +109,7 @@ struct async {
>         u8 bulk_status;
>  };
>
> -static bool usbfs_snoop;
> +static bool usbfs_snoop = true;
>  module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
>  MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
>
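Review bot: flipping the `usbfs_snoop` default to `true` is fine for a one-off `#syz test` run but must not be picked up as-is, since it would log every usbfs transfer on every system at dev_info level; if a later version keeps this file, restore the `false` default and enable snooping through the existing module parameter on the test instance instead.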
> Index: usb-devel/drivers/usb/core/hcd.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/hcd.c
> +++ usb-devel/drivers/usb/core/hcd.c
> @@ -809,8 +809,10 @@ static int rh_queue_status (struct usb_h
>         unsigned        len = 1 + (urb->dev->maxchild / 8);
>
>         spin_lock_irqsave (&hcd_root_hub_lock, flags);
> +       dev_info(hcd->self.controller, "rh_queue_status: len %d tblen %d\n",
> +                       len, urb->transfer_buffer_length);
>         if (hcd->status_urb || urb->transfer_buffer_length < len) {
> -               dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
> +               dev_info(hcd->self.controller, "not queuing rh status urb\n");
>                 retval = -EINVAL;
>                 goto done;
>         }
>
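Review bot: `len` is declared `unsigned` two lines above the lock, so the new dev_info format should use `%u` rather than `%d`; also both dev_info() calls run with `hcd_root_hub_lock` held under `spin_lock_irqsave`, which is tolerable for a throwaway diagnostic but is one more reason the `dev_dbg` to `dev_info` change should not survive into the real fix.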



Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
2020-09-08  7:37 KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) syzbot
2021-12-30 15:47 ` [syzbot] " syzbot
2021-12-30 20:08   ` Alan Stern
2021-12-31  0:49     ` syzbot
2021-12-31  2:31       ` Alan Stern
2021-12-31  5:24         ` syzbot
2021-12-31 17:33           ` Alan Stern
2021-12-31 17:44             ` syzbot
2021-12-31 20:30               ` Alan Stern
2021-12-31 20:44                 ` syzbot
2022-01-01  2:07                   ` [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Alan Stern
2022-05-19 12:51         ` [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) Dmitry Vyukov
