* KASAN: use-after-free Read in uvc_probe
@ 2020-01-13 12:24 syzbot
2020-02-10 14:13 ` Oliver Neukum
2020-06-19 16:10 ` Andrey Konovalov
0 siblings, 2 replies; 8+ messages in thread
From: syzbot @ 2020-01-13 12:24 UTC (permalink / raw)
To: andreyknvl, laurent.pinchart, linux-kernel, linux-media,
linux-usb, mchehab, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: ae179410 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57
dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com
usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555,
bcdDevice=69.6a
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
usb 1-1: string descriptor 0 read error: -71
uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555)
==================================================================
BUG: KASAN: use-after-free in uvc_register_terms
drivers/media/usb/uvc/uvc_driver.c:2038 [inline]
BUG: KASAN: use-after-free in uvc_register_chains
drivers/media/usb/uvc/uvc_driver.c:2070 [inline]
BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de
drivers/media/usb/uvc/uvc_driver.c:2201
Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94
CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x85 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:639
uvc_register_terms drivers/media/usb/uvc/uvc_driver.c:2038 [inline]
uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:2070 [inline]
uvc_probe.cold+0x2193/0x29de drivers/media/usb/uvc/uvc_driver.c:2201
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361
really_probe+0x290/0xad0 drivers/base/dd.c:548
driver_probe_device+0x223/0x350 drivers/base/dd.c:721
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
__device_attach+0x217/0x390 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
device_add+0x1459/0x1bf0 drivers/base/core.c:2487
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266
really_probe+0x290/0xad0 drivers/base/dd.c:548
driver_probe_device+0x223/0x350 drivers/base/dd.c:721
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
__device_attach+0x217/0x390 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
device_add+0x1459/0x1bf0 drivers/base/core.c:2487
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537
hub_port_connect drivers/usb/core/hub.c:5184 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5324 [inline]
port_event drivers/usb/core/hub.c:5470 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552
process_one_work+0x945/0x15c0 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 94:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:486
kmalloc include/linux/slab.h:556 [inline]
kzalloc include/linux/slab.h:670 [inline]
uvc_alloc_chain+0x48/0xfa drivers/media/usb/uvc/uvc_driver.c:1692
uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1818 [inline]
uvc_probe.cold+0x15f0/0x29de drivers/media/usb/uvc/uvc_driver.c:2197
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361
really_probe+0x290/0xad0 drivers/base/dd.c:548
driver_probe_device+0x223/0x350 drivers/base/dd.c:721
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
__device_attach+0x217/0x390 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
device_add+0x1459/0x1bf0 drivers/base/core.c:2487
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266
really_probe+0x290/0xad0 drivers/base/dd.c:548
driver_probe_device+0x223/0x350 drivers/base/dd.c:721
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
__device_attach+0x217/0x390 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
device_add+0x1459/0x1bf0 drivers/base/core.c:2487
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537
hub_port_connect drivers/usb/core/hub.c:5184 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5324 [inline]
port_event drivers/usb/core/hub.c:5470 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552
process_one_work+0x945/0x15c0 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 94:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:335 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:474
slab_free_hook mm/slub.c:1425 [inline]
slab_free_freelist_hook mm/slub.c:1458 [inline]
slab_free mm/slub.c:3005 [inline]
kfree+0xd5/0x300 mm/slub.c:3957
uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1825 [inline]
uvc_probe.cold+0x16fd/0x29de drivers/media/usb/uvc/uvc_driver.c:2197
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361
really_probe+0x290/0xad0 drivers/base/dd.c:548
driver_probe_device+0x223/0x350 drivers/base/dd.c:721
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
__device_attach+0x217/0x390 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
device_add+0x1459/0x1bf0 drivers/base/core.c:2487
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266
really_probe+0x290/0xad0 drivers/base/dd.c:548
driver_probe_device+0x223/0x350 drivers/base/dd.c:721
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
__device_attach+0x217/0x390 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
device_add+0x1459/0x1bf0 drivers/base/core.c:2487
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537
hub_port_connect drivers/usb/core/hub.c:5184 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5324 [inline]
port_event drivers/usb/core/hub.c:5470 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552
process_one_work+0x945/0x15c0 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d4f1bc00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 46 bytes inside of
256-byte region [ffff8881d4f1bc00, ffff8881d4f1bd00)
The buggy address belongs to the page:
page:ffffea000753c680 refcount:1 mapcount:0 mapping:ffff8881da002780
index:0x0 compound_mapcount: 0
raw: 0200000000010200 ffffea000753c600 0000000300000003 ffff8881da002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d4f1bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881d4f1bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881d4f1bc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d4f1bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d4f1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-01-13 12:24 KASAN: use-after-free Read in uvc_probe syzbot @ 2020-02-10 14:13 ` Oliver Neukum 2020-02-10 14:18 ` Laurent Pinchart 2020-02-10 15:51 ` syzbot 2020-06-19 16:10 ` Andrey Konovalov 1 sibling, 2 replies; 8+ messages in thread From: Oliver Neukum @ 2020-02-10 14:13 UTC (permalink / raw) To: syzbot, andreyknvl, laurent.pinchart, linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs Am Montag, den 13.01.2020, 04:24 -0800 schrieb syzbot: > Hello, > > syzbot found the following crash on: > > HEAD commit: ae179410 usb: gadget: add raw-gadget interface > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000 > kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 > dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com > > usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, > bcdDevice=69.6a > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 > usb 1-1: config 0 descriptor?? > usb 1-1: string descriptor 0 read error: -71 > uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) > ================================================================== > BUG: KASAN: use-after-free in uvc_register_terms > drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > BUG: KASAN: use-after-free in uvc_register_chains > drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de > drivers/media/usb/uvc/uvc_driver.c:2201 > Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 #syz test: https://github.com/google/kasan.git ae179410 From db844641a5e30f3cfc0ce9cde156b3cc356b6c0c Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum@suse.com> Date: Mon, 10 Feb 2020 15:10:36 +0100 Subject: [PATCH] UVC: deal with unnamed streams The pointer can be NULL Signed-off-by: Oliver Neukum <oneukum@suse.com> --- drivers/media/usb/uvc/uvc_driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 99883550375e..26558a89f2fe 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2069,7 +2069,8 @@ static int uvc_register_terms(struct uvc_device *dev, stream = uvc_stream_by_id(dev, term->id); if (stream == NULL) { uvc_printk(KERN_INFO, "No streaming interface found " - "for terminal %u.", term->id); + "for terminal %u.", + term->id ? term->id : "(Unnamed)"); continue; } -- 2.16.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-02-10 14:13 ` Oliver Neukum @ 2020-02-10 14:18 ` Laurent Pinchart 2020-02-11 14:31 ` Oliver Neukum 2020-02-10 15:51 ` syzbot 1 sibling, 1 reply; 8+ messages in thread From: Laurent Pinchart @ 2020-02-10 14:18 UTC (permalink / raw) To: Oliver Neukum Cc: syzbot, andreyknvl, linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs Hi Oliver, Thank you for the patch. On Mon, Feb 10, 2020 at 03:13:26PM +0100, Oliver Neukum wrote: > Am Montag, den 13.01.2020, 04:24 -0800 schrieb syzbot: > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: ae179410 usb: gadget: add raw-gadget interface > > git tree: https://github.com/google/kasan.git usb-fuzzer > > console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 > > dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com > > > > usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, > > bcdDevice=69.6a > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 > > usb 1-1: config 0 descriptor?? > > usb 1-1: string descriptor 0 read error: -71 > > uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) > > ================================================================== > > BUG: KASAN: use-after-free in uvc_register_terms > > drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > > BUG: KASAN: use-after-free in uvc_register_chains > > drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > > BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de > > drivers/media/usb/uvc/uvc_driver.c:2201 > > Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 > > #syz test: https://github.com/google/kasan.git ae179410 > > From db844641a5e30f3cfc0ce9cde156b3cc356b6c0c Mon Sep 17 00:00:00 2001 > From: Oliver Neukum <oneukum@suse.com> > Date: Mon, 10 Feb 2020 15:10:36 +0100 > Subject: [PATCH] UVC: deal with unnamed streams > > The pointer can be NULL > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > --- > drivers/media/usb/uvc/uvc_driver.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > index 99883550375e..26558a89f2fe 100644 > --- a/drivers/media/usb/uvc/uvc_driver.c > +++ b/drivers/media/usb/uvc/uvc_driver.c > @@ -2069,7 +2069,8 @@ static int uvc_register_terms(struct uvc_device *dev, > stream = uvc_stream_by_id(dev, term->id); > if (stream == NULL) { > uvc_printk(KERN_INFO, "No streaming interface found " > - "for terminal %u.", term->id); > + "for terminal %u.", > + term->id ? term->id : "(Unnamed)"); Have you tried compiling this ? > continue; > } > -- Regards, Laurent Pinchart ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-02-10 14:18 ` Laurent Pinchart @ 2020-02-11 14:31 ` Oliver Neukum 2020-02-11 15:38 ` Laurent Pinchart 0 siblings, 1 reply; 8+ messages in thread From: Oliver Neukum @ 2020-02-11 14:31 UTC (permalink / raw) To: Laurent Pinchart Cc: syzbot, andreyknvl, linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs Am Montag, den 10.02.2020, 16:18 +0200 schrieb Laurent Pinchart: > Hi Oliver, > > Thank you for the patch. > > On Mon, Feb 10, 2020 at 03:13:26PM +0100, Oliver Neukum wrote: > > Am Montag, den 13.01.2020, 04:24 -0800 schrieb syzbot: > > > Hello, > > > > > > syzbot found the following crash on: > > > > > > HEAD commit: ae179410 usb: gadget: add raw-gadget interface > > > git tree: https://github.com/google/kasan.git usb-fuzzer > > > console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000 > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com > > > > > > usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, > > > bcdDevice=69.6a > > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 > > > usb 1-1: config 0 descriptor?? > > > usb 1-1: string descriptor 0 read error: -71 > > > uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) > > > ================================================================== > > > BUG: KASAN: use-after-free in uvc_register_terms > > > drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > > > BUG: KASAN: use-after-free in uvc_register_chains > > > drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > > > BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de > > > drivers/media/usb/uvc/uvc_driver.c:2201 > > > Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 > > > > #syz test: https://github.com/google/kasan.git ae179410 > > > > From db844641a5e30f3cfc0ce9cde156b3cc356b6c0c Mon Sep 17 00:00:00 2001 > > From: Oliver Neukum <oneukum@suse.com> > > Date: Mon, 10 Feb 2020 15:10:36 +0100 > > Subject: [PATCH] UVC: deal with unnamed streams > > > > The pointer can be NULL > > > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > > --- > > drivers/media/usb/uvc/uvc_driver.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > > index 99883550375e..26558a89f2fe 100644 > > --- a/drivers/media/usb/uvc/uvc_driver.c > > +++ b/drivers/media/usb/uvc/uvc_driver.c > > @@ -2069,7 +2069,8 @@ static int uvc_register_terms(struct uvc_device *dev, > > stream = uvc_stream_by_id(dev, term->id); > > if (stream == NULL) { > > uvc_printk(KERN_INFO, "No streaming interface found " > > - "for terminal %u.", term->id); > > + "for terminal %u.", > > + term->id ? term->id : "(Unnamed)"); > > Have you tried compiling this ? Yes. It does compile. Why? Regards Oliver ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-02-11 14:31 ` Oliver Neukum @ 2020-02-11 15:38 ` Laurent Pinchart 2020-02-12 13:58 ` Oliver Neukum 0 siblings, 1 reply; 8+ messages in thread From: Laurent Pinchart @ 2020-02-11 15:38 UTC (permalink / raw) To: Oliver Neukum Cc: syzbot, andreyknvl, linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs Hi Oliver, On Tue, Feb 11, 2020 at 03:31:30PM +0100, Oliver Neukum wrote: > Am Montag, den 10.02.2020, 16:18 +0200 schrieb Laurent Pinchart: > > On Mon, Feb 10, 2020 at 03:13:26PM +0100, Oliver Neukum wrote: > > > Am Montag, den 13.01.2020, 04:24 -0800 schrieb syzbot: > > > > Hello, > > > > > > > > syzbot found the following crash on: > > > > > > > > HEAD commit: ae179410 usb: gadget: add raw-gadget interface > > > > git tree: https://github.com/google/kasan.git usb-fuzzer > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000 > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000 > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000 > > > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > > Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com > > > > > > > > usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, > > > > bcdDevice=69.6a > > > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 > > > > usb 1-1: config 0 descriptor?? > > > > usb 1-1: string descriptor 0 read error: -71 > > > > uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) > > > > ================================================================== > > > > BUG: KASAN: use-after-free in uvc_register_terms > > > > drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > > > > BUG: KASAN: use-after-free in uvc_register_chains > > > > drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > > > > BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de > > > > drivers/media/usb/uvc/uvc_driver.c:2201 > > > > Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 > > > > > > #syz test: https://github.com/google/kasan.git ae179410 > > > > > > From db844641a5e30f3cfc0ce9cde156b3cc356b6c0c Mon Sep 17 00:00:00 2001 > > > From: Oliver Neukum <oneukum@suse.com> > > > Date: Mon, 10 Feb 2020 15:10:36 +0100 > > > Subject: [PATCH] UVC: deal with unnamed streams > > > > > > The pointer can be NULL > > > > > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > > > --- > > > drivers/media/usb/uvc/uvc_driver.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > > > index 99883550375e..26558a89f2fe 100644 > > > --- a/drivers/media/usb/uvc/uvc_driver.c > > > +++ b/drivers/media/usb/uvc/uvc_driver.c > > > @@ -2069,7 +2069,8 @@ static int uvc_register_terms(struct uvc_device *dev, > > > stream = uvc_stream_by_id(dev, term->id); > > > if (stream == NULL) { > > > uvc_printk(KERN_INFO, "No streaming interface found " > > > - "for terminal %u.", term->id); > > > + "for terminal %u.", > > > + term->id ? term->id : "(Unnamed)"); > > > > Have you tried compiling this ? > > Yes. It does compile. Why? Because term->id is a u8, "(Unnamed)" is a const char *, and %u requires an integer. I'm surprised the compiler doesn't complain, but in any case, it's not right :-) -- Regards, Laurent Pinchart ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-02-11 15:38 ` Laurent Pinchart @ 2020-02-12 13:58 ` Oliver Neukum 0 siblings, 0 replies; 8+ messages in thread From: Oliver Neukum @ 2020-02-12 13:58 UTC (permalink / raw) To: Laurent Pinchart Cc: syzbot, andreyknvl, linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs Am Dienstag, den 11.02.2020, 17:38 +0200 schrieb Laurent Pinchart: > Hi Oliver, > > On Tue, Feb 11, 2020 at 03:31:30PM +0100, Oliver Neukum wrote: > > Am Montag, den 10.02.2020, 16:18 +0200 schrieb Laurent Pinchart: > > > On Mon, Feb 10, 2020 at 03:13:26PM +0100, Oliver Neukum wrote: > > > > Am Montag, den 13.01.2020, 04:24 -0800 schrieb syzbot: > > > > > Hello, > > > > > > > > > > syzbot found the following crash on: > > > > > > > > > > HEAD commit: ae179410 usb: gadget: add raw-gadget interface > > > > > git tree: https://github.com/google/kasan.git usb-fuzzer > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000 > > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 > > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000 > > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000 > > > > > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > > > Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com > > > > > > > > > > usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, > > > > > bcdDevice=69.6a > > > > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 > > > > > usb 1-1: config 0 descriptor?? > > > > > usb 1-1: string descriptor 0 read error: -71 > > > > > uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) > > > > > ================================================================== > > > > > BUG: KASAN: use-after-free in uvc_register_terms > > > > > drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > > > > > BUG: KASAN: use-after-free in uvc_register_chains > > > > > drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > > > > > BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de > > > > > drivers/media/usb/uvc/uvc_driver.c:2201 > > > > > Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 > > > > > > > > #syz test: https://github.com/google/kasan.git ae179410 > > > > > > > > From db844641a5e30f3cfc0ce9cde156b3cc356b6c0c Mon Sep 17 00:00:00 2001 > > > > From: Oliver Neukum <oneukum@suse.com> > > > > Date: Mon, 10 Feb 2020 15:10:36 +0100 > > > > Subject: [PATCH] UVC: deal with unnamed streams > > > > > > > > The pointer can be NULL > > > > > > > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > > > > --- > > > > drivers/media/usb/uvc/uvc_driver.c | 3 ++- > > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > > > > index 99883550375e..26558a89f2fe 100644 > > > > --- a/drivers/media/usb/uvc/uvc_driver.c > > > > +++ b/drivers/media/usb/uvc/uvc_driver.c > > > > @@ -2069,7 +2069,8 @@ static int uvc_register_terms(struct uvc_device *dev, > > > > stream = uvc_stream_by_id(dev, term->id); > > > > if (stream == NULL) { > > > > uvc_printk(KERN_INFO, "No streaming interface found " > > > > - "for terminal %u.", term->id); > > > > + "for terminal %u.", > > > > + term->id ? term->id : "(Unnamed)"); > > > > > > Have you tried compiling this ? > > > > Yes. It does compile. Why? > > Because term->id is a u8, "(Unnamed)" is a const char *, and %u requires > an integer. I'm surprised the compiler doesn't complain, but in any > case, it's not right :-) > Oi, damnation, you are right. For some reason I saw a %s there. Sorry Oliver ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-02-10 14:13 ` Oliver Neukum 2020-02-10 14:18 ` Laurent Pinchart @ 2020-02-10 15:51 ` syzbot 1 sibling, 0 replies; 8+ messages in thread From: syzbot @ 2020-02-10 15:51 UTC (permalink / raw) To: andreyknvl, laurent.pinchart, linux-kernel, linux-media, linux-usb, mchehab, oneukum, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer still triggered crash: KASAN: use-after-free Read in uvc_probe usb 2-1: string descriptor 0 read error: -71 uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) ================================================================== BUG: KASAN: use-after-free in uvc_register_terms drivers/media/usb/uvc/uvc_driver.c:2038 [inline] BUG: KASAN: use-after-free in uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:2071 [inline] BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29fe drivers/media/usb/uvc/uvc_driver.c:2202 Read of size 2 at addr ffff8881d933182e by task kworker/0:2/95 CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.5.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xef/0x16e lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374 __kasan_report.cold+0x37/0x85 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:639 uvc_register_terms drivers/media/usb/uvc/uvc_driver.c:2038 [inline] uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:2071 [inline] uvc_probe.cold+0x2193/0x29fe drivers/media/usb/uvc/uvc_driver.c:2202 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361 really_probe+0x290/0xad0 drivers/base/dd.c:548 driver_probe_device+0x223/0x350 drivers/base/dd.c:721 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 __device_attach+0x217/0x390 drivers/base/dd.c:894 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 device_add+0x1459/0x1bf0 drivers/base/core.c:2487 usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266 really_probe+0x290/0xad0 drivers/base/dd.c:548 driver_probe_device+0x223/0x350 drivers/base/dd.c:721 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 __device_attach+0x217/0x390 drivers/base/dd.c:894 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 device_add+0x1459/0x1bf0 drivers/base/core.c:2487 usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537 hub_port_connect drivers/usb/core/hub.c:5184 [inline] hub_port_connect_change drivers/usb/core/hub.c:5324 [inline] port_event drivers/usb/core/hub.c:5470 [inline] hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552 process_one_work+0x945/0x15c0 kernel/workqueue.c:2264 worker_thread+0x96/0xe20 kernel/workqueue.c:2410 kthread+0x318/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 95: save_stack+0x1b/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:486 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:670 [inline] uvc_alloc_chain+0x48/0xfa drivers/media/usb/uvc/uvc_driver.c:1692 uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1818 [inline] uvc_probe.cold+0x15f0/0x29fe drivers/media/usb/uvc/uvc_driver.c:2198 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361 really_probe+0x290/0xad0 drivers/base/dd.c:548 driver_probe_device+0x223/0x350 drivers/base/dd.c:721 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 __device_attach+0x217/0x390 drivers/base/dd.c:894 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 device_add+0x1459/0x1bf0 drivers/base/core.c:2487 usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266 really_probe+0x290/0xad0 drivers/base/dd.c:548 driver_probe_device+0x223/0x350 drivers/base/dd.c:721 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 __device_attach+0x217/0x390 drivers/base/dd.c:894 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 device_add+0x1459/0x1bf0 drivers/base/core.c:2487 usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537 hub_port_connect drivers/usb/core/hub.c:5184 [inline] hub_port_connect_change drivers/usb/core/hub.c:5324 [inline] port_event drivers/usb/core/hub.c:5470 [inline] hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552 process_one_work+0x945/0x15c0 kernel/workqueue.c:2264 worker_thread+0x96/0xe20 kernel/workqueue.c:2410 kthread+0x318/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 95: save_stack+0x1b/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x117/0x160 mm/kasan/common.c:474 slab_free_hook mm/slub.c:1425 [inline] slab_free_freelist_hook mm/slub.c:1458 [inline] slab_free mm/slub.c:3005 [inline] kfree+0xd5/0x300 mm/slub.c:3957 uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1825 [inline] uvc_probe.cold+0x16fd/0x29fe drivers/media/usb/uvc/uvc_driver.c:2198 usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361 really_probe+0x290/0xad0 drivers/base/dd.c:548 driver_probe_device+0x223/0x350 drivers/base/dd.c:721 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 __device_attach+0x217/0x390 drivers/base/dd.c:894 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 device_add+0x1459/0x1bf0 drivers/base/core.c:2487 usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266 really_probe+0x290/0xad0 drivers/base/dd.c:548 driver_probe_device+0x223/0x350 drivers/base/dd.c:721 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 __device_attach+0x217/0x390 drivers/base/dd.c:894 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 device_add+0x1459/0x1bf0 drivers/base/core.c:2487 usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537 hub_port_connect drivers/usb/core/hub.c:5184 [inline] hub_port_connect_change drivers/usb/core/hub.c:5324 [inline] port_event drivers/usb/core/hub.c:5470 [inline] hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552 process_one_work+0x945/0x15c0 kernel/workqueue.c:2264 worker_thread+0x96/0xe20 kernel/workqueue.c:2410 kthread+0x318/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8881d9331800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 46 bytes inside of 256-byte region [ffff8881d9331800, ffff8881d9331900) The buggy address belongs to the page: page:ffffea000764cc00 refcount:1 mapcount:0 mapping:ffff8881da002780 index:0x0 compound_mapcount: 0 raw: 0200000000010200 ffffea0007648d80 0000000e0000000e ffff8881da002780 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d9331700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881d9331780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881d9331800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881d9331880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881d9331900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Tested on: commit: ae179410 usb: gadget: add raw-gadget interface git tree: https://github.com/google/kasan.git console output: https://syzkaller.appspot.com/x/log.txt?x=13d466e9e00000 kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 compiler: gcc (GCC) 9.0.0 20181231 (experimental) patch: https://syzkaller.appspot.com/x/patch.diff?x=16022395e00000 ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: KASAN: use-after-free Read in uvc_probe 2020-01-13 12:24 KASAN: use-after-free Read in uvc_probe syzbot 2020-02-10 14:13 ` Oliver Neukum @ 2020-06-19 16:10 ` Andrey Konovalov 1 sibling, 0 replies; 8+ messages in thread From: Andrey Konovalov @ 2020-06-19 16:10 UTC (permalink / raw) To: syzbot Cc: Laurent Pinchart, LKML, linux-media, USB list, Mauro Carvalho Chehab, syzkaller-bugs On Mon, Jan 13, 2020 at 1:24 PM syzbot <syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit: ae179410 usb: gadget: add raw-gadget interface > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=132223fee00000 > kernel config: https://syzkaller.appspot.com/x/.config?x=ad1d751a3a72ae57 > dashboard link: https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16857325e00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142e069ee00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+9a48339b077c5a80b869@syzkaller.appspotmail.com > > usb 1-1: New USB device found, idVendor=0bd3, idProduct=0555, > bcdDevice=69.6a > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 > usb 1-1: config 0 descriptor?? > usb 1-1: string descriptor 0 read error: -71 > uvcvideo: Found UVC 0.00 device <unnamed> (0bd3:0555) > ================================================================== > BUG: KASAN: use-after-free in uvc_register_terms > drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > BUG: KASAN: use-after-free in uvc_register_chains > drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > BUG: KASAN: use-after-free in uvc_probe.cold+0x2193/0x29de > drivers/media/usb/uvc/uvc_driver.c:2201 > Read of size 2 at addr ffff8881d4f1bc2e by task kworker/1:2/94 > > CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.5.0-rc3-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Workqueue: usb_hub_wq hub_event > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0xef/0x16e lib/dump_stack.c:118 > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374 > __kasan_report.cold+0x37/0x85 mm/kasan/report.c:506 > kasan_report+0xe/0x20 mm/kasan/common.c:639 > uvc_register_terms drivers/media/usb/uvc/uvc_driver.c:2038 [inline] > uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:2070 [inline] > uvc_probe.cold+0x2193/0x29de drivers/media/usb/uvc/uvc_driver.c:2201 > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361 > really_probe+0x290/0xad0 drivers/base/dd.c:548 > driver_probe_device+0x223/0x350 drivers/base/dd.c:721 > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 > __device_attach+0x217/0x390 drivers/base/dd.c:894 > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 > device_add+0x1459/0x1bf0 drivers/base/core.c:2487 > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023 > generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 > usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266 > really_probe+0x290/0xad0 drivers/base/dd.c:548 > driver_probe_device+0x223/0x350 drivers/base/dd.c:721 > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 > __device_attach+0x217/0x390 drivers/base/dd.c:894 > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 > device_add+0x1459/0x1bf0 drivers/base/core.c:2487 > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537 > hub_port_connect drivers/usb/core/hub.c:5184 [inline] > hub_port_connect_change drivers/usb/core/hub.c:5324 [inline] > port_event drivers/usb/core/hub.c:5470 [inline] > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552 > process_one_work+0x945/0x15c0 kernel/workqueue.c:2264 > worker_thread+0x96/0xe20 kernel/workqueue.c:2410 > kthread+0x318/0x420 kernel/kthread.c:255 > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 > > Allocated by task 94: > save_stack+0x1b/0x80 mm/kasan/common.c:72 > set_track mm/kasan/common.c:80 [inline] > __kasan_kmalloc mm/kasan/common.c:513 [inline] > __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:486 > kmalloc include/linux/slab.h:556 [inline] > kzalloc include/linux/slab.h:670 [inline] > uvc_alloc_chain+0x48/0xfa drivers/media/usb/uvc/uvc_driver.c:1692 > uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1818 [inline] > uvc_probe.cold+0x15f0/0x29de drivers/media/usb/uvc/uvc_driver.c:2197 > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361 > really_probe+0x290/0xad0 drivers/base/dd.c:548 > driver_probe_device+0x223/0x350 drivers/base/dd.c:721 > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 > __device_attach+0x217/0x390 drivers/base/dd.c:894 > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 > device_add+0x1459/0x1bf0 drivers/base/core.c:2487 > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023 > generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 > usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266 > really_probe+0x290/0xad0 drivers/base/dd.c:548 > driver_probe_device+0x223/0x350 drivers/base/dd.c:721 > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 > __device_attach+0x217/0x390 drivers/base/dd.c:894 > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 > device_add+0x1459/0x1bf0 drivers/base/core.c:2487 > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537 > hub_port_connect drivers/usb/core/hub.c:5184 [inline] > hub_port_connect_change drivers/usb/core/hub.c:5324 [inline] > port_event drivers/usb/core/hub.c:5470 [inline] > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552 > process_one_work+0x945/0x15c0 kernel/workqueue.c:2264 > worker_thread+0x96/0xe20 kernel/workqueue.c:2410 > kthread+0x318/0x420 kernel/kthread.c:255 > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 > > Freed by task 94: > save_stack+0x1b/0x80 mm/kasan/common.c:72 > set_track mm/kasan/common.c:80 [inline] > kasan_set_free_info mm/kasan/common.c:335 [inline] > __kasan_slab_free+0x117/0x160 mm/kasan/common.c:474 > slab_free_hook mm/slub.c:1425 [inline] > slab_free_freelist_hook mm/slub.c:1458 [inline] > slab_free mm/slub.c:3005 [inline] > kfree+0xd5/0x300 mm/slub.c:3957 > uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1825 [inline] > uvc_probe.cold+0x16fd/0x29de drivers/media/usb/uvc/uvc_driver.c:2197 > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:361 > really_probe+0x290/0xad0 drivers/base/dd.c:548 > driver_probe_device+0x223/0x350 drivers/base/dd.c:721 > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 > __device_attach+0x217/0x390 drivers/base/dd.c:894 > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 > device_add+0x1459/0x1bf0 drivers/base/core.c:2487 > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023 > generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210 > usb_probe_device+0xaf/0x140 drivers/usb/core/driver.c:266 > really_probe+0x290/0xad0 drivers/base/dd.c:548 > driver_probe_device+0x223/0x350 drivers/base/dd.c:721 > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:828 > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430 > __device_attach+0x217/0x390 drivers/base/dd.c:894 > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490 > device_add+0x1459/0x1bf0 drivers/base/core.c:2487 > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2537 > hub_port_connect drivers/usb/core/hub.c:5184 [inline] > hub_port_connect_change drivers/usb/core/hub.c:5324 [inline] > port_event drivers/usb/core/hub.c:5470 [inline] > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5552 > process_one_work+0x945/0x15c0 kernel/workqueue.c:2264 > worker_thread+0x96/0xe20 kernel/workqueue.c:2410 > kthread+0x318/0x420 kernel/kthread.c:255 > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 > > The buggy address belongs to the object at ffff8881d4f1bc00 > which belongs to the cache kmalloc-256 of size 256 > The buggy address is located 46 bytes inside of > 256-byte region [ffff8881d4f1bc00, ffff8881d4f1bd00) > The buggy address belongs to the page: > page:ffffea000753c680 refcount:1 mapcount:0 mapping:ffff8881da002780 > index:0x0 compound_mapcount: 0 > raw: 0200000000010200 ffffea000753c600 0000000300000003 ffff8881da002780 > raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff8881d4f1bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff8881d4f1bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ffff8881d4f1bc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff8881d4f1bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff8881d4f1bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches Fixed by something. #syz invalid ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-06-19 16:10 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-01-13 12:24 KASAN: use-after-free Read in uvc_probe syzbot 2020-02-10 14:13 ` Oliver Neukum 2020-02-10 14:18 ` Laurent Pinchart 2020-02-11 14:31 ` Oliver Neukum 2020-02-11 15:38 ` Laurent Pinchart 2020-02-12 13:58 ` Oliver Neukum 2020-02-10 15:51 ` syzbot 2020-06-19 16:10 ` Andrey Konovalov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).