KASAN: use-after-free Write in ath9k_htc_rx_msg


syzbot

Mar 26, 2020, 7:34:17 AM
to andre...@google.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=13a40c13e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13790f73e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ebae75e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b1c61e...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881cea291f0 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e607c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

Allocated by task 371:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:560 [inline]
raw_alloc_io_data drivers/usb/gadget/legacy/raw_gadget.c:556 [inline]
raw_alloc_io_data+0x150/0x1c0 drivers/usb/gadget/legacy/raw_gadget.c:538
raw_ioctl_ep0_read drivers/usb/gadget/legacy/raw_gadget.c:657 [inline]
raw_ioctl+0x686/0x1a70 drivers/usb/gadget/legacy/raw_gadget.c:1035
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 371:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3024 [inline]
kfree+0xd5/0x300 mm/slub.c:3976
raw_ioctl_ep_read drivers/usb/gadget/legacy/raw_gadget.c:961 [inline]
raw_ioctl+0x189/0x1a70 drivers/usb/gadget/legacy/raw_gadget.c:1047
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881cea29000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 496 bytes inside of
2048-byte region [ffff8881cea29000, ffff8881cea29800)
The buggy address belongs to the page:
page:ffffea00073a8a00 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881cea29080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cea29100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cea29180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cea29200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cea29280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Qiujun Huang

Mar 31, 2020, 12:37:13 PM
to syzbot, Andrey Konovalov, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, LKML, USB list, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkaller-bugs
#syz test: https://github.com/google/kasan.git usb-fuzzer
0001-ath9k-fix-use-after-free-read-in-htc_connect_service.patch

syzbot

Mar 31, 2020, 12:50:05 PM
to andre...@google.com, anen...@gmail.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:442
Write of size 2 at addr ffff8881d46881b0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:442
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e612c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

Allocated by task 2593:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2786 [inline]
slab_alloc mm/slub.c:2794 [inline]
kmem_cache_alloc+0xd8/0x300 mm/slub.c:2799
getname_flags fs/namei.c:138 [inline]
getname_flags+0xd2/0x5b0 fs/namei.c:128
do_sys_openat2+0x3cf/0x740 fs/open.c:1140
do_sys_open+0xc3/0x140 fs/open.c:1162
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2593:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kmem_cache_free+0x9b/0x360 mm/slub.c:3050
putname+0xe1/0x120 fs/namei.c:259
do_sys_openat2+0x43a/0x740 fs/open.c:1155
do_sys_open+0xc3/0x140 fs/open.c:1162
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881d4688000
which belongs to the cache names_cache of size 4096
The buggy address is located 432 bytes inside of
4096-byte region [ffff8881d4688000, ffff8881d4689000)
The buggy address belongs to the page:
page:ffffea000751a200 refcount:1 mapcount:0 mapping:ffff8881da11c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da11c000
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d4688080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d4688100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d4688180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d4688200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d4688280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
console output: https://syzkaller.appspot.com/x/log.txt?x=14d6096de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1782b063e00000

syzbot

Apr 1, 2020, 12:01:06 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:442
Write of size 2 at addr ffff8881c6ac11b0 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e612c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

Allocated by task 2959:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2786 [inline]
slab_alloc mm/slub.c:2794 [inline]
kmem_cache_alloc+0xd8/0x300 mm/slub.c:2799
getname_flags fs/namei.c:138 [inline]
getname_flags+0xd2/0x5b0 fs/namei.c:128
do_sys_openat2+0x3cf/0x740 fs/open.c:1140
do_sys_open+0xc3/0x140 fs/open.c:1162
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2959:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kmem_cache_free+0x9b/0x360 mm/slub.c:3050
putname+0xe1/0x120 fs/namei.c:259
do_sys_openat2+0x43a/0x740 fs/open.c:1155
do_sys_open+0xc3/0x140 fs/open.c:1162
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881c6ac1100
which belongs to the cache names_cache of size 4096
The buggy address is located 176 bytes inside of
4096-byte region [ffff8881c6ac1100, ffff8881c6ac2100)
The buggy address belongs to the page:
page:ffffea00071ab000 refcount:1 mapcount:0 mapping:ffff8881da11c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da11c000
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881c6ac1080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881c6ac1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c6ac1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c6ac1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c6ac1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=141ab063e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=172126bde00000

syzbot

Apr 1, 2020, 1:13:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:442
Write of size 2 at addr ffff8881d8adb1b0 by task swapper/1/0
R13: 0000000000000001 R14: ffffffff87e61400 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

Allocated by task 150:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:560 [inline]
sk_prot_alloc+0x1f6/0x2c0 net/core/sock.c:1603
sk_alloc+0x36/0x710 net/core/sock.c:1657
__netlink_create+0x63/0x280 net/netlink/af_netlink.c:629
netlink_create+0x3a1/0x5d0 net/netlink/af_netlink.c:692
__sock_create+0x3d1/0x740 net/socket.c:1433
sock_create net/socket.c:1484 [inline]
__sys_socket+0xef/0x200 net/socket.c:1526
__do_sys_socket net/socket.c:1535 [inline]
__se_sys_socket net/socket.c:1533 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1533
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
sk_prot_free net/core/sock.c:1640 [inline]
__sk_destruct+0x545/0x740 net/core/sock.c:1724
sk_destruct+0xc6/0x100 net/core/sock.c:1739
__sk_free+0xef/0x3d0 net/core/sock.c:1750
sk_free+0x78/0xa0 net/core/sock.c:1761
deferred_put_nlk_sk+0x151/0x2e0 net/netlink/af_netlink.c:729
rcu_do_batch kernel/rcu/tree.c:2186 [inline]
rcu_core+0x5ae/0x1b00 kernel/rcu/tree.c:2410
__do_softirq+0x21e/0x950 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881d8adb000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 432 bytes inside of
2048-byte region [ffff8881d8adb000, ffff8881d8adb800)
The buggy address belongs to the page:
page:ffffea000762b600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d8adb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d8adb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d8adb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d8adb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d8adb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=12868b83e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11031edbe00000

syzbot

Apr 1, 2020, 6:14:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:442
Write of size 2 at addr ffff8881c95d81b0 by task swapper/1/0
R13: 0000000000000001 R14: ffffffff87e61480 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

Allocated by task 155:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2786 [inline]
kmem_cache_alloc_node+0xdc/0x330 mm/slub.c:2822
alloc_task_struct_node kernel/fork.c:169 [inline]
dup_task_struct kernel/fork.c:868 [inline]
copy_process+0x4303/0x6640 kernel/fork.c:1920
_do_fork+0x12d/0xfd0 kernel/fork.c:2430
__do_sys_clone kernel/fork.c:2585 [inline]
__se_sys_clone kernel/fork.c:2566 [inline]
__x64_sys_clone+0x182/0x210 kernel/fork.c:2566
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kmem_cache_free+0x9b/0x360 mm/slub.c:3050
__put_task_struct+0x220/0x510 kernel/fork.c:751
put_task_struct include/linux/sched/task.h:122 [inline]
delayed_put_task_struct+0x22a/0x370 kernel/exit.c:182
rcu_do_batch kernel/rcu/tree.c:2186 [inline]
rcu_core+0x5ae/0x1b00 kernel/rcu/tree.c:2410
__do_softirq+0x21e/0x950 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881c95d8000
which belongs to the cache task_struct of size 6016
The buggy address is located 432 bytes inside of
6016-byte region [ffff8881c95d8000, ffff8881c95d9780)
The buggy address belongs to the page:
page:ffffea0007257600 refcount:1 mapcount:0 mapping:ffff8881da116000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da116000
raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881c95d8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c95d8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c95d8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c95d8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c95d8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=15ba0697e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=140926bde00000

syzbot

Apr 1, 2020, 7:54:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: user-memory-access Write in dup_fd

==================================================================
BUG: KASAN: user-memory-access in atomic64_inc include/asm-generic/atomic-instrumented.h:1049 [inline]
BUG: KASAN: user-memory-access in atomic_long_inc include/asm-generic/atomic-long.h:160 [inline]
BUG: KASAN: user-memory-access in get_file include/linux/fs.h:986 [inline]
BUG: KASAN: user-memory-access in dup_fd+0x448/0xb80 fs/file.c:341
Write of size 8 at addr 0000004000000070 by task syz-executor.4/517

CPU: 1 PID: 517 Comm: syz-executor.4 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
__kasan_report.cold+0x75/0x77 mm/kasan/report.c:510
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
atomic64_inc include/asm-generic/atomic-instrumented.h:1049 [inline]
atomic_long_inc include/asm-generic/atomic-long.h:160 [inline]
get_file include/linux/fs.h:986 [inline]
dup_fd+0x448/0xb80 fs/file.c:341
copy_files kernel/fork.c:1466 [inline]
copy_process+0x1bd5/0x6640 kernel/fork.c:2069
_do_fork+0x12d/0xfd0 kernel/fork.c:2430
__do_sys_clone kernel/fork.c:2585 [inline]
__se_sys_clone kernel/fork.c:2566 [inline]
__x64_sys_clone+0x182/0x210 kernel/fork.c:2566
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ae1a
Code: f7 d8 64 89 04 25 d4 02 00 00 64 4c 8b 0c 25 10 00 00 00 31 d2 4d 8d 91 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 f5 00 00 00 85 c0 41 89 c5 0f 85 fc 00 00
RSP: 002b:00007ffc793315b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffc793315b0 RCX: 000000000045ae1a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffc793315f0 R08: 0000000000000001 R09: 00000000013a2940
R10: 00000000013a2c10 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffc79331640
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10e89747e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10903e93e00000

syzbot

Apr 1, 2020, 9:17:11 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
general protection fault in usb_remove_ep_devs

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 3267 Comm: kworker/1:5 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_del_entry_valid+0x81/0xef lib/list_debug.c:51
Code: 0f 84 df 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e0 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 97 00 00 00 49 8d 7d
RSP: 0018:ffff8881bd317990 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8881d248a010 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d248a1b8
RBP: ffff8881d248a1b0 R08: ffffffff892fb3d0 R09: fffffbfff0e86431
R10: ffff8881bd3179b0 R11: ffffffff87432187 R12: 0000000000000000
R13: ffff8881d2480000 R14: ffff8881d248a1b8 R15: ffff8881d5cbc1a0
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe6d602698 CR3: 00000001cfce2000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:132 [inline]
list_del include/linux/list.h:146 [inline]
device_links_purge drivers/base/core.c:1119 [inline]
device_del+0x4ca/0xd30 drivers/base/core.c:2682
device_unregister+0x22/0xc0 drivers/base/core.c:2709
usb_remove_ep_devs+0x3e/0x80 drivers/usb/core/endpoint.c:215
usb_disconnect+0x4bb/0x900 drivers/usb/core/hub.c:2230
hub_port_connect drivers/usb/core/hub.c:5046 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
port_event drivers/usb/core/hub.c:5481 [inline]
hub_event+0x1a1d/0x4300 drivers/usb/core/hub.c:5563
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 36d234917fe7a90e ]---
RIP: 0010:__list_del_entry_valid+0x81/0xef lib/list_debug.c:51
Code: 0f 84 df 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e0 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 97 00 00 00 49 8d 7d
RSP: 0018:ffff8881bd317990 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8881d248a010 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d248a1b8
RBP: ffff8881d248a1b0 R08: ffffffff892fb3d0 R09: fffffbfff0e86431
R10: ffff8881bd3179b0 R11: ffffffff87432187 R12: 0000000000000000
R13: ffff8881d2480000 R14: ffff8881d248a1b8 R15: ffff8881d5cbc1a0
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe6d602698 CR3: 0000000007021000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10cb1edbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a9096de00000

syzbot

Apr 2, 2020, 10:07:05 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881d8b071b0 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 4b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 37 b5 fb e9 07 00 00 00 0f 00 2d aa e0 52 00 fb f4 <65> 44 8b 2d e0 4a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e615c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

Allocated by task 3041:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:560 [inline]
raw_alloc_io_data drivers/usb/gadget/legacy/raw_gadget.c:556 [inline]
raw_alloc_io_data+0x150/0x1c0 drivers/usb/gadget/legacy/raw_gadget.c:538
raw_ioctl_ep0_read drivers/usb/gadget/legacy/raw_gadget.c:657 [inline]
raw_ioctl+0x686/0x1a70 drivers/usb/gadget/legacy/raw_gadget.c:1035
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3041:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
raw_ioctl_ep_read drivers/usb/gadget/legacy/raw_gadget.c:961 [inline]
raw_ioctl+0x189/0x1a70 drivers/usb/gadget/legacy/raw_gadget.c:1047
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881d8b07000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 432 bytes inside of
2048-byte region [ffff8881d8b07000, ffff8881d8b07800)
The buggy address belongs to the page:
page:ffffea000762c000 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d8b07080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d8b07100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d8b07180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d8b07200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d8b07280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16673d97e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1732de1fe00000

syzbot

Apr 2, 2020, 11:11:03 AM4/2/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

haley: dev 0xffff8881d6cb1000, urb 0xffff8881d211ad00. ath9k_hif_usb_reg_in_cb, 701
==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881d886f1b0 by task kworker/1:0/17

CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
ath9k_hif_usb_reg_in_cb+0x1d6/0x650 drivers/net/wireless/ath/ath9k/hif_usb.c:728
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_unlock+0xa6b/0xca0 kernel/printk/printk.c:2481
Code: 00 89 ee 48 c7 c7 60 43 14 87 e8 10 c3 03 00 65 ff 0d c1 ed d8 7e e9 b5 f9 ff ff e8 0f 37 16 00 e8 0a 7f 1b 00 ff 74 24 30 9d <e9> fd fd ff ff e8 fb 36 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
RSP: 0018:ffff8881da267a38 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881da24b94c
RBP: 0000000000000000 R08: ffff8881da24b100 R09: fffffbfff1267085
R10: fffffbfff1267084 R11: ffffffff89338427 R12: ffffffff82a092f0
R13: ffffffff874d4830 R14: 0000000000000073 R15: dffffc0000000000
vprintk_emit+0x171/0x3d0 kernel/printk/printk.c:1996
vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
printk+0xba/0xed kernel/printk/printk.c:2056
ath9k_hif_usb_alloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:947 [inline]
ath9k_hif_usb_alloc_urbs+0x764/0xa57 drivers/net/wireless/ath/ath9k/hif_usb.c:982
ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1069 [inline]
ath9k_hif_usb_firmware_cb+0x224/0x51c drivers/net/wireless/ath/ath9k/hif_usb.c:1207
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 152:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:560 [inline]
sk_prot_alloc+0x1f6/0x2c0 net/core/sock.c:1603
sk_alloc+0x36/0x710 net/core/sock.c:1657
__netlink_create+0x63/0x280 net/netlink/af_netlink.c:629
netlink_create+0x3a1/0x5d0 net/netlink/af_netlink.c:692
__sock_create+0x3d1/0x740 net/socket.c:1433
sock_create net/socket.c:1484 [inline]
__sys_socket+0xef/0x200 net/socket.c:1526
__do_sys_socket net/socket.c:1535 [inline]
__se_sys_socket net/socket.c:1533 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1533
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
sk_prot_free net/core/sock.c:1640 [inline]
__sk_destruct+0x545/0x740 net/core/sock.c:1724
sk_destruct+0xc6/0x100 net/core/sock.c:1739
__sk_free+0xef/0x3d0 net/core/sock.c:1750
sk_free+0x78/0xa0 net/core/sock.c:1761
deferred_put_nlk_sk+0x151/0x2e0 net/netlink/af_netlink.c:729
rcu_do_batch kernel/rcu/tree.c:2186 [inline]
rcu_core+0x5ae/0x1b00 kernel/rcu/tree.c:2410
__do_softirq+0x21e/0x950 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881d886f000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 432 bytes inside of
2048-byte region [ffff8881d886f000, ffff8881d886f800)
The buggy address belongs to the page:
page:ffffea0007621a00 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d886f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d886f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d886f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d886f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d886f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=14038397e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15060d33e00000

syzbot

Apr 2, 2020, 1:27:03 PM4/2/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:


AR drivers/hwtracing/intel_th/built-in.a
CC drivers/media/dvb-frontends/af9033.o
AR drivers/iio/common/hid-sensors/built-in.a
AR drivers/staging/hp/built-in.a
AR drivers/iio/common/ms_sensors/built-in.a
CC drivers/media/usb/gspca/mr97310a.o
CC drivers/media/dvb-frontends/as102_fe.o
AR drivers/ras/built-in.a
AR drivers/iio/common/ssp_sensors/built-in.a
CC drivers/gpu/drm/i915/display/dvo_ns2501.o
CC drivers/media/usb/pvrusb2/pvrusb2-devattr.o
AR drivers/iio/common/st_sensors/built-in.a
CC drivers/media/usb/stk1160/stk1160-ac97.o
AR drivers/iio/common/built-in.a
CC drivers/gpu/drm/i915/display/dvo_sil164.o
CC drivers/iio/gyro/hid-sensor-gyro-3d.o
AR drivers/iio/frequency/built-in.a
CC drivers/staging/uwb/drp-ie.o
CC drivers/hid/hid-elo.o
CC drivers/hid/hid-ezkey.o
CC drivers/hid/hid-gembird.o
CC drivers/media/usb/cx231xx/cx231xx-cards.o
CC drivers/media/dvb-frontends/gp8psk-fe.o
CC drivers/staging/comedi/comedi_compat32.o
CC drivers/nvmem/core.o
CC drivers/nvmem/nvmem-sysfs.o
CC drivers/media/dvb-frontends/tc90522.o
CC drivers/media/usb/pvrusb2/pvrusb2-context.o
CC drivers/hid/hid-gfrm.o
CC drivers/media/usb/cx231xx/cx231xx-core.o
CC drivers/media/usb/em28xx/em28xx-i2c.o
CC drivers/staging/rtl8712/usb_halinit.o
CC drivers/staging/wusbcore/host/whci/hcd.o
CC drivers/media/usb/tm6000/tm6000-i2c.o
CC drivers/media/usb/pvrusb2/pvrusb2-io.o
AR drivers/media/usb/stk1160/built-in.a
CC drivers/hid/hid-gt683r.o
CC drivers/staging/uwb/est.o
CC drivers/staging/wusbcore/host/hwa-hc.o
CC drivers/staging/uwb/ie.o
CC drivers/hid/hid-gyration.o
AR drivers/iio/gyro/built-in.a
AR drivers/iio/health/built-in.a
CC drivers/media/usb/usbtv/usbtv-core.o
CC drivers/media/usb/cx231xx/cx231xx-avcore.o
CC drivers/hid/hid-holtek-kbd.o
CC drivers/iio/humidity/hid-sensor-humidity.o
CC drivers/media/usb/gspca/nw80x.o
AR drivers/staging/comedi/built-in.a
CC drivers/media/usb/gspca/ov519.o
AR drivers/iio/imu/bmi160/built-in.a
CC drivers/hid/hid-holtek-mouse.o
AR drivers/iio/imu/st_lsm6dsx/built-in.a
CC drivers/hid/hid-holtekff.o
AR drivers/iio/imu/inv_mpu6050/built-in.a
AR drivers/iio/imu/built-in.a
CC drivers/gpu/drm/i915/display/dvo_tfp410.o
CC drivers/gpu/drm/i915/display/icl_dsi.o
CC drivers/staging/uwb/ie-rcv.o
CC drivers/media/usb/usbtv/usbtv-video.o
CC drivers/media/usb/pvrusb2/pvrusb2-ioread.o
CC drivers/media/dvb-frontends/zd1301_demod.o
CC drivers/media/usb/go7007/go7007-v4l2.o
CC drivers/staging/wusbcore/host/whci/hw.o
CC drivers/media/usb/go7007/go7007-driver.o
CC drivers/media/usb/tm6000/tm6000-video.o
CC drivers/staging/rtl8712/usb_ops.o
CC drivers/staging/rtl8712/usb_ops_linux.o
CC drivers/staging/uwb/lc-dev.o
AR drivers/net/wireless/marvell/mwifiex/built-in.a
CC drivers/media/usb/cx231xx/cx231xx-417.o
CC drivers/staging/rtl8712/rtl871x_io.o
CC drivers/staging/rtl8712/rtl8712_io.o
CC drivers/staging/rtl8712/rtl871x_ioctl_linux.o
AR drivers/net/wireless/marvell/built-in.a
CC drivers/staging/rtl8712/rtl871x_ioctl_rtl.o
AR drivers/iio/humidity/built-in.a
AR drivers/nvmem/built-in.a
scripts/Makefile.build:505: recipe for target 'drivers/net/wireless' failed
make[2]: *** [drivers/net/wireless] Error 2
scripts/Makefile.build:505: recipe for target 'drivers/net' failed
make[1]: *** [drivers/net] Error 2
make[1]: *** Waiting for unfinished jobs....
CC drivers/media/usb/em28xx/em28xx-cards.o
CC drivers/staging/rtl8712/rtl871x_ioctl_set.o
CC drivers/staging/wusbcore/host/whci/init.o
CC drivers/iio/light/hid-sensor-als.o
CC drivers/media/usb/pvrusb2/pvrusb2-cx2584x-v4l.o
CC drivers/hid/hid-hyperv.o
CC drivers/media/usb/go7007/go7007-i2c.o
CC drivers/media/usb/go7007/go7007-fw.o
CC drivers/gpu/drm/i915/display/intel_crt.o
CC drivers/gpu/drm/i915/display/intel_ddi.o
CC drivers/staging/wusbcore/host/whci/int.o
CC drivers/hid/hid-icade.o
CC drivers/hid/hid-ite.o
CC drivers/staging/uwb/lc-rc.o
CC drivers/media/usb/em28xx/em28xx-camera.o
AR drivers/media/dvb-frontends/built-in.a
CC drivers/iio/light/hid-sensor-prox.o
CC drivers/staging/rtl8712/rtl8712_led.o
CC drivers/staging/wusbcore/host/whci/qset.o
CC drivers/staging/wusbcore/host/whci/pzl.o
CC drivers/media/usb/usbtv/usbtv-audio.o
CC drivers/staging/wusbcore/host/whci/wusb.o
CC drivers/media/usb/em28xx/em28xx-video.o
CC drivers/media/usb/pvrusb2/pvrusb2-wm8775.o
CC drivers/hid/hid-kensington.o
CC drivers/hid/hid-keytouch.o
CC drivers/media/usb/gspca/ov534.o
CC drivers/media/usb/em28xx/em28xx-vbi.o
CC drivers/staging/uwb/neh.o
CC drivers/hid/hid-kye.o
CC drivers/iio/magnetometer/hid-sensor-magn-3d.o
CC drivers/media/usb/go7007/snd-go7007.o
CC drivers/media/usb/go7007/go7007-usb.o
CC drivers/media/usb/go7007/go7007-loader.o
CC drivers/media/usb/pvrusb2/pvrusb2-cs53l32a.o
AR drivers/iio/light/built-in.a
CC drivers/hid/hid-lcpower.o
CC drivers/staging/uwb/pal.o
CC drivers/media/usb/cx231xx/cx231xx-pcb-cfg.o
CC drivers/media/usb/cx231xx/cx231xx-vbi.o
CC drivers/media/usb/cx231xx/cx231xx-input.o
CC drivers/media/usb/em28xx/em28xx-audio.o
CC drivers/media/usb/cx231xx/cx231xx-audio.o
AR drivers/media/usb/usbtv/built-in.a
CC drivers/hid/hid-lenovo.o
CC drivers/hid/hid-lg.o
CC drivers/hid/hid-lgff.o
CC drivers/media/usb/tm6000/tm6000-stds.o
CC drivers/media/usb/go7007/s2250-board.o
CC drivers/staging/rtl8712/rtl871x_mlme.o
CC drivers/media/usb/pvrusb2/pvrusb2-dvb.o
CC drivers/media/usb/pvrusb2/pvrusb2-sysfs.o
CC drivers/hid/hid-lg2ff.o
CC drivers/staging/rtl8712/ieee80211.o
CC drivers/hid/hid-lg3ff.o
CC drivers/staging/rtl8712/rtl871x_mp_ioctl.o
AR drivers/iio/magnetometer/built-in.a
AR drivers/staging/wusbcore/host/whci/built-in.a
AR drivers/staging/wusbcore/host/built-in.a
AR drivers/iio/multiplexer/built-in.a
CC drivers/staging/uwb/radio.o
CC drivers/staging/rtl8712/rtl871x_mp.o
CC drivers/staging/wusbcore/crypto.o
CC drivers/iio/orientation/hid-sensor-incl-3d.o
CC drivers/gpu/drm/i915/display/intel_dp.o
CC drivers/staging/uwb/reset.o
CC drivers/media/usb/as102/as102_drv.o
CC drivers/media/usb/em28xx/em28xx-dvb.o
CC drivers/hid/hid-lg4ff.o
CC drivers/hid/hid-lg-g15.o
CC drivers/media/usb/cx231xx/cx231xx-dvb.o
AR drivers/iio/potentiometer/built-in.a
CC drivers/media/usb/pulse8-cec/pulse8-cec.o
CC drivers/media/usb/tm6000/tm6000-input.o
CC drivers/media/usb/rainshadow-cec/rainshadow-cec.o
CC drivers/staging/rtl8712/xmit_linux.o
CC drivers/staging/rtl8712/mlme_linux.o
CC drivers/staging/rtl8712/recv_linux.o
CC drivers/gpu/drm/i915/display/intel_dp_aux_backlight.o
CC drivers/media/usb/em28xx/em28xx-input.o
CC drivers/staging/rtl8712/usb_intf.o
AR drivers/media/usb/go7007/built-in.a
CC drivers/staging/wusbcore/devconnect.o
CC drivers/media/usb/gspca/ov534_9.o
CC drivers/media/usb/as102/as102_fw.o
CC drivers/staging/rtl8712/os_intfs.o
CC drivers/staging/uwb/rsv.o
CC drivers/staging/rtl8712/rtl871x_pwrctrl.o
CC drivers/media/usb/tm6000/tm6000-dvb.o
CC drivers/media/usb/tm6000/tm6000-alsa.o
CC drivers/iio/orientation/hid-sensor-rotation.o
AR drivers/media/usb/pvrusb2/built-in.a
CC drivers/media/usb/as102/as10x_cmd.o
CC drivers/gpu/drm/i915/display/intel_dp_link_training.o
CC drivers/gpu/drm/i915/display/intel_dp_mst.o
CC drivers/media/usb/gspca/pac207.o
CC drivers/media/usb/gspca/pac7302.o
CC drivers/hid/hid-logitech-dj.o
AR drivers/media/usb/rainshadow-cec/built-in.a
CC drivers/hid/hid-logitech-hidpp.o
CC drivers/gpu/drm/i915/display/intel_dsi.o
CC drivers/staging/rtl8712/rtl8712_recv.o
CC drivers/media/usb/as102/as10x_cmd_stream.o
CC drivers/staging/uwb/scan.o
CC drivers/media/usb/as102/as102_usb_drv.o
AR drivers/iio/potentiostat/built-in.a
CC drivers/media/usb/as102/as10x_cmd_cfg.o
CC drivers/iio/pressure/hid-sensor-press.o
CC drivers/staging/uwb/uwb-debug.o
CC drivers/staging/wusbcore/dev-sysfs.o
AR drivers/media/usb/pulse8-cec/built-in.a
AR drivers/iio/orientation/built-in.a
CC drivers/staging/uwb/uwbd.o
CC drivers/staging/uwb/umc-bus.o
CC drivers/media/usb/gspca/pac7311.o
CC drivers/staging/rtl8712/rtl871x_recv.o
AR drivers/media/usb/tm6000/built-in.a
CC drivers/media/usb/gspca/se401.o
CC drivers/hid/hid-magicmouse.o
CC drivers/hid/hid-mf.o
CC drivers/hid/hid-microsoft.o
CC drivers/staging/wusbcore/mmc.o
CC drivers/hid/hid-monterey.o
CC drivers/staging/rtl8712/rtl871x_sta_mgt.o
AR drivers/media/usb/cx231xx/built-in.a
CC drivers/hid/hid-multitouch.o
CC drivers/hid/hid-nti.o
CC drivers/media/usb/gspca/sn9c2028.o
CC drivers/staging/uwb/umc-dev.o
CC drivers/staging/rtl8712/rtl871x_xmit.o
CC drivers/media/usb/gspca/sn9c20x.o
AR drivers/iio/pressure/built-in.a
CC drivers/media/usb/gspca/sonixb.o
AR drivers/iio/proximity/built-in.a
CC drivers/hid/hid-ntrig.o
CC drivers/staging/wusbcore/pal.o
CC drivers/staging/rtl8712/rtl8712_xmit.o
AR drivers/iio/resolver/built-in.a
CC drivers/media/usb/gspca/sonixj.o
AR drivers/media/usb/as102/built-in.a
CC drivers/staging/uwb/umc-drv.o
CC drivers/hid/hid-ortek.o
CC drivers/iio/temperature/hid-sensor-temperature.o
CC drivers/media/usb/gspca/spca500.o
CC drivers/hid/hid-prodikeys.o
AR drivers/media/usb/em28xx/built-in.a
CC drivers/hid/hid-pl.o
AR drivers/iio/trigger/built-in.a
CC drivers/hid/hid-penmount.o
CC drivers/iio/industrialio-core.o
CC drivers/media/usb/gspca/spca505.o
CC drivers/media/usb/gspca/spca501.o
CC drivers/staging/wusbcore/rh.o
CC drivers/hid/hid-petalynx.o
CC drivers/staging/uwb/whci.o
CC drivers/hid/hid-picolcd_core.o
CC drivers/hid/hid-picolcd_fb.o
CC drivers/staging/wusbcore/reservation.o
CC drivers/gpu/drm/i915/display/intel_dsi_dcs_backlight.o
CC drivers/staging/uwb/whc-rc.o
CC drivers/iio/industrialio-event.o
CC drivers/iio/inkern.o
CC drivers/iio/industrialio-buffer.o
CC drivers/media/usb/gspca/spca506.o
CC drivers/iio/industrialio-trigger.o
AR drivers/iio/temperature/built-in.a
CC drivers/hid/hid-picolcd_backlight.o
CC drivers/gpu/drm/i915/display/intel_dsi_vbt.o
CC drivers/staging/wusbcore/security.o
CC drivers/gpu/drm/i915/display/intel_dvo.o
CC drivers/staging/uwb/hwa-rc.o
CC drivers/gpu/drm/i915/display/intel_gmbus.o
CC drivers/hid/hid-picolcd_lcd.o
CC drivers/hid/hid-picolcd_cir.o
CC drivers/hid/hid-picolcd_leds.o
CC drivers/gpu/drm/i915/display/intel_hdmi.o
CC drivers/media/usb/gspca/spca508.o
CC drivers/hid/hid-picolcd_debugfs.o
CC drivers/gpu/drm/i915/display/intel_lspcon.o
CC drivers/hid/hid-plantronics.o
CC drivers/media/usb/gspca/spca561.o
CC drivers/hid/hid-primax.o
CC drivers/gpu/drm/i915/display/intel_lvds.o
CC drivers/staging/wusbcore/wa-hc.o
CC drivers/staging/wusbcore/wusbhc.o
CC drivers/gpu/drm/i915/display/intel_panel.o
CC drivers/gpu/drm/i915/display/intel_sdvo.o
CC drivers/hid/hid-retrode.o
CC drivers/hid/hid-roccat.o
CC drivers/gpu/drm/i915/display/intel_tv.o
CC drivers/staging/wusbcore/wa-nep.o
CC drivers/media/usb/gspca/spca1528.o
CC drivers/staging/wusbcore/wa-rpipe.o
CC drivers/hid/hid-roccat-common.o
CC drivers/hid/hid-roccat-arvo.o
CC drivers/media/usb/gspca/sq905.o
AR drivers/staging/rtl8712/built-in.a
CC drivers/media/usb/gspca/sq905c.o
CC drivers/media/usb/gspca/sunplus.o
CC drivers/media/usb/gspca/sq930x.o
CC drivers/gpu/drm/i915/display/intel_vdsc.o
CC drivers/hid/hid-roccat-isku.o
CC drivers/media/usb/gspca/stk014.o
CC drivers/media/usb/gspca/stk1135.o
AR drivers/staging/uwb/built-in.a
CC drivers/staging/wusbcore/wa-xfer.o
CC drivers/staging/wusbcore/cbaf.o
CC drivers/gpu/drm/i915/display/vlv_dsi.o
AR drivers/iio/built-in.a
CC drivers/gpu/drm/i915/display/vlv_dsi_pll.o
CC drivers/hid/hid-roccat-kone.o
CC drivers/gpu/drm/i915/oa/i915_oa_hsw.o
CC drivers/media/usb/gspca/stv0680.o
CC drivers/gpu/drm/i915/oa/i915_oa_bdw.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt2.o
CC drivers/hid/hid-roccat-koneplus.o
CC drivers/gpu/drm/i915/oa/i915_oa_chv.o
CC drivers/media/usb/gspca/t613.o
CC drivers/media/usb/gspca/touptek.o
CC drivers/media/usb/gspca/topro.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt3.o
CC drivers/hid/hid-roccat-konepure.o
CC drivers/hid/hid-roccat-kovaplus.o
CC drivers/hid/hid-roccat-lua.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt4.o
CC drivers/media/usb/gspca/tv8532.o
CC drivers/media/usb/gspca/vc032x.o
CC drivers/hid/hid-roccat-pyra.o
CC drivers/hid/hid-roccat-ryos.o
CC drivers/gpu/drm/i915/oa/i915_oa_bxt.o
CC drivers/media/usb/gspca/vicam.o
CC drivers/media/usb/gspca/xirlink_cit.o
CC drivers/hid/hid-roccat-savu.o
CC drivers/media/usb/gspca/zc3xx.o
CC drivers/hid/hid-rmi.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt2.o
CC drivers/hid/hid-saitek.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt3.o
CC drivers/hid/hid-samsung.o
CC drivers/hid/hid-sjoy.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_glk.o
CC drivers/hid/hid-sony.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_cnl.o
CC drivers/gpu/drm/i915/oa/i915_oa_icl.o
CC drivers/gpu/drm/i915/oa/i915_oa_tgl.o
CC drivers/gpu/drm/i915/i915_perf.o
CC drivers/gpu/drm/i915/i915_gpu_error.o
CC drivers/hid/hid-speedlink.o
CC drivers/gpu/drm/i915/i915_vgpu.o
CC drivers/hid/hid-steelseries.o
CC drivers/hid/hid-sunplus.o
CC drivers/hid/hid-gaff.o
CC drivers/hid/hid-tmff.o
CC drivers/hid/hid-tivo.o
CC drivers/hid/hid-topseed.o
CC drivers/hid/hid-twinhan.o
CC drivers/hid/hid-uclogic-core.o
CC drivers/hid/hid-uclogic-rdesc.o
CC drivers/hid/hid-uclogic-params.o
CC drivers/hid/hid-udraw-ps3.o
CC drivers/hid/hid-led.o
CC drivers/hid/hid-xinmo.o
CC drivers/hid/hid-zpff.o
CC drivers/hid/hid-zydacron.o
CC drivers/hid/wacom_wac.o
CC drivers/hid/wacom_sys.o
CC drivers/hid/hid-waltop.o
CC drivers/hid/hid-wiimote-core.o
CC drivers/hid/hid-wiimote-modules.o
CC drivers/hid/hid-wiimote-debug.o
CC drivers/hid/hid-sensor-hub.o
CC drivers/hid/hid-sensor-custom.o
AR drivers/media/usb/gspca/built-in.a
AR drivers/staging/wusbcore/built-in.a
AR drivers/staging/built-in.a
AR drivers/media/usb/built-in.a
AR drivers/media/built-in.a
AR drivers/gpu/drm/i915/built-in.a
AR drivers/gpu/drm/built-in.a
AR drivers/gpu/built-in.a
AR drivers/hid/built-in.a
Makefile:1683: recipe for target 'drivers' failed
make: *** [drivers] Error 2


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13c56397e00000


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11260d33e00000

syzbot

Apr 2, 2020, 8:45:06 PM4/2/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in ath9k_htc_rx_msg

haley: dev 0xffff8881d9954000, urb 0xffff8881c6931600. ath9k_hif_usb_reg_in_cb, 701
haley: catch 179. htc_process_conn_rsp, 119
haley: endpoint base 0xffff8881d8f19020, endpoint 0xffff8881d8f1b1b0.
==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:134 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg.cold+0x70b/0x760 drivers/net/wireless/ath/ath9k/htc_hst.c:446
Write of size 2 at addr ffff8881d8f1b1b0 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:134 [inline]
ath9k_htc_rx_msg.cold+0x70b/0x760 drivers/net/wireless/ath/ath9k/htc_hst.c:446
ath9k_hif_usb_reg_in_cb+0x1d6/0x650 drivers/net/wireless/ath/ath9k/hif_usb.c:728
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1751 [inline]
RIP: 0010:vprintk_emit+0x3c8/0x3d0 kernel/printk/printk.c:1995
Code: 00 83 fb ff 75 d6 e9 e0 fc ff ff e8 42 02 16 00 e8 3d 4a 1b 00 41 56 9d e9 b6 fd ff ff e8 30 02 16 00 e8 2b 4a 1b 00 41 56 9d <e9> 2a ff ff ff 0f 1f 00 55 48 89 f5 53 48 89 fb e8 13 02 16 00 49
RSP: 0018:ffff8881da1dfac0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881da196a4c
RBP: ffff8881da1dfb08 R08: ffff8881da196200 R09: fffffbfff1267090
R10: fffffbfff126708f R11: ffffffff8933847f R12: 000000000000005b
R13: ffff8881da24b100 R14: 0000000000000293 R15: 0000000000000000
vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
printk+0xba/0xed kernel/printk/printk.c:2056
ath9k_hif_usb_alloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:947 [inline]
ath9k_hif_usb_alloc_urbs+0x764/0xa57 drivers/net/wireless/ath/ath9k/hif_usb.c:982
ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1069 [inline]
ath9k_hif_usb_firmware_cb+0x247/0x53f drivers/net/wireless/ath/ath9k/hif_usb.c:1210
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 151:
The buggy address belongs to the object at ffff8881d8f1b000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 432 bytes inside of
2048-byte region [ffff8881d8f1b000, ffff8881d8f1b800)
The buggy address belongs to the page:
page:ffffea000763c600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d8f1b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d8f1b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d8f1b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d8f1b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d8f1b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=17d3fcb7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=151bc5bde00000

syzbot

Apr 2, 2020, 9:30:06 PM4/2/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+b1c61e...@syzkaller.appspotmail.com

Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=132d2f33e00000

Note: testing is done by a robot and is best-effort only.

Qiujun Huang

Apr 2, 2020, 9:49:30 PM
to syzbot, Andrey Konovalov, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, LKML, USB list, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkaller-bugs
0001-ath9k-fix-use-after-free-read-in-htc_connect_service.patch

syzbot

Apr 2, 2020, 10:07:05 PM
to andre...@google.com, anen...@gmail.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+b1c61e...@syzkaller.appspotmail.com

Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=172383dbe00000

Qiujun Huang

Apr 3, 2020, 4:40:44 PM
to syzbot, Andrey Konovalov, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, LKML, USB list, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkaller-bugs
ath9k_040401.patch

syzbot

Apr 3, 2020, 5:49:04 PM
to andre...@google.com, anen...@gmail.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+b1c61e...@syzkaller.appspotmail.com

Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=b1c61e5f11be5782f192
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11981b1fe00000