KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
56 views
Skip to first unread message
syzbot
Sep 8, 2020, 3:37:21 AM9/8/20
to ak...@linux-foundation.org, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, kees...@chromium.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, m.szyp...@samsung.com, nor...@nocrew.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: b51594df Merge tag 'docs-5.9-3' of git://git.lwn.net/linux
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149d38ae900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
Write of size 2 at addr ffff88809f5ef480 by task syz-executor.4/6857
CPU: 1 PID: 6857 Comm: syz-executor.4 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
check_memory_region_inline mm/kasan/generic.c:186 [inline]
check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
memcpy+0x39/0x60 mm/kasan/common.c:106
memcpy include/linux/string.h:406 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
expire_timers kernel/time/timer.c:1458 [inline]
__run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
__run_timers kernel/time/timer.c:1736 [inline]
run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768
__do_softirq+0x1f7/0xa91 kernel/softirq.c:298
asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu kernel/softirq.c:423 [inline]
irq_exit_rcu+0x235/0x280 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:770 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x4d/0x90 kernel/locking/spinlock.c:191
Code: 48 c7 c0 48 3c b6 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 3c 48 83 3d 12 f5 bf 01 00 74 29 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 f4 6d 59 f9 65 8b 05 2d b7 0b 78
RSP: 0018:ffffc90004e0f740 EFLAGS: 00000282
RAX: 1ffffffff136c789 RBX: 0000000000000282 RCX: 1ffffffff1563f69
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffffffff8cc156b8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888037a37270
R13: 1ffff920009c1efa R14: ffffffff8cc156b8 R15: ffffffff8cc156b0
__debug_object_init+0x401/0xce0 lib/debugobjects.c:580
debug_object_init lib/debugobjects.c:595 [inline]
debug_object_activate+0x32c/0x3e0 lib/debugobjects.c:681
debug_rcu_head_queue kernel/rcu/rcu.h:176 [inline]
__call_rcu kernel/rcu/tree.c:2880 [inline]
call_rcu+0x2c/0x7b0 kernel/rcu/tree.c:2968
destroy_inode+0x129/0x1b0 fs/inode.c:287
iput_final fs/inode.c:1652 [inline]
iput.part.0+0x424/0x850 fs/inode.c:1678
iput+0x58/0x70 fs/inode.c:1668
proc_invalidate_siblings_dcache+0x28d/0x600 fs/proc/inode.c:160
release_task+0xc63/0x14d0 kernel/exit.c:221
wait_task_zombie kernel/exit.c:1088 [inline]
wait_consider_task+0x2fb3/0x3b20 kernel/exit.c:1315
do_wait_thread kernel/exit.c:1378 [inline]
do_wait+0x36a/0x9e0 kernel/exit.c:1449
kernel_wait4+0x14c/0x260 kernel/exit.c:1621
__do_sys_wait4+0x13f/0x150 kernel/exit.c:1649
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4171fb
Code: 54 55 41 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 1b f9 ff ff 45 31 d2 41 89 c0 49 63 d4 48 89 ee 48 63 fb b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 19 44 89 c7 89 44 24 0c e8 51 f9 ff ff 8b 44
RSP: 002b:00007ffff8e9d6c0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00000000004171fb
RDX: 0000000040000001 RSI: 00007ffff8e9d720 RDI: ffffffffffffffff
RBP: 00007ffff8e9d720 R08: 0000000000000000 R09: 000000000267c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040000001
R13: 00007ffff8e9d720 R14: 000000000012605c R15: 00007ffff8e9d730
Allocated by task 31714:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
__do_kmalloc mm/slab.c:3655 [inline]
__kmalloc+0x1b0/0x310 mm/slab.c:3664
kmalloc include/linux/slab.h:559 [inline]
proc_do_submiturb+0x29a3/0x34d0 drivers/usb/core/devio.c:1733
proc_submiturb drivers/usb/core/devio.c:1892 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2588 [inline]
usbdev_ioctl+0x682/0x3360 drivers/usb/core/devio.c:2708
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88809f5ef480
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff88809f5ef480, ffff88809f5ef4a0)
The buggy address belongs to the page:
page:00000000686f7d13 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f5effc1 pfn:0x9f5ef
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029f1e08 ffffea0002684648 ffff8880aa040100
raw: ffff88809f5effc1 ffff88809f5ef000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f5ef380: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88809f5ef400: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
>ffff88809f5ef480: 01 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
^
ffff88809f5ef500: fa fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
ffff88809f5ef580: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: b51594df Merge tag 'docs-5.9-3' of git://git.lwn.net/linux
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149d38ae900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
Write of size 2 at addr ffff88809f5ef480 by task syz-executor.4/6857
CPU: 1 PID: 6857 Comm: syz-executor.4 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
check_memory_region_inline mm/kasan/generic.c:186 [inline]
check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
memcpy+0x39/0x60 mm/kasan/common.c:106
memcpy include/linux/string.h:406 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
expire_timers kernel/time/timer.c:1458 [inline]
__run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
__run_timers kernel/time/timer.c:1736 [inline]
run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768
__do_softirq+0x1f7/0xa91 kernel/softirq.c:298
asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu kernel/softirq.c:423 [inline]
irq_exit_rcu+0x235/0x280 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:770 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x4d/0x90 kernel/locking/spinlock.c:191
Code: 48 c7 c0 48 3c b6 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 3c 48 83 3d 12 f5 bf 01 00 74 29 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 f4 6d 59 f9 65 8b 05 2d b7 0b 78
RSP: 0018:ffffc90004e0f740 EFLAGS: 00000282
RAX: 1ffffffff136c789 RBX: 0000000000000282 RCX: 1ffffffff1563f69
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffffffff8cc156b8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888037a37270
R13: 1ffff920009c1efa R14: ffffffff8cc156b8 R15: ffffffff8cc156b0
__debug_object_init+0x401/0xce0 lib/debugobjects.c:580
debug_object_init lib/debugobjects.c:595 [inline]
debug_object_activate+0x32c/0x3e0 lib/debugobjects.c:681
debug_rcu_head_queue kernel/rcu/rcu.h:176 [inline]
__call_rcu kernel/rcu/tree.c:2880 [inline]
call_rcu+0x2c/0x7b0 kernel/rcu/tree.c:2968
destroy_inode+0x129/0x1b0 fs/inode.c:287
iput_final fs/inode.c:1652 [inline]
iput.part.0+0x424/0x850 fs/inode.c:1678
iput+0x58/0x70 fs/inode.c:1668
proc_invalidate_siblings_dcache+0x28d/0x600 fs/proc/inode.c:160
release_task+0xc63/0x14d0 kernel/exit.c:221
wait_task_zombie kernel/exit.c:1088 [inline]
wait_consider_task+0x2fb3/0x3b20 kernel/exit.c:1315
do_wait_thread kernel/exit.c:1378 [inline]
do_wait+0x36a/0x9e0 kernel/exit.c:1449
kernel_wait4+0x14c/0x260 kernel/exit.c:1621
__do_sys_wait4+0x13f/0x150 kernel/exit.c:1649
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4171fb
Code: 54 55 41 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 1b f9 ff ff 45 31 d2 41 89 c0 49 63 d4 48 89 ee 48 63 fb b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 19 44 89 c7 89 44 24 0c e8 51 f9 ff ff 8b 44
RSP: 002b:00007ffff8e9d6c0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00000000004171fb
RDX: 0000000040000001 RSI: 00007ffff8e9d720 RDI: ffffffffffffffff
RBP: 00007ffff8e9d720 R08: 0000000000000000 R09: 000000000267c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040000001
R13: 00007ffff8e9d720 R14: 000000000012605c R15: 00007ffff8e9d730
Allocated by task 31714:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
__do_kmalloc mm/slab.c:3655 [inline]
__kmalloc+0x1b0/0x310 mm/slab.c:3664
kmalloc include/linux/slab.h:559 [inline]
proc_do_submiturb+0x29a3/0x34d0 drivers/usb/core/devio.c:1733
proc_submiturb drivers/usb/core/devio.c:1892 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2588 [inline]
usbdev_ioctl+0x682/0x3360 drivers/usb/core/devio.c:2708
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88809f5ef480
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff88809f5ef480, ffff88809f5ef4a0)
The buggy address belongs to the page:
page:00000000686f7d13 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f5effc1 pfn:0x9f5ef
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029f1e08 ffffea0002684648 ffff8880aa040100
raw: ffff88809f5effc1 ffff88809f5ef000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f5ef380: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88809f5ef400: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
>ffff88809f5ef480: 01 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
^
ffff88809f5ef500: fa fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
ffff88809f5ef580: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Dec 30, 2021, 10:47:19 AM12/30/21
to ak...@linux-foundation.org, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, jun...@nxp.com, kees...@chromium.org, kis...@ti.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, m.szyp...@samsung.com, nor...@nocrew.org, pastor....@holytabernacleint.org, peter...@nxp.com, st...@rowland.harvard.edu, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607
CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
print_address_description+0x65/0x380 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x71a/0x910 kernel/time/timer.c:1734
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
__do_softirq+0x392/0x7a3 kernel/softirq.c:558
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
_dev_warn+0x11e/0x165 drivers/base/core.c:4661
checkintf drivers/usb/core/devio.c:826 [inline]
do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc8c54137a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
</TASK>
Allocated by task 3616:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:269 [inline]
__kmalloc+0x253/0x380 mm/slub.c:4423
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88801dd0d780
which belongs to the cache kmalloc-8 of size 8
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000077d900 dead000000000002 ffff888011441280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 22, ts 8565550793, free_ts 8556148454
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab+0xcc/0x540 mm/slub.c:1930
new_slab mm/slub.c:1993 [inline]
___slab_alloc+0x41e/0xc40 mm/slub.c:3022
__slab_alloc mm/slub.c:3109 [inline]
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2eb/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
kzalloc include/linux/slab.h:724 [inline]
smk_parse_smack+0x18e/0x220 security/smack/smack_access.c:468
smk_import_entry+0x22/0x400 security/smack/smack_access.c:566
smk_fetch security/smack/smack_lsm.c:300 [inline]
smack_d_instantiate+0x6ac/0xd10 security/smack/smack_lsm.c:3417
security_d_instantiate+0xa5/0x100 security/security.c:2040
d_instantiate+0x51/0x90 fs/dcache.c:2008
shmem_mknod+0x165/0x1b0 mm/shmem.c:2842
shmem_mkdir+0x2e/0x60 mm/shmem.c:2881
vfs_mkdir+0x44d/0x680 fs/namei.c:3883
dev_mkdir drivers/base/devtmpfs.c:165 [inline]
create_path drivers/base/devtmpfs.c:190 [inline]
handle_create drivers/base/devtmpfs.c:209 [inline]
handle drivers/base/devtmpfs.c:380 [inline]
devtmpfs_work_loop+0x386/0x1080 drivers/base/devtmpfs.c:395
devtmpfsd+0x44/0x50 drivers/base/devtmpfs.c:437
kthread+0x468/0x490 kernel/kthread.c:327
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3425
release_pages+0x15a7/0x17d0 mm/swap.c:980
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
exit_mmap+0x3dd/0x6f0 mm/mmap.c:3172
__mmput+0x111/0x3a0 kernel/fork.c:1113
free_bprm+0x136/0x2f0 fs/exec.c:1481
kernel_execve+0x740/0x9a0 fs/exec.c:1978
call_usermodehelper_exec_async+0x262/0x3b0 kernel/umh.c:112
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff88801dd0d680: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
ffff88801dd0d700: fc 00 fc fc fc fc 00 fc fc fc fc fb fc fc fc fc
>ffff88801dd0d780: 01 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa
^
ffff88801dd0d800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc
ffff88801dd0d880: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e9 71 fa ff ff jmpq 0xfffffa76
5: e8 a7 70 1a 00 callq 0x1a70b1
a: e8 62 4b a0 08 callq 0x8a04b71
f: 48 83 7c 24 38 00 cmpq $0x0,0x38(%rsp)
15: 74 dd je 0xfffffff4
17: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
1e: 00 00 00
21: e8 8b 70 1a 00 callq 0x1a70b1
26: fb sti
27: 31 ff xor %edi,%edi
* 29: 44 89 f6 mov %r14d,%esi <-- trapping instruction
2c: e8 90 74 1a 00 callq 0x1a74c1
31: 31 db xor %ebx,%ebx
33: 45 85 f6 test %r14d,%r14d
36: 0f 95 c0 setne %al
39: 89 c1 mov %eax,%ecx
3b: 0a 4c 24 0f or 0xf(%rsp),%cl
HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
==================================================================
Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607
CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
Call Trace:
<IRQ>
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
print_address_description+0x65/0x380 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x71a/0x910 kernel/time/timer.c:1734
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
__do_softirq+0x392/0x7a3 kernel/softirq.c:558
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
_dev_warn+0x11e/0x165 drivers/base/core.c:4661
checkintf drivers/usb/core/devio.c:826 [inline]
do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc8c54137a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
</TASK>
Allocated by task 3616:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:269 [inline]
__kmalloc+0x253/0x380 mm/slub.c:4423
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88801dd0d780
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff88801dd0d780, ffff88801dd0d788)
The buggy address belongs to the page:
page:ffffea0000774340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dd0d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000077d900 dead000000000002 ffff888011441280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 22, ts 8565550793, free_ts 8556148454
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab+0xcc/0x540 mm/slub.c:1930
new_slab mm/slub.c:1993 [inline]
___slab_alloc+0x41e/0xc40 mm/slub.c:3022
__slab_alloc mm/slub.c:3109 [inline]
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2eb/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
kzalloc include/linux/slab.h:724 [inline]
smk_parse_smack+0x18e/0x220 security/smack/smack_access.c:468
smk_import_entry+0x22/0x400 security/smack/smack_access.c:566
smk_fetch security/smack/smack_lsm.c:300 [inline]
smack_d_instantiate+0x6ac/0xd10 security/smack/smack_lsm.c:3417
security_d_instantiate+0xa5/0x100 security/security.c:2040
d_instantiate+0x51/0x90 fs/dcache.c:2008
shmem_mknod+0x165/0x1b0 mm/shmem.c:2842
shmem_mkdir+0x2e/0x60 mm/shmem.c:2881
vfs_mkdir+0x44d/0x680 fs/namei.c:3883
dev_mkdir drivers/base/devtmpfs.c:165 [inline]
create_path drivers/base/devtmpfs.c:190 [inline]
handle_create drivers/base/devtmpfs.c:209 [inline]
handle drivers/base/devtmpfs.c:380 [inline]
devtmpfs_work_loop+0x386/0x1080 drivers/base/devtmpfs.c:395
devtmpfsd+0x44/0x50 drivers/base/devtmpfs.c:437
kthread+0x468/0x490 kernel/kthread.c:327
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3425
release_pages+0x15a7/0x17d0 mm/swap.c:980
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
exit_mmap+0x3dd/0x6f0 mm/mmap.c:3172
__mmput+0x111/0x3a0 kernel/fork.c:1113
free_bprm+0x136/0x2f0 fs/exec.c:1481
kernel_execve+0x740/0x9a0 fs/exec.c:1978
call_usermodehelper_exec_async+0x262/0x3b0 kernel/umh.c:112
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff88801dd0d700: fc 00 fc fc fc fc 00 fc fc fc fc fb fc fc fc fc
>ffff88801dd0d780: 01 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa
^
ffff88801dd0d800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc
ffff88801dd0d880: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e9 71 fa ff ff jmpq 0xfffffa76
5: e8 a7 70 1a 00 callq 0x1a70b1
a: e8 62 4b a0 08 callq 0x8a04b71
f: 48 83 7c 24 38 00 cmpq $0x0,0x38(%rsp)
15: 74 dd je 0xfffffff4
17: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
1e: 00 00 00
21: e8 8b 70 1a 00 callq 0x1a70b1
26: fb sti
27: 31 ff xor %edi,%edi
* 29: 44 89 f6 mov %r14d,%esi <-- trapping instruction
2c: e8 90 74 1a 00 callq 0x1a74c1
31: 31 db xor %ebx,%ebx
33: 45 85 f6 test %r14d,%r14d
36: 0f 95 c0 setne %al
39: 89 c1 mov %eax,%ecx
3b: 0a 4c 24 0f or 0xf(%rsp),%cl
Alan Stern
Dec 30, 2021, 3:08:17 PM12/30/21
to syzbot, ak...@linux-foundation.org, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, jun...@nxp.com, kees...@chromium.org, kis...@ti.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, m.szyp...@samsung.com, nor...@nocrew.org, pastor....@holytabernacleint.org, peter...@nxp.com, syzkall...@googlegroups.com
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
syzbot
Dec 30, 2021, 7:49:19 PM12/30/21
to ak...@linux-foundation.org, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, jun...@nxp.com, kees...@chromium.org, kis...@ti.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, m.szyp...@samsung.com, nor...@nocrew.org, pastor....@holytabernacleint.org, peter...@nxp.com, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
CPU: 1 PID: 4087 Comm: syz-executor189 Not tainted 5.16.0-rc7-syzkaller #0
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200
Code: 48 89 ef 5d e9 b1 1c 46 00 5d be 03 00 00 00 e9 46 8c 63 02 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 c9 dd 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
RSP: 0018:ffffc900027ef930 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801b413a00 RSI: ffffffff815efbe1 RDI: 0000000000000003
RBP: ffffc900027ef970 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff815efbd7 R11: 0000000000000000 R12: 000000000000001f
R13: ffff88801fbc1d00 R14: 0000000000000200 R15: ffffc900027efa90
console_trylock_spinning kernel/printk/printk.c:1885 [inline]
vprintk_emit+0x377/0x4f0 kernel/printk/printk.c:2244
dev_vprintk_emit+0x36e/0x3b2 drivers/base/core.c:4594
dev_printk_emit+0xba/0xf1 drivers/base/core.c:4605
__dev_printk+0xcf/0xf5 drivers/base/core.c:4617
_dev_info+0xd7/0x109 drivers/base/core.c:4663
usbdev_do_ioctl drivers/usb/core/devio.c:2624 [inline]
usbdev_ioctl.cold+0x7c2/0x83c drivers/usb/core/devio.c:2791
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7faa77f20799
RAX: ffffffffffffffda RBX: 00007faa77f64098 RCX: 00007faa77f20799
R10: 000000000000ffff R11: 0000000000000246 R12: 000000000001297d
R13: 00007ffd37de1ec4 R14: 00007ffd37de1ee0 R15: 00007ffd37de1ed0
</TASK>
Allocated by task 4081:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff8880121ae230
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
acpi_ns_evaluate+0xd2/0x966 drivers/acpi/acpica/nseval.c:62
acpi_evaluate_object+0x3db/0x7f5 drivers/acpi/acpica/nsxfeval.c:354
acpi_evaluate_dsm+0x188/0x270 drivers/acpi/utils.c:678
acpi_check_dsm drivers/acpi/utils.c:710 [inline]
acpi_check_dsm+0x60/0x260 drivers/acpi/utils.c:701
device_has_acpi_name drivers/pci/pci-label.c:44 [inline]
acpi_attr_is_visible+0xaf/0x130 drivers/pci/pci-label.c:221
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880121ae100: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc
ffff8880121ae180: fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc fc
>ffff8880121ae200: fc fb fc fc fc fc 01 fc fc fc fc fb fc fc fc fc
^
ffff8880121ae280: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb
ffff8880121ae300: fc fc fc fc fb fc fc fc fc fb fc fc fc fc 00 fc
==================================================================
----------------
Code disassembly (best guess):
0: 48 89 ef mov %rbp,%rdi
3: 5d pop %rbp
4: e9 b1 1c 46 00 jmpq 0x461cba
9: 5d pop %rbp
a: be 03 00 00 00 mov $0x3,%esi
f: e9 46 8c 63 02 jmpq 0x2638c5a
14: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
1a: 48 8b be b0 01 00 00 mov 0x1b0(%rsi),%rdi
21: e8 b4 ff ff ff callq 0xffffffda
26: 31 c0 xor %eax,%eax
28: c3 retq
29: 90 nop
* 2a: 65 8b 05 c9 dd 8a 7e mov %gs:0x7e8addc9(%rip),%eax # 0x7e8addfa <-- trapping instruction
31: 89 c1 mov %eax,%ecx
33: 48 8b 34 24 mov (%rsp),%rsi
37: 81 e1 00 01 00 00 and $0x100,%ecx
3d: 65 gs
3e: 48 rex.W
3f: 8b .byte 0x8b
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13e94c1bb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1798d2c3b00000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
CPU: 1 PID: 4087 Comm: syz-executor189 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200
Code: 48 89 ef 5d e9 b1 1c 46 00 5d be 03 00 00 00 e9 46 8c 63 02 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 c9 dd 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
RSP: 0018:ffffc900027ef930 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801b413a00 RSI: ffffffff815efbe1 RDI: 0000000000000003
RBP: ffffc900027ef970 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff815efbd7 R11: 0000000000000000 R12: 000000000000001f
R13: ffff88801fbc1d00 R14: 0000000000000200 R15: ffffc900027efa90
console_trylock_spinning kernel/printk/printk.c:1885 [inline]
vprintk_emit+0x377/0x4f0 kernel/printk/printk.c:2244
dev_vprintk_emit+0x36e/0x3b2 drivers/base/core.c:4594
dev_printk_emit+0xba/0xf1 drivers/base/core.c:4605
__dev_printk+0xcf/0xf5 drivers/base/core.c:4617
_dev_info+0xd7/0x109 drivers/base/core.c:4663
usbdev_do_ioctl drivers/usb/core/devio.c:2624 [inline]
usbdev_ioctl.cold+0x7c2/0x83c drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7faa77f20799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd37de1eb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faa77f64098 RCX: 00007faa77f20799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffd37de1ee0 R08: 00007ffd37de1930 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 000000000001297d
R13: 00007ffd37de1ec4 R14: 00007ffd37de1ee0 R15: 00007ffd37de1ed0
</TASK>
Allocated by task 4081:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff8880121ae230
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff8880121ae230, ffff8880121ae238)
The buggy address is located 0 bytes inside of
The buggy address belongs to the page:
page:ffffea0000486b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121ae
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2449997177, free_ts 0
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
slab_alloc mm/slub.c:3242 [inline]
acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
acpi_ns_evaluate+0xd2/0x966 drivers/acpi/acpica/nseval.c:62
acpi_evaluate_object+0x3db/0x7f5 drivers/acpi/acpica/nsxfeval.c:354
acpi_evaluate_dsm+0x188/0x270 drivers/acpi/utils.c:678
acpi_check_dsm drivers/acpi/utils.c:710 [inline]
acpi_check_dsm+0x60/0x260 drivers/acpi/utils.c:701
device_has_acpi_name drivers/pci/pci-label.c:44 [inline]
acpi_attr_is_visible+0xaf/0x130 drivers/pci/pci-label.c:221
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880121ae180: fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc fc
>ffff8880121ae200: fc fb fc fc fc fc 01 fc fc fc fc fb fc fc fc fc
^
ffff8880121ae280: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb
ffff8880121ae300: fc fc fc fc fb fc fc fc fc fb fc fc fc fc 00 fc
==================================================================
----------------
Code disassembly (best guess):
0: 48 89 ef mov %rbp,%rdi
3: 5d pop %rbp
4: e9 b1 1c 46 00 jmpq 0x461cba
9: 5d pop %rbp
a: be 03 00 00 00 mov $0x3,%esi
f: e9 46 8c 63 02 jmpq 0x2638c5a
14: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
1a: 48 8b be b0 01 00 00 mov 0x1b0(%rsi),%rdi
21: e8 b4 ff ff ff callq 0xffffffda
26: 31 c0 xor %eax,%eax
28: c3 retq
29: 90 nop
* 2a: 65 8b 05 c9 dd 8a 7e mov %gs:0x7e8addc9(%rip),%eax # 0x7e8addfa <-- trapping instruction
31: 89 c1 mov %eax,%ecx
33: 48 8b 34 24 mov (%rsp),%rsi
37: 81 e1 00 01 00 00 and $0x100,%ecx
3d: 65 gs
3e: 48 rex.W
3f: 8b .byte 0x8b
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13e94c1bb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1798d2c3b00000
Alan Stern
Dec 30, 2021, 9:31:32 PM12/30/21
to syzbot, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
[Trimmed CC: list]
On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
...
label is too short. The reproducer bug report had exactly the opposite
> git tree: upstream
Andrey or Dmitry? Can you guys unify these two outputs to make both
lines correct always?
Moving on... Important lines from the console log:
[ 76.919138][ T4081] usb usb9: usbdev_do_ioctl: BULK
[ 76.924966][ T4081] usb usb9: usbfs: process 4081 (syz-executor189) did not claim interface 0 before use
[ 76.935186][ T4081] usb usb9: ep1 int-in, length 1, timeout 9
[ 76.941355][ T4099] usb usb9: opened by process 4099: syz-executor189
[ 76.942606][ T4087] usb usb9: usbdev_do_ioctl: BULK
[ 76.949968][ C1]
==================================================================
[ 76.950070][ C1] BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780
[ 76.950102][ C1] Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
It's hard to tell what's really happening. The suspicious part is the
"length 1" combined with the "Write of size 2" -- but they refer to
different processes!
Maybe this diagnostic patch will help a little.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -809,8 +809,10 @@ static int rh_queue_status (struct usb_h
unsigned len = 1 + (urb->dev->maxchild / 8);
spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ dev_info(hcd->self.controller, "rh_queue_status: len %d tblen %d\n",
+ len, urb->transfer_buffer_length);
if (hcd->status_urb || urb->transfer_buffer_length < len) {
- dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
+ dev_info(hcd->self.controller, "not queuing rh status urb\n");
retval = -EINVAL;
goto done;
}
On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> Tested on:
>
> commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
I'm glad to see that the git tree is reported properly, but the commit
>
> commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
label is too short. The reproducer bug report had exactly the opposite
problems! It said:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> syzbot has found a reproducer for the following issue on:
>
> git tree: upstream
Andrey or Dmitry? Can you guys unify these two outputs to make both
lines correct always?
Moving on... Important lines from the console log:
[ 76.919138][ T4081] usb usb9: usbdev_do_ioctl: BULK
[ 76.924966][ T4081] usb usb9: usbfs: process 4081 (syz-executor189) did not claim interface 0 before use
[ 76.935186][ T4081] usb usb9: ep1 int-in, length 1, timeout 9
[ 76.941355][ T4099] usb usb9: opened by process 4099: syz-executor189
[ 76.942606][ T4087] usb usb9: usbdev_do_ioctl: BULK
[ 76.949968][ C1]
==================================================================
[ 76.950070][ C1] BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780
[ 76.950102][ C1] Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
It's hard to tell what's really happening. The suspicious part is the
"length 1" combined with the "Write of size 2" -- but they refer to
different processes!
Maybe this diagnostic patch will help a little.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -809,8 +809,10 @@ static int rh_queue_status (struct usb_h
unsigned len = 1 + (urb->dev->maxchild / 8);
spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ dev_info(hcd->self.controller, "rh_queue_status: len %d tblen %d\n",
+ len, urb->transfer_buffer_length);
if (hcd->status_urb || urb->transfer_buffer_length < len) {
- dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
+ dev_info(hcd->self.controller, "not queuing rh status urb\n");
retval = -EINVAL;
goto done;
}
syzbot
Dec 31, 2021, 12:24:09 AM12/31/21
to andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082
CPU: 1 PID: 4082 Comm: syz-executor029 Not tainted 5.16.0-rc7-syzkaller #0
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 aa db 15 f8 48 89 ef e8 62 51 16 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> a3 1b 09 f8 65 8b 05 bc a0 bb 76 85 c0 74 0a 5b 5d c3 e8 d0 02
RSP: 0018:ffffc9000283f8b0 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1b22571
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817dd258 R11: 0000000000000000 R12: ffff88801cffc240
R13: ffff88801dba4000 R14: ffff88801dba4180 R15: 0000000000000000
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
rh_queue_status drivers/usb/core/hcd.c:834 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:841 [inline]
usb_hcd_submit_urb+0x155c/0x2300 drivers/usb/core/hcd.c:1546
usb_submit_urb+0x86d/0x18a0 drivers/usb/core/urb.c:594
usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe659509799
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffbcc163b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe65954d098 RCX: 00007fe659509799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007fffbcc163e0 R08: 00007fffbcc15e30 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 0000000000012b3a
R13: 00007fffbcc163c4 R14: 00007fffbcc163e0 R15: 00007fffbcc163d0
</TASK>
Allocated by task 4082:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff8880127f7028
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff8880127f7028, ffff8880127f7030)
The buggy address is located 0 bytes inside of
The buggy address belongs to the page:
page:ffffea000049fdc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127f7
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2292076002, free_ts 0
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
acpi_get_handle+0x129/0x211 drivers/acpi/acpica/nsxfname.c:98
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
acpi_has_method+0x6e/0xb0 drivers/acpi/utils.c:553
acpi_is_video_device+0x154/0x210 drivers/acpi/scan.c:1226
acpi_set_pnp_ids drivers/acpi/scan.c:1365 [inline]
acpi_init_device_object+0xee0/0x1a60 drivers/acpi/scan.c:1747
acpi_add_single_object+0xe4/0x1aa0 drivers/acpi/scan.c:1793
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880127f6f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff8880127f6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880127f7000: fb fc fc fc fc 01 fc fc fc fc fa fc fc fc fc 00
^
ffff8880127f7080: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
ffff8880127f7100: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 74 24 je 0x26
----------------
Code disassembly (best guess):
2: 10 e8 adc %ch,%al
4: aa stos %al,%es:(%rdi)
5: db 15 f8 48 89 ef fistl -0x1076b708(%rip) # 0xef894903
b: e8 62 51 16 f8 callq 0xf8165172
10: 81 e3 00 02 00 00 and $0x200,%ebx
16: 75 25 jne 0x3d
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 2d jne 0x4c
1f: 48 85 db test %rbx,%rbx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 a3 1b 09 f8 callq 0xf8091bd2 <-- trapping instruction
2f: 65 8b 05 bc a0 bb 76 mov %gs:0x76bba0bc(%rip),%eax # 0x76bba0f2
36: 85 c0 test %eax,%eax
38: 74 0a je 0x44
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: e8 .byte 0xe8
3e: d0 02 rolb (%rdx)
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14522335b00000
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Alan Stern
Dec 31, 2021, 12:33:02 PM12/31/21
to syzbot, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, Dec 30, 2021 at 09:24:09PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
> Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082
Still not enough information.
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
> Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
hcd->status_urb = NULL;
urb->actual_length = length;
+ dev_info(hcd->self.controller, "poll_rh_status: len %d maxch %d tblen %d\n",
+ length, urb->dev->maxchild, urb->transfer_buffer_length);
memcpy(urb->transfer_buffer, buffer, length);
usb_hcd_unlink_urb_from_ep(hcd, urb);
@@ -809,8 +811,10 @@ static int rh_queue_status (struct usb_h
unsigned len = 1 + (urb->dev->maxchild / 8);
spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ dev_info(hcd->self.controller, "rh_queue_status: len %d maxch %d tblen %d\n",
spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ len, urb->dev->maxchild, urb->transfer_buffer_length);
syzbot
Dec 31, 2021, 12:44:07 PM12/31/21
to andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
CPU: 1 PID: 4062 Comm: syz-executor133 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 ca db 15 f8 48 89 ef e8 82 51 16 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> c3 1b 09 f8 65 8b 05 dc a0 bb 76 85 c0 74 0a 5b 5d c3 e8 f0 02
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
RSP: 0018:ffffc9000289f8b0 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1b22579
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817dd258 R11: 0000000000000000 R12: ffff88801d9a7d40
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R13: ffff888147c88000 R14: ffff888147c88180 R15: 0000000000000000
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
rh_queue_status drivers/usb/core/hcd.c:836 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
usb_hcd_submit_urb+0x15ac/0x2390 drivers/usb/core/hcd.c:1548
usb_submit_urb+0x86d/0x18a0 drivers/usb/core/urb.c:594
usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fecb7004799
usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb13c1078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fecb7048098 RCX: 00007fecb7004799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007fffb13c10a0 R08: 00007fffb13c0af0 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fecb6fc3770
R13: 0000000000000000 R14: 00007fffb13c10a0 R15: 00007fffb13c1090
</TASK>
Allocated by task 4062:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88801da403c0
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff88801da403c0, ffff88801da403c8)
The buggy address is located 0 bytes inside of
The buggy address belongs to the page:
page:ffffea0000769000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1da40
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2973, ts 21401832644, free_ts 18932450065
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2190
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
kernfs_fop_write_iter+0x231/0x500 fs/kernfs/file.c:273
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write+0x429/0x660 fs/read_write.c:503
vfs_write+0x7cd/0xae0 fs/read_write.c:590
ksys_write+0x12d/0x250 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3388
kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:380
apply_to_pte_range mm/memory.c:2518 [inline]
apply_to_pmd_range mm/memory.c:2562 [inline]
apply_to_pud_range mm/memory.c:2598 [inline]
apply_to_p4d_range mm/memory.c:2634 [inline]
__apply_to_page_range+0x686/0x1030 mm/memory.c:2668
kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:490
__purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1708
_vm_unmap_aliases.part.0+0x3f0/0x500 mm/vmalloc.c:2111
_vm_unmap_aliases mm/vmalloc.c:2085 [inline]
vm_unmap_aliases+0x45/0x50 mm/vmalloc.c:2134
change_page_attr_set_clr+0x241/0x500 arch/x86/mm/pat/set_memory.c:1743
change_page_attr_set arch/x86/mm/pat/set_memory.c:1793 [inline]
set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1941
free_init_pages+0x73/0xc0 arch/x86/mm/init.c:894
kernel_init+0x2e/0x1d0 init/main.c:1508
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffff88801da40300: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
>ffff88801da40380: fc fc fc 00 fc fc fc fc 01 fc fc fc fc fb fc fc
^
ffff88801da40400: fc fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc
ffff88801da40480: fc fb fc fc fc fc fa fc fc fc fc fb fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 74 24 je 0x26
2: 10 e8 adc %ch,%al
4: ca db 15 lret $0x15db
----------------
Code disassembly (best guess):
0: 74 24 je 0x26
2: 10 e8 adc %ch,%al
7: f8 clc
8: 48 89 ef mov %rbp,%rdi
b: e8 82 51 16 f8 callq 0xf8165192
10: 81 e3 00 02 00 00 and $0x200,%ebx
16: 75 25 jne 0x3d
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 2d jne 0x4c
1f: 48 85 db test %rbx,%rbx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 c3 1b 09 f8 callq 0xf8091bf2 <-- trapping instruction
16: 75 25 jne 0x3d
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 2d jne 0x4c
1f: 48 85 db test %rbx,%rbx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
2f: 65 8b 05 dc a0 bb 76 mov %gs:0x76bba0dc(%rip),%eax # 0x76bba112
36: 85 c0 test %eax,%eax
38: 74 0a je 0x44
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: e8 .byte 0xe8
3e: f0 lock
38: 74 0a je 0x44
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: e8 .byte 0xe8
3f: 02 .byte 0x2
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=177bd55db00000
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Alan Stern
Dec 31, 2021, 3:30:49 PM12/31/21
to syzbot, andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, Dec 31, 2021 at 09:44:06AM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
>
> vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
> Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
I think I understand the problem. This patch is intended to fix it.
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
>
> vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
> Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_h
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
{
struct urb *urb;
int length;
+ int status;
unsigned long flags;
char buffer[6]; /* Any root hubs with > 31 ports? */
@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_h
if (urb) {
clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
hcd->status_urb = NULL;
+ if (urb->transfer_buffer_length >= length) {
hcd->status_urb = NULL;
+ status = 0;
+ } else {
+ status = -EOVERFLOW;
+ length = urb->transfer_buffer_length;
+ }
urb->actual_length = length;
memcpy(urb->transfer_buffer, buffer, length);
usb_hcd_unlink_urb_from_ep(hcd, urb);
- usb_hcd_giveback_urb(hcd, urb, 0);
usb_hcd_unlink_urb_from_ep(hcd, urb);
+ usb_hcd_giveback_urb(hcd, urb, status);
} else {
length = 0;
set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
syzbot
Dec 31, 2021, 3:44:06 PM12/31/21
to andre...@google.com, dvy...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=148e8e35b00000
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: testing is done by a robot and is best-effort only.
Alan Stern
Dec 31, 2021, 9:07:14 PM12/31/21
to Greg KH, USB mailing list, Kernel development list, syzkall...@googlegroups.com
When the USB core code for getting root-hub status reports was
originally written, it was assumed that the hub driver would be its
only caller. But this isn't true now; user programs can use usbfs to
communicate with root hubs and get status reports. When they do this,
they may use a transfer_buffer that is smaller than the data returned
by the HCD, which will lead to a buffer overflow error when
usb_hcd_poll_rh_status() tries to store the status data. This was
discovered by syzbot:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
This patch fixes the bug by reducing the amount of status data if it
won't fit in the transfer_buffer. If some data gets discarded then
the URB's completion status is set to -EOVERFLOW rather than 0, to let
the user know what happened.
Reported-and-tested-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Cc: <sta...@vger.kernel.org>
---
[as1966]
drivers/usb/core/hcd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
originally written, it was assumed that the hub driver would be its
only caller. But this isn't true now; user programs can use usbfs to
communicate with root hubs and get status reports. When they do this,
they may use a transfer_buffer that is smaller than the data returned
by the HCD, which will lead to a buffer overflow error when
usb_hcd_poll_rh_status() tries to store the status data. This was
discovered by syzbot:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
won't fit in the transfer_buffer. If some data gets discarded then
the URB's completion status is set to -EOVERFLOW rather than 0, to let
the user know what happened.
Reported-and-tested-by: syzbot+3ae6a2...@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Cc: <sta...@vger.kernel.org>
---
[as1966]
drivers/usb/core/hcd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Dmitry Vyukov
May 19, 2022, 8:51:37 AM5/19/22
to Alan Stern, syzbot, andre...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 31 Dec 2021 at 03:31, Alan Stern <st...@rowland.harvard.edu> wrote:
>
> [Trimmed CC: list]
>
> On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> ...
> > Tested on:
> >
> > commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
>
> I'm glad to see that the git tree is reported properly, but the commit
> label is too short. The reproducer bug report had exactly the opposite
> problems! It said:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: upstream
>
> Andrey or Dmitry? Can you guys unify these two outputs to make both
> lines correct always?
Hi Alan,
>
> [Trimmed CC: list]
>
> On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> ...
> > Tested on:
> >
> > commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
>
> I'm glad to see that the git tree is reported properly, but the commit
> label is too short. The reproducer bug report had exactly the opposite
> problems! It said:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: upstream
>
> Andrey or Dmitry? Can you guys unify these two outputs to make both
> lines correct always?
This got lost on the mailing list. Filed
https://github.com/google/syzkaller/issues/3147 to track this request.
Thanks
Reply all
Reply to author
Forward
0 new messages