KASAN: use-after-free Read in usb_anchor_resume_wakeups (2)


syzbot

Jan 11, 2021, 11:11:28 AM1/11/21
to a.da...@linutronix.de, allen...@gmail.com, andre...@google.com, dvy...@google.com, el...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzbot found the following issue on:

HEAD commit: 841081d8 usb: usbip: Use DEFINE_SPINLOCK() for spinlock
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=12f42a3f500000
kernel config: https://syzkaller.appspot.com/x/.config?x=6f9911c273a88e5
dashboard link: https://syzkaller.appspot.com/bug?extid=39c636a0650bcbb172ec
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+39c636...@syzkaller.appspotmail.com

xpad 6-1:0.65: xpad_irq_in - usb_submit_urb failed with result -19
xpad 6-1:0.65: xpad_irq_out - usb_submit_urb failed with result -19
==================================================================
BUG: KASAN: use-after-free in register_lock_class+0xecc/0x1100 kernel/locking/lockdep.c:1291
Read of size 2 at addr ffff888137488092 by task systemd-udevd/7474

CPU: 1 PID: 7474 Comm: systemd-udevd Not tainted 5.11.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
register_lock_class+0xecc/0x1100 kernel/locking/lockdep.c:1291
__lock_acquire+0x101/0x54f0 kernel/locking/lockdep.c:4711
lock_acquire kernel/locking/lockdep.c:5437 [inline]
lock_acquire+0x288/0x700 kernel/locking/lockdep.c:5402
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x36/0x50 kernel/locking/spinlock.c:159
__wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137
usb_anchor_resume_wakeups drivers/usb/core/urb.c:937 [inline]
usb_anchor_resume_wakeups+0xbe/0xe0 drivers/usb/core/urb.c:930
__usb_hcd_giveback_urb+0x2df/0x5c0 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1728
dummy_timer+0x11f4/0x32a0 drivers/usb/gadget/udc/dummy_hcd.c:1971
call_timer_fn+0x1a5/0x630 kernel/time/timer.c:1417
expire_timers kernel/time/timer.c:1462 [inline]
__run_timers.part.0+0x67c/0xa10 kernel/time/timer.c:1731
__run_timers kernel/time/timer.c:1712 [inline]
run_timer_softirq+0x80/0x120 kernel/time/timer.c:1744
__do_softirq+0x1b7/0x977 kernel/softirq.c:343
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x80/0xa0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:226 [inline]
__irq_exit_rcu kernel/softirq.c:420 [inline]
irq_exit_rcu+0x110/0x1a0 kernel/softirq.c:432
sysvec_apic_timer_interrupt+0x43/0xa0 arch/x86/kernel/apic/apic.c:1096
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628
RIP: 0010:__sanitizer_cov_trace_pc+0x37/0x60 kernel/kcov.c:197
Code: 81 e1 00 01 00 00 65 48 8b 14 25 40 ef 01 00 a9 00 01 ff 00 74 0e 85 c9 74 35 8b 82 dc 13 00 00 85 c0 74 2b 8b 82 b8 13 00 00 <83> f8 02 75 20 48 8b 8a c0 13 00 00 8b 92 bc 13 00 00 48 8b 01 48
RSP: 0018:ffffc90005f875b0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff888116d85040 RSI: ffffffff81dabe81 RDI: 0000000000000003
RBP: ffff888102c2bf00 R08: 0000000000000000 R09: 0000000000000003
R10: ffffffff81dabeba R11: 0000000000000010 R12: 0000000000000002
R13: 00000000000001cc R14: dffffc0000000000 R15: 0000000000000000
tomoyo_domain_quota_is_ok+0x2f1/0x550 security/tomoyo/util.c:1093
tomoyo_supervisor+0x2f2/0xf00 security/tomoyo/common.c:2089
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573
tomoyo_check_open_permission+0x33e/0x380 security/tomoyo/file.c:777
tomoyo_file_open security/tomoyo/tomoyo.c:313 [inline]
tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:308
security_file_open+0x52/0x4f0 security/security.c:1576
do_dentry_open+0x353/0x1090 fs/open.c:804
do_open fs/namei.c:3254 [inline]
path_openat+0x1b9a/0x2730 fs/namei.c:3371
do_filp_open+0x17e/0x3c0 fs/namei.c:3398
do_sys_openat2+0x16d/0x420 fs/open.c:1172
do_sys_open fs/open.c:1188 [inline]
__do_sys_open fs/open.c:1196 [inline]
__se_sys_open fs/open.c:1192 [inline]
__x64_sys_open+0x119/0x1c0 fs/open.c:1192
do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f97523546f0
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 19 30 2c 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe 9d 01 00 48 89 04 24
RSP: 002b:00007ffda8db42a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000560343083730 RCX: 00007f97523546f0
RDX: 00000000000001b6 RSI: 0000000000080000 RDI: 00007ffda8db4450
RBP: 0000000000000008 R08: 0000000000000008 R09: 0000000000000001
R10: 0000000000080000 R11: 0000000000000246 R12: 000056034175268a
R13: 0000000000000001 R14: 000056034308c587 R15: 00007ffda8db44c0

Allocated by task 7307:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:401 [inline]
____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:682 [inline]
xpad_probe+0x26c/0x1c10 drivers/input/joystick/xpad.c:1731
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
really_probe+0x291/0xde0 drivers/base/dd.c:561
driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:745
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:851
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
__device_attach+0x228/0x4a0 drivers/base/dd.c:919
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0xbc4/0x1d90 drivers/base/core.c:3091
usb_set_configuration+0x113c/0x1910 drivers/usb/core/message.c:2164
usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
really_probe+0x291/0xde0 drivers/base/dd.c:561
driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:745
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:851
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
__device_attach+0x228/0x4a0 drivers/base/dd.c:919
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0xbc4/0x1d90 drivers/base/core.c:3091
usb_new_device.cold+0x725/0x1057 drivers/usb/core/hub.c:2555
hub_port_connect drivers/usb/core/hub.c:5223 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
port_event drivers/usb/core/hub.c:5509 [inline]
hub_event+0x2348/0x42d0 drivers/usb/core/hub.c:5591
process_one_work+0x98d/0x1580 kernel/workqueue.c:2275
process_scheduled_works kernel/workqueue.c:2337 [inline]
worker_thread+0x82b/0x1120 kernel/workqueue.c:2423
kthread+0x38c/0x460 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Freed by task 7368:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:354
____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362
kasan_slab_free include/linux/kasan.h:188 [inline]
slab_free_hook mm/slub.c:1547 [inline]
slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
slab_free mm/slub.c:3143 [inline]
kfree+0xdb/0x390 mm/slub.c:4125
xpad_disconnect+0x1cb/0x530 drivers/input/joystick/xpad.c:1879
usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458
__device_release_driver+0x3bd/0x6f0 drivers/base/dd.c:1161
device_release_driver_internal drivers/base/dd.c:1192 [inline]
device_release_driver+0x26/0x40 drivers/base/dd.c:1215
bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:533
device_del+0x502/0xd40 drivers/base/core.c:3270
usb_disable_device+0x35b/0x7b0 drivers/usb/core/message.c:1413
usb_disconnect.cold+0x27d/0x780 drivers/usb/core/hub.c:2218
hub_port_connect drivers/usb/core/hub.c:5074 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
port_event drivers/usb/core/hub.c:5509 [inline]
hub_event+0x1c8a/0x42d0 drivers/usb/core/hub.c:5591
process_one_work+0x98d/0x1580 kernel/workqueue.c:2275
worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
kthread+0x38c/0x460 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff888137488000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 146 bytes inside of
1024-byte region [ffff888137488000, ffff888137488400)
The buggy address belongs to the page:
page:000000001b181346 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x137488
head:000000001b181346 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100041140
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888137487f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888137488000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888137488080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888137488100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888137488180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Zhang, Qiang

Jan 11, 2021, 10:28:24 PM1/11/21
to syzbot, a.da...@linutronix.de, allen...@gmail.com, andre...@google.com, dvy...@google.com, el...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de

________________________________________
发件人: syzbot <syzbot+39c636...@syzkaller.appspotmail.com>
发送时间: 2021年1月12日 0:11
收件人: a.da...@linutronix.de; allen...@gmail.com; andre...@google.com; dvy...@google.com; el...@google.com; gre...@linuxfoundation.org; gusta...@kernel.org; linux-...@vger.kernel.org; linu...@vger.kernel.org; syzkall...@googlegroups.com; tg...@linutronix.de
主题: KASAN: use-after-free Read in usb_anchor_resume_wakeups (2)

Hello,

Hi

When the USB device disconnects, we call usb_wait_anchor_empty_timeout();
if it times out we kill the URB, but if it does not time out we also need to kill the URB.
I didn't test the patch, you can test it.

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 0687f0ed60b8..4233686d458d 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1130,7 +1130,8 @@ static void xpad_stop_output(struct usb_xpad *xpad)
dev_warn(&xpad->intf->dev,
"timed out waiting for output URB to complete, killing\n");
usb_kill_anchored_urbs(&xpad->irq_out_anchor);
- }
+ } else
+ usb_kill_urb(xpad->irq_out);

Zhang, Qiang

Jan 11, 2021, 11:55:59 PM1/11/21
to syzbot, a.da...@linutronix.de, allen...@gmail.com, andre...@google.com, dvy...@google.com, el...@google.com, gre...@linuxfoundation.org, gusta...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de

________________________________________
发件人: Zhang, Qiang <Qiang...@windriver.com>
发送时间: 2021年1月12日 11:28
收件人: syzbot; a.da...@linutronix.de; allen...@gmail.com; andre...@google.com; dvy...@google.com; el...@google.com; gre...@linuxfoundation.org; gusta...@kernel.org; linux-...@vger.kernel.org; linu...@vger.kernel.org; syzkall...@googlegroups.com; tg...@linutronix.de
主题: 回复: KASAN: use-after-free Read in usb_anchor_resume_wakeups (2)

Hello,

Hi syzbot

Sorry, please ignore the previous modification suggestions.

When the USB device disconnects, we call usb_wait_anchor_empty_timeout();

if it times out, the URB is killed — but whether or not it times out, we
need to kill the URB.

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 0687f0ed60b8..c0d8d4b9138b 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1131,6 +1131,7 @@ static void xpad_stop_output(struct usb_xpad *xpad)


"timed out waiting for output URB to complete, killing\n");
usb_kill_anchored_urbs(&xpad->irq_out_anchor);
}

+ usb_kill_urb(xpad->irq_out);
}
}
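Review bot: The unconditional `usb_kill_urb(xpad->irq_out)` is the right shape for this report but needs a comment saying why it helps, since on its face it kills a URB the anchor wait has just seen leave: the trace shows the UAF in the core's `usb_anchor_resume_wakeups()` → `wake_up()` after `xpad_disconnect()` has already freed `xpad`, and `usb_kill_urb()` blocks until the core has finished giving the URB back, which, if I read hcd.c right, is after that wakeup. Suggested: `/* Block until the core has fully given the URB back, including the wake_up on our embedded anchor, before xpad is freed. */`. As pasted the hunk will not apply: the `dev_warn(` context line is missing and stray blank lines have been inserted, so resend it with `git format-patch`. `xpad_stop_output()` begins before the hunk.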


I didn't test the patch, you can test it.

Hillf Danton

Jan 12, 2021, 4:52:07 AM1/12/21
to syzbot, andre...@google.com, gre...@linuxfoundation.org, Qiang...@windriver.com, Pavel Rojtberg, Dmitry Torokhov, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Mon, 11 Jan 2021 08:11:26 -0800
A submitted URB is left behind: xpad_stop_output() does not wait for every URB still in flight to be given back.
Fix 4220f7db1e42 ("Input: xpad - workaround dead irq_out after suspend/ resume")
by adding a counter of successfully submitted URBs and making no progress
in the disconnect path until every URB in flight has been given back.

A destroying flag is also added to tell the URB callback that xpad is
disconnecting; no URB is submitted while it is set, which shortens the
wait as much as possible. Note this part is optional.


--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -589,6 +589,8 @@ struct usb_xpad {
int pad_nr; /* the order x360 pads were attached */
const char *name; /* name of the device */
struct work_struct work; /* init/remove device from callback */
+ atomic_t urb_inflight, destroying;
+ wait_queue_head_t inflight_wq;
};

static int xpad_init_input(struct usb_xpad *xpad);
@@ -1033,6 +1035,7 @@ static int xpad_try_sending_next_out_pac
return -EIO;
}

+ atomic_inc(&xpad->urb_inflight);
xpad->irq_out_active = true;
}

@@ -1070,7 +1073,7 @@ static void xpad_irq_out(struct urb *urb
break;
}

- if (xpad->irq_out_active) {
+ if (!atomic_read(&xpad->destroying) && xpad->irq_out_active) {
usb_anchor_urb(urb, &xpad->irq_out_anchor);
error = usb_submit_urb(urb, GFP_ATOMIC);
if (error) {
@@ -1079,10 +1082,14 @@ static void xpad_irq_out(struct urb *urb
__func__, error);
usb_unanchor_urb(urb);
xpad->irq_out_active = false;
- }
+ } else
+ atomic_inc(&xpad->urb_inflight);
}

spin_unlock_irqrestore(&xpad->odata_lock, flags);
+
+ if (atomic_dec_and_test(&xpad->urb_inflight))
+ wake_up(&xpad->inflight_wq);
}

static int xpad_init_output(struct usb_interface *intf, struct usb_xpad *xpad,
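Review bot: The new tail `if (atomic_dec_and_test(&xpad->urb_inflight)) wake_up(&xpad->inflight_wq);` recreates inside the driver the race this report is about: between the decrement and the `wake_up()`, a disconnect that reaches `wait_event(xpad->inflight_wq, ...)` can observe the count already at zero, return, and `kfree(xpad)`, after which the `wake_up()` takes the lock of a wait queue head embedded in freed memory — the same `__wake_up_common_lock` read KASAN flagged, only one level down. Either keep the decrement and the wake under the wait queue's own lock so the waiter cannot see the count before the waker is done with the queue, or drop the home-grown counter and rely on `usb_kill_urb()`, which blocks until the core has finished the giveback. A comment on the pair is also needed, since `atomic_dec_and_test()` reads as if it were the synchronization on its own. `xpad_irq_out()` starts before the hunk.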
@@ -1754,6 +1761,7 @@ static int xpad_probe(struct usb_interfa
xpad->xtype = xpad_device[i].xtype;
xpad->name = xpad_device[i].name;
INIT_WORK(&xpad->work, xpad_presence_work);
+ init_waitqueue_head(&xpad->inflight_wq);

if (xpad->xtype == XTYPE_UNKNOWN) {
if (intf->cur_altsetting->desc.bInterfaceClass == USB_CLASS_VENDOR_SPEC) {
@@ -1859,6 +1867,8 @@ static void xpad_disconnect(struct usb_i
{
struct usb_xpad *xpad = usb_get_intfdata(intf);

+ atomic_inc(&xpad->destroying);
+
if (xpad->xtype == XTYPE_XBOX360W)
xpad360w_stop_input(xpad);

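Review bot: `atomic_inc(&xpad->destroying)` is used as a boolean set; `atomic_set(&xpad->destroying, 1)` says what is meant and cannot drift if the path were ever re-entered. Its only reader, `xpad_irq_out()`, tests the flag under `odata_lock` when deciding whether to resubmit, so taking that lock here around the store would give an explicit ordering against an in-progress resubmit decision instead of relying on the atomic alone. A one-line comment, `/* stop xpad_irq_out() from resubmitting; it checks this under odata_lock */`, would document the intent. `xpad_disconnect()` continues past the hunk.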
@@ -1876,6 +1886,7 @@ static void xpad_disconnect(struct usb_i
usb_free_coherent(xpad->udev, XPAD_PKT_LEN,
xpad->idata, xpad->idata_dma);

+ wait_event(xpad->inflight_wq, atomic_read(&xpad->urb_inflight) == 0);
kfree(xpad);

usb_set_intfdata(intf, NULL);
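Review bot: The `wait_event()` has no timeout, so any submit path without a matching `urb_inflight` increment, or a completion that never runs, hangs the disconnect thread forever; the original code's bounded `usb_wait_anchor_empty_timeout()` followed by a kill is the safer shape, and `usb_kill_urb()` on `irq_out` would also wait for the giveback to finish without a driver-side counter. The wait is also placed only in front of `kfree(xpad)`, after `xpad_stop_output()` and `xpad_deinit_output()` (between the hunks) have already run, so if the goal is that the callback is fully done before anything it touches is released, it belongs in `xpad_stop_output()`. `xpad_disconnect()` begins before the hunk.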

syzbot

Aug 21, 2021, 5:47:14 PM8/21/21
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.