Dear developers and maintainers,
We encountered a slab-out-of-bounds bug while using our modified
syzkaller. It was tested against the latest upstream kernel (6.9). The
kernel was compiled with clang 14.0.0; the kernel config and C repro are
attached to this email. The kernel crash log is listed below.
==================================================================
BUG: KASAN: slab-out-of-bounds in asus_report_fixup+0x855/0xfe0
drivers/hid/hid-asus.c:1210
Read of size 1 at addr ffff888066e5a4cb by task kworker/1:2/783
CPU: 1 PID: 783 Comm: kworker/1:2 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
print_address_description+0x7b/0x360 mm/kasan/report.c:377
print_report+0xfd/0x1e0 mm/kasan/report.c:488
kasan_report+0xce/0x100 mm/kasan/report.c:601
asus_report_fixup+0x855/0xfe0 drivers/hid/hid-asus.c:1210
hid_open_report+0x1ab/0x1540 drivers/hid/hid-core.c:1235
hid_parse include/linux/hid.h:1118 [inline]
asus_probe+0x844/0xcd0 drivers/hid/hid-asus.c:1065
__hid_device_probe drivers/hid/hid-core.c:2633 [inline]
hid_device_probe+0x2cd/0x4c0 drivers/hid/hid-core.c:2670
call_driver_probe+0x98/0x1c0
really_probe+0x278/0x8e0 drivers/base/dd.c:656
__driver_probe_device+0x199/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x240 drivers/base/dd.c:828
__device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
__device_attach+0x317/0x500 drivers/base/dd.c:1028
bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
device_add+0x8fc/0xca0 drivers/base/core.c:3720
hid_add_device+0x3a7/0x510 drivers/hid/hid-core.c:2816
usbhid_probe+0xdc7/0x1220 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x6ad/0xc60 drivers/usb/core/driver.c:399
call_driver_probe+0x98/0x1c0
really_probe+0x278/0x8e0 drivers/base/dd.c:656
__driver_probe_device+0x199/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x240 drivers/base/dd.c:828
__device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
__device_attach+0x317/0x500 drivers/base/dd.c:1028
bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
device_add+0x8fc/0xca0 drivers/base/core.c:3720
usb_set_configuration+0x1a53/0x20b0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x86/0x140 drivers/usb/core/generic.c:254
usb_probe_device+0x1a8/0x360 drivers/usb/core/driver.c:294
call_driver_probe+0x98/0x1c0
really_probe+0x278/0x8e0 drivers/base/dd.c:656
__driver_probe_device+0x199/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x240 drivers/base/dd.c:828
__device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
__device_attach+0x317/0x500 drivers/base/dd.c:1028
bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
device_add+0x8fc/0xca0 drivers/base/core.c:3720
usb_new_device+0x1015/0x1950 drivers/usb/core/hub.c:2652
hub_port_connect+0xf28/0x2090 drivers/usb/core/hub.c:5522
hub_port_connect_change+0x53f/0x8f0 drivers/usb/core/hub.c:5662
port_event+0xdcf/0x12c0 drivers/usb/core/hub.c:5822
hub_event+0x55a/0xc70 drivers/usb/core/hub.c:5904
process_one_work kernel/workqueue.c:3267 [inline]
process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3348
worker_thread+0x85c/0xd50 kernel/workqueue.c:3429
kthread+0x2ed/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 783:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:4039 [inline]
__kmalloc_node_track_caller+0x254/0x4f0 mm/slub.c:4059
kmemdup+0x2a/0x70 mm/util.c:131
_Z7kmemdupPKvU25pass_dynamic_object_size0mj
include/linux/fortify-string.h:743 [inline]
call_hid_bpf_rdesc_fixup include/linux/hid_bpf.h:157 [inline]
hid_open_report+0x140/0x1540 drivers/hid/hid-core.c:1230
hid_parse include/linux/hid.h:1118 [inline]
asus_probe+0x844/0xcd0 drivers/hid/hid-asus.c:1065
__hid_device_probe drivers/hid/hid-core.c:2633 [inline]
hid_device_probe+0x2cd/0x4c0 drivers/hid/hid-core.c:2670
call_driver_probe+0x98/0x1c0
really_probe+0x278/0x8e0 drivers/base/dd.c:656
__driver_probe_device+0x199/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x240 drivers/base/dd.c:828
__device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
__device_attach+0x317/0x500 drivers/base/dd.c:1028
bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
device_add+0x8fc/0xca0 drivers/base/core.c:3720
hid_add_device+0x3a7/0x510 drivers/hid/hid-core.c:2816
usbhid_probe+0xdc7/0x1220 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x6ad/0xc60 drivers/usb/core/driver.c:399
call_driver_probe+0x98/0x1c0
really_probe+0x278/0x8e0 drivers/base/dd.c:656
__driver_probe_device+0x199/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x240 drivers/base/dd.c:828
__device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
__device_attach+0x317/0x500 drivers/base/dd.c:1028
bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
device_add+0x8fc/0xca0 drivers/base/core.c:3720
usb_set_configuration+0x1a53/0x20b0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x86/0x140 drivers/usb/core/generic.c:254
usb_probe_device+0x1a8/0x360 drivers/usb/core/driver.c:294
call_driver_probe+0x98/0x1c0
really_probe+0x278/0x8e0 drivers/base/dd.c:656
__driver_probe_device+0x199/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x240 drivers/base/dd.c:828
__device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
__device_attach+0x317/0x500 drivers/base/dd.c:1028
bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
device_add+0x8fc/0xca0 drivers/base/core.c:3720
usb_new_device+0x1015/0x1950 drivers/usb/core/hub.c:2652
hub_port_connect+0xf28/0x2090 drivers/usb/core/hub.c:5522
hub_port_connect_change+0x53f/0x8f0 drivers/usb/core/hub.c:5662
port_event+0xdcf/0x12c0 drivers/usb/core/hub.c:5822
hub_event+0x55a/0xc70 drivers/usb/core/hub.c:5904
process_one_work kernel/workqueue.c:3267 [inline]
process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3348
worker_thread+0x85c/0xd50 kernel/workqueue.c:3429
kthread+0x2ed/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff888066e5a480
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes to the right of
allocated 75-byte region [ffff888066e5a480, ffff888066e5a4cb)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66e5a
flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 04fff00000000800 ffff888013441280 ffffea0001949700 dead000000000002
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid
4804, tgid 4804 (systemd-udevd), ts 38895358525, free_ts 37534477740
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0x7d2/0x850 mm/page_alloc.c:3317
__alloc_pages+0x25e/0x580 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x6b/0x1a0 mm/slub.c:2190
allocate_slab+0x5d/0x200 mm/slub.c:2353
new_slab mm/slub.c:2406 [inline]
___slab_alloc+0xa95/0xf20 mm/slub.c:3592
__slab_alloc mm/slub.c:3682 [inline]
__slab_alloc_node mm/slub.c:3735 [inline]
slab_alloc_node mm/slub.c:3908 [inline]
__do_kmalloc_node mm/slub.c:4038 [inline]
__kmalloc_node+0x2dd/0x4f0 mm/slub.c:4046
kmalloc_array_node include/linux/slab.h:726 [inline]
kcalloc_node include/linux/slab.h:731 [inline]
memcg_alloc_slab_cgroups+0x80/0x120 mm/memcontrol.c:3015
account_slab mm/slub.c:2316 [inline]
allocate_slab+0x99/0x200 mm/slub.c:2371
new_slab mm/slub.c:2406 [inline]
___slab_alloc+0xa95/0xf20 mm/slub.c:3592
__slab_alloc mm/slub.c:3682 [inline]
__slab_alloc_node mm/slub.c:3735 [inline]
slab_alloc_node mm/slub.c:3908 [inline]
kmem_cache_alloc_lru+0x24d/0x370 mm/slub.c:3937
alloc_inode_sb include/linux/fs.h:3107 [inline]
alloc_inode fs/inode.c:263 [inline]
iget_locked+0x1f2/0x810 fs/inode.c:1280
kernfs_get_inode+0x51/0x750 fs/kernfs/inode.c:251
kernfs_iop_lookup+0x263/0x380 fs/kernfs/dir.c:1214
__lookup_slow+0x274/0x3b0 fs/namei.c:1692
lookup_slow+0x53/0x70 fs/namei.c:1709
page last free pid 4804 tgid 4804 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x72f/0x7c0 mm/page_alloc.c:2347
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
__folio_put_small mm/swap.c:119 [inline]
__folio_put+0x20b/0x360 mm/swap.c:142
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x75/0xf0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0xa43/0x1740 kernel/rcu/tree.c:2809
handle_softirqs+0x274/0x730 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xd7/0x1a0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x20 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffff888066e5a380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888066e5a400: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff888066e5a480: 00 00 00 00 00 00 00 00 00 03 fc fc fc fc fc fc
^
ffff888066e5a500: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888066e5a580: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
If you have any questions, please contact us.
Reported by Yue Sun <[email protected]>
Reported by xingwei lee <[email protected]>
Best Regards,
Yue
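The report above shows a 1-byte read at offset 75 of a 75-byte kmemdup() copy of the report descriptor, inside the driver's report_fixup callback. The following is an added, user-space model of such a fixup (not code from hid-asus.c; the offset and byte values are constructed) showing the length check that keeps every rdesc[] access inside *rsize, so a descriptor that is too short is skipped rather than read past its allocation.

```c
/* Added example, not hid-asus.c code: a user-space model of a HID
 * report_fixup() callback that inspects a byte at a fixed descriptor
 * offset. The KASAN report shows rdesc[75] read with *rsize == 75.
 * CHECK_OFFSET and the byte values are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CHECK_OFFSET 75u   /* constructed: descriptor byte the fixup inspects */
#define OLD_VALUE    0x81u /* constructed: value the fixup looks for */
#define NEW_VALUE    0x01u /* constructed: replacement value */

/* Every descriptor read goes through a length check, so a short
 * descriptor (e.g. from a malformed or fuzzed device) is refused. */
static bool rdesc_get(const uint8_t *rdesc, unsigned int rsize,
                      unsigned int idx, uint8_t *out)
{
    if (idx >= rsize)
        return false;
    *out = rdesc[idx];
    return true;
}

/* Returns -1 if the descriptor is too short to inspect (left untouched),
 *          0 if it is long enough but the expected byte is absent,
 *          1 if the byte was patched in place. */
int model_report_fixup(uint8_t *rdesc, unsigned int *rsize)
{
    uint8_t b;

    if (!rdesc_get(rdesc, *rsize, CHECK_OFFSET, &b))
        return -1; /* the 75-byte descriptor from the report stops here */
    if (b != OLD_VALUE)
        return 0;
    rdesc[CHECK_OFFSET] = NEW_VALUE;
    return 1;
}

/* Builds a constructed descriptor of the given size whose last byte is
 * last_byte, then runs the model fixup on it. */
int run_demo(unsigned int size, uint8_t last_byte)
{
    uint8_t buf[128] = {0};
    unsigned int rsize = size;

    if (size == 0 || size > sizeof(buf))
        return -2;
    buf[size - 1] = last_byte;
    return model_report_fixup(buf, &rsize);
}

int main(void)
{
    printf("75-byte descriptor: %d\n", run_demo(75, 0x81)); /* -1: skipped */
    printf("76-byte, match:     %d\n", run_demo(76, 0x81)); /* 1: patched */
    printf("76-byte, no match:  %d\n", run_demo(76, 0x05)); /* 0 */
    return 0;
}
```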