Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3118855yba;
        Sat, 18 May 2019 09:38:53 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz4xzHfRd14IU6J+O0Ts6DXctkcgbqJRzo7tt+TKCkfgDbo65ji2KcXPlBl58YVGbfLJB0A
X-Received: by 2002:a62:4ece:: with SMTP id c197mr68875912pfb.139.1558197532972;
        Sat, 18 May 2019 09:38:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558197532; cv=none;
        d=google.com; s=arc-20160816;
        b=hJxMGK8AQuXOXYuanRixYFGV8sDmqzyCoLfYhdu9yynKxCNe0PSpHTYPCXdpUHHB7j
         wow17MtVS9UW/TErnHz9hmuRooFdIYNlik5k/w3K3sKmCTAd0cLWb1vHtPdG6HEk8g+X
         CTiNIO1jA50N85emkNnSUVsHWIXZ4Gi+bmc7lvqDyxAQJU51PB79D3Li+cUOTRM756Kr
         CD74Qe+U1UOX8YCdgLbA8AVOxGY1mKfSgg0++CD7iSqTy6aaDUiaVUbYa49icKSxJYP8
         MA/mmVK/1sh0cADPzXrUOCzpNreoIYqC/qx2hbBfs9J+YYKdQcCk2y/m3kaOT/lN6egQ
         c6hA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:from:subject:message-id:in-reply-to
         :date:mime-version;
        bh=XQeWzljs1DH6t0S4944Drg1GlykramoA+3gl7La3QNE=;
        b=Hu6LM0gsdhLK0jykZUJKaSPTfILugYurDGDh0/67UY5x6dAfhqBcfBdL6ElY4V7CTH
         Um5tZ9LRYWxpyps8aOLXcbl7OSBKzKviZIQJgjgGdVshKsY+q8qBMm4YjBev2YupiB7G
         bAhTuhTxnj0iMO2KBUSqs5XR0Zu/MxUwJSe8Ek5HrOcUWavZn/+P39YrpPhXokGwfZyg
         FfE+FN1Iy/36fRvh0NrH4CCLhE5BwUcGFvb/umrGmShFXO7+y6dUbW0d4OH1crcObLN9
         V2v+JjUtmSiVd/K3VQcssiaj6YIZf9hzTPQ4brSv6fDFQS5l7jm12rs9QFUqqHE4N5Vf
         9k2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l190si12285397pga.255.2019.05.18.09.38.27;
        Sat, 18 May 2019 09:38:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729354AbfERPuC (ORCPT <rfc822;andy.lavr@gmail.com> + 99 others);
        Sat, 18 May 2019 11:50:02 -0400
Received: from mail-it1-f197.google.com ([209.85.166.197]:37660 "EHLO
        mail-it1-f197.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729323AbfERPuC (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Sat, 18 May 2019 11:50:02 -0400
Received: by mail-it1-f197.google.com with SMTP id n10so3161794ita.2
        for <linux-wireless@vger.kernel.org>; Sat, 18 May 2019 08:50:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:date:in-reply-to:message-id:subject
         :from:to;
        bh=XQeWzljs1DH6t0S4944Drg1GlykramoA+3gl7La3QNE=;
        b=Y935JU/SbD/G5k1Uq16su1w9G0L4jd2BcGmlpUaKeCZO2KShwrDXm9sYwXfGbWVKNg
         vXrCTpbtUzA02LYXmHWV3wFIxwZHdEnsfPKxjoF2I79ofu8a+F+JPs71cyXBcT4tQdNq
         cUVdh3MwxSh2u9AT2RxJXP12+orsgL6/WVvYTGnh3JIoeoPh0Vrd3r5iLUqyq5uwbB1y
         evpQRbukG4ocYhTe9+ML5DTUk5cQF3MM+EqBENLq2waVkjIbZAT80adDLKbZ8Eu0wn2W
         m7AgFsnQ+LsxvWP7GAn9oshSAQpZO5+lFHCKRjRKPFFWqb8/lgS9XGiqynsA0eoGNGzc
         8sgQ==
X-Gm-Message-State: APjAAAWqGFjPVV4VhO/LjFvmFtb5LbvhKQsZOEDWNGLHRLTiDlfoNweq
        CY5YvBjC1iLEnVeAFBxvP3fBuNK+VQ5u65eeP9+iBYXsQlaX
MIME-Version: 1.0
X-Received: by 2002:a02:412:: with SMTP id 18mr5592188jab.82.1558194600923;
 Sat, 18 May 2019 08:50:00 -0700 (PDT)
Date:   Sat, 18 May 2019 08:50:00 -0700
In-Reply-To: <Pine.LNX.4.44L0.1905181045400.7855-100000@netrider.rowland.org>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <000000000000add98105892b73ec@google.com>
Subject: Re: KASAN: use-after-free Read in p54u_load_firmware_cb
From:   syzbot <syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com>
To:     andreyknvl@google.com, chunkeey@gmail.com, chunkeey@googlemail.com,
        davem@davemloft.net, kvalo@codeaurora.org,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        oneukum@suse.com, stern@rowland.harvard.edu,
        syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb

usb 6-1: Direct firmware load for isl3887usb failed with error -2
p54u_load_firmware_cb: priv->udev = ffff88809ad5bb80
usb 6-1: Firmware not found.
==================================================================
BUG: KASAN: slab-out-of-bounds in p54u_load_firmware_cb+0x3c9/0x45f  
drivers/net/wireless/intersil/p54/p54usb.c:937
Read of size 8 at addr ffff88809abab588 by task kworker/1:8/5526

CPU: 1 PID: 5526 Comm: kworker/1:8 Not tainted 5.1.0-rc3-g43151d6-dirty #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xe8/0x16e lib/dump_stack.c:113
  print_address_description+0x6c/0x236 mm/kasan/report.c:187
  kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
  p54u_load_firmware_cb+0x3c9/0x45f  
drivers/net/wireless/intersil/p54/p54usb.c:937
  request_firmware_work_func+0x12d/0x249  
drivers/base/firmware_loader/main.c:785
  process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
  worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
  kthread+0x313/0x420 kernel/kthread.c:253
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 5503:
  set_track mm/kasan/common.c:87 [inline]
  __kasan_kmalloc mm/kasan/common.c:497 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
  slab_post_alloc_hook mm/slab.h:437 [inline]
  slab_alloc_node mm/slub.c:2756 [inline]
  __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
  __kmalloc_reserve.isra.0+0x3e/0xf0 net/core/skbuff.c:140
  __alloc_skb+0xf4/0x5a0 net/core/skbuff.c:208
  alloc_skb include/linux/skbuff.h:1058 [inline]
  netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
  netlink_sendmsg+0x8db/0xcd0 net/netlink/af_netlink.c:1900
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0xda/0x130 net/socket.c:661
  ___sys_sendmsg+0x80b/0x930 net/socket.c:2260
  __sys_sendmsg+0xf1/0x1b0 net/socket.c:2298
  do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5503:
  set_track mm/kasan/common.c:87 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
  slab_free_hook mm/slub.c:1429 [inline]
  slab_free_freelist_hook+0x5e/0x140 mm/slub.c:1456
  slab_free mm/slub.c:3003 [inline]
  kfree+0xce/0x290 mm/slub.c:3958
  skb_free_head+0x90/0xb0 net/core/skbuff.c:557
  skb_release_data+0x543/0x8b0 net/core/skbuff.c:577
  skb_release_all+0x4b/0x60 net/core/skbuff.c:631
  __kfree_skb net/core/skbuff.c:645 [inline]
  consume_skb net/core/skbuff.c:705 [inline]
  consume_skb+0xc5/0x2f0 net/core/skbuff.c:699
  netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
  netlink_unicast+0x4e2/0x690 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x810/0xcd0 net/netlink/af_netlink.c:1925
  sock_sendmsg_nosec net/socket.c:651 [inline]
  sock_sendmsg+0xda/0x130 net/socket.c:661
  ___sys_sendmsg+0x80b/0x930 net/socket.c:2260
  __sys_sendmsg+0xf1/0x1b0 net/socket.c:2298
  do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809abab180
  which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes to the right of
  1024-byte region [ffff88809abab180, ffff88809abab580)
The buggy address belongs to the page:
page:ffffea00026aea00 count:1 mapcount:0 mapping:ffff88812c3f4a00 index:0x0  
compound_mapcount: 0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000200 ffff88812c3f4a00
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff88809abab480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88809abab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809abab580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffff88809abab600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88809abab680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=108a0108a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1292f852a00000