Date: Sat, 18 May 2019 08:50:00 -0700
Message-ID: <000000000000add98105892b73ec@google.com>
Subject: Re: KASAN: use-after-free Read in p54u_load_firmware_cb
From: syzbot
To: andreyknvl@google.com, chunkeey@gmail.com, chunkeey@googlemail.com, davem@davemloft.net, kvalo@codeaurora.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, oneukum@suse.com, stern@rowland.harvard.edu, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-wireless@vger.kernel.org

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:

KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb

usb 6-1: Direct firmware load for isl3887usb failed with error -2
p54u_load_firmware_cb: priv->udev = ffff88809ad5bb80
usb 6-1: Firmware not found.
==================================================================
BUG: KASAN: slab-out-of-bounds in p54u_load_firmware_cb+0x3c9/0x45f drivers/net/wireless/intersil/p54/p54usb.c:937
Read of size 8 at addr ffff88809abab588 by task kworker/1:8/5526

CPU: 1 PID: 5526 Comm: kworker/1:8 Not tainted 5.1.0-rc3-g43151d6-dirty #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe8/0x16e lib/dump_stack.c:113
 print_address_description+0x6c/0x236 mm/kasan/report.c:187
 kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
 p54u_load_firmware_cb+0x3c9/0x45f drivers/net/wireless/intersil/p54/p54usb.c:937
 request_firmware_work_func+0x12d/0x249 drivers/base/firmware_loader/main.c:785
 process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
 worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
 kthread+0x313/0x420 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 5503:
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc_node mm/slub.c:2756 [inline]
 __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
 __kmalloc_reserve.isra.0+0x3e/0xf0 net/core/skbuff.c:140
 __alloc_skb+0xf4/0x5a0 net/core/skbuff.c:208
 alloc_skb include/linux/skbuff.h:1058 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x8db/0xcd0 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xda/0x130 net/socket.c:661
 ___sys_sendmsg+0x80b/0x930 net/socket.c:2260
 __sys_sendmsg+0xf1/0x1b0 net/socket.c:2298
 do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5503:
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
 slab_free_hook mm/slub.c:1429 [inline]
 slab_free_freelist_hook+0x5e/0x140 mm/slub.c:1456
 slab_free mm/slub.c:3003 [inline]
 kfree+0xce/0x290 mm/slub.c:3958
 skb_free_head+0x90/0xb0 net/core/skbuff.c:557
 skb_release_data+0x543/0x8b0 net/core/skbuff.c:577
 skb_release_all+0x4b/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb net/core/skbuff.c:705 [inline]
 consume_skb+0xc5/0x2f0 net/core/skbuff.c:699
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x4e2/0x690 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x810/0xcd0 net/netlink/af_netlink.c:1925
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xda/0x130 net/socket.c:661
 ___sys_sendmsg+0x80b/0x930 net/socket.c:2260
 __sys_sendmsg+0xf1/0x1b0 net/socket.c:2298
 do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809abab180
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes to the right of
 1024-byte region [ffff88809abab180, ffff88809abab580)
The buggy address belongs to the page:
page:ffffea00026aea00 count:1 mapcount:0 mapping:ffff88812c3f4a00 index:0x0 compound_mapcount: 0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000200 ffff88812c3f4a00
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809abab480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809abab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809abab580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff88809abab600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809abab680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=108a0108a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1292f852a00000
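The report above is worth reading against its own shadow dump: the thread subject says use-after-free, the retest says slab-out-of-bounds, and the "Memory state" rows explain the difference. KASAN names the bug after the shadow byte covering the faulting address; here that byte is fc (kmalloc redzone) because the 8-byte read lands 8 bytes past the end of the 1024-byte region, while the object body itself is fb (already freed). The following triage script is an added example, not syzbot's or the kernel's code. REPORT is an excerpt copied from the report in this message, SHADOW_MEANING follows the encodings in mm/kasan/kasan.h for the 5.1-era kernel named in the report (only the slab-relevant subset is listed), and all function names are this example's own.

```python
import re

# Added example: a small triage parser for the KASAN report quoted in the message above.
# It is not syzbot's or the kernel's code. REPORT is an excerpt copied from that report;
# the shadow-byte legend follows mm/kasan/kasan.h for the 5.1-era kernel the report names.

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory (a "granule")

# Subset of the shadow encodings that matter for slab reports.
SHADOW_MEANING = {
    0x00: "addressable",
    0xfb: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xfc: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "free page (KASAN_FREE_PAGE)",
}

# Excerpt of the report in this message (constructed input for the example).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in p54u_load_firmware_cb+0x3c9/0x45f drivers/net/wireless/intersil/p54/p54usb.c:937
Read of size 8 at addr ffff88809abab588 by task kworker/1:8/5526
The buggy address belongs to the object at ffff88809abab180
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes to the right of
 1024-byte region [ffff88809abab180, ffff88809abab580)
Memory state around the buggy address:
 ffff88809abab480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809abab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809abab580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff88809abab600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) (?P<loc>\S+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
REGION_RE = re.compile(r"(?P<len>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# A shadow row: optional '>' marker, 16-digit base address, 16 shadow bytes (one per granule).
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$", re.MULTILINE)


def parse_report(text):
    """Pull the bug header, the faulting access, the object region and the shadow dump out of a KASAN report."""
    bug, acc, reg = BUG_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (bug and acc and reg):
        raise ValueError("not a slab KASAN report (missing header, access or region line)")
    shadow = {}
    for m in SHADOW_RE.finditer(text):
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return {
        "kind": bug["kind"], "func": bug["func"], "loc": bug["loc"],
        "rw": acc["rw"], "size": int(acc["size"]), "addr": int(acc["addr"], 16),
        "start": int(reg["start"], 16), "end": int(reg["end"], 16),
        "shadow": shadow,
    }


def shadow_at(shadow, addr):
    """Shadow byte for the granule containing addr, or None if the dump does not cover it."""
    return shadow.get(addr & ~(SHADOW_SCALE - 1))


def locate(report):
    """Where the faulting address sits relative to the object: ('left'|'inside'|'right', byte distance)."""
    addr, start, end = report["addr"], report["start"], report["end"]
    if addr < start:
        return ("left", start - addr)
    if addr >= end:
        return ("right", addr - end)
    return ("inside", addr - start)


def explain(report):
    """Cross-check the report's offset claim against the shadow dump and decode both sides of the boundary."""
    side, dist = locate(report)
    at_access = shadow_at(report["shadow"], report["addr"])
    at_object = shadow_at(report["shadow"], report["end"] - 1)  # last granule of the object body
    return {
        "side": side, "distance": dist,
        "access_shadow": at_access, "access_meaning": SHADOW_MEANING.get(at_access, "other"),
        "object_shadow": at_object, "object_meaning": SHADOW_MEANING.get(at_object, "other"),
    }


if __name__ == "__main__":
    r = parse_report(REPORT)
    e = explain(r)
    print(f"{r['kind']}: {r['rw']} of {r['size']} bytes at {r['addr']:#x} in {r['func']} ({r['loc']})")
    print(f"object [{r['start']:#x}, {r['end']:#x}); access is {e['distance']} bytes to the {e['side']}")
    print(f"shadow at access : {e['access_shadow']:#04x} = {e['access_meaning']}")
    print(f"shadow in object : {e['object_shadow']:#04x} = {e['object_meaning']}")
```

Run on the excerpt, explain() reports the access 8 bytes to the right of the object with shadow fc, and the object's last granule with shadow fb. That is the practical reading of the retest: the same stale pointer is still being dereferenced after the skb data was freed, and whether KASAN labels it use-after-free or slab-out-of-bounds depends only on which granule the particular access happens to hit, so the two subject lines describe one bug, not two.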