KASAN: use-after-free Write in keyspan_close

From: Rondreis
Date: Tue Sep 20 2022 - 10:48:14 EST


Hello,

When fuzzing the Linux kernel driver v6.0-rc6, the following crash was triggered.

HEAD commit: 521a547ced6477c54b4b0cc206000406c221b4d6
git tree: upstream

kernel config: https://pastebin.com/raw/hekxU61F
console output: https://pastebin.com/raw/gvADdA0t

Sorry for failing to extract the reproducer. But I also triggered this crash on other versions of Linux.

I would appreciate it if you have any idea how to solve this bug.

The crash report is as follows:
==================================================================
BUG: KASAN: use-after-free in keyspan_close+0x240/0x260 drivers/usb/serial/keyspan.c:1589
Write of size 4 at addr ffff88805a1e7104 by task syz-executor.5/27414

CPU: 1 PID: 27414 Comm: syz-executor.5 Not tainted 6.0.0-rc4+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0xe5/0x66d mm/kasan/report.c:433
kasan_report+0x8a/0x1b0 mm/kasan/report.c:495
keyspan_close+0x240/0x260 drivers/usb/serial/keyspan.c:1589
serial_port_shutdown+0x89/0x110 drivers/usb/serial/usb-serial.c:309
tty_port_shutdown+0x1ec/0x270 drivers/tty/tty_port.c:379
tty_port_hangup+0x103/0x170 drivers/tty/tty_port.c:407
__tty_hangup.part.0+0x65b/0x770 drivers/tty/tty_io.c:660
__tty_hangup drivers/tty/tty_io.c:592 [inline]
tty_vhangup drivers/tty/tty_io.c:707 [inline]
tty_ioctl+0x956/0x1430 drivers/tty/tty_io.c:2718
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff1e4ca80fd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff1e5421bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff1e4d9c4e0 RCX: 00007ff1e4ca80fd
RDX: 0000000000000000 RSI: 0000000000005437 RDI: 0000000000000003
RBP: 00007ff1e4d0b606 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffcf5e0c9f R14: 00007fffcf5e0e40 R15: 00007ff1e5421d80
</TASK>

Allocated by task 9889:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
____kasan_kmalloc mm/kasan/common.c:475 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
kasan_kmalloc include/linux/kasan.h:234 [inline]
kmem_cache_alloc_trace+0x19b/0x380 mm/slub.c:3284
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:733 [inline]
keyspan_port_probe+0xbe/0xe40 drivers/usb/serial/keyspan.c:2886
usb_serial_device_probe+0xfe/0x3d0 drivers/usb/serial/bus.c:47
call_driver_probe drivers/base/dd.c:560 [inline]
really_probe+0x249/0xa90 drivers/base/dd.c:639
__driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
__device_attach_driver+0x1da/0x2d0 drivers/base/dd.c:936
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x283/0x480 drivers/base/dd.c:1008
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xc96/0x1da0 drivers/base/core.c:3517
usb_serial_probe.cold+0x163f/0x291e drivers/usb/serial/usb-serial.c:1152
usb_probe_interface+0x361/0x800 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:560 [inline]
really_probe+0x249/0xa90 drivers/base/dd.c:639
__driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
__device_attach_driver+0x1da/0x2d0 drivers/base/dd.c:936
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x283/0x480 drivers/base/dd.c:1008
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xc96/0x1da0 drivers/base/core.c:3517
usb_set_configuration+0x1014/0x1900 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:238
usb_probe_device+0xd4/0x2a0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:560 [inline]
really_probe+0x249/0xa90 drivers/base/dd.c:639
__driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
__device_attach_driver+0x1da/0x2d0 drivers/base/dd.c:936
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x283/0x480 drivers/base/dd.c:1008
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xc96/0x1da0 drivers/base/core.c:3517
usb_new_device.cold+0x69d/0x10ef drivers/usb/core/hub.c:2573
hub_port_connect drivers/usb/core/hub.c:5353 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
port_event drivers/usb/core/hub.c:5653 [inline]
hub_event+0x23bd/0x4260 drivers/usb/core/hub.c:5735
process_one_work+0x9c7/0x1650 kernel/workqueue.c:2289
worker_thread+0x623/0x1070 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 9889:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:367 [inline]
____kasan_slab_free mm/kasan/common.c:329 [inline]
__kasan_slab_free+0x11d/0x1b0 mm/kasan/common.c:375
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1754 [inline]
slab_free_freelist_hook mm/slub.c:1780 [inline]
slab_free mm/slub.c:3534 [inline]
kfree+0xe9/0x650 mm/slub.c:4562
usb_serial_device_remove+0x13f/0x1a0 drivers/usb/serial/bus.c:97
device_remove+0xc8/0x170 drivers/base/dd.c:548
__device_release_driver drivers/base/dd.c:1249 [inline]
device_release_driver_internal+0x1a7/0x360 drivers/base/dd.c:1275
bus_remove_device+0x2e3/0x590 drivers/base/bus.c:529
device_del+0x5d2/0xe80 drivers/base/core.c:3704
usb_serial_disconnect+0x23e/0x3b0 drivers/usb/serial/usb-serial.c:1205
usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:550 [inline]
device_remove+0x11f/0x170 drivers/base/dd.c:542
__device_release_driver drivers/base/dd.c:1249 [inline]
device_release_driver_internal+0x1a7/0x360 drivers/base/dd.c:1275
bus_remove_device+0x2e3/0x590 drivers/base/bus.c:529
device_del+0x5d2/0xe80 drivers/base/core.c:3704
usb_disable_device+0x214/0x600 drivers/usb/core/message.c:1419
usb_disconnect+0x285/0x860 drivers/usb/core/hub.c:2235
hub_port_connect drivers/usb/core/hub.c:5197 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
port_event drivers/usb/core/hub.c:5653 [inline]
hub_event+0x1c1b/0x4260 drivers/usb/core/hub.c:5735
process_one_work+0x9c7/0x1650 kernel/workqueue.c:2289
worker_thread+0x623/0x1070 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
insert_work+0x4a/0x390 kernel/workqueue.c:1358
__queue_work+0x4d4/0x1200 kernel/workqueue.c:1517
queue_work_on+0xee/0x110 kernel/workqueue.c:1545
queue_work include/linux/workqueue.h:503 [inline]
call_usermodehelper_exec+0x1cc/0x490 kernel/umh.c:435
kobject_uevent_env+0xf14/0x1640 lib/kobject_uevent.c:618
kset_register+0x49/0x60 lib/kobject.c:849
__class_register+0x20b/0x4a0 drivers/base/class.c:188
__class_create+0xca/0x140 drivers/base/class.c:242
ghid_setup+0x71/0x150 drivers/usb/gadget/function/f_hid.c:1322
hidg_alloc_inst+0x179/0x250 drivers/usb/gadget/function/f_hid.c:1217
try_get_usb_function_instance+0x122/0x1e0 drivers/usb/gadget/functions.c:28
usb_get_function_instance+0x13/0xa0 drivers/usb/gadget/functions.c:44
function_make+0x105/0x3e0 drivers/usb/gadget/configfs.c:617
configfs_mkdir+0x46a/0xb90 fs/configfs/dir.c:1327
vfs_mkdir+0x69f/0xa30 fs/namei.c:4013
do_mkdirat+0x249/0x2c0 fs/namei.c:4038
__do_sys_mkdir fs/namei.c:4058 [inline]
__se_sys_mkdir fs/namei.c:4056 [inline]
__x64_sys_mkdir+0x61/0x80 fs/namei.c:4056
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
insert_work+0x4a/0x390 kernel/workqueue.c:1358
__queue_work+0x4d4/0x1200 kernel/workqueue.c:1517
queue_work_on+0xee/0x110 kernel/workqueue.c:1545
queue_work include/linux/workqueue.h:503 [inline]
call_usermodehelper_exec+0x1cc/0x490 kernel/umh.c:435
kobject_uevent_env+0xf14/0x1640 lib/kobject_uevent.c:618
netdev_queue_add_kobject net/core/net-sysfs.c:1677 [inline]
netdev_queue_update_kobjects+0x3ba/0x4d0 net/core/net-sysfs.c:1718
register_queue_kobjects net/core/net-sysfs.c:1779 [inline]
netdev_register_kobject+0x333/0x400 net/core/net-sysfs.c:2019
register_netdevice+0xbe9/0x1370 net/core/dev.c:10070
__ip_tunnel_create+0x398/0x580 net/ipv4/ip_tunnel.c:267
ip_tunnel_init_net+0x32c/0xa40 net/ipv4/ip_tunnel.c:1073
ops_init+0xaf/0x420 net/core/net_namespace.c:135
setup_net+0x415/0xa40 net/core/net_namespace.c:326
copy_net_ns+0x2d9/0x660 net/core/net_namespace.c:472
create_new_namespaces.isra.0+0x3cb/0xae0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc8/0x1f0 kernel/nsproxy.c:227
ksys_unshare+0x450/0x920 kernel/fork.c:3183
__do_sys_unshare kernel/fork.c:3254 [inline]
__se_sys_unshare kernel/fork.c:3252 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3252
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88805a1e7100
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 4 bytes inside of
192-byte region [ffff88805a1e7100, ffff88805a1e71c0)

The buggy address belongs to the physical page:
page:ffffea00016879c0 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x5a1e7
flags: 0x4fff00000000200(slab|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000200 0000000000000000 dead000000000001 ffff888011c41a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 6450, tgid 6450 (syz-executor.1), ts 146447587150, free_ts 146293511182
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2525 [inline]
prep_new_page+0x2c6/0x350 mm/page_alloc.c:2532
get_page_from_freelist+0xae9/0x3a80 mm/page_alloc.c:4283
__alloc_pages+0x321/0x710 mm/page_alloc.c:5515
alloc_pages+0x117/0x2f0 mm/mempolicy.c:2270
alloc_slab_page mm/slub.c:1824 [inline]
allocate_slab mm/slub.c:1969 [inline]
new_slab+0x246/0x3a0 mm/slub.c:2029
___slab_alloc+0xa50/0x1060 mm/slub.c:3031
__slab_alloc.isra.0+0x4d/0xa0 mm/slub.c:3118
slab_alloc_node mm/slub.c:3209 [inline]
slab_alloc mm/slub.c:3251 [inline]
kmem_cache_alloc_trace+0x35b/0x380 mm/slub.c:3282
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:733 [inline]
call_usermodehelper_setup+0x97/0x340 kernel/umh.c:365
kobject_uevent_env+0xef5/0x1640 lib/kobject_uevent.c:614
netdev_queue_add_kobject net/core/net-sysfs.c:1677 [inline]
netdev_queue_update_kobjects+0x3ba/0x4d0 net/core/net-sysfs.c:1718
register_queue_kobjects net/core/net-sysfs.c:1779 [inline]
netdev_register_kobject+0x333/0x400 net/core/net-sysfs.c:2019
register_netdevice+0xbe9/0x1370 net/core/dev.c:10070
veth_newlink+0x4d6/0x9a0 drivers/net/veth.c:1795
rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
__rtnl_newlink+0xfbc/0x16f0 net/core/rtnetlink.c:3580
rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1449 [inline]
free_pcp_prepare+0x5ab/0xd00 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x19/0x410 mm/page_alloc.c:3476
__vunmap+0x6ff/0xaa0 mm/vmalloc.c:2696
free_work+0x58/0x70 mm/vmalloc.c:97
process_one_work+0x9c7/0x1650 kernel/workqueue.c:2289
worker_thread+0x623/0x1070 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Memory state around the buggy address:
 ffff88805a1e7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88805a1e7080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805a1e7100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88805a1e7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88805a1e7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================