Re: [PATCH] HID: USB: Fix general protection fault caused by Logitech driver

2019-09-03 Thread Andrey Konovalov
On Sat, Aug 24, 2019 at 2:41 AM  wrote:
>
> On Thu, 22 Aug 2019, Alan Stern wrote:
>
> > > > > > I've run the fuzzer with your patches applied overnight and noticed
> > > > > > another fallout of similar bugs. I think they are caused by a similar
> > > > > > issue in the sony HID driver. There's no hid_hw_stop() call in the "if
> > > > > > (!(hdev->claimed & HID_CLAIMED_INPUT))" case in sony_probe(). Does it
> > > > > > look like a bug to you?
> > > > >
> > > > > It looks like the relevant hid_hw_stop() call is the one at the end of
> > > > > sony_configure_input().  But I can't tell if doing that way is valid or
> > > > > not -- in practice the code would end up calling hid_disconnect() while
> > > > > hid_connect() was still running, which doesn't seem like a good idea.
> > > > >
> > > > > There's a comment about this near the end of sony_probe().  I suspect
> > > > > it would be better to call hid_hw_stop() in the conditional code
> > > > > following that comment rather than in sony_configure_input().
> > > > >
> > > > > Either way, these are all things Jiri should know about or check up on.
> > > > >
> > > > > Have you gotten any test results from syzbot exercising these pathways?
> > > > > You ought to be able to tell which HID driver is involved by looking
> > > > > through the console output.
> > > >
> > > > Yes, a typical crash is below, that's why I thought it's the sony
> > > > driver. Adding hid_hw_stop() in sony_probe() stops the issue from
> > > > happening, but I don't know whether it's the right fix.
> > >
> > > Probably you have to add hid_hw_stop() in sony_probe() and remove it
> > > from sony_configure_input().  But like I said above, Jiri should look
> > > into this.
>
> > It almost certainly is, thanks.
>
> > Adding Roderick to CC ... Roderick, will you be able to test and submit
> > a patch fixing that?
> >
> > --
> > Jiri Kosina
> > SUSE Labs
>
> Sure we will have a look and do some testing. Hopefully we can share a patch 
> some time next week.

Hi Roderick,

I was wondering if you had a chance to look into this?

Once the Logitech fix is upstream, this similar Sony bug will start
producing a large number of similar syzbot reports since it causes a
major memory corruption and we'll need to triage them all again. It
would be nice to get the Sony fix merged together with the Logitech
one. Or at least to have it available so I can apply it manually until
it is merged.

Thanks!


Re: [PATCH] HID: USB: Fix general protection fault caused by Logitech driver

2019-08-22 Thread Andrey Konovalov
On Thu, Aug 22, 2019 at 7:11 PM Alan Stern  wrote:
>
> On Thu, 22 Aug 2019, Andrey Konovalov wrote:
>
> > Hi Alan,
> >
> > I've run the fuzzer with your patches applied overnight and noticed
> > another fallout of similar bugs. I think they are caused by a similar
> > issue in the sony HID driver. There's no hid_hw_stop() call in the "if
> > (!(hdev->claimed & HID_CLAIMED_INPUT))" case in sony_probe(). Does it
> > look like a bug to you?
>
> It looks like the relevant hid_hw_stop() call is the one at the end of
> sony_configure_input().  But I can't tell if doing that way is valid or
> not -- in practice the code would end up calling hid_disconnect() while
> hid_connect() was still running, which doesn't seem like a good idea.
>
> There's a comment about this near the end of sony_probe().  I suspect
> it would be better to call hid_hw_stop() in the conditional code
> following that comment rather than in sony_configure_input().
>
> Either way, these are all things Jiri should know about or check up on.
>
> Have you gotten any test results from syzbot exercising these pathways?
> You ought to be able to tell which HID driver is involved by looking
> through the console output.

Yes, a typical crash is below, that's why I thought it's the sony
driver. Adding hid_hw_stop() in sony_probe() stops the issue from
happening, but I don't know whether it's the right fix.

usb 1-1: new high-speed USB device number 3 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 8
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an
invalid bInterval 0, changing7
usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor,
different from the inte9
usb 1-1: New USB device found, idVendor=054c, idProduct=024b, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
sony 0003:054C:024B.0002: unknown main item tag 0x0
sony 0003:054C:024B.0002: unknown main item tag 0x2
sony 0003:054C:024B.0002: unknown main item tag 0x0
sony 0003:054C:024B.0002: unknown main item tag 0x0
...
sony 0003:054C:024B.0002: unknown main item tag 0x0
==
BUG: KASAN: use-after-free in usbhid_power+0xca/0xe0
Read of size 8 at addr 88805d590008 by task syz-executor/1808

CPU: 1 PID: 1808 Comm: syz-executor Not tainted 5.3.0-rc5+ #203
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 print_address_description+0x6a/0x32c mm/kasan/report.c:351
 __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
 kasan_report+0xe/0x12 mm/kasan/common.c:612
 usbhid_power+0xca/0xe0 drivers/hid/usbhid/hid-core.c:1234
 hid_hw_power ./include/linux/hid.h:1038
 hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
 chrdev_open+0x219/0x5c0 fs/char_dev.c:414
 do_dentry_open+0x494/0x1120 fs/open.c:797
 do_last fs/namei.c:3416
 path_openat+0x1430/0x3f50 fs/namei.c:3533
 do_filp_open+0x1a1/0x280 fs/namei.c:3563
 do_sys_open+0x3c0/0x580 fs/open.c:1089
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe arch/x86/entry/entry_64.S:175
RIP: 0033:0x413a0e
Code: 89 54 24 08 e8 a3 f9 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44
8b 54 24 08 b8 01 01 00 4
RSP: 002b:7f7bf0a66730 EFLAGS: 0293 ORIG_RAX: 0101
RAX: ffda RBX: 6667 RCX: 00413a0e
RDX: 0200 RSI: 7f7bf0a66840 RDI: ff9c
RBP: 7f7bf0a66840 R08:  R09: 
R10:  R11: 0293 R12: 004a521c
R13: 004ef7d0 R14: 004ae881 R15: 7f7bf0a676bc

Allocated by task 78:
 save_stack+0x1b/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77
 __kasan_kmalloc mm/kasan/common.c:487
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
 slab_post_alloc_hook mm/slab.h:520
 slab_alloc_node mm/slub.c:2770
 __kmalloc_node_track_caller+0xfc/0x380 mm/slub.c:4365
 __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:141
 __alloc_skb+0xef/0x5a0 net/core/skbuff.c:209
 alloc_skb ./include/linux/skbuff.h:1055
 alloc_uevent_skb+0x7b/0x210 lib/kobject_uevent.c:289
 uevent_net_broadcast_untagged lib/kobject_uevent.c:325
 kobject_uevent_net_broadcast lib/kobject_uevent.c:408
 kobject_uevent_env+0x8ee/0x1160 lib/kobject_uevent.c:592
 device_del+0x6b2/0xb10 drivers/base/core.c:2349
 usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
 usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
 hub_port_connect drivers/usb/core/hub.c:4949
 hub_port_connect_change drivers/usb/core/hub.c:5213
 port_event drivers/usb/core/hub.c:5359
 hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
 process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
 worker_thread+0x96/

Re: WARNING in rollback_registered_many (2)

2019-08-22 Thread Andrey Konovalov
On Thu, Aug 22, 2019 at 3:07 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 7, 2019 at 4:03 PM Andrey Konovalov  wrote:
> >
> > > On Fri, Apr 12, 2019 at 1:32 PM Andrey Konovalov  wrote:
> > >
> > > On Fri, Apr 12, 2019 at 1:29 AM syzbot
> > >  wrote:
> > > >
> > > > syzbot has found a reproducer for the following crash on:
> > > >
> > > > HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10d552b720
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=40918e4d826fb2ff9b96
> > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17a4c1af20
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=121b274b20
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+40918e4d826fb2ff9...@syzkaller.appspotmail.com
> > > >
> > > > usb 1-1: r8712u: MAC Address from efuse = 00:e0:4c:87:00:00
> > > > usb 1-1: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
> > > > usb 1-1: USB disconnect, device number 2
> > > > usb 1-1: Direct firmware load for rtlwifi/rtl8712u.bin failed with error -2
> > > > usb 1-1: r8712u: Firmware request failed
> > > > WARNING: CPU: 0 PID: 575 at net/core/dev.c:8152
> > > > rollback_registered_many+0x1f3/0xe70 net/core/dev.c:8152
> > > > Kernel panic - not syncing: panic_on_warn set ...
> > > > CPU: 0 PID: 575 Comm: kworker/0:4 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > Google 01/01/2011
> > > > Workqueue: usb_hub_wq hub_event
> > > > Call Trace:
> > > >   __dump_stack lib/dump_stack.c:77 [inline]
> > > >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> > > >   panic+0x29d/0x5f2 kernel/panic.c:214
> > > >   __warn.cold+0x20/0x48 kernel/panic.c:571
> > > >   report_bug+0x262/0x2a0 lib/bug.c:186
> > > >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> > > >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> > > >   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
> > > >   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
> > > >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> > > > RIP: 0010:rollback_registered_many+0x1f3/0xe70 net/core/dev.c:8152
> > > > Code: 05 00 00 31 ff 44 89 fe e8 5a 15 f3 f4 45 84 ff 0f 85 49 ff ff ff 
> > > > e8
> > > > 1c 14 f3 f4 0f 1f 44 00 00 e8 12 14 f3 f4 e8 0d 14 f3 f4 <0f> 0b 4c 89 
> > > > e7
> > > > e8 33 72 f2 f6 31 ff 41 89 c4 89 c6 e8 27 15 f3 f4
> > > > RSP: 0018:88809d087698 EFLAGS: 00010293
> > > > RAX: 88809d058000 RBX: 88809624 RCX: 8c7eb146
> > > > RDX:  RSI: 8c7eb163 RDI: 0001
> > > > RBP: 88809d0877c8 R08: 88809d058000 R09: fbfff2708111
> > > > R10: fbfff2708110 R11: 93840887 R12: 888096240070
> > > > R13: dc00 R14: 88809d087758 R15: 
> > > >   rollback_registered+0xf7/0x1c0 net/core/dev.c:8228
> > > >   unregister_netdevice_queue net/core/dev.c:9275 [inline]
> > > >   unregister_netdevice_queue+0x1dc/0x2b0 net/core/dev.c:9268
> > > >   unregister_netdevice include/linux/netdevice.h:2655 [inline]
> > > >   unregister_netdev+0x1d/0x30 net/core/dev.c:9316
> > > >   r871xu_dev_remove+0xe7/0x223 drivers/staging/rtl8712/usb_intf.c:604
> > > >   usb_unbind_interface+0x1c9/0x980 drivers/usb/core/driver.c:423
> > > >   __device_release_driver drivers/base/dd.c:1082 [inline]
> > > >   device_release_driver_internal+0x436/0x4f0 drivers/base/dd.c:1113
> > > >   bus_remove_device+0x302/0x5c0 drivers/base/bus.c:556
> > > >   device_del+0x467/0xb90 drivers/base/core.c:2269
> > > >   usb_disable_device+0x242/0x790 drivers/usb/core/message.c:1235
> > > >   usb_disconnect+0x298/0x870 drivers/usb/core/hub.c:2197

Re: WARNING in rollback_registered_many (2)

2019-08-22 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 4:03 PM Andrey Konovalov  wrote:
>
> On Fri, Apr 12, 2019 at 1:32 PM Andrey Konovalov  wrote:
> >
> > On Fri, Apr 12, 2019 at 1:29 AM syzbot
> >  wrote:
> > >
> > > syzbot has found a reproducer for the following crash on:
> > >
> > > HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10d552b720
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=40918e4d826fb2ff9b96
> > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17a4c1af20
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=121b274b20
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+40918e4d826fb2ff9...@syzkaller.appspotmail.com
> > >
> > > usb 1-1: r8712u: MAC Address from efuse = 00:e0:4c:87:00:00
> > > usb 1-1: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
> > > usb 1-1: USB disconnect, device number 2
> > > usb 1-1: Direct firmware load for rtlwifi/rtl8712u.bin failed with error -2
> > > usb 1-1: r8712u: Firmware request failed
> > > WARNING: CPU: 0 PID: 575 at net/core/dev.c:8152
> > > rollback_registered_many+0x1f3/0xe70 net/core/dev.c:8152
> > > Kernel panic - not syncing: panic_on_warn set ...
> > > CPU: 0 PID: 575 Comm: kworker/0:4 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Workqueue: usb_hub_wq hub_event
> > > Call Trace:
> > >   __dump_stack lib/dump_stack.c:77 [inline]
> > >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> > >   panic+0x29d/0x5f2 kernel/panic.c:214
> > >   __warn.cold+0x20/0x48 kernel/panic.c:571
> > >   report_bug+0x262/0x2a0 lib/bug.c:186
> > >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> > >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> > >   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
> > >   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
> > >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> > > RIP: 0010:rollback_registered_many+0x1f3/0xe70 net/core/dev.c:8152
> > > Code: 05 00 00 31 ff 44 89 fe e8 5a 15 f3 f4 45 84 ff 0f 85 49 ff ff ff e8
> > > 1c 14 f3 f4 0f 1f 44 00 00 e8 12 14 f3 f4 e8 0d 14 f3 f4 <0f> 0b 4c 89 e7
> > > e8 33 72 f2 f6 31 ff 41 89 c4 89 c6 e8 27 15 f3 f4
> > > RSP: 0018:88809d087698 EFLAGS: 00010293
> > > RAX: 88809d058000 RBX: 88809624 RCX: 8c7eb146
> > > RDX:  RSI: 8c7eb163 RDI: 0001
> > > RBP: 88809d0877c8 R08: 88809d058000 R09: fbfff2708111
> > > R10: fbfff2708110 R11: 93840887 R12: 888096240070
> > > R13: dc00 R14: 88809d087758 R15: 
> > >   rollback_registered+0xf7/0x1c0 net/core/dev.c:8228
> > >   unregister_netdevice_queue net/core/dev.c:9275 [inline]
> > >   unregister_netdevice_queue+0x1dc/0x2b0 net/core/dev.c:9268
> > >   unregister_netdevice include/linux/netdevice.h:2655 [inline]
> > >   unregister_netdev+0x1d/0x30 net/core/dev.c:9316
> > >   r871xu_dev_remove+0xe7/0x223 drivers/staging/rtl8712/usb_intf.c:604
> > >   usb_unbind_interface+0x1c9/0x980 drivers/usb/core/driver.c:423
> > >   __device_release_driver drivers/base/dd.c:1082 [inline]
> > >   device_release_driver_internal+0x436/0x4f0 drivers/base/dd.c:1113
> > >   bus_remove_device+0x302/0x5c0 drivers/base/bus.c:556
> > >   device_del+0x467/0xb90 drivers/base/core.c:2269
> > >   usb_disable_device+0x242/0x790 drivers/usb/core/message.c:1235
> > >   usb_disconnect+0x298/0x870 drivers/usb/core/hub.c:2197
> > >   hub_port_connect drivers/usb/core/hub.c:4940 [inline]
> > >   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
> > >   port_event drivers/usb/core/hub.c:5350 [inline]
> > >   hub_event+0xcd2/0x3b00 drivers/usb/core/hub.c:5432
> > >   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
> > >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> > >   worker_thread+0x7b0/0xe20 kernel/workqueue.c:2417
> > >   kthread+0x313/0x420 kernel

Re: [PATCH] HID: USB: Fix general protection fault caused by Logitech driver

2019-08-22 Thread Andrey Konovalov
On Tue, Aug 20, 2019 at 10:00 PM Alan Stern  wrote:
>
> The syzbot fuzzer found a general protection fault in the HID subsystem:
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> CPU: 0 PID: 3715 Comm: syz-executor.3 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069
> Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02
> 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00
> RSP: 0018:8881d99d78e0 EFLAGS: 00010202
> RAX: dc00 RBX: 0020 RCX: c90003f3f000
> RDX: 000416d8686d RSI: 82676841 RDI: 0020b6c3436a
> RBP: 0020b6c340a9 R08: 8881c6d64800 R09: fbfff0e84c25
> R10: 8881d99d7940 R11: 87426127 R12: 0004
> R13:  R14: 8881d9b94000 R15: 897f9048
> FS:  7f047f542700() GS:8881db20() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 001b30f21000 CR3: 0001ca032000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
>   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
>   hid_hw_power include/linux/hid.h:1038 [inline]
>   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
>   chrdev_open+0x219/0x5c0 fs/char_dev.c:413
>   do_dentry_open+0x497/0x1040 fs/open.c:778
>   do_last fs/namei.c:3416 [inline]
>   path_openat+0x1430/0x3ff0 fs/namei.c:3533
>   do_filp_open+0x1a1/0x280 fs/namei.c:3563
>   do_sys_open+0x3c0/0x580 fs/open.c:1070
>   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> It turns out the fault was caused by a bug in the HID Logitech driver,
> which violates the requirement that every pathway calling
> hid_hw_start() must also call hid_hw_stop().  This patch fixes the bug
> by making sure the requirement is met.
>
> Reported-and-tested-by: syzbot+3cbe5cd105d2ad56a...@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern 
> CC: 
>
> ---
>
> [as1909]
>
>
>  drivers/hid/hid-lg.c|   10 ++
>  drivers/hid/hid-lg4ff.c |1 -
>  2 files changed, 6 insertions(+), 5 deletions(-)
>
> Index: usb-devel/drivers/hid/hid-lg.c
> ===
> --- usb-devel.orig/drivers/hid/hid-lg.c
> +++ usb-devel/drivers/hid/hid-lg.c
> @@ -818,7 +818,7 @@ static int lg_probe(struct hid_device *h
>
> if (!buf) {
> ret = -ENOMEM;
> -   goto err_free;
> +   goto err_stop;
> }
>
> ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
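Review bot: the relabelled `goto err_stop` at the kmemdup failure is right only because this allocation sits after hid_hw_start() has succeeded; the context shown stops short of the hid_hw_start() call itself, so confirm that the error exit for a failed hid_hw_start() still goes to err_free and not err_stop, since stopping a device that never started is as wrong as the leak this hunk fixes.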
> @@ -850,9 +850,12 @@ static int lg_probe(struct hid_device *h
> ret = lg4ff_init(hdev);
>
> if (ret)
> -   goto err_free;
> +   goto err_stop;
>
> return 0;
> +
> +err_stop:
> +   hid_hw_stop(hdev);
>  err_free:
> kfree(drv_data);
> return ret;
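Review bot: routing the lg4ff_init() failure to err_stop is safe only if lg4ff_init() does not call hid_hw_stop() on its own error paths; the hid-lg4ff.c hunk removes the stop from lg4ff_deinit() but does not touch lg4ff_init(), so that is worth confirming, otherwise an LG_FF4 device gets stopped twice. The fall-through from `err_stop:` into `err_free:` is correct and keeps the kfree(drv_data) on both exits.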
> @@ -863,8 +866,7 @@ static void lg_remove(struct hid_device
> struct lg_drv_data *drv_data = hid_get_drvdata(hdev);
> if (drv_data->quirks & LG_FF4)
> lg4ff_deinit(hdev);
> -   else
> -   hid_hw_stop(hdev);
> +   hid_hw_stop(hdev);
> kfree(drv_data);
>  }
>
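Review bot: the now-unconditional hid_hw_stop() in lg_remove() and the removal of the stop from lg4ff_deinit() in hid-lg4ff.c are one change and must land together, as they do in this patch; anyone backporting this file on its own would give LG_FF4 devices two hid_hw_stop() calls. Ordering is preserved: lg4ff_deinit() still runs before the stop, exactly as it did when the stop sat at the end of lg4ff_deinit().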
> Index: usb-devel/drivers/hid/hid-lg4ff.c
> ===
> --- usb-devel.orig/drivers/hid/hid-lg4ff.c
> +++ usb-devel/drivers/hid/hid-lg4ff.c
> @@ -1477,7 +1477,6 @@ int lg4ff_deinit(struct hid_device *hid)
> }
> }
>  #endif
> -   hid_hw_stop(hid);
> drv_data->device_props = NULL;
>
> kfree(entry);
>
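Review bot: after dropping hid_hw_stop() here, lg4ff_deinit() no longer stops the device, so every caller must do so itself; lg_remove() now does, but the diffstat covers only hid-lg.c and hid-lg4ff.c, so the commit message should state that lg_remove() is the only caller of lg4ff_deinit() rather than leave that to the reviewer to verify.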

Hi Alan,

I've run the fuzzer with your patches applied overnight and noticed
another fallout of similar bugs. I think they are caused by a similar
issue in the sony HID driver. There's no hid_hw_stop() call in the "if
(!(hdev->claimed & HID_CLAIMED_INPUT))" case in sony_probe(). Does it
look like a bug to you?

Thanks!

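The pairing rule the patch enforces (every path that calls hid_hw_start() must also call hid_hw_stop(), and no path may call it twice) can be checked mechanically. The following is an added example, not code from the patch, the kernel or anyone on this thread: a user-space model in which a fake HID core only counts start and stop calls, probe_buggy() mirrors the pre-patch lg_probe() unwinding (kmemdup and lg4ff_init failures jump to err_free and skip the stop), probe_fixed() mirrors the patched one (they jump to err_stop), and remove_old()/remove_new() mirror the two lg_remove() shapes. leaky_steps() fault-injects every step and returns a bitmask of error exits that leave the device started; stops_after_remove() shows why the lg.c and lg4ff.c hunks must land together. Step names, struct fields and the deinit_stops knob are hypothetical; only the hid_hw_start/hid_hw_stop naming comes from the page.

```c
/* Added example (hypothetical model, not kernel code): counts hid_hw_start()/
 * hid_hw_stop() calls across fault-injected probe() and remove() paths. */
#include <stdio.h>

enum step { STEP_PARSE, STEP_START, STEP_BUF, STEP_FF_INIT, STEP_COUNT };

struct fake_hid {
    int started;      /* successful hid_hw_start() calls */
    int stopped;      /* hid_hw_stop() calls */
    int fail_at;      /* fault injection: step that fails, -1 for none */
    int ff4;          /* device takes the lg4ff path (LG_FF4 quirk) */
    int deinit_stops; /* pre-patch lg4ff_deinit() called hid_hw_stop() itself */
};

static int step_fails(const struct fake_hid *h, enum step s) { return h->fail_at == (int)s; }
static int hid_parse(struct fake_hid *h) { return step_fails(h, STEP_PARSE) ? -1 : 0; }
static void hid_hw_stop(struct fake_hid *h) { h->stopped++; }
static int hid_hw_start(struct fake_hid *h)
{
    if (step_fails(h, STEP_START))
        return -1;
    h->started++;
    return 0;
}

/* Pre-patch shape of lg_probe(): failures after hid_hw_start() 'goto err_free'. */
static int probe_buggy(struct fake_hid *h)
{
    if (hid_parse(h) || hid_hw_start(h))
        return -1;                      /* nothing running yet: plain error return is fine */
    if (step_fails(h, STEP_BUF))
        goto err_free;                  /* kmemdup() failed, device left running */
    if (h->ff4 && step_fails(h, STEP_FF_INIT))
        goto err_free;                  /* lg4ff_init() failed, device left running */
    return 0;
err_free:
    return -1;                          /* kfree(drv_data) would sit here */
}

/* Patched shape: the same failures 'goto err_stop', which falls through to err_free. */
static int probe_fixed(struct fake_hid *h)
{
    if (hid_parse(h) || hid_hw_start(h))
        return -1;
    if (step_fails(h, STEP_BUF))
        goto err_stop;
    if (h->ff4 && step_fails(h, STEP_FF_INIT))
        goto err_stop;
    return 0;
err_stop:
    hid_hw_stop(h);
    return -1;                          /* err_free: kfree(drv_data) */
}

/* Fault-inject every step plus one fault-free run.  Returns a bitmask of steps
 * whose failure returns an error yet leaves started != stopped; the fault-free
 * run (bit STEP_COUNT) must leave exactly one start outstanding for remove(). */
static unsigned leaky_steps(int (*probe)(struct fake_hid *), int ff4)
{
    unsigned leaks = 0;
    int s;

    for (s = 0; s <= STEP_COUNT; s++) {
        struct fake_hid h = { .fail_at = s, .ff4 = ff4 };
        int ret = probe(&h);
        int bad = ret == 0 ? (h.started - h.stopped != 1) : (h.started != h.stopped);
        if (bad)
            leaks |= 1u << s;
    }
    return leaks;
}

static void lg4ff_deinit(struct fake_hid *h)
{
    if (h->deinit_stops)
        hid_hw_stop(h);
}

/* Pre-patch lg_remove(): exactly one branch stops the device. */
static void remove_old(struct fake_hid *h)
{
    if (h->ff4)
        lg4ff_deinit(h);
    else
        hid_hw_stop(h);
}

/* Patched lg_remove(): unconditional stop, relies on lg4ff_deinit() no longer stopping. */
static void remove_new(struct fake_hid *h)
{
    if (h->ff4)
        lg4ff_deinit(h);
    hid_hw_stop(h);
}

/* hid_hw_stop() count after a successful probe followed by remove(); 1 is correct. */
static int stops_after_remove(void (*remove)(struct fake_hid *), int ff4, int deinit_stops)
{
    struct fake_hid h = { .fail_at = -1, .ff4 = ff4, .deinit_stops = deinit_stops };

    if (probe_fixed(&h))
        return -1;
    remove(&h);
    return h.stopped;
}

int main(void)
{
    printf("leaky steps: buggy=0x%x fixed=0x%x\n",
           leaky_steps(probe_buggy, 1), leaky_steps(probe_fixed, 1));
    printf("stops after remove: old=%d new=%d new with old deinit=%d\n",
           stops_after_remove(remove_old, 1, 1), stops_after_remove(remove_new, 1, 0),
           stops_after_remove(remove_new, 1, 1));
    return 0;
}
```

On the buggy probe the mask comes back with bits STEP_BUF and STEP_FF_INIT set, which are exactly the two `goto err_free` sites the patch relabels; on the fixed probe it is zero. The last stops_after_remove() call models the patched lg_remove() combined with an unpatched lg4ff_deinit() and reports two stops, which is the double-stop that results if only one of the two files is changed.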

Re: WARNING: bad usercopy in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Thu, Aug 22, 2019 at 12:38 AM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:eea39f24 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=128c664c60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
> dashboard link: https://syzkaller.appspot.com/bug?extid=fc7106c3bcd1cb7b165c
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+fc7106c3bcd1cb7b1...@syzkaller.appspotmail.com
>
> [ cut here ]
> Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> from SLUB object 'shmem_inode_cache' (offset 88, size 33)!
> WARNING: CPU: 0 PID: 3101 at mm/usercopy.c:74 usercopy_warn+0xe8/0x110
> mm/usercopy.c:74
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 3101 Comm: syz-executor.0 Not tainted 5.3.0-rc5+ #28
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x2a3/0x6da kernel/panic.c:219
>   __warn.cold+0x20/0x4a kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
> RIP: 0010:usercopy_warn+0xe8/0x110 mm/usercopy.c:74
> Code: e8 bd f8 d6 ff 49 89 e9 4c 89 e1 48 89 de 41 57 48 c7 c7 40 f5 cd 85
> 41 55 41 56 4c 8b 44 24 20 48 8b 54 24 18 e8 9d de ac ff <0f> 0b 48 83 c4
> 18 e9 45 ff ff ff 48 c7 c5 40 f3 cd 85 49 89 ee 49
> RSP: 0018:8881c5d07be8 EFLAGS: 00010282
> RAX:  RBX: 85cdf500 RCX: 
> RDX: 8303 RSI: 81288cfd RDI: ed1038ba0f6f
> RBP: 85cc2ca0 R08: 8881c79b R09: ed103b645d58
> R10: ed103b645d57 R11: 8881db22eabf R12: 86a6b0c8
> R13: 0058 R14: 85cdf380 R15: 0021
>   check_heap_object mm/usercopy.c:234 [inline]
>   __check_object_size mm/usercopy.c:280 [inline]
>   __check_object_size+0x327/0x39a mm/usercopy.c:250
>   check_object_size include/linux/thread_info.h:119 [inline]
>   check_copy_size include/linux/thread_info.h:150 [inline]
>   copy_to_user include/linux/uaccess.h:151 [inline]
>   hidraw_ioctl+0x65f/0xae0 drivers/hid/hidraw.c:440
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f75e27c6c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 20c0 RSI: 80404804 RDI: 0003
> RBP: 0075bfc8 R08:  R09: 
> R10:  R11: 0246 R12: 7f75e27c76d4
> R13: 004c21c9 R14: 004d5628 R15: 
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

#syz dup: BUG: bad usercopy in hidraw_ioctl


Re: BUG: unable to handle kernel paging request in au0828_usb_disconnect

2019-08-21 Thread Andrey Konovalov
On Mon, Apr 29, 2019 at 2:06 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=106c9498a0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> dashboard link: https://syzkaller.appspot.com/bug?extid=15e91d49c4c757c3d363
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+15e91d49c4c757c3d...@syzkaller.appspotmail.com
>
> usb 5-1: selecting invalid altsetting 5
> au0828: Failure setting usb interface0 to as5
> au0828: au0828_usb_probe() au0828_analog_register failed to register on V4L2
> BUG: unable to handle kernel paging request at fffc4508a958
> #PF error: [normal kernel read fault]
> PGD 1167e067 P4D 1167e067 PUD 0
> Oops:  [#1] SMP KASAN PTI
> CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.1.0-rc3-319004-g43151d6 #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:decode_cpu kernel/locking/osq_lock.c:34 [inline]
> RIP: 0010:osq_lock+0xfd/0x5a0 kernel/locking/osq_lock.c:111
> Code: 48 63 e8 48 b8 00 00 00 00 00 fc ff df 48 8d 3c ed 60 b0 39 91 48 89
> f9 48 c1 e9 03 80 3c 01 00 0f 85 2c 04 00 00 48 8d 53 08 <4c> 03 2c ed 60
> b0 39 91 48 b8 00 00 00 00 00 fc ff df 48 89 d6 48
> RSP: 0018:8880a84f70e8 EFLAGS: 00010246
> RAX: dc00 RBX: 8880ad12dfc0 RCX: 1fff88a1152b
> RDX: 8880ad12dfc8 RSI: 0004 RDI: fffc4508a958
> RBP: 9679df1f R08:  R09: ed10122cb31e
> R10: ed10122cb31d R11: 8880916598eb R12: 8880ad12dfd0
> R13: 0002dfc0 R14: 8880a84db100 R15: 8880916598e8
> FS:  () GS:8880ad10() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: fffc4508a958 CR3: 824b6000 CR4: 001406e0
> Call Trace:
>   mutex_optimistic_spin kernel/locking/mutex.c:630 [inline]
>   __mutex_lock_common kernel/locking/mutex.c:928 [inline]
>   __mutex_lock+0x27d/0x12b0 kernel/locking/mutex.c:1072
>   au0828_usb_disconnect+0xa3/0x130 drivers/media/usb/au0828/au0828-core.c:194
>   au0828_usb_probe.cold+0x121/0x7d8
> drivers/media/usb/au0828/au0828-core.c:661
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2023
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
>   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
>   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
>   kthread+0x313/0x420 kernel/kthread.c:253
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Modules linked in:
> CR2: fffc4508a958
> ---[ end trace e04421c5fdf22ecf ]---
> RIP: 0010:decode_cpu kernel/locking/osq_lock.c:34 [inline]
> RIP: 0010:osq_lock+0xfd/0x5a0 kernel/locking/osq_lock.c:111
> Code: 48 63 e8 48 b8 00 00 00 00 00 fc ff df 48 8d 3c ed 60 b0 39 91 48 89
> f9 48 c1 e9 03 80 3c 01 00 0f 85 2c 04 00 00 48 8d 53 08 <4c> 03 2c ed 60
> b0 39 91 48 b8 00 00 00 00 00 fc ff df 48 89 d6 48
> RSP: 0018:8880a84f70e8 EFLAGS: 00010246
> RAX: dc00 RBX: 8880ad12dfc0 RCX: 1fff88a1152b
> RDX: 8880ad12dfc8 RSI: 0004 RDI: fffc4508a958
> RBP: 9679df1f R08:  R09: ed10122cb31e
> R10: ed10122cb31d R11: 8880916598eb R12: 8880ad12dfd0
> R13: 0002dfc0 R14: 8880a84db100 R15: 8880916598e8
> FS:  () GS:8880ad10() knlGS:
> CS:  0010 DS: 00

Re: KASAN: slab-out-of-bounds Read in usbhid_close

2019-08-21 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 3:18 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=117a9f4260
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=3268ee512f866a903602
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3268ee512f866a903...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x302a/0x3b50
> kernel/locking/lockdep.c:3753
> Read of size 8 at addr 8881ceab68a0 by task syz-executor.0/3352
>
> CPU: 1 PID: 3352 Comm: syz-executor.0 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753
>   lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
>   __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
>   _raw_spin_lock_irq+0x2d/0x40 kernel/locking/spinlock.c:167
>   spin_lock_irq include/linux/spinlock.h:363 [inline]
>   usbhid_close+0x51/0x210 drivers/hid/usbhid/hid-core.c:740
>   hid_hw_close+0xa8/0xd0 drivers/hid/hid-core.c:2046
>   drop_ref.part.0+0x32/0xe0 drivers/hid/hidraw.c:337
>   drop_ref drivers/hid/hidraw.c:360 [inline]
>   hidraw_release+0x34f/0x440 drivers/hid/hidraw.c:356
>   __fput+0x2d7/0x840 fs/file_table.c:280
>   task_work_run+0x13f/0x1c0 kernel/task_work.c:113
>   exit_task_work include/linux/task_work.h:22 [inline]
>   do_exit+0x8ef/0x2c50 kernel/exit.c:878
>   do_group_exit+0x125/0x340 kernel/exit.c:982
>   get_signal+0x466/0x23d0 kernel/signal.c:2728
>   do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815
>   exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159
>   prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
>   syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
>   do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: Bad RIP value.
> RSP: 002b:7f123439dcf8 EFLAGS: 0246 ORIG_RAX: 00ca
> RAX: fe00 RBX: 0075bf28 RCX: 00459829
> RDX:  RSI: 0080 RDI: 0075bf28
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 0075bf2c
> R13: 7ffe9281699f R14: 7f123439e9c0 R15: 0075bf2c
>
> Allocated by task 0:
> (stack is not available)
>
> Freed by task 0:
> (stack is not available)
>
> The buggy address belongs to the object at 8881ceab6880
>   which belongs to the cache shmem_inode_cache of size 1168
> The buggy address is located 32 bytes inside of
>   1168-byte region [8881ceab6880, 8881ceab6d10)
> The buggy address belongs to the page:
> page:ea00073aad00 refcount:1 mapcount:0 mapping:8881da115180
> index:0x0 compound_mapcount: 0
> flags: 0x2010200(slab|head)
> raw: 02010200 dead0100 dead0122 8881da115180
> raw:  800c000c 0001 
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>   8881ceab6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   8881ceab6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > 8881ceab6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
>   8881ceab6900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   8881ceab6980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Looks like the same bug:

#syz dup: KASAN: slab-out-of-bounds Read in hidraw_ioctl


Re: WARNING in hiddev_ioctl/usb_submit_urb

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 4:28 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=14f54e2660
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=5ef817fc02cd64d038a3
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5ef817fc02cd64d03...@syzkaller.appspotmail.com
>
> [ cut here ]
> usb 4-1: BOGUS urb xfer, pipe 2 != type 2
> WARNING: CPU: 0 PID: 7794 at drivers/usb/core/urb.c:477
> usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 7794 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x2a3/0x6da kernel/panic.c:219
>   __warn.cold+0x20/0x4a kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
> RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Code: 4d 85 ed 74 2c e8 28 76 ed fd 4c 89 f7 e8 c0 6d 1a ff 41 89 d8 44 89
> e1 4c 89 ea 48 89 c6 48 c7 c7 60 e7 18 86 e8 3d 47 c3 fd <0f> 0b e9 20 f4
> ff ff e8 fc 75 ed fd 4c 89 f2 48 b8 00 00 00 00 00
> RSP: 0018:8881b01178a0 EFLAGS: 00010282
> RAX:  RBX: 0002 RCX: 
> RDX: 549e RSI: 8128a0fd RDI: ed1036022f06
> RBP:  R08: 8881cfd11800 R09: fbfff11acda9
> R10: fbfff11acda8 R11: 88d66d47 R12: 0002
> R13: 8881cd771828 R14: 8881c87e22a0 R15: 8881d3f1ac00
>   usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
>   usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
>   usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
>   usb_get_string+0xac/0x1a0 drivers/usb/core/message.c:693
>   usb_string_sub+0x8b/0x3d0 drivers/usb/core/message.c:737
>   usb_string+0x32b/0x480 drivers/usb/core/message.c:836
>   hiddev_ioctl_string.isra.0+0xf5/0x1d0 drivers/hid/usbhid/hiddev.c:576
>   hiddev_ioctl+0x5b8/0x1550 drivers/hid/usbhid/hiddev.c:682
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f8529fb1c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 21c0 RSI: 81044804 RDI: 0004
> RBP: 0075c1c0 R08:  R09: 
> R10:  R11: 0246 R12: 7f8529fb26d4
> R13: 004c2249 R14: 004d55f8 R15: 
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Looks like the same bug:

#syz dup: general protection fault in __pm_runtime_resume


Re: KASAN: use-after-free Read in usbhid_wait_io

2019-08-21 Thread Andrey Konovalov
On Mon, Aug 5, 2019 at 1:58 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=136bed1a60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> dashboard link: https://syzkaller.appspot.com/bug?extid=cff772ea5b2812d504a9
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cff772ea5b2812d50...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in test_bit
> include/asm-generic/bitops-instrumented.h:237 [inline]
> BUG: KASAN: use-after-free in usbhid_wait_io+0xc9/0x3a0
> drivers/hid/usbhid/hid-core.c:646
> Read of size 8 at addr 8881c84068c0 by task syz-executor.2/3548
>
> CPU: 1 PID: 3548 Comm: syz-executor.2 Not tainted 5.3.0-rc2+ #24
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   check_memory_region_inline mm/kasan/generic.c:185 [inline]
>   check_memory_region+0x128/0x190 mm/kasan/generic.c:192
>   test_bit include/asm-generic/bitops-instrumented.h:237 [inline]
>   usbhid_wait_io+0xc9/0x3a0 drivers/hid/usbhid/hid-core.c:646
>   usbhid_init_reports+0x119/0x320 drivers/hid/usbhid/hid-core.c:774
>   hiddev_ioctl+0x10ed/0x1550 drivers/hid/usbhid/hiddev.c:792
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7fb23788ec78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 20005700 RSI: 40184810 RDI: 0008
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 7fb23788f6d4
> R13: 004c2104 R14: 004d5490 R15: 
>
> Allocated by task 12:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   slab_post_alloc_hook mm/slab.h:520 [inline]
>   slab_alloc_node mm/slub.c:2766 [inline]
>   __kmalloc_node_track_caller+0xd0/0x230 mm/slub.c:4361
>   __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:141
>   __alloc_skb+0xef/0x5a0 net/core/skbuff.c:209
>   alloc_skb include/linux/skbuff.h:1055 [inline]
>   alloc_uevent_skb+0x7b/0x210 lib/kobject_uevent.c:289
>   uevent_net_broadcast_untagged lib/kobject_uevent.c:325 [inline]
>   kobject_uevent_net_broadcast lib/kobject_uevent.c:408 [inline]
>   kobject_uevent_env+0x8ee/0x1160 lib/kobject_uevent.c:592
>   __device_release_driver drivers/base/dd.c:1140 [inline]
>   device_release_driver_internal+0x3c4/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   usb_disconnect+0x4c3/0x8d0 drivers/usb/core/hub.c:2225
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 240:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   skb_free_head+0x8b/0xa0 net/core/skbuff.c:591
>   skb_release_data+0x41f/0x7c0 net/core/skbuff.c:611
>   skb_release_all+0x46/0x60 net/core/skbuff.c:665
>   __kfree_skb net/core/skbuff.c:679

Re: KASAN: use-after-free Read in hiddev_ioctl

2019-08-21 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 3:18 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1732258a60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=5e9ed50a49eb77802d0e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5e9ed50a49eb77802...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in __mutex_lock_common
> kernel/locking/mutex.c:912 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0xf23/0x1360
> kernel/locking/mutex.c:1077
> Read of size 8 at addr 8881cf955468 by task syz-executor.1/19529
>
> CPU: 0 PID: 19529 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   __mutex_lock_common kernel/locking/mutex.c:912 [inline]
>   __mutex_lock+0xf23/0x1360 kernel/locking/mutex.c:1077
>   hiddev_ioctl+0xea/0x1550 drivers/hid/usbhid/hiddev.c:607
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f0ec5dd7c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 2380 RSI: 81044804 RDI: 0005
> RBP: 0075c070 R08:  R09: 
> R10:  R11: 0246 R12: 7f0ec5dd86d4
> R13: 004c2249 R14: 004d55f8 R15: 
>
> Allocated by task 2777:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:552 [inline]
>   kzalloc include/linux/slab.h:748 [inline]
>   hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:900
>   hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
>   hid_hw_start drivers/hid/hid-core.c:1981 [inline]
>   hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
>   appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
>   hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
>   usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
>  

Re: BUG: bad usercopy in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 9:28 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=151b292660
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=3de312463756f656b47d
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3de312463756f656b...@syzkaller.appspotmail.com
>
> usercopy: Kernel memory exposure attempt detected from wrapped address
> (offset 0, size 0)!
> [ cut here ]
> kernel BUG at mm/usercopy.c:98!
> invalid opcode:  [#1] SMP KASAN
> CPU: 1 PID: 2968 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:98
> Code: e8 c1 f7 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 e0
> f3 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 15 98 c1 ff <0f> 0b e8 95 f7
> d6 ff e8 80 9f fd ff 8b 54 24 04 49 89 d8 4c 89 e1
> RSP: 0018:8881b0f37be8 EFLAGS: 00010282
> RAX: 005a RBX: 85cdf100 RCX: 
> RDX:  RSI: 8128a0fd RDI: ed10361e6f6f
> RBP: 85cdf2c0 R08: 005a R09: ed103b665d58
> R10: ed103b665d57 R11: 8881db32eabf R12: 85cdf460
> R13: 85cdf100 R14:  R15: 85cdf100
> FS:  7f539a2a9700() GS:8881db30() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 021237d0 CR3: 0001d6ac6000 CR4: 001406e0
> Call Trace:
>   check_bogus_address mm/usercopy.c:151 [inline]
>   __check_object_size mm/usercopy.c:260 [inline]
>   __check_object_size.cold+0xb2/0xba mm/usercopy.c:250
>   check_object_size include/linux/thread_info.h:119 [inline]
>   check_copy_size include/linux/thread_info.h:150 [inline]
>   copy_to_user include/linux/uaccess.h:151 [inline]
>   hidraw_ioctl+0x38c/0xae0 drivers/hid/hidraw.c:392
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f539a2a8c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 2800 RSI: 90044802 RDI: 0004
> RBP: 0075c268 R08:  R09: 
> R10:  R11: 0246 R12: 7f539a2a96d4
> R13: 004c21f3 R14: 004d55b8 R15: 
> Modules linked in:
> ---[ end trace 24b9968555bf4653 ]---
> RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:98
> Code: e8 c1 f7 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 e0
> f3 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 15 98 c1 ff <0f> 0b e8 95 f7
> d6 ff e8 80 9f fd ff 8b 54 24 04 49 89 d8 4c 89 e1
> RSP: 0018:8881b0f37be8 EFLAGS: 00010282
> RAX: 005a RBX: 85cdf100 RCX: 
> RDX:  RSI: 8128a0fd RDI: ed10361e6f6f
> RBP: 85cdf2c0 R08: 005a R09: ed103b665d58
> R10: ed103b665d57 R11: 8881db32eabf R12: 85cdf460
> R13: 85cdf100 R14:  R15: 85cdf100
> FS:  7f539a2a9700() GS:8881db30() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 021237d0 CR3: 0001d6ac6000 CR4: 001406e0
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Looks like the same bug:

#syz dup: KASAN: slab-out-of-bounds Read in hidraw_ioctl


Re: KASAN: slab-out-of-bounds Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 6:26 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 21, 2019 at 6:24 PM Alan Stern  wrote:
> >
> > On Wed, 21 Aug 2019, Andrey Konovalov wrote:
> >
> > > On Wed, Aug 21, 2019 at 3:37 PM syzbot
> > >  wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot has tested the proposed patch but the reproducer still triggered
> > > > crash:
> > > > KASAN: slab-out-of-bounds Read in hidraw_ioctl
> > >
> > > Same here, a different bug.
> >
> > It looks like I've got the fix for both these bugs.  Testing now...
>
> Great! Do you think "BUG: bad usercopy in hidraw_ioctl" can also be
> fixed by one of those fixes?

We actually have a bunch of other non-reproducible bug reports that
come from HID. I think I'll dup them into these two bugs that you've
fixed, and we'll see if syzkaller triggers them again once the fixes
are upstream.

>
> >
> > > > Tested on:
> > > >
> > > > commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:   https://github.com/google/kasan.git
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=14f14a1e60
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > patch:  
> > > > https://syzkaller.appspot.com/x/patch.diff?x=171cd95a60
> >
> > Why don't these patch-test reports include the dashboard link?  It sure
> > would be handy to have a copy of it here.

Sorry, didn't notice this comment. This should be easy to implement,
I'll look into that, thanks!


Re: KASAN: use-after-free Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 6:38 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+ded1794a717e3b235...@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> patch:  https://syzkaller.appspot.com/x/patch.diff?x=126b9da660
>
> Note: testing is done by a robot and is best-effort only.

Let's dup this bug into the other one:

#syz dup: KASAN: slab-out-of-bounds Read in hidraw_ioctl


Re: KASAN: slab-out-of-bounds Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 6:24 PM Alan Stern  wrote:
>
> On Wed, 21 Aug 2019, Andrey Konovalov wrote:
>
> > On Wed, Aug 21, 2019 at 3:37 PM syzbot
> >  wrote:
> > >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: slab-out-of-bounds Read in hidraw_ioctl
> >
> > Same here, a different bug.
>
> It looks like I've got the fix for both these bugs.  Testing now...

Great! Do you think "BUG: bad usercopy in hidraw_ioctl" can also be
fixed by one of those fixes?

>
> > > Tested on:
> > >
> > > commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:   https://github.com/google/kasan.git
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14f14a1e60
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > patch:  
> > > https://syzkaller.appspot.com/x/patch.diff?x=171cd95a60
>
> Why don't these patch-test reports include the dashboard link?  It sure
> would be handy to have a copy of it here.
>
> Alan Stern
>


Re: [PATCH] HID: USB: Fix general protection fault caused by Logitech driver

2019-08-21 Thread Andrey Konovalov
On Tue, Aug 20, 2019 at 10:00 PM Alan Stern  wrote:
>
> The syzbot fuzzer found a general protection fault in the HID subsystem:
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> CPU: 0 PID: 3715 Comm: syz-executor.3 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069
> Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02
> 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00
> RSP: 0018:8881d99d78e0 EFLAGS: 00010202
> RAX: dc00 RBX: 0020 RCX: c90003f3f000
> RDX: 000416d8686d RSI: 82676841 RDI: 0020b6c3436a
> RBP: 0020b6c340a9 R08: 8881c6d64800 R09: fbfff0e84c25
> R10: 8881d99d7940 R11: 87426127 R12: 0004
> R13:  R14: 8881d9b94000 R15: 897f9048
> FS:  7f047f542700() GS:8881db20() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 001b30f21000 CR3: 0001ca032000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
>   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
>   hid_hw_power include/linux/hid.h:1038 [inline]
>   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
>   chrdev_open+0x219/0x5c0 fs/char_dev.c:413
>   do_dentry_open+0x497/0x1040 fs/open.c:778
>   do_last fs/namei.c:3416 [inline]
>   path_openat+0x1430/0x3ff0 fs/namei.c:3533
>   do_filp_open+0x1a1/0x280 fs/namei.c:3563
>   do_sys_open+0x3c0/0x580 fs/open.c:1070
>   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> It turns out the fault was caused by a bug in the HID Logitech driver,
> which violates the requirement that every pathway calling
> hid_hw_start() must also call hid_hw_stop().  This patch fixes the bug
> by making sure the requirement is met.
>
> Reported-and-tested-by: syzbot+3cbe5cd105d2ad56a...@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern 
> CC: 

This bug has manifested in a bunch of different ways and produced
multiple confusing syzbot reports. Thank you for tracking this down
and fixing it, Alan!


>
> ---
>
> [as1909]
>
>
>  drivers/hid/hid-lg.c|   10 ++
>  drivers/hid/hid-lg4ff.c |1 -
>  2 files changed, 6 insertions(+), 5 deletions(-)
>
> Index: usb-devel/drivers/hid/hid-lg.c
> ===
> --- usb-devel.orig/drivers/hid/hid-lg.c
> +++ usb-devel/drivers/hid/hid-lg.c
> @@ -818,7 +818,7 @@ static int lg_probe(struct hid_device *h
>
> if (!buf) {
> ret = -ENOMEM;
> -   goto err_free;
> +   goto err_stop;
> }
>
> ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
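Review bot: the relabel in the `if (!buf)` branch is only correct if hid_hw_start() has already succeeded by this point, and the hunk's context does not show that call. Please confirm that the error paths in lg_probe() that run before hid_hw_start() (not in this diff) keep using `goto err_free`; otherwise the patch trades a missing hid_hw_stop() for a hid_hw_stop() on a device that was never started.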
> @@ -850,9 +850,12 @@ static int lg_probe(struct hid_device *h
> ret = lg4ff_init(hdev);
>
> if (ret)
> -   goto err_free;
> +   goto err_stop;
>
> return 0;
> +
> +err_stop:
> +   hid_hw_stop(hdev);
>  err_free:
> kfree(drv_data);
> return ret;
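Review bot: one thing to confirm for the `goto err_stop` after lg4ff_init(): lg4ff_init() must not call hid_hw_stop() on its own failure paths, or the device is now stopped twice. Falling through from the new `err_stop:` label into `err_free:` gives the right unwind order (stop the hardware, then free drv_data), and the blank line before the label matches kernel style; since the lg4ff_deinit() hunk removes its hid_hw_stop(), the intent appears to be that hid-lg.c alone owns start/stop, and a one-line comment above `err_stop:` saying so would help the next person who adds an error path.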
> @@ -863,8 +866,7 @@ static void lg_remove(struct hid_device
> struct lg_drv_data *drv_data = hid_get_drvdata(hdev);
> if (drv_data->quirks & LG_FF4)
> lg4ff_deinit(hdev);
> -   else
> -   hid_hw_stop(hdev);
> +   hid_hw_stop(hdev);
> kfree(drv_data);
>  }
>
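Review bot: the ordering changes here, not only the conditional: hid_hw_stop() now runs after lg4ff_deinit() returns, whereas the removed `hid_hw_stop(hid)` in lg4ff_deinit() ran before `drv_data->device_props = NULL;` and `kfree(entry);`. Until hid_hw_stop() tears the input device down, any callback still reachable through it that dereferences device_props could see a freed entry. Either confirm those callbacks cannot run at this point, or stop the hardware first by calling hid_hw_stop(hdev) before lg4ff_deinit(hdev) if lg4ff_deinit() does not need the device started.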
> Index: usb-devel/drivers/hid/hid-lg4ff.c
> ===
> --- usb-devel.orig/drivers/hid/hid-lg4ff.c
> +++ usb-devel/drivers/hid/hid-lg4ff.c
> @@ -1477,7 +1477,6 @@ int lg4ff_deinit(struct hid_device *hid)
> }
> }
>  #endif
> -   hid_hw_stop(hid);
> drv_data->device_props = NULL;
>
> kfree(entry);
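Review bot: with hid_hw_stop() removed from lg4ff_deinit(), the function no longer tears the device down, which changes its contract for any caller other than lg_remove(). Please check that no other caller relies on the old behaviour, and document the new contract on lg4ff_deinit() (a short comment that the caller is responsible for hid_hw_stop()), since after this change nothing in the function's name or visible code says so.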
>
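The pairing rule the commit message states (every path that calls hid_hw_start() must also call hid_hw_stop()) can be checked mechanically with fault injection. The C program below is an added example, not kernel code and not part of Alan's patch: it mirrors the shape of lg_probe() before and after the patch with stand-in functions (fake_hid_parse, fake_hid_hw_start, fake_hid_hw_stop, fake_kmemdup and fake_lg4ff_init are assumptions, not kernel APIs), forces each call to fail in turn, and counts the error paths that return with the hardware still started.

```c
/*
 * Added example, not kernel code and not part of the patch: fault-inject
 * every call in a probe() unwind sequence and verify that no failing path
 * returns with the hardware still "started". The fake_* functions are
 * stand-ins for the kernel APIs named in the thread.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int hw_started; /* mirrors hid_hw_start()/hid_hw_stop() state */
static int fail_at;    /* 1-based index of the call that fails; 0 = none */
static int call_no;    /* calls made so far in the current probe() */

/* Returns non-zero exactly once per run, on the call selected by fail_at. */
static int inject_fault(void)
{
    return ++call_no == fail_at;
}

static int fake_hid_parse(void) { return inject_fault() ? -EINVAL : 0; }
static int fake_hid_hw_start(void)
{
    if (inject_fault())
        return -EIO;
    hw_started = 1;
    return 0;
}
static void fake_hid_hw_stop(void) { hw_started = 0; }
static void *fake_kmemdup(size_t n) { return inject_fault() ? NULL : malloc(n); }
static int fake_lg4ff_init(void) { return inject_fault() ? -ENODEV : 0; }

/*
 * Shape of lg_probe(). With patched == 0 the err_stop label does nothing,
 * which is what the old code did by jumping to err_free from the two
 * failures that occur after hid_hw_start(); with patched == 1 the label
 * stops the hardware and falls through into err_free, as in the patch.
 */
static int probe(int patched)
{
    void *drv_data = malloc(64);
    void *buf;
    int ret;

    if (!drv_data)
        return -ENOMEM;
    ret = fake_hid_parse();
    if (ret)
        goto err_free;          /* before hid_hw_start(): nothing to stop */
    ret = fake_hid_hw_start();
    if (ret)
        goto err_free;          /* start failed: nothing to stop */
    buf = fake_kmemdup(8);
    if (!buf) {
        ret = -ENOMEM;
        goto err_stop;          /* after hid_hw_start(): must stop */
    }
    free(buf);
    ret = fake_lg4ff_init();
    if (ret)
        goto err_stop;          /* after hid_hw_start(): must stop */
    return 0;
err_stop:
    if (patched)
        fake_hid_hw_stop();     /* the call the old code was missing */
err_free:
    free(drv_data);
    return ret;
}

/*
 * Run probe() once per injectable call (four in this model) and count the
 * failing paths that return with hw_started still set. A correct unwind
 * sequence yields 0.
 */
static int count_leaking_paths(int patched)
{
    int leaks = 0;

    for (int f = 1; f <= 4; f++) {
        hw_started = 0;
        call_no = 0;
        fail_at = f;
        if (probe(patched) < 0 && hw_started)
            leaks++;
    }
    return leaks;
}

/* With no fault injected, probe() must succeed and leave the hardware
 * started so that remove() has something to stop. */
static int probe_succeeds(int patched)
{
    hw_started = 0;
    call_no = 0;
    fail_at = 0;
    return probe(patched) == 0 && hw_started;
}

int main(void)
{
    printf("unpatched: %d error paths leave the device started\n",
           count_leaking_paths(0));
    printf("patched:   %d error paths leave the device started\n",
           count_leaking_paths(1));
    return 0;
}
```

The same loop generalises to any probe()-style function: give every fallible call a sequence number, fail each one in turn, and assert the acquire/release counters balance on every failing run. It is the user-space equivalent of what syzbot found the hard way, a started device left behind by an early `goto err_free`, which later surfaces as the __pm_runtime_resume fault and the hidraw/hiddev use-after-free reports above.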


Re: KASAN: slab-out-of-bounds Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 3:37 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: slab-out-of-bounds Read in hidraw_ioctl

Same here, a different bug.

>
> ==
> BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
> Read of size 1 at addr 8881c8035f38 by task syz-executor.4/2833
>
> CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   strlen+0x79/0x90 lib/string.c:525
>   strlen include/linux/string.h:281 [inline]
>   hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f7a68f6dc78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX:  RSI: 80404805 RDI: 0004
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 7f7a68f6e6d4
> R13: 004c21de R14: 004d5620 R15: 
>
> Allocated by task 0:
> (stack is not available)
>
> Freed by task 0:
> (stack is not available)
>
> The buggy address belongs to the object at 8881c8035e60
>   which belongs to the cache shmem_inode_cache of size 1168
> The buggy address is located 216 bytes inside of
>   1168-byte region [8881c8035e60, 8881c80362f0)
> The buggy address belongs to the page:
> page:ea0007200d00 refcount:1 mapcount:0 mapping:8881da115180
> index:0x0 compound_mapcount: 0
> flags: 0x2010200(slab|head)
> raw: 02010200 dead0100 dead0122 8881da115180
> raw:  800c000c 0001 
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>   8881c8035e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   8881c8035e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > 8881c8035f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ^
>   8881c8035f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   8881c8036000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==
>
>
> Tested on:
>
> commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git
> console output: https://syzkaller.appspot.com/x/log.txt?x=14f14a1e60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> patch:  https://syzkaller.appspot.com/x/patch.diff?x=171cd95a60
>


Re: KASAN: use-after-free Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 3:27 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: use-after-free Read in hidraw_ioctl

OK, so this looks like a different bug.

>
> ==
> BUG: KASAN: use-after-free in hidraw_ioctl+0x609/0xaf0
> drivers/hid/hidraw.c:380
> Read of size 4 at addr 8881d2db4218 by task syz-executor.1/3343
>
> CPU: 1 PID: 3343 Comm: syz-executor.1 Not tainted 5.2.0-rc6+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x67/0x231 mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
>   kasan_report+0xe/0x20 mm/kasan/common.c:614
>   hidraw_ioctl+0x609/0xaf0 drivers/hid/hidraw.c:380
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7fac801dac78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 200015c0 RSI: 80044801 RDI: 0005
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 7fac801db6d4
> R13: 004c21ee R14: 004d53f8 R15: 
>
> Allocated by task 2911:
>   save_stack+0x1b/0x80 mm/kasan/common.c:71
>   set_track mm/kasan/common.c:79 [inline]
>   __kasan_kmalloc mm/kasan/common.c:489 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
>   kmalloc include/linux/slab.h:547 [inline]
>   kzalloc include/linux/slab.h:742 [inline]
>   hid_allocate_device+0x3e/0x480 drivers/hid/hid-core.c:2389
>   usbhid_probe+0x23e/0xfa0 drivers/hid/usbhid/hid-core.c:1321
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_new_device.cold+0x6a4/0xe61 drivers/usb/core/hub.c:2536
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1abd/0x3550 drivers/usb/core/hub.c:5441
>   process_one_work+0x905/0x1570 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
>   kthread+0x30b/0x410 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 2895:
>   save_stack+0x1b/0x80 mm/kasan/common.c:71
>   set_track mm/kasan/common.c:79 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
>   slab_free_hook mm/slub.c:1421 [inline]
>   slab_free_freelist_hook mm/slub.c:1448 [inline]
>   slab_free mm/slub.c:2994 [inline]
>   kfree+0xd7/0x280 mm/slub.c:3949
>   device_release+0x71/0x200 drivers/base/core.c:1064
>   kobject_cleanup lib/kobject.c:691 [inline]
>   kobject_release lib/kobject.c:720 [inline]
>   kref_put include/linux/kref.h:65 [inline]
>   kobject_put+0x171/0x280 lib/kobject.c:737
>   put_device+0x1b/0x30 drivers/base/core.c:2210
>   usbhid_disconnect+0x90/0xd0 drivers/hid/usbhid/hid-core.c:1413
>   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
>   __device_release_driver drivers/base/dd.c:1081 [inline]
>   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1112
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device

Re: WARNING in usbhid_raw_request/usb_submit_urb

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 3:09 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+a7a6b9c609b9457c6...@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> patch:  https://syzkaller.appspot.com/x/patch.diff?x=140148ca60
>
> Note: testing is done by a robot and is best-effort only.

Looks like the same bug:

#syz dup: general protection fault in __pm_runtime_resume


Re: KASAN: slab-out-of-bounds Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 2:57 PM Andrey Konovalov  wrote:
>
> On Sun, Aug 11, 2019 at 10:46 PM syzbot
>  wrote:
> >
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=150426ba60
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5a6c4ec678a0c6ee84ba
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12725c0260
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=162163c260
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+5a6c4ec678a0c6ee8...@syzkaller.appspotmail.com
> >
> > ==
> > BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
> > Read of size 1 at addr 8881d29bdf38 by task syz-executor201/1726
> >
> > CPU: 1 PID: 1726 Comm: syz-executor201 Not tainted 5.3.0-rc2+ #25
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:612
> >   strlen+0x79/0x90 lib/string.c:525
> >   strlen include/linux/string.h:281 [inline]
> >   hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
> >   vfs_ioctl fs/ioctl.c:46 [inline]
> >   file_ioctl fs/ioctl.c:509 [inline]
> >   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
> >   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
> >   __do_sys_ioctl fs/ioctl.c:720 [inline]
> >   __se_sys_ioctl fs/ioctl.c:718 [inline]
> >   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
> >   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x445679
> > Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 9b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:7ffc8514f3a8 EFLAGS: 0246 ORIG_RAX: 0010
> > RAX: ffda RBX:  RCX: 00445679
> > RDX:  RSI: 80404805 RDI: 0004
> > RBP: 006d0018 R08: 000b R09: 004002e0
> > R10: 000f R11: 0246 R12: 004028a0
> > R13: 00402930 R14:  R15: 
> >
> > Allocated by task 0:
> > (stack is not available)
> >
> > Freed by task 0:
> > (stack is not available)
> >
> > The buggy address belongs to the object at 8881d29bde60
> >   which belongs to the cache shmem_inode_cache of size 1168
> > The buggy address is located 216 bytes inside of
> >   1168-byte region [8881d29bde60, 8881d29be2f0)
> > The buggy address belongs to the page:
> > page:ea00074a6f00 refcount:1 mapcount:0 mapping:8881da115180
> > index:0x0 compound_mapcount: 0
> > flags: 0x2010200(slab|head)
> > raw: 02010200 dead0100 dead0122 8881da115180
> > raw:  800c000c 0001 
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >   8881d29bde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >   8881d29bde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > 8881d29bdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >  ^
> >   8881d29bdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >   8881d29be000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ==
> >
>
> Trying Alan's fix from another thread here:
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer e96407b4


#syz test: https://github.com/google/kasan.git e96407b4
Index: usb-devel/drivers/hid/hid-lg.c
===
--- usb-devel.orig/drivers/hid/hid-lg.c
+++ usb-devel/drivers/hid/hid-lg.c
@@ -818,7 +818

Re: KASAN: slab-out-of-bounds Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Sun, Aug 11, 2019 at 10:46 PM syzbot
 wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=150426ba60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=5a6c4ec678a0c6ee84ba
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12725c0260
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=162163c260
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5a6c4ec678a0c6ee8...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
> Read of size 1 at addr 8881d29bdf38 by task syz-executor201/1726
>
> CPU: 1 PID: 1726 Comm: syz-executor201 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   strlen+0x79/0x90 lib/string.c:525
>   strlen include/linux/string.h:281 [inline]
>   hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x445679
> Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 9b cd fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7ffc8514f3a8 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX:  RCX: 00445679
> RDX:  RSI: 80404805 RDI: 0004
> RBP: 006d0018 R08: 000b R09: 004002e0
> R10: 000f R11: 0246 R12: 004028a0
> R13: 00402930 R14:  R15: 
>
> Allocated by task 0:
> (stack is not available)
>
> Freed by task 0:
> (stack is not available)
>
> The buggy address belongs to the object at 8881d29bde60
>   which belongs to the cache shmem_inode_cache of size 1168
> The buggy address is located 216 bytes inside of
>   1168-byte region [8881d29bde60, 8881d29be2f0)
> The buggy address belongs to the page:
> page:ea00074a6f00 refcount:1 mapcount:0 mapping:8881da115180
> index:0x0 compound_mapcount: 0
> flags: 0x2010200(slab|head)
> raw: 02010200 dead0100 dead0122 8881da115180
> raw:  800c000c 0001 
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>   8881d29bde00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   8881d29bde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > 8881d29bdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ^
>   8881d29bdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   8881d29be000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==
>

Trying Alan's fix from another thread here:

#syz test: https://github.com/google/kasan.git usb-fuzzer e96407b4
Index: usb-devel/drivers/hid/hid-lg.c
===
--- usb-devel.orig/drivers/hid/hid-lg.c
+++ usb-devel/drivers/hid/hid-lg.c
@@ -818,7 +818,7 @@ static int lg_probe(struct hid_device *h
 
 		if (!buf) {
 			ret = -ENOMEM;
-			goto err_free;
+			goto err_stop;
 		}
 
 		ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
@@ -850,9 +850,12 @@ static int lg_probe(struct hid_device *h
 		ret = lg4ff_init(hdev);
 
 	if (ret)
-		goto err_free;
+		goto err_stop;
 
 	return 0;
+
+err_stop:
+	hid_hw_stop(hdev);
 err_free:
 	kfree(drv_data);
 	return ret;
@@ -863,8 +866,7 @@ static void lg_remove(struct hid_device
 	struct lg_drv_data *drv_data = hid_get_drvdata(hdev);
 	if (drv_data->quirks & LG_FF4)
 		lg4ff_deinit(hdev);
-	else
-		hid_hw_stop(hdev);
+	hid_hw_stop(hdev);
 	kfree(drv_data);
 }
 
Index: usb-devel/drivers/hid/hid-lg4ff.c
===
--- usb-devel.orig/drivers/hid/h

Re: KASAN: use-after-free Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Wed, Aug 21, 2019 at 2:54 PM Andrey Konovalov  wrote:
>
> On Tue, Jul 23, 2019 at 2:48 PM syzbot
>  wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=107e726460
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ded1794a717e3b235226
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13b98b4c60
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1619b07c60
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+ded1794a717e3b235...@syzkaller.appspotmail.com
> >
> > ==
> > BUG: KASAN: use-after-free in hidraw_ioctl+0x609/0xaf0
> > /drivers/hid/hidraw.c:380
> > Read of size 4 at addr 8881d549a118 by task syz-executor073/2445
> >
> > CPU: 0 PID: 2445 Comm: syz-executor073 Not tainted 5.2.0-rc6+ #15
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack /lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e /lib/dump_stack.c:113
> >   print_address_description+0x67/0x231 /mm/kasan/report.c:188
> >   __kasan_report.cold+0x1a/0x32 /mm/kasan/report.c:317
> >   kasan_report+0xe/0x20 /mm/kasan/common.c:614
> >   hidraw_ioctl+0x609/0xaf0 /drivers/hid/hidraw.c:380
> >   vfs_ioctl /fs/ioctl.c:46 [inline]
> >   file_ioctl /fs/ioctl.c:509 [inline]
> >   do_vfs_ioctl+0xcda/0x12e0 /fs/ioctl.c:696
> >   ksys_ioctl+0x9b/0xc0 /fs/ioctl.c:713
> >   __do_sys_ioctl /fs/ioctl.c:720 [inline]
> >   __se_sys_ioctl /fs/ioctl.c:718 [inline]
> >   __x64_sys_ioctl+0x6f/0xb0 /fs/ioctl.c:718
> >   do_syscall_64+0xb7/0x560 /arch/x86/entry/common.c:301
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x451fd9
> > Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 5b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:7f3144bd5ce8 EFLAGS: 0246 ORIG_RAX: 0010
> > RAX: ffda RBX: 006e3c88 RCX: 00451fd9
> > RDX: 200015c0 RSI: 80044801 RDI: 0005
> > RBP: 006e3c80 R08:  R09: 
> > R10:  R11: 0246 R12: 006e3c8c
> > R13: 7ffc64ba492f R14: 7f3144bd69c0 R15: 0002
> >
> > Allocated by task 5:
> >   save_stack+0x1b/0x80 /mm/kasan/common.c:71
> >   set_track /mm/kasan/common.c:79 [inline]
> >   __kasan_kmalloc /mm/kasan/common.c:489 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 /mm/kasan/common.c:462
> >   kmalloc /./include/linux/slab.h:547 [inline]
> >   kzalloc /./include/linux/slab.h:742 [inline]
> >   hid_allocate_device+0x3e/0x480 /drivers/hid/hid-core.c:2389
> >   usbhid_probe+0x23e/0xfa0 /drivers/hid/usbhid/hid-core.c:1321
> >   usb_probe_interface+0x305/0x7a0 /drivers/usb/core/driver.c:361
> >   really_probe+0x281/0x660 /drivers/base/dd.c:509
> >   driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
> >   __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
> >   bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 /drivers/base/dd.c:843
> >   bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 /drivers/base/core.c:2111
> >   usb_set_configuration+0xdf6/0x1670 /drivers/usb/core/message.c:2023
> >   generic_probe+0x9d/0xd5 /drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 /drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x660 /drivers/base/dd.c:509
> >   driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
> >   __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
> >   bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 /drivers/base/dd.c:843
> >   bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 /drivers/base/core.c:2111
> >   usb_new_device.cold+0x6a4/0xe61 /drivers/usb/core/hub.c:2536
> >   hub_port_connect /drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_

Re: KASAN: use-after-free Read in hidraw_ioctl

2019-08-21 Thread Andrey Konovalov
On Tue, Jul 23, 2019 at 2:48 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=107e726460
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> dashboard link: https://syzkaller.appspot.com/bug?extid=ded1794a717e3b235226
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13b98b4c60
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1619b07c60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ded1794a717e3b235...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in hidraw_ioctl+0x609/0xaf0
> /drivers/hid/hidraw.c:380
> Read of size 4 at addr 8881d549a118 by task syz-executor073/2445
>
> CPU: 0 PID: 2445 Comm: syz-executor073 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack /lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e /lib/dump_stack.c:113
>   print_address_description+0x67/0x231 /mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 /mm/kasan/report.c:317
>   kasan_report+0xe/0x20 /mm/kasan/common.c:614
>   hidraw_ioctl+0x609/0xaf0 /drivers/hid/hidraw.c:380
>   vfs_ioctl /fs/ioctl.c:46 [inline]
>   file_ioctl /fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xcda/0x12e0 /fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 /fs/ioctl.c:713
>   __do_sys_ioctl /fs/ioctl.c:720 [inline]
>   __se_sys_ioctl /fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 /fs/ioctl.c:718
>   do_syscall_64+0xb7/0x560 /arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x451fd9
> Code: e8 ec e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 5b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f3144bd5ce8 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 006e3c88 RCX: 00451fd9
> RDX: 200015c0 RSI: 80044801 RDI: 0005
> RBP: 006e3c80 R08:  R09: 
> R10:  R11: 0246 R12: 006e3c8c
> R13: 7ffc64ba492f R14: 7f3144bd69c0 R15: 0002
>
> Allocated by task 5:
>   save_stack+0x1b/0x80 /mm/kasan/common.c:71
>   set_track /mm/kasan/common.c:79 [inline]
>   __kasan_kmalloc /mm/kasan/common.c:489 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 /mm/kasan/common.c:462
>   kmalloc /./include/linux/slab.h:547 [inline]
>   kzalloc /./include/linux/slab.h:742 [inline]
>   hid_allocate_device+0x3e/0x480 /drivers/hid/hid-core.c:2389
>   usbhid_probe+0x23e/0xfa0 /drivers/hid/usbhid/hid-core.c:1321
>   usb_probe_interface+0x305/0x7a0 /drivers/usb/core/driver.c:361
>   really_probe+0x281/0x660 /drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
>   __device_attach+0x217/0x360 /drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 /drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 /drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 /drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 /drivers/usb/core/driver.c:266
>   really_probe+0x281/0x660 /drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
>   __device_attach+0x217/0x360 /drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 /drivers/base/core.c:2111
>   usb_new_device.cold+0x6a4/0xe61 /drivers/usb/core/hub.c:2536
>   hub_port_connect /drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
>   port_event /drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1abd/0x3550 /drivers/usb/core/hub.c:5441
>   process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 /kernel/workqueue.c:2415
>   kthread+0x30b/0x410 /kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352
>
> Freed by task 1781:
>   save_stack+0x1b/0x80 /mm/kasan/common.c:71
>   set_track /mm/kasan/common.c:79 [inline]
>   __kasan_slab_free+0x130/0x180 /mm/kasan/common.c:451
>   slab_free_hook /mm/slub.c:1421 [inline]
>   slab_free_freelist_hook /mm/slub.c:1448 [inline]
>   slab_free /mm/slub.c:2994 [inline]
>   kfree+0xd7/0x280 /mm/slub.c:3949
>   device_release+0x71/0x200

Re: WARNING in usbhid_raw_request/usb_submit_urb

2019-08-21 Thread Andrey Konovalov
On Tue, Aug 13, 2019 at 10:13 PM Alan Stern  wrote:
>
> On Mon, 12 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > KASAN: invalid-free in hcd_buffer_free
>
> This bug report shows that Hillf's fix isn't exactly right.
>
> > usb 5-1: USB disconnect, device number 2
> > ==
> > BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260
> > drivers/usb/core/buffer.c:165
> >
> > CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
> >   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
> >   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
> >   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
> >   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
> >   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
>
> Here the double-free occurred when logi_dj_remove() called
> hid_hw_stop()...
>
> >   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
> >   __device_release_driver drivers/base/dd.c:1118 [inline]
> >   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
> >   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
> >   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
>
> which occurred inside usbhid_disconnect()'s call to
> hid_destroy_device().
>
> But just above the call to hid_destroy_device(), Hillf's patch adds a
> direct call to hid_hw_stop(), which is what did the original free.
>
> So it looks like the problem here is that some paths in the original
> unpatched code end up calling hid_hw_stop() by way of the hid_device's
> driver, and other paths do not.
>
> I haven't had time to track down this difference.  Maybe somebody
> on the mailing list already knows why it occurs.

Trying Alan's fix from another thread here:

#syz test: https://github.com/google/kasan.git 7f7867ff
Index: usb-devel/drivers/hid/hid-lg.c
===
--- usb-devel.orig/drivers/hid/hid-lg.c
+++ usb-devel/drivers/hid/hid-lg.c
@@ -818,7 +818,7 @@ static int lg_probe(struct hid_device *h
 
 		if (!buf) {
 			ret = -ENOMEM;
-			goto err_free;
+			goto err_stop;
 		}
 
 		ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
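Review bot: the `goto err_stop` at the `if (!buf)` site is only correct if hid_hw_start() has already succeeded by line 818 of lg_probe(); the hunk context does not show the start call, so please confirm that no other allocation or request failure between hid_hw_start() and this `buf` check still exits via `err_free`. Any such site would keep the transport running on a device whose driver data is about to be freed, which is exactly the condition behind the hidraw_ioctl use-after-free reports in this thread.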
@@ -850,9 +850,12 @@ static int lg_probe(struct hid_device *h
 		ret = lg4ff_init(hdev);
 
 	if (ret)
-		goto err_free;
+		goto err_stop;
 
 	return 0;
+
+err_stop:
+	hid_hw_stop(hdev);
 err_free:
 	kfree(drv_data);
 	return ret;
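Review bot: sending `if (ret) goto err_stop;` after `ret = lg4ff_init(hdev);` through the new `err_stop:` label assumes lg4ff_init() does not call hid_hw_stop() on its own failure path; the companion hid-lg4ff.c hunk only removes the call from lg4ff_deinit(), so a stop inside lg4ff_init()'s unwind would now become a double stop. Please check that function's error handling, and add a one-line comment above `err_stop:` stating that every failure after hid_hw_start() must exit through it, so the next contributor does not reintroduce a bare `goto err_free`.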
@@ -863,8 +866,7 @@ static void lg_remove(struct hid_device
 	struct lg_drv_data *drv_data = hid_get_drvdata(hdev);
 	if (drv_data->quirks & LG_FF4)
 		lg4ff_deinit(hdev);
-	else
-		hid_hw_stop(hdev);
+	hid_hw_stop(hdev);
 	kfree(drv_data);
 }
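Review bot: dropping the `else` makes hid_hw_stop() unconditional in lg_remove() and moves it after lg4ff_deinit() instead of folding it into that helper; that is the safer ordering, since any transport I/O lg4ff_deinit() issues now happens while the device is still started, but the commit message should say so explicitly rather than leaving it implicit in the diff. Note also that `drv_data` from hid_get_drvdata(hdev) is dereferenced without a NULL check; with the patched lg_probe() that is fine because success always leaves drvdata set, but it is worth stating that lg_remove() relies on that pairing.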
 
Index: usb-devel/drivers/hid/hid-lg4ff.c
===
--- usb-devel.orig/drivers/hid/hid-lg4ff.c
+++ usb-devel/drivers/hid/hid-lg4ff.c
@@ -1477,7 +1477,6 @@ int lg4ff_deinit(struct hid_device *hid)
 		}
 	}
 #endif
-	hid_hw_stop(hid);
 	drv_data->device_props = NULL;
 
 	kfree(entry);
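Review bot: removing `hid_hw_stop(hid);` from lg4ff_deinit() changes that function's contract (it no longer stops the transport), so every caller other than lg_remove() must now stop the device itself; the diff only shows the lg_remove() call site, so please confirm with a grep that there is no other caller, and consider a comment on lg4ff_deinit() recording the new contract, since the name no longer implies the stop.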


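The quoted analysis above comes down to one invariant: whichever side starts the transport must stop it, on every path, exactly once. A blanket hid_hw_stop() in usbhid_disconnect() repairs the driver that forgot to stop and double-stops the driver that did not. The C model below is an added example written for this page; it is not code from this thread, from hid-lg.c or from usbhid, and `struct fake_hid`, `struct fake_drv`, `fake_hw_start()`, `fake_hw_stop()`, `fake_lg4ff_init()`, `probe()`, `driver_remove()` and `run_sequence()` are hypothetical stand-ins that track only transport state. It runs the probe/remove/disconnect sequence with a failure injected at the two points the patch touches (the buffer allocation and lg4ff_init()), for the unpatched driver, the patched driver, and the unpatched driver plus a stop in disconnect, and reports whether the transport ends stopped exactly once.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct hid_device; only transport state is kept. */
struct fake_hid {
	int started;   /* 1 while the transport (usbhid) is running */
	int bad_stops; /* stops issued while already stopped */
};

struct fake_drv { int quirks; }; /* hypothetical stand-in for struct lg_drv_data */

enum fail_step { FAIL_NONE, FAIL_ALLOC, FAIL_INIT };
enum mode { DRIVER_UNPATCHED, DRIVER_PATCHED, STOP_IN_DISCONNECT };
enum outcome { BALANCED, LEAKED_START, DOUBLE_STOP };

static int fake_hw_start(struct fake_hid *h) { h->started = 1; return 0; }

static void fake_hw_stop(struct fake_hid *h)
{
	if (!h->started)
		h->bad_stops++; /* the double stop that shows up as a double free */
	h->started = 0;
}

/* Models lg4ff_init(): succeeds or fails as the caller requests. */
static int fake_lg4ff_init(enum fail_step fail)
{
	return fail == FAIL_INIT ? -EIO : 0;
}

/*
 * lg_probe() as modelled here. With stop_on_error == 0 (pre-patch shape)
 * every failure after the transport is started goes straight to err_free;
 * with stop_on_error == 1 (patched shape) it unwinds through a stop first.
 */
static int probe(struct fake_hid *h, struct fake_drv **out,
		 enum fail_step fail, int stop_on_error)
{
	struct fake_drv *d = calloc(1, sizeof(*d));
	int ret;

	if (!d)
		return -ENOMEM;
	ret = fake_hw_start(h);
	if (ret)
		goto err_free;          /* nothing started yet: no stop needed */
	if (fail == FAIL_ALLOC) {       /* models the kmalloc() of buf failing */
		ret = -ENOMEM;
		goto err_started;
	}
	ret = fake_lg4ff_init(fail);
	if (ret)
		goto err_started;
	*out = d;
	return 0;
err_started:
	if (stop_on_error)
		fake_hw_stop(h);        /* the err_stop: label in the patch */
err_free:
	free(d);
	return ret;
}

/* lg_remove() as patched: exactly one stop, independent of the FF4 quirk. */
static void driver_remove(struct fake_hid *h, struct fake_drv *d)
{
	fake_hw_stop(h);
	free(d);
}

/* One device lifetime: probe with a failure injected, then the unplug path
 * (driver remove only if probe succeeded, then the transport's disconnect). */
enum outcome run_sequence(enum mode m, enum fail_step fail)
{
	struct fake_hid h = { 0, 0 };
	struct fake_drv *d = NULL;
	int ret = probe(&h, &d, fail, m == DRIVER_PATCHED);

	if (ret == 0)
		driver_remove(&h, d);
	if (m == STOP_IN_DISCONNECT)
		fake_hw_stop(&h); /* blanket stop added to usbhid_disconnect() */
	if (h.bad_stops)
		return DOUBLE_STOP;
	return h.started ? LEAKED_START : BALANCED;
}

int main(void)
{
	static const char *name[] = { "balanced", "leaked start", "double stop" };
	int m, f;

	for (m = DRIVER_UNPATCHED; m <= STOP_IN_DISCONNECT; m++)
		for (f = FAIL_NONE; f <= FAIL_INIT; f++)
			printf("mode=%d fail=%d: %s\n", m, f,
			       name[run_sequence((enum mode)m, (enum fail_step)f)]);
	return 0;
}
```

Built with `cc -Wall` and run, it prints one line per mode/failure pair: the unpatched driver leaks the started transport on both failure paths, the patched driver is balanced on all three, and the disconnect-side stop trades the leak for a double stop on the success path, which is the double free the syzbot test run of that alternative reported.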

Re: KASAN: use-after-free Write in usb_anchor_resume_wakeups

2019-08-21 Thread Andrey Konovalov
On Tue, Jul 9, 2019 at 2:27 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:7829a896 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=160b9e93a0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f6d4561982f71f63
> dashboard link: https://syzkaller.appspot.com/bug?extid=6c355f8d5f11884fa38e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6c355f8d5f11884fa...@syzkaller.appspotmail.com
>
> dummy_hcd dummy_hcd.4: no ep configured for urb 01b02d23
> xpad 5-1:0.169: xpad_irq_out - usb_submit_urb failed with result -19
> ==
> BUG: KASAN: use-after-free in register_lock_class+0xeb7/0x1240
> kernel/locking/lockdep.c:1156
> Write of size 8 at addr 8881c7e89b78 by task kworker/0:4/2785
>
> CPU: 0 PID: 2785 Comm: kworker/0:4 Not tainted 5.2.0-rc6+ #13
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x67/0x231 mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
>   kasan_report+0xe/0x20 mm/kasan/common.c:614
>   register_lock_class+0xeb7/0x1240 kernel/locking/lockdep.c:1156
>   __lock_acquire+0x11d/0x5340 kernel/locking/lockdep.c:3674
>   lock_acquire+0x100/0x2b0 kernel/locking/lockdep.c:4303
>   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
>   _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
>   __wake_up_common_lock+0xb0/0x170 kernel/sched/wait.c:121
>   __usb_unanchor_urb drivers/usb/core/urb.c:154 [inline]
>   usb_anchor_resume_wakeups+0xbe/0xe0 drivers/usb/core/urb.c:148
>   __usb_hcd_giveback_urb+0x1fa/0x470 drivers/usb/core/hcd.c:1760
>   usb_hcd_giveback_urb+0x34a/0x400 drivers/usb/core/hcd.c:1823
>   dummy_timer+0x1022/0x2df4 drivers/usb/gadget/udc/dummy_hcd.c:1965
>   call_timer_fn+0x15e/0x5e0 kernel/time/timer.c:1322
>   expire_timers kernel/time/timer.c:1366 [inline]
>   __run_timers kernel/time/timer.c:1685 [inline]
>   __run_timers kernel/time/timer.c:1653 [inline]
>   run_timer_softirq+0x597/0x1410 kernel/time/timer.c:1698
>   __do_softirq+0x219/0x8b0 kernel/softirq.c:292
>   invoke_softirq kernel/softirq.c:373 [inline]
>   irq_exit+0x17c/0x1a0 kernel/softirq.c:413
>   exiting_irq arch/x86/include/asm/apic.h:536 [inline]
>   smp_apic_timer_interrupt+0xe2/0x480 arch/x86/kernel/apic/apic.c:1068
>   apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
>   
> RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> RIP: 0010:console_unlock+0x9db/0xbf0 kernel/printk/printk.c:2471
> Code: 00 89 ee 48 c7 c7 e0 eb f2 86 e8 50 a4 03 00 65 ff 0d 51 56 da 7e e9
> 11 fa ff ff e8 af 43 15 00 e8 ba 69 1a 00 ff 74 24 30 9d  31 fe ff ff
> e8 9b 43 15 00 48 8b bc 24 80 00 00 00 c7 05 d9 e6
> RSP: 0018:8881aeeff148 EFLAGS: 0216 ORIG_RAX: ff13
> RAX: 0007 RBX: 0200 RCX: 111035dc8a24
> RDX:  RSI: 8881aee45100 RDI: 8881aee45034
> RBP:  R08: 8881aee44800 R09: 
> R10:  R11:  R12: 004e
> R13: 828cb580 R14: 8726a520 R15: dc00
>   vprintk_emit+0x171/0x3e0 kernel/printk/printk.c:1986
>   vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
>   printk+0xba/0xed kernel/printk/printk.c:2046
>   really_probe.cold+0x69/0x122 drivers/base/dd.c:577
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [in

Re: KASAN: use-after-free Read in device_del

2019-08-19 Thread Andrey Konovalov
On Mon, Jun 3, 2019 at 1:41 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1684d87ca0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=193d8457178b3229
> dashboard link: https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+93f2f45b19519b289...@syzkaller.appspotmail.com
>
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2414
>   kthread+0x30b/0x410 kernel/kthread.c:254
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> hso 3-1:0.2: Failed to find BULK IN ep
> ==
> BUG: KASAN: use-after-free in __lock_acquire+0x3a5d/0x5340
> kernel/locking/lockdep.c:3664
> Read of size 8 at addr 8881d98a4d60 by task kworker/0:0/5
>
> CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc1+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x67/0x231 mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
>   kasan_report+0xe/0x20 mm/kasan/common.c:614
>   __lock_acquire+0x3a5d/0x5340 kernel/locking/lockdep.c:3664
>   lock_acquire+0x100/0x2b0 kernel/locking/lockdep.c:4302
>   __mutex_lock_common kernel/locking/mutex.c:925 [inline]
>   __mutex_lock+0xf9/0x12b0 kernel/locking/mutex.c:1072
>   device_lock include/linux/device.h:1207 [inline]
>   device_del+0xa2/0xb80 drivers/base/core.c:2240
>   device_unregister drivers/base/core.c:2306 [inline]
>   device_destroy+0x90/0xd0 drivers/base/core.c:2864
>   tty_unregister_device+0x7e/0x1a0 drivers/tty/tty_io.c:3189
>   hso_serial_tty_unregister drivers/net/usb/hso.c:2245 [inline]
>   hso_create_bulk_serial_device drivers/net/usb/hso.c:2682 [inline]
>   hso_probe.cold+0xc8/0x120 drivers/net/usb/hso.c:2948
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x1ada/0x3590 drivers/usb/core/hub.c:5432
>   process_one_work+0x905/0x1570 kernel/workqueue.c:2268
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2414
>   kthread+0x30b/0x410 kernel/kthread.c:254
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 3910:
>   save_stack+0x1b/0x80 mm/kasan/common.c:71
>   set_track mm/kasan/common.c:79 [inline]
>   __kasan_kmalloc mm/kasan/common.c:489 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
>   kmalloc include/linux/slab.h:547 [inline]
>   kzalloc include/linux/slab.h:742 [inline]
>   tty_register_device_attr+0x1b6/0x6f0 drivers/tty/tty_io.c:3128
>   hso_serial_common_create+0x113/0x710 drivers/net/usb/hso.c:2279
>   hso_create_bulk_serial_device drivers/net/usb/hso.c:2652 [inline]
>   hso_probe+0xc93/0x1a46 drivers/net/usb/hso.c:2948
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   ge

Re: BUG: unable to handle kernel paging request in osq_lock

2019-08-19 Thread Andrey Konovalov
On Thu, Apr 18, 2019 at 2:36 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:d34f9519 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1338d3e320
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c73d1bb5aeaeae20
> dashboard link: https://syzkaller.appspot.com/bug?extid=e5c9afc3e1eed1dfc2b0
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e5c9afc3e1eed1dfc...@syzkaller.appspotmail.com
>
> au0828: recv_control_msg() Failed receiving control message, error -71.
> au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
> usb 1-1: selecting invalid altsetting 5
> au0828: Failure setting usb interface0 to as5
> au0828: au0828_usb_probe() au0828_analog_register failed to register on V4L2
> BUG: unable to handle kernel paging request at fffc45040758
> #PF error: [normal kernel read fault]
> PGD 1167e067 P4D 1167e067 PUD 0
> Oops:  [#1] SMP KASAN PTI
> CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.1.0-rc5-319617-gd34f951 #4
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:decode_cpu kernel/locking/osq_lock.c:34 [inline]
> RIP: 0010:osq_lock+0xfd/0x5a0 kernel/locking/osq_lock.c:111
> Call Trace:
>   mutex_optimistic_spin kernel/locking/mutex.c:630 [inline]
>   __mutex_lock_common kernel/locking/mutex.c:928 [inline]
>   __mutex_lock+0x27d/0x12b0 kernel/locking/mutex.c:1072
>   au0828_usb_disconnect+0xa3/0x130 drivers/media/usb/au0828/au0828-core.c:194
>   au0828_usb_probe.cold+0x121/0x7d8
> drivers/media/usb/au0828/au0828-core.c:661
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x1398/0x3b00 drivers/usb/core/hub.c:5432
>   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   worker_thread+0x7b0/0xe20 kernel/workqueue.c:2417
>   kthread+0x313/0x420 kernel/kthread.c:253
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Modules linked in:
> CR2: fffc45040758
> ---[ end trace 41843cb8c360ab9e ]---

Re: WARNING in kmem_cache_alloc_trace

2019-08-19 Thread Andrey Konovalov
On Mon, Aug 19, 2019 at 6:18 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:d0847550 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16947fce60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=dbc9c80cc095da19
> dashboard link: https://syzkaller.appspot.com/bug?extid=0e7b6b6001ca8ed655f6
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1141c5ba60
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11ed91d260
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0e7b6b6001ca8ed65...@syzkaller.appspotmail.com
>
> [ cut here ]
> do not call blocking ops when !TASK_RUNNING; state=1 set at
> [<0453b57c>] prepare_to_wait+0xb1/0x2b0 kernel/sched/wait.c:230
> WARNING: CPU: 0 PID: 1720 at kernel/sched/core.c:6551
> __might_sleep+0x135/0x190 kernel/sched/core.c:6551
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 1720 Comm: syz-executor552 Not tainted 5.3.0-rc4+ #26
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x2a3/0x6da kernel/panic.c:219
>   __warn.cold+0x20/0x4a kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
> RIP: 0010:__might_sleep+0x135/0x190 kernel/sched/core.c:6551
>   slab_pre_alloc_hook mm/slab.h:501 [inline]
>   slab_alloc_node mm/slub.c:2690 [inline]
>   slab_alloc mm/slub.c:2778 [inline]
>   kmem_cache_alloc_trace+0x233/0x2f0 mm/slub.c:2795
>   kmalloc include/linux/slab.h:552 [inline]
>   dummy_urb_enqueue+0x7c/0x890 drivers/usb/gadget/udc/dummy_hcd.c:1249
>   usb_hcd_submit_urb+0x2aa/0x1ee0 drivers/usb/core/hcd.c:1555
>   usb_submit_urb+0x6e5/0x13b0 drivers/usb/core/urb.c:569
>   yurex_write+0x3b2/0x710 drivers/usb/misc/yurex.c:491
>   __vfs_write+0x76/0x100 fs/read_write.c:494
>   vfs_write+0x262/0x5c0 fs/read_write.c:558
>   ksys_write+0x127/0x250 fs/read_write.c:611
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Looks like an issue in the yurex driver, despite a generic report title.


Re: divide error in usbtmc_generic_read

2019-08-19 Thread Andrey Konovalov
On Mon, Aug 19, 2019 at 3:49 PM Oliver Neukum  wrote:
>
> Am Montag, den 19.08.2019, 15:18 +0200 schrieb Andrey Konovalov:
> > On Mon, Aug 19, 2019 at 3:09 PM Oliver Neukum  wrote:
> > >
> > > Am Montag, den 19.08.2019, 14:43 +0200 schrieb Andrey Konovalov:
> > > > On Mon, Aug 19, 2019 at 2:37 PM Oliver Neukum  wrote:
> > > > > The original error was a divide by zero. The first fix fixed that
> > > > > but still another error showed up. If I propose a fix there are
> > > > > other possibilities besides it working.
> > > > >
> > > > > I could have no effect on the original bug or my fix breaks
> > > > > something else and KASAN is making no difference between
> > > > > those cases.
> > > >
> > > > I think you mean syzbot here and not KASAN. Do I understand correctly
> > > > that you're saying that the original report was
> > >
> > > Yes, sorry syzbot.
> > >
> > > > divide-by-zero, but
> > > > when you requested to test the patch the reproducer triggered a
> > > > use-after-free, and syzbot didn't treat the patch you provided as a
> > > > correct fix?
> > >
> > > No, obviously there is still a bug. What I would like syzbot to have
> > > would be a third category: inconclusive.
> > > Seeing another bug instead may also mean the first bug struck
> > > before the second could ever happen. We just lack data to tell.
> >
> > OK, I see. The exact words that syzbot uses in this case are "syzbot
> > has tested the proposed patch but the reproducer still triggered
> > crash". What would you like to see instead?
> >
>
> "syzbot has tested the proposed patch but the reproducer triggered
> another crash" would make it clearer.

This implies that we can differentiate between different crashes. We
can differentiate between different manifestations of crashes, but
those can be caused by the same bug. I think we can remove the word
"still" though, so the words will be: "syzbot has tested the proposed
patch, but the reproducer triggered a crash".

Dmitry, WDYT?


Re: divide error in usbtmc_generic_read

2019-08-19 Thread Andrey Konovalov
On Mon, Aug 19, 2019 at 3:09 PM Oliver Neukum  wrote:
>
> Am Montag, den 19.08.2019, 14:43 +0200 schrieb Andrey Konovalov:
> > On Mon, Aug 19, 2019 at 2:37 PM Oliver Neukum  wrote:
>
> > > The original error was a divide by zero. The first fix fixed that
> > > but still another error showed up. If I propose a fix there are
> > > other possibilities besides it working.
> > >
> > > I could have no effect on the original bug or my fix breaks
> > > something else and KASAN is making no difference between
> > > those cases.
> >
> > I think you mean syzbot here and not KASAN. Do I understand correctly
> > that you're saying that the original report was
>
> Yes, sorry syzbot.
>
> > divide-by-zero, but
> > when you requested to test the patch the reproducer triggered a
> > use-after-free, and syzbot didn't treat the patch you provided as a
> > correct fix?
>
> No, obviously there is still a bug. What I would like syzbot to have
> would be a third category: inconclusive.
> Seeing another bug instead may also mean the first bug struck
> before the second could ever happen. We just lack data to tell.

OK, I see. The exact words that syzbot uses in this case are "syzbot
has tested the proposed patch but the reproducer still triggered
crash". What would you like to see instead?


Re: divide error in usbtmc_generic_read

2019-08-19 Thread Andrey Konovalov
On Mon, Aug 19, 2019 at 2:37 PM Oliver Neukum  wrote:
>
> Am Montag, den 19.08.2019, 14:17 +0200 schrieb Andrey Konovalov:
> > On Thu, Aug 15, 2019 at 3:31 PM Oliver Neukum  wrote:
> > >
> > > Am Mittwoch, den 14.08.2019, 06:38 -0700 schrieb syzbot:
> > > > syzbot has tested the proposed patch but the reproducer still triggered
> > > > crash:
> > > > KASAN: use-after-free Read in usbtmc_disconnect
> > >
> > > I am afraid that is a deficiency in KASAN that should be fixed.
> > > Is the class of the error compared if I leave in more of the
> > > original bug report? Actually the ID is still there, so it really
> > > should return an inconclusive in these cases.
> >
> > I don't get this, what kind of deficiency do you mean?
>
> The original error was a divide by zero. The first fix fixed that
> but still another error showed up. If I propose a fix there are
> other possibilities besides it working.
>
> I could have no effect on the original bug or my fix breaks
> something else and KASAN is making no difference between
> those cases.

I think you mean syzbot here and not KASAN. Do I understand correctly
that you're saying that the original report was divide-by-zero, but
when you requested to test the patch the reproducer triggered a
use-after-free, and syzbot didn't treat the patch you provided as a
correct fix? In this case this is working as intended, as a bug
(especially some race) can manifest in different ways, so the kernel
might crash with a different stack trace.


Re: divide error in usbtmc_generic_read

2019-08-19 Thread Andrey Konovalov
On Thu, Aug 15, 2019 at 3:31 PM Oliver Neukum  wrote:
>
> Am Mittwoch, den 14.08.2019, 06:38 -0700 schrieb syzbot:
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > KASAN: use-after-free Read in usbtmc_disconnect
>
> I am afraid that is a deficiency in KASAN that should be fixed.
> Is the class of the error compared if I leave in more of the
> original bug report? Actually the ID is still there, so it really
> should return an inconclusive in these cases.

I don't get this, what kind of deficiency do you mean?

Anyway, it looks like I was wrong: the reported use-after-free is caused
by an incomplete fix, and setting the right retcode fixes the
use-after-free.
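The thread does not show the exact usbtmc_probe() defect, so the following is an added model (not the driver's code) of the failure shape implied above: a probe() error path drops its last reference, as the kref_put in the "Freed by" trace does, but still returns 0, so the USB core later calls disconnect() on freed private data. The error code -ENODEV and the helper names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the usbtmc driver's code. */
#define UAF_DETECTED (-9999)  /* returned by this model where KASAN would report */

struct dev_priv {
    int refs;
    int freed;   /* set instead of really freeing, so the hazard is observable */
};

struct usb_iface {
    struct dev_priv *drvdata;
};

static void priv_put(struct dev_priv *p)
{
    if (--p->refs == 0)
        p->freed = 1;
}

/* Stand-in for the setup step that fails on a malformed device. */
static int setup_step(void)
{
    return -ENODEV;   /* assumed failure code */
}

/* Buggy shape: retcode is never updated on the failing branch. */
static int probe_wrong_retcode(struct usb_iface *iface)
{
    int retcode = 0;
    struct dev_priv *p = calloc(1, sizeof(*p));

    if (!p)
        return -ENOMEM;
    p->refs = 1;
    iface->drvdata = p;

    if (setup_step() < 0)
        goto err_put;           /* BUG: retcode still 0 */
    return 0;

err_put:
    priv_put(p);                /* last reference: p is gone */
    return retcode;             /* ...yet the core sees "bound" */
}

/* Fixed shape: the error is propagated, so the core never binds. */
static int probe_fixed(struct usb_iface *iface)
{
    int retcode;
    struct dev_priv *p = calloc(1, sizeof(*p));

    if (!p)
        return -ENOMEM;
    p->refs = 1;
    iface->drvdata = p;

    retcode = setup_step();
    if (retcode < 0)
        goto err_put;
    return 0;

err_put:
    priv_put(p);
    return retcode;
}

/* disconnect() takes the device mutex inside drvdata, as usbtmc_disconnect does. */
static int disconnect(struct usb_iface *iface)
{
    struct dev_priv *p = iface->drvdata;

    if (p->freed)
        return UAF_DETECTED;    /* real kernel: KASAN use-after-free in __mutex_lock */
    priv_put(p);
    return 0;
}

/* Simplified USB core: disconnect() is only called for interfaces whose
 * probe() returned 0. Returns the result the sequence ends with. */
static int bind_then_unbind(int (*probe)(struct usb_iface *))
{
    struct usb_iface iface = { 0 };
    int ret = probe(&iface);

    if (ret == 0)
        ret = disconnect(&iface);   /* device unplugged later */
    free(iface.drvdata);
    return ret;
}

int main(void)
{
    printf("wrong retcode: %d (UAF_DETECTED=%d)\n",
           bind_then_unbind(probe_wrong_retcode), UAF_DETECTED);
    printf("fixed        : %d (-ENODEV=%d)\n",
           bind_then_unbind(probe_fixed), -ENODEV);
    return 0;
}
```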


Re: divide error in usbtmc_generic_read

2019-08-14 Thread Andrey Konovalov
On Wed, Aug 14, 2019 at 3:38 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: use-after-free Read in usbtmc_disconnect

Looks like a different bug in the same driver that gets triggered by
the same reproducer =)

Your fix looks good to me.

>
> usb 5-1: USB disconnect, device number 2
> ==
> BUG: KASAN: use-after-free in __mutex_lock_common
> kernel/locking/mutex.c:912 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0xf23/0x1360
> kernel/locking/mutex.c:1077
> Read of size 8 at addr 8881d63299c8 by task kworker/1:0/17
>
> CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.3.0-rc4+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   __mutex_lock_common kernel/locking/mutex.c:912 [inline]
>   __mutex_lock+0xf23/0x1360 kernel/locking/mutex.c:1077
>   usbtmc_disconnect+0x58/0x180 drivers/usb/class/usbtmc.c:2443
>   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
>   __device_release_driver drivers/base/dd.c:1134 [inline]
>   device_release_driver_internal+0x42f/0x500 drivers/base/dd.c:1165
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2339
>   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
>   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 1737:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:552 [inline]
>   kzalloc include/linux/slab.h:748 [inline]
>   usbtmc_probe+0xad/0x1360 drivers/usb/class/usbtmc.c:2328
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x6d0 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
>   bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:894
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2165
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x6d0 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
>   bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:894
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2165
>   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 1737:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1474 [inline]
>   slab_free mm/slub.c:3016 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3957
>   kref_put include/linux/kref.h:65 [inline]
>   usbtmc_probe+0x55c/0x1360 drivers/usb/class/usbtmc.c:2433
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x6d0 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
>   bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:894
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x

Re: KASAN: global-out-of-bounds Read in dvb_pll_attach

2019-08-14 Thread Andrey Konovalov
On Tue, Aug 13, 2019 at 10:51 PM Sean Young  wrote:
>
> On Tue, Aug 13, 2019 at 03:22:49PM +0200, Andrey Konovalov wrote:
> > On Wed, Jul 17, 2019 at 2:29 PM syzbot
> >  wrote:
> > >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch and the reproducer did not trigger
> > > crash:
> > >
> > > Reported-and-tested-by:
> > > syzbot+8a8f48672560c8ca5...@syzkaller.appspotmail.com
> > >
> > > Tested on:
> > >
> > > commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=d90745bdf884fc0a
> > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > patch:  
> > > https://syzkaller.appspot.com/x/patch.diff?x=1454f4d060
> > >
> > > Note: testing is done by a robot and is best-effort only.
> >
> > Hi bnvandana,
> >
> > Could you submit this patch? Syzbot testing shows that it fixes the issue.
>
> The patch had issues (see discussion in the thread). I created this patch
> but I see now I did not include the correct Reported-by: tag.
>
> https://www.mail-archive.com/linux-media@vger.kernel.org/msg148889.html

No problem, we can mark the fix manually:

#syz fix: media: dvb-frontends: use ida for pll number

Thanks!


Re: KMSAN: uninit-value in smsc75xx_bind

2019-08-13 Thread Andrey Konovalov
On Tue, Aug 13, 2019 at 2:43 PM Oliver Neukum  wrote:
>
> Am Freitag, den 09.08.2019, 01:48 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:beaab8a3 fix KASAN build
> > git tree:   kmsan
>
> [..]
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x191/0x1f0 lib/dump_stack.c:113
> >   kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
> >   __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
> >   smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:976 [inline]
> >   smsc75xx_bind+0x541/0x12d0 drivers/net/usb/smsc75xx.c:1483
>
> >
> > Local variable description: buf.i93@smsc75xx_bind
> > Variable was created at:
> >   __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
> >   smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:969 [inline]
> >   smsc75xx_bind+0x44c/0x12d0 drivers/net/usb/smsc75xx.c:1483
> >   usbnet_probe+0x10d3/0x3950 drivers/net/usb/usbnet.c:1722
>
> Hi,
>
> this looks like a false positive to me.
> The offending code is likely this:
>
>         if (size) {
>                 buf = kmalloc(size, GFP_KERNEL);
>                 if (!buf)
>                         goto out;
>         }
>
>         err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>                               cmd, reqtype, value, index, buf, size,
>                               USB_CTRL_GET_TIMEOUT);
>
> which uses 'buf' uninitialized. But it is used for input.
> What is happening here?

AFAICS, the uninitialized use of buf that KMSAN points out is in the
"if (buf & PMT_CTL_DEV_RDY)"  statement in smsc75xx_wait_ready(). Does
__smsc75xx_read_reg/usb_control_msg() always initialize buf? Can it
just initialize the first few bytes for example?
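As an added example (not code from the thread or from the smsc75xx driver), the following models the question above: a control transfer that delivers fewer bytes than the register is wide leaves the rest of the buffer as whatever was there before, and a length check on the usb_control_msg() return value is what stops the caller consuming it. The stand-in transfer function, the poison byte and the PMT_CTL_DEV_RDY value are assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from the smsc75xx driver. */
#define PMT_CTL_DEV_RDY 0x00000001u   /* bit value assumed for this example */
#define BUF_POISON      0xAAu         /* marks bytes the "device" never wrote */
#define REG_LEN         4

/* Stand-in for usb_control_msg(): copies `delivered` bytes of a fixed
 * register image into buf and returns that count, or a negative errno.
 * The caller drives `delivered` to model a short or failed transfer. */
static int fake_control_msg(uint8_t *buf, int size, int delivered)
{
    static const uint8_t dev_reg[REG_LEN] = { 0x01, 0x00, 0x00, 0x00 };

    if (delivered < 0)
        return delivered;                 /* e.g. -EPIPE, -EPROTO */
    if (delivered > size)
        delivered = size;
    memcpy(buf, dev_reg, (size_t)delivered);
    return delivered;
}

/* Assemble the little-endian register image, as le32_to_cpu() would. */
static uint32_t le32_from(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* The pattern quoted above: allocate, read, consume. Poison stands in for
 * uninitialized heap so the effect is observable rather than undefined. */
static int read_reg_unchecked(uint32_t *out, int delivered)
{
    uint8_t buf[REG_LEN];
    int ret;

    memset(buf, BUF_POISON, sizeof(buf));
    ret = fake_control_msg(buf, sizeof(buf), delivered);
    if (ret < 0)
        return ret;
    *out = le32_from(buf);                /* may include poisoned bytes */
    return 0;
}

/* Hardened variant: a transfer shorter than the register is an error. */
static int read_reg_checked(uint32_t *out, int delivered)
{
    uint8_t buf[REG_LEN];
    int ret;

    memset(buf, BUF_POISON, sizeof(buf));
    ret = fake_control_msg(buf, sizeof(buf), delivered);
    if (ret < 0)
        return ret;
    if (ret != REG_LEN)
        return -EIO;
    *out = le32_from(buf);
    return 0;
}

/* smsc75xx_wait_ready()-style decision: 1 ready, 0 not ready, <0 error. */
static int wait_ready_unchecked(int delivered)
{
    uint32_t v;
    int ret = read_reg_unchecked(&v, delivered);

    return ret < 0 ? ret : (int)(v & PMT_CTL_DEV_RDY);
}

static int wait_ready_checked(int delivered)
{
    uint32_t v;
    int ret = read_reg_checked(&v, delivered);

    return ret < 0 ? ret : (int)(v & PMT_CTL_DEV_RDY);
}

/* Raw value the unchecked reader hands to its caller, for inspection. */
static uint32_t reg_value_unchecked(int delivered)
{
    uint32_t v = 0;

    (void)read_reg_unchecked(&v, delivered);
    return v;
}

int main(void)
{
    printf("full read, checked  : ready=%d\n", wait_ready_checked(REG_LEN));
    printf("1-byte read, unchecked value: 0x%08x\n", reg_value_unchecked(1));
    printf("1-byte read, checked: %d (-EIO is %d)\n", wait_ready_checked(1), -EIO);
    return 0;
}
```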


Re: KASAN: use-after-free Read in v4l2_ioctl

2019-08-13 Thread Andrey Konovalov
On Tue, Aug 13, 2019 at 2:28 PM Andrey Konovalov  wrote:
>
> On Sun, Apr 14, 2019 at 10:06 PM syzbot
>  wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=137d8a2d20
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > dashboard link: https://syzkaller.appspot.com/bug?extid=d587871cd33a9bc7c086
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13e878f320
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=102432e320
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+d587871cd33a9bc7c...@syzkaller.appspotmail.com
> >
> > usb 6-1: USB disconnect, device number 19
> > radio-raremono 6-1:0.210: Thanko's Raremono disconnected
> > radio-si470x 2-1:0.210: could not find interrupt in endpoint
> > radio-si470x 3-1:0.210: could not find interrupt in endpoint
> > ==
> > BUG: KASAN: use-after-free in v4l2_ioctl+0x187/0x1a0
> > drivers/media/v4l2-core/v4l2-dev.c:362
> > Read of size 8 at addr 88809b3645e0 by task v4l_id/5799
> > radio-si470x 4-1:0.210: could not find interrupt in endpoint
> >
> > CPU: 0 PID: 5799 Comm: v4l_id Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> > radio-si470x: probe of 4-1:0.210 failed with error -5
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   print_address_description+0x6c/0x236 mm/kasan/report.c:187
> > radio-si470x: probe of 2-1:0.210 failed with error -5
> >   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
> >   v4l2_ioctl+0x187/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:362
> >   vfs_ioctl fs/ioctl.c:46 [inline]
>
> #syz fix: media: radio-raremono: change devm_k*alloc to k*alloc

#syz dup: KASAN: use-after-free Read in v4l2_release

>
> >   file_ioctl fs/ioctl.c:509 [inline]
> >   do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
> > usb 5-1: new high-speed USB device number 19 using dummy_hcd
> > radio-si470x: probe of 3-1:0.210 failed with error -5
> >   ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
> >   __do_sys_ioctl fs/ioctl.c:720 [inline]
> >   __se_sys_ioctl fs/ioctl.c:718 [inline]
> >   __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
> >   do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x7f435c835347
> > Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
> > ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
> > ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
> > radio-raremono 2-1:0.210: Thanko's Raremono connected: (10C4:818A)
> >
> > Allocated by task 12:
> >   set_track mm/kasan/common.c:87 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:497 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
> >   slab_post_alloc_hook mm/slab.h:437 [inline]
> >   slab_alloc_node mm/slub.c:2756 [inline]
> >   __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
> >   alloc_dr drivers/base/devres.c:103 [inline]
> >   devm_kmalloc+0x8c/0x190 drivers/base/devres.c:793
> >   devm_kzalloc include/linux/device.h:679 [inline]
> >   usb_raremono_probe+0x34/0x235 drivers/media/radio/radio-raremono.c:298
> > radio-raremono 3-1:0.210: Thanko's Raremono connected: (10C4:818A)
> >   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
> >   really_probe+0x2da/0xb10 drivers/base/dd.c:509
> > radio-raremono 4-1:0.210: Thanko's Raremono connected: (10C4:818A)
> >   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
> >   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
> >   bus_for_each_drv+0x163/0x1e0 drivers/base/bu

Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-13 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 3:44 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 7, 2019 at 3:44 PM Andrey Konovalov  wrote:
> >
> > On Wed, Aug 7, 2019 at 3:38 PM Oliver Neukum  wrote:
> > >
> > > Am Dienstag, den 06.08.2019, 14:50 +0200 schrieb Andrey Konovalov:
> > > > On Tue, Aug 6, 2019 at 2:36 PM Oliver Neukum  wrote:
> > > > >
> > > > > Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> > > > > >
> > > > > > I think this must be caused by an unbalanced refcount.  That is,
> > > > > > something must drop one more reference to the device than it takes.
> > > > > > That would explain why the invalid access occurs inside a single
> > > > > > bus_remove_device() call, between the klist_del() and
> > > > > > device_release_driver().
> > > > > >
> > > > > > The kernel log indicates that the device was probed by rndis_wlan,
> > > > > > rndis_host, and cdc_acm, all of which got errors because of the
> > > > > > device's bogus descriptors.  Probably one of them is messing up the
> > > > > > refcount.
> > > > >
> > > > > Hi,
> > > > >
> > > > > you made me look at cdc-acm. I suspect
> > > > >
> > > > > cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement 
> > > > > tty port's refcount if probe() fail")
> > > > >
> > > > > is buggy decrementing the refcount on the interface in destroy()
> > > > > even before the refcount is increased.
> > > > >
> > > > > Unfortunately I cannot tell from the bug report how many and which
> > > > > interfaces the emulated test device has. Hence it is unclear to me,
> > > > > when exactly probe() would fail cdc-acm.
> > > > >
> > > > > If you agree, I am attaching a putative fix.
> > > >
> > > > Let's see if it fixes the issue.
> > > >
> > > > #syz fix: https://github.com/google/kasan.git 6a3599ce
> > >
> > > Hi,
> > >
> > > did this ever produce a result? I saw none.
> >
> > Hm, that's weird, maybe that's caused by putting the bot into CC. Let
> > me try that again.
> >
> > #syz fix: https://github.com/google/kasan.git 6a3599ce

Let's fix the wrong title displayed on dashboard:

#syz fix: usb: cdc-acm: make sure a refcount is taken early enough

>
> Oh, wait, it should be syz test =)
>
> #syz test: https://github.com/google/kasan.git 6a3599ce
>
> >
> > >
> > > Regards
> > > Oliver


Re: KASAN: out-of-bounds Read in hidraw_ioctl

2019-08-13 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 8:18 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=126120e260
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=f817d84b72194c4a5fe2
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+f817d84b72194c4a5...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: out-of-bounds in hidraw_ioctl+0x609/0xae0
> drivers/hid/hidraw.c:380
> Read of size 4 at addr 8881cb9fc018 by task syz-executor.1/3309
>
> CPU: 1 PID: 3309 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   hidraw_ioctl+0x609/0xae0 drivers/hid/hidraw.c:380
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f877bde2c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 20001300 RSI: 80044801 RDI: 0004
> RBP: 0075c118 R08:  R09: 
> R10:  R11: 0246 R12: 7f877bde36d4
> R13: 004c2206 R14: 004d5610 R15: 
>
> Allocated by task 2751:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   slab_post_alloc_hook mm/slab.h:520 [inline]
>   slab_alloc_node mm/slub.c:2766 [inline]
>   __kmalloc_node_track_caller+0xd0/0x230 mm/slub.c:4361
>   __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:141
>   __alloc_skb+0xef/0x5a0 net/core/skbuff.c:209
>   alloc_skb include/linux/skbuff.h:1055 [inline]
>   alloc_uevent_skb+0x7b/0x210 lib/kobject_uevent.c:289
>   uevent_net_broadcast_untagged lib/kobject_uevent.c:325 [inline]
>   kobject_uevent_net_broadcast lib/kobject_uevent.c:408 [inline]
>   kobject_uevent_env+0x8ee/0x1160 lib/kobject_uevent.c:592
>   device_del+0x6b2/0xb10 drivers/base/core.c:2298
>   usb_disconnect+0x4c3/0x8d0 drivers/usb/core/hub.c:2225
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 238:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   skb_free_head+0x8b/0xa0 net/core/skbuff.c:591
>   skb_release_data+0x41f/0x7c0 net/core/skbuff.c:611
>   skb_release_all+0x46/0x60 net/core/skbuff.c:665
>   __kfree_skb net/core/skbuff.c:679 [inline]
>   consume_skb net/core/skbuff.c:838 [inline]
>   consume_skb+0xd9/0x320 net/core/skbuff.c:832
>   skb_free_datagram+0x16/0xf0 net/core/datagram.c:328
>   netlink_recvmsg+0x65e/0xee0 net/netlink/af_netlink.c:1996
>   sock_recvmsg_nosec net/socket.c:871 [inline]
>   sock_recvmsg net/socket.c:889 [inline]
>   sock_recvmsg+0xca/0x110 net/socket.c:885
>   ___sys_recvmsg+0x271/0x5a0 net/socket.c:2480
>   __sys_recvmsg+0xe9/0x1b0 net/socket.c:2537
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at 8881cb9fc000
>   

Re: KASAN: user-memory-access Read in hidraw_ioctl

2019-08-13 Thread Andrey Konovalov
On Tue, Jul 30, 2019 at 2:28 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=13c21ab460
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> dashboard link: https://syzkaller.appspot.com/bug?extid=5a8c44432a51154ff6d5
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5a8c44432a51154ff...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: user-memory-access in _copy_to_user+0x124/0x150
> lib/usercopy.c:27
> Read of size 148 at addr 1000 by task syz-executor.2/19576
>
> CPU: 1 PID: 19576 Comm: syz-executor.2 Not tainted 5.3.0-rc2+ #23
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   __kasan_report.cold+0x5/0x33 mm/kasan/report.c:486
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   check_memory_region_inline mm/kasan/generic.c:185 [inline]
>   check_memory_region+0x128/0x190 mm/kasan/generic.c:192
>   _copy_to_user+0x124/0x150 lib/usercopy.c:27
>   copy_to_user include/linux/uaccess.h:152 [inline]
>   hidraw_ioctl+0x39c/0xae0 drivers/hid/hidraw.c:392
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f6587cfbc78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 20005640 RSI: 90044802 RDI: 0004
> RBP: 0075c070 R08:  R09: 
> R10:  R11: 0246 R12: 7f6587cfc6d4
> R13: 004c21db R14: 004d5540 R15: 
> ==

#syz dup: BUG: bad usercopy in hidraw_ioctl

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


Re: [EXT] INFO: trying to register non-static key in del_timer_sync (2)

2019-08-13 Thread Andrey Konovalov
On Wed, Jun 12, 2019 at 6:03 PM Ganapathi Bhat  wrote:
>
> Hi Dmitry,
>
> We have a patch to fix this: https://patchwork.kernel.org/patch/10990275/

Hi Ganapathi,

Has this patch been accepted anywhere? This bug is still open on syzbot.

Thanks!


Re: KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb

2019-08-13 Thread Andrey Konovalov
On Thu, Jun 20, 2019 at 9:46 PM Alan Stern  wrote:
>
> On Wed, 19 Jun 2019, syzbot wrote:
>
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit:9939f56e usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=135e29faa0
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=df134eda130bb43a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6d237e74cdc13f036473
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=175d946ea0
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+6d237e74cdc13f036...@syzkaller.appspotmail.com
> >
> > usb 3-1: Direct firmware load for isl3887usb failed with error -2
> > usb 3-1: Firmware not found.
> > ==
> > BUG: KASAN: slab-out-of-bounds in p54u_load_firmware_cb.cold+0x97/0x13d
> > drivers/net/wireless/intersil/p54/p54usb.c:936
> > Read of size 8 at addr 8881c9cf7588 by task kworker/1:5/2759
> >
> > CPU: 1 PID: 2759 Comm: kworker/1:5 Not tainted 5.2.0-rc5+ #11
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: events request_firmware_work_func
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x67/0x231 mm/kasan/report.c:188
> >   __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
> >   kasan_report+0xe/0x20 mm/kasan/common.c:614
> >   p54u_load_firmware_cb.cold+0x97/0x13d
> > drivers/net/wireless/intersil/p54/p54usb.c:936
> >   request_firmware_work_func+0x126/0x242
> > drivers/base/firmware_loader/main.c:785
> >   process_one_work+0x905/0x1570 kernel/workqueue.c:2269
> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >   kthread+0x30b/0x410 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 1612:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:71
> >   set_track mm/kasan/common.c:79 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:489 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
> >   kmalloc include/linux/slab.h:547 [inline]
> >   syslog_print kernel/printk/printk.c:1346 [inline]
> >   do_syslog kernel/printk/printk.c:1519 [inline]
> >   do_syslog+0x4f4/0x12e0 kernel/printk/printk.c:1493
> >   kmsg_read+0x8a/0xb0 fs/proc/kmsg.c:40
> >   proc_reg_read+0x1c1/0x280 fs/proc/inode.c:221
> >   __vfs_read+0x76/0x100 fs/read_write.c:425
> >   vfs_read+0x18e/0x3d0 fs/read_write.c:461
> >   ksys_read+0x127/0x250 fs/read_write.c:587
> >   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > Freed by task 1612:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:71
> >   set_track mm/kasan/common.c:79 [inline]
> >   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
> >   slab_free_hook mm/slub.c:1421 [inline]
> >   slab_free_freelist_hook mm/slub.c:1448 [inline]
> >   slab_free mm/slub.c:2994 [inline]
> >   kfree+0xd7/0x280 mm/slub.c:3949
> >   syslog_print kernel/printk/printk.c:1405 [inline]
> >   do_syslog kernel/printk/printk.c:1519 [inline]
> >   do_syslog+0xff3/0x12e0 kernel/printk/printk.c:1493
> >   kmsg_read+0x8a/0xb0 fs/proc/kmsg.c:40
> >   proc_reg_read+0x1c1/0x280 fs/proc/inode.c:221
> >   __vfs_read+0x76/0x100 fs/read_write.c:425
> >   vfs_read+0x18e/0x3d0 fs/read_write.c:461
> >   ksys_read+0x127/0x250 fs/read_write.c:587
> >   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > The buggy address belongs to the object at 8881c9cf7180
> >   which belongs to the cache kmalloc-1k of size 1024
> > The buggy address is located 8 bytes to the right of
> >   1024-byte region [8881c9cf7180, 8881c9cf7580)
> > The buggy address belongs to the page:
> > page:ea0007273d00 refcount:1 mapcount:0 mapping:8881dac02a00
> > index:0x0 compound_mapcount: 0
> > flags: 0x2010200(slab|head)
> > raw: 02010200 dead0100 dead0200 8881dac02a00
> > raw:  000e000e 0001 
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >   8881c9cf7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >   8881c9cf7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > 8881c9cf7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >^
> >   8881c9cf7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >   8881c9cf7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==
>
> Isn't this the same as syzkaller bug 200d4bb11b23d929335f ?  Doesn't

Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-13 Thread Andrey Konovalov
On Tue, Aug 13, 2019 at 3:22 PM Oliver Neukum  wrote:
>
> Am Dienstag, den 13.08.2019, 14:42 +0200 schrieb Andrey Konovalov:
> > >
>
>
> [..]
>
> > On Thu, Aug 8, 2019 at 4:00 PM Alan Stern  wrote:
> > > Ah, that looks right, thank you.  The patch worked correctly -- good
> > > work Oliver!
> >
> > Great! Just a reminder to submit the fix :)
>
> I did last week:
> https://patchwork.kernel.org/patch/11084261/

Ah, perfect, thank you! Apparently I've missed it.


Re: KASAN: global-out-of-bounds Read in dvb_pll_attach

2019-08-13 Thread Andrey Konovalov
On Wed, Jul 17, 2019 at 2:29 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+8a8f48672560c8ca5...@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d90745bdf884fc0a
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> patch:  https://syzkaller.appspot.com/x/patch.diff?x=1454f4d060
>
> Note: testing is done by a robot and is best-effort only.

Hi bnvandana,

Could you submit this patch? Syzbot testing shows that it fixes the issue.

Thanks!


Re: general protection fault in cdev_del

2019-08-13 Thread Andrey Konovalov
On Tue, Aug 13, 2019 at 3:16 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: use-after-free Read in hso_free_interface
>
> ==
> BUG: KASAN: use-after-free in hso_free_interface+0x3f2/0x4f0
> drivers/net/usb/hso.c:3108
> Read of size 8 at addr 8881d112d998 by task kworker/0:1/12
>
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc1+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x67/0x231 mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
>   kasan_report+0xe/0x20 mm/kasan/common.c:614
>   hso_free_interface+0x3f2/0x4f0 drivers/net/usb/hso.c:3108
>   hso_probe+0x362/0x1a50 drivers/net/usb/hso.c:2963
>   usb_probe_interface+0x30b/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x287/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
>   bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x1700 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0xa2/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x287/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
>   bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x1700 drivers/base/core.c:2111
>   usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x1adc/0x35a0 drivers/usb/core/hub.c:5432
>   process_one_work+0x90a/0x1580 kernel/workqueue.c:2268
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2414
>   kthread+0x30e/0x420 kernel/kthread.c:254
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
>
> Allocated by task 12:
>   save_stack+0x1b/0x80 mm/kasan/common.c:71
>   set_track mm/kasan/common.c:79 [inline]
>   __kasan_kmalloc mm/kasan/common.c:489 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
>   kmalloc include/linux/slab.h:547 [inline]
>   kzalloc include/linux/slab.h:742 [inline]
>   hso_create_device+0x43/0x390 drivers/net/usb/hso.c:2336
>   hso_create_bulk_serial_device drivers/net/usb/hso.c:2617 [inline]
>   hso_probe+0xbb0/0x1a50 drivers/net/usb/hso.c:2948
>   usb_probe_interface+0x30b/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x287/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
>   bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x1700 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0xa2/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x287/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
>   bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x1700 drivers/base/core.c:2111
>   usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x1adc/0x35a0 drivers/usb/core/hub.c:5432
>   process_one_work+0x90a/0x1580 kernel/workqueue.c:2268
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2414
>   kthread+0x30e/0x420 kernel/kthread.c:254
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
>
> Freed by task 12:
>   save_stack+0x1b/0x80 mm/kasan/common.c:71
>   set_track mm/kasan/common.c:79 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
>   slab_free_hook mm/slub.c:1421 [inline]
>   slab_free_freelist_hook mm/slub.c:1448 [inline]
>   slab_free mm/slub.c:2994 [inline]
>   kfree+0xd7/0x290 mm/slub.c:3949
>   hso_create_bulk_serial_device drivers/net/usb/hso.c:2687

Re: WARNING in usbtouch_reset_resume

2019-08-13 Thread Andrey Konovalov
On Mon, Aug 5, 2019 at 1:58 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1104baf860
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=91f7bbcce580376d784e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=14199a6260
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17d94aaa60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+91f7bbcce580376d7...@syzkaller.appspotmail.com
>
> input: USB Touchscreen 0eef:0002 as
> /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.180/input/input5
> usb 1-1: reset high-speed USB device number 2 using dummy_hcd
> usb 1-1: Using ep0 maxpacket: 32
> [ cut here ]
> DEBUG_LOCKS_WARN_ON(lock->magic != lock)
> WARNING: CPU: 0 PID: 12 at kernel/locking/mutex.c:912 __mutex_lock_common
> kernel/locking/mutex.c:912 [inline]
> WARNING: CPU: 0 PID: 12 at kernel/locking/mutex.c:912
> __mutex_lock+0xd31/0x1360 kernel/locking/mutex.c:1077
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x2a3/0x6da kernel/panic.c:219
>   __warn.cold+0x20/0x4a kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
> RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:912 [inline]
> RIP: 0010:__mutex_lock+0xd31/0x1360 kernel/locking/mutex.c:1077
> Code: d2 0f 85 f6 05 00 00 44 8b 05 7b de 1c 02 45 85 c0 0f 85 0a f4 ff ff
> 48 c7 c6 c0 92 c6 85 48 c7 c7 60 90 c6 85 e8 f4 c4 a6 fb <0f> 0b e9 f0 f3
> ff ff 65 48 8b 1c 25 00 ef 01 00 be 08 00 00 00 48
> RSP: 0018:8881da20f6b0 EFLAGS: 00010286
> RAX:  RBX:  RCX: 
> RDX:  RSI: 8128a0fd RDI: ed103b441ec8
> RBP: 8881da20f820 R08: 8881da1f9800 R09: fbfff0d9ee35
> R10: fbfff0d9ee34 R11: 86cf71a3 R12: 
> R13: dc00 R14: 8881d2e291c8 R15: 8881d2fba228
>   usbtouch_reset_resume+0xb1/0x170
> drivers/input/touchscreen/usbtouchscreen.c:1611
>   usb_resume_interface drivers/usb/core/driver.c:1242 [inline]
>   usb_resume_interface.isra.0+0x184/0x390 drivers/usb/core/driver.c:1210
>   usb_resume_both+0x26a/0x7b0 drivers/usb/core/driver.c:1412
>   __rpm_callback+0x27e/0x3c0 drivers/base/power/runtime.c:355
>   rpm_callback+0x18f/0x230 drivers/base/power/runtime.c:485
>   rpm_resume+0x10f7/0x1870 drivers/base/power/runtime.c:849
>   __pm_runtime_resume+0x103/0x180 drivers/base/power/runtime.c:1076
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autoresume_device+0x1e/0x60 drivers/usb/core/driver.c:1599
>   usb_remote_wakeup+0x7b/0xb0 drivers/usb/core/hub.c:3603
>   hub_port_connect_change drivers/usb/core/hub.c:5199 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x246c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

#syz dup: WARNING in usbtouch_open



Re: INFO: trying to register non-static key in usbtouch_open

2019-08-13 Thread Andrey Konovalov
On Tue, Jul 23, 2019 at 2:48 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1633092060
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> dashboard link: https://syzkaller.appspot.com/bug?extid=f9c21a30eb9d374e30c1
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17e5ee7860
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e4a74c60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+f9c21a30eb9d374e3...@syzkaller.appspotmail.com
>
> INFO: trying to register non-static key.
> the code is fine but needs lockdep annotation.
> turning off the locking correctness validator.
> CPU: 0 PID: 1737 Comm: syz-executor481 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack /lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e /lib/dump_stack.c:113
>   assign_lock_key /kernel/locking/lockdep.c:775 [inline]
>   register_lock_class+0x11ae/0x1240 /kernel/locking/lockdep.c:1084
>   __lock_acquire+0x11d/0x5340 /kernel/locking/lockdep.c:3674
>   lock_acquire+0x100/0x2b0 /kernel/locking/lockdep.c:4303
>   __mutex_lock_common /kernel/locking/mutex.c:926 [inline]
>   __mutex_lock+0xf9/0x12b0 /kernel/locking/mutex.c:1073
>   usbtouch_open+0x101/0x310 /drivers/input/touchscreen/usbtouchscreen.c:1537
>   input_open_device+0x170/0x280 /drivers/input/input.c:607
>   evdev_open_device /drivers/input/evdev.c:433 [inline]
>   evdev_open+0x3fe/0x510 /drivers/input/evdev.c:518
>   chrdev_open+0x219/0x5c0 /fs/char_dev.c:413
>   do_dentry_open+0x497/0x1040 /fs/open.c:778
>   do_last /fs/namei.c:3416 [inline]
>   path_openat+0x1430/0x3ff0 /fs/namei.c:3533
>   do_filp_open+0x1a1/0x280 /fs/namei.c:3563
>   do_sys_open+0x3c0/0x580 /fs/open.c:1070
>   do_syscall_64+0xb7/0x560 /arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4011f0
> Code: 01 f0 ff ff 0f 83 00 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
> 44 00 00 83 3d 9d 4b 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 d4 0a 00 00 c3 48 83 ec 08 e8 3a 00 00 00
> RSP: 002b:7ffdc8662728 EFLAGS: 0246 ORIG_RAX: 0002
> RAX: ffda RBX:  RCX: 004011f0
> RDX:  RSI: 0002 RDI: 7ffdc8662730
> RBP: 6667 R08: 000f R09: 0023
> R10: 0075 R11: 0246 R12: 00402150
> R13: 004021e0 R14:  R15: 

#syz dup: WARNING in usbtouch_open



Re: INFO: trying to register non-static key in usbtouch_reset_resume

2019-08-13 Thread Andrey Konovalov
On Thu, Jun 20, 2019 at 11:33 AM syzbot
 wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:9939f56e usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=100c063aa0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=df134eda130bb43a
> dashboard link: https://syzkaller.appspot.com/bug?extid=933daad9be4e67ba91a9
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=144fa5e6a0
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13d12de6a0
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+933daad9be4e67ba9...@syzkaller.appspotmail.com
>
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> INFO: trying to register non-static key.
> the code is fine but needs lockdep annotation.
> turning off the locking correctness validator.
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc5+ #11
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   assign_lock_key kernel/locking/lockdep.c:775 [inline]
>   register_lock_class+0x11ae/0x1240 kernel/locking/lockdep.c:1084
>   __lock_acquire+0x11d/0x5340 kernel/locking/lockdep.c:3674
>   lock_acquire+0x100/0x2b0 kernel/locking/lockdep.c:4303
>   __mutex_lock_common kernel/locking/mutex.c:926 [inline]
>   __mutex_lock+0xf9/0x12b0 kernel/locking/mutex.c:1073
>   usbtouch_reset_resume+0xb1/0x170
> drivers/input/touchscreen/usbtouchscreen.c:1611
>   usb_resume_interface drivers/usb/core/driver.c:1242 [inline]
>   usb_resume_interface.isra.0+0x184/0x390 drivers/usb/core/driver.c:1210
>   usb_resume_both+0x23d/0x780 drivers/usb/core/driver.c:1412
>   __rpm_callback+0x27e/0x3c0 drivers/base/power/runtime.c:355
>   rpm_callback+0x18f/0x230 drivers/base/power/runtime.c:485
>   rpm_resume+0x10c5/0x1840 drivers/base/power/runtime.c:849
>   __pm_runtime_resume+0x103/0x180 drivers/base/power/runtime.c:1076
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autoresume_device+0x1e/0x60 drivers/usb/core/driver.c:1599
>   usb_remote_wakeup+0x7b/0xb0 drivers/usb/core/hub.c:3601
>   hub_port_connect_change drivers/usb/core/hub.c:5190 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x23d7/0x3590 drivers/usb/core/hub.c:5432
>   process_one_work+0x905/0x1570 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x30b/0x410 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> dummy_hcd dummy_hcd.0: port status 0x00010100 has changes
> dummy_hcd dummy_hcd.0: port status 0x00010101 has changes
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb usb1: dummy_bus_suspend
> usb usb1: dummy_bus_resume
> dummy_hcd dummy_hcd.0: port status 0x00010100 has changes
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb usb1: dummy_bus_suspend
> usb usb1: dummy_bus_resume
> dummy_hcd dummy_hcd.0: port status 0x00010100 has changes
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb usb1: dummy_bus_suspend
> usb usb1: dummy_bus_resume
> dummy_hcd dummy_hcd.0: port status 0x00010100 has changes
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb usb1: dummy_bus_suspend
> usb usb1: dummy_bus_resume
> dummy_hcd dummy_hcd.0: port status 0x00010100 has changes
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> dummy_hcd dummy_hcd.0: port status 0x00100303 has changes
>

#syz dup: WARNING in usbtouch_open


Re: USB fuzzing with syzbot

2019-08-13 Thread Andrey Konovalov
On Wed, Apr 17, 2019 at 6:33 PM Andrey Konovalov  wrote:
>
> Hi,
>
> As you might have noticed, syzbot has started reporting bugs in the
> USB subsystem that can be triggered externally by a malicious USB
> device. Right now the fuzzing is done via a GadgetFS-like interface to
> emulate USB devices through the USB Gadget subsystem and the Dummy
> HCD/UDC module to "loopback" connect those devices to the running
> kernel. There are more details in my OffensiveCon talk [1], [2].
>
> A few questions/comments:
>
> 1. Which tree should we use for testing?
>
> Right now we're targeting the upstream tree, but we can switch to some
> USB development tree, where the fixes are likely to end up earlier.
>
> 2. Is there an easy way to figure out which config options enable
> drivers reachable over USB?
>
> Right now our kernel config is based on one of the Debian kernel
> configs, that supposedly enables enough relevant USB drivers. At the
> same time it enables a lot of other unnecessary stuff, which makes the
> kernel big and long to compile. Ideally, we would like to have a way to
> auto-generate a kernel config that enables all the relevant (enabled
> by at least one of the distros) USB drivers. I've looked at whether
> it's possible to figure out which particular options in some kernel
> config are related to USB, but it seems that neither the option names,
> nor the way they are grouped in the config file, are representative
> enough.
>
> 3. Regarding that GadgetFS-like interface.
>
> Initially I was using GadgetFS (together with the Dummy HCD/UDC
> module) to perform emulation of USB devices for fuzzing, but later
> switched to a custom written interface. This interface is essentially
> implemented in the following patch [3]. An example that emulates a USB
> keyboard through this interface can be found here [4]. And the
> syzkaller parts responsible for USB fuzzing are here [5], [6]. The
> incentive to implement a different interface was to provide a somewhat
> raw and direct access to the USB Gadget layer for the userspace, where
> every USB request is passed to the userspace to get a response.
>
> The main differences between this interface (referred to as usb-fuzzer
> for now) and GadgetFS are:
>
> 1) GadgetFS does some sanity checks on the provided USB descriptors,
> which is something we don't want for fuzzing. We want the descriptors
> to be as corrupted as they can.
>
> 2) GadgetFS handles some of the USB requests internally based on the
> provided device descriptor, which is also something we don't want. For
> example we may want to be able to provide differently corrupted
> responses to the same request.
>
> 3) usb-fuzzer has an ioctl-based interface instead of a filesystem-based
> one. I wouldn't say it's that big of a deal, but it makes it somewhat
> easier to incorporate into a fuzzer.
>
> 4) Somewhat related to the previous point: usb-fuzzer uses predictable
> endpoint names across different UDCs.
>
> Right now each UDC driver defines endpoint names via EP_INFO() as it
> pleases. And GadgetFS uses those names to create file entries for each
> of the endpoints. As a result, endpoint names for different UDCs will
> be different and it requires more work to write a portable userspace
> gadget. The usb-fuzzer interface auto-selects and assigns an endpoint
> based on the required features like the transfer type.
>
> 5) GadgetFS binds to the first available UDC; usb-fuzzer provides a
> way to select a UDC to bind to.
>
> Since the fuzzing happens in multiple processes each of which has its
> own Dummy UDC assigned, we want to have control over which UDC we bind
> to. This part is a bit confusing, but what I found out is that a UDC
> is selected based on two different identifying names. I call the first
> one "udc_device_name" and the second one "udc_driver_name".
> "udc_device_name" has to be assigned to usb_gadget_driver->udc_name
> when usb_gadget_probe_driver() is called, and "udc_driver_name" is
> what we have to compare usb_gadget->name with inside of the
> usb_gadget_driver->bind() callback. For example, Dummy UDC has
> "dummy_udc" as its "udc_driver_name" and "dummy_udc.N" as its
> "udc_device_name". At the same time the dwc2 driver that is used on
> Raspberry Pi Zero, has "2098.usb" as both "udc_driver_name" and
> "udc_device_name".
>
> Overall, the usb-fuzzer interface implementation has a similar
> structure to that of GadgetFS, but looks way simpler (although that
> might be because I've missed implementing some functionality :).
>
> We'd like to get thi

Re: general protection fault in cdev_del

2019-08-13 Thread Andrey Konovalov
On Tue, May 28, 2019 at 12:48 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=178e4526a0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c309d28e15db39c5
> dashboard link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=10dc5d54a0
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cae526a0
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+67b2bd0e34f952d03...@syzkaller.appspotmail.com
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN PTI
> CPU: 1 PID: 2486 Comm: kworker/1:2 Not tainted 5.2.0-rc1+ #9
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
> Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
> 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
> 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
> RSP: 0018:8881d18e7218 EFLAGS: 00010207
> RAX: dc00 RBX: 8881d249a100 RCX: 820d879e
> RDX: 000c RSI: 8167705d RDI: 0064
> RBP:  R08: 8881d18d1800 R09: 
> R10:  R11:  R12: 
> R13: 8881d25c9100 R14:  R15: 8881cc2a8070
> FS:  () GS:8881db30() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7f35af318000 CR3: 0001cc182000 CR4: 001406e0
> Call Trace:
>   tty_unregister_device drivers/tty/tty_io.c:3192 [inline]
>   tty_unregister_device+0x10d/0x1a0 drivers/tty/tty_io.c:3187
>   hso_serial_tty_unregister drivers/net/usb/hso.c:2245 [inline]
>   hso_create_bulk_serial_device drivers/net/usb/hso.c:2682 [inline]
>   hso_probe.cold+0xc8/0x120 drivers/net/usb/hso.c:2948
>   usb_probe_interface+0x30b/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x287/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
>   bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x1700 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0xa2/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x287/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
>   bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x1700 drivers/base/core.c:2111
>   usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x1adc/0x35a0 drivers/usb/core/hub.c:5432
>   process_one_work+0x90a/0x1580 kernel/workqueue.c:2268
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2414
>   kthread+0x30e/0x420 kernel/kthread.c:254
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Modules linked in:
> ---[ end trace 3b56fa5a205cba42 ]---
> RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
> Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
> 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
> 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
> RSP: 0018:8881d18e7218 EFLAGS: 00010207
> RAX: dc00 RBX: 8881d249a100 RCX: 820d879e
> RDX: 000c RSI: 8167705d RDI: 0064
> RBP:  R08: 8881d18d1800 R09: 
> R10:  R11:  R12: 
> R13: 8881d25c9100 R14:  R15: 8881cc2a8070
> FS:  () GS:8881db30() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7f35af318000 CR3: 0001cc182000 CR4: 001406e0

Trying Oliver's fix from [1]:

#syz test: https://github.com/google/kasan.git 69bbe8c7

[1] 
https://groups.google.com/forum/#!msg/syzkaller-bugs/5qVDUDTxXYQ/OlN_ZX6LBwAJ

>
>
> ---
> This bug is generate

Re: KASAN: use-after-free Read in v4l2_fh_del

2019-08-13 Thread Andrey Konovalov
On Thu, May 2, 2019 at 2:36 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=145cd8ff20
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> dashboard link: https://syzkaller.appspot.com/bug?extid=d53275bc1af5eb01bfff
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d53275bc1af5eb01b...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in __lock_acquire+0x2930/0x37c0
> kernel/locking/lockdep.c:3573
> Read of size 8 at addr 88806b57ec90 by task v4l_id/7959
>
> CPU: 0 PID: 7959 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   print_address_description+0x6c/0x236 mm/kasan/report.c:187
>   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
>   __lock_acquire+0x2930/0x37c0 kernel/locking/lockdep.c:3573
>   lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
>   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
>   _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
>   v4l2_fh_del+0x4e/0x270 drivers/media/v4l2-core/v4l2-fh.c:81
>   v4l2_fh_release+0x46/0x70 drivers/media/v4l2-core/v4l2-fh.c:104
>   v4l2_release+0x2f0/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
>   __fput+0x2df/0x8c0 fs/file_table.c:278
>   task_work_run+0x149/0x1c0 kernel/task_work.c:113
>   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
>   exit_to_usermode_loop+0x243/0x270 arch/x86/entry/common.c:166
>   prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
>   syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
>   do_syscall_64+0x40c/0x4f0 arch/x86/entry/common.c:293
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7fd157cde2b0
> Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
> 07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
> RSP: 002b:7ffcf08bde38 EFLAGS: 0246 ORIG_RAX: 0003
> RAX:  RBX: 0003 RCX: 7fd157cde2b0
> RDX: 0013 RSI: 80685600 RDI: 0003
> RBP:  R08:  R09: 
> R10:  R11: 0246 R12: 00400884
> R13: 7ffcf08bdf90 R14:  R15: 
>
> Allocated by task 17:
>   set_track mm/kasan/common.c:87 [inline]
>   __kasan_kmalloc mm/kasan/common.c:497 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
>   slab_post_alloc_hook mm/slab.h:437 [inline]
>   slab_alloc_node mm/slub.c:2756 [inline]
>   __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
>   alloc_dr drivers/base/devres.c:103 [inline]
>   devm_kmalloc+0x8c/0x190 drivers/base/devres.c:793
>   devm_kzalloc include/linux/device.h:679 [inline]
>   usb_raremono_probe+0x34/0x235 drivers/media/radio/radio-raremono.c:298
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2023
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
>   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   worker_thread+0x7b0/0xe20 kernel/workqueue.c:2417
>

Re: KASAN: use-after-free Write in v4l2_device_release

2019-08-13 Thread Andrey Konovalov
On Mon, Apr 29, 2019 at 2:06 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f56538a0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> dashboard link: https://syzkaller.appspot.com/bug?extid=62d0ec9a8d05fffcf12e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+62d0ec9a8d05fffcf...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in v4l2_device_release+0x3ce/0x408
> drivers/media/v4l2-core/v4l2-dev.c:197
> Write of size 8 at addr 88809a266c08 by task v4l_id/7544
>
> CPU: 1 PID: 7544 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   print_address_description+0x6c/0x236 mm/kasan/report.c:187
>   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
>   v4l2_device_release+0x3ce/0x408 drivers/media/v4l2-core/v4l2-dev.c:197
>   device_release+0x7d/0x210 drivers/base/core.c:1064
>   kobject_cleanup lib/kobject.c:662 [inline]
>   kobject_release lib/kobject.c:691 [inline]
>   kref_put include/linux/kref.h:67 [inline]
>   kobject_put+0x1df/0x4f0 lib/kobject.c:708
>   put_device+0x21/0x30 drivers/base/core.c:2205
>   video_put drivers/media/v4l2-core/v4l2-dev.c:174 [inline]
>   v4l2_release+0x2d1/0x390 drivers/media/v4l2-core/v4l2-dev.c:469
>   __fput+0x2df/0x8c0 fs/file_table.c:278
>   task_work_run+0x149/0x1c0 kernel/task_work.c:113
>   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
>   exit_to_usermode_loop+0x243/0x270 arch/x86/entry/common.c:166
>   prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
>   syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
>   do_syscall_64+0x40c/0x4f0 arch/x86/entry/common.c:293
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7fc1f5f952b0
> Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
> 07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
> RSP: 002b:7ffd270a0138 EFLAGS: 0246 ORIG_RAX: 0003
> RAX:  RBX: 0003 RCX: 7fc1f5f952b0
> RDX: 7fc1f624bdf0 RSI: 0001 RDI: 0003
> RBP:  R08: 7fc1f624bdf0 R09: 000a
> R10:  R11: 0246 R12: 00400884
> R13: 7ffd270a0290 R14:  R15: 
>
> Allocated by task 5354:
>   set_track mm/kasan/common.c:87 [inline]
>   __kasan_kmalloc mm/kasan/common.c:497 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
>   slab_post_alloc_hook mm/slab.h:437 [inline]
>   slab_alloc_node mm/slub.c:2756 [inline]
>   __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
>   alloc_dr drivers/base/devres.c:103 [inline]
>   devm_kmalloc+0x8c/0x190 drivers/base/devres.c:793
>   devm_kzalloc include/linux/device.h:679 [inline]
>   usb_raremono_probe+0x34/0x235 drivers/media/radio/radio-raremono.c:298
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2023
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
>   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   w

Re: KASAN: use-after-free Write in v4l2_prio_close

2019-08-13 Thread Andrey Konovalov
On Mon, Jun 3, 2019 at 1:41 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=142ef636a0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=193d8457178b3229
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6566701042e6e3e4ed1
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a6566701042e6e3e4...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in atomic_dec
> include/asm-generic/atomic-instrumented.h:329 [inline]
> BUG: KASAN: use-after-free in v4l2_prio_close+0x45/0x60
> drivers/media/v4l2-core/v4l2-dev.c:285
> Write of size 4 at addr 8881d4d21890 by task v4l_id/3238
>
> CPU: 1 PID: 3238 Comm: v4l_id Not tainted 5.2.0-rc1+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x67/0x231 mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
>   kasan_report+0xe/0x20 mm/kasan/common.c:614
>   atomic_dec include/asm-generic/atomic-instrumented.h:329 [inline]
>   v4l2_prio_close+0x45/0x60 drivers/media/v4l2-core/v4l2-dev.c:285
>   v4l2_fh_release+0x41/0x70 drivers/media/v4l2-core/v4l2-fh.c:104
>   v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
>   __fput+0x2d7/0x790 fs/file_table.c:279
>   task_work_run+0x13f/0x1c0 kernel/task_work.c:113
>   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
>   exit_to_usermode_loop+0x1c5/0x1f0 arch/x86/entry/common.c:168
>   prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
>   syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
>   do_syscall_64+0x43f/0x560 arch/x86/entry/common.c:304
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7f5bcbde22b0
> Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
> 07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
> RSP: 002b:7ffd54ae7938 EFLAGS: 0246 ORIG_RAX: 0003
> RAX:  RBX: 0003 RCX: 7f5bcbde22b0
> RDX: 0013 RSI: 80685600 RDI: 0003
> RBP:  R08:  R09: 
> R10:  R11: 0246 R12: 00400884
> R13: 7ffd54ae7a90 R14:  R15: 
>
> Allocated by task 2762:
>   save_stack+0x1b/0x80 mm/kasan/common.c:71
>   set_track mm/kasan/common.c:79 [inline]
>   __kasan_kmalloc mm/kasan/common.c:489 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
>   slab_post_alloc_hook mm/slab.h:437 [inline]
>   slab_alloc_node mm/slub.c:2748 [inline]
>   __kmalloc_node_track_caller+0xee/0x370 mm/slub.c:4363
>   alloc_dr drivers/base/devres.c:103 [inline]
>   devm_kmalloc+0x87/0x190 drivers/base/devres.c:793
>   devm_kzalloc include/linux/device.h:679 [inline]
>   usb_raremono_probe+0x2f/0x231 drivers/media/radio/radio-raremono.c:298
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x660 drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2111
>   usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x1ada/0x3590 drivers/usb/core/hub.c:5432
>   process_one_work+0x905/0x1570 kernel/workqueue.c:2268
>   process_scheduled_works kernel/workqueue.c:2330 [inline]
>   worker_thread+0x7ab/0xe20 kernel/workqueue.c:24

Re: KASAN: slab-out-of-bounds Read in hex_string

2019-08-13 Thread Andrey Konovalov
On Tue, Apr 30, 2019 at 4:13 PM Alan Stern  wrote:
>
> On Mon, 29 Apr 2019, Eric Biggers wrote:
>
> > On Mon, Apr 29, 2019 at 04:07:04PM -0400, Alan Stern wrote:
>
> > > Accessing beyond the end of the descriptor.
> > >
> > > #syz test: https://github.com/google/kasan.git usb-fuzzer
> > >
> > > --- a/drivers/video/fbdev/udlfb.c
> > > +++ b/drivers/video/fbdev/udlfb.c
> > > @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor(
> > > char *buf;
> > > char *desc_end;
> > > int total_len;
> > > +   int width;
> > >
> > > buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL);
> > > if (!buf)
> > > @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor(
> > > }
> > >
> > > if (total_len > 5) {
> > > +   width = min(total_len, 11);
> > > dev_info(&intf->dev,
> > > -"vendor descriptor length: %d data: %11ph\n",
> > > -total_len, desc);
> > > +"vendor descriptor length: %d data: %*ph\n",
> > > +total_len, width, desc);
> > >
> > > if ((desc[0] != total_len) || /* descriptor length */
> > > (desc[1] != 0x5f) ||   /* vendor descriptor type */
> > >
> > >
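Review bot: the `width = min(total_len, 11)` clamp bounds only the dev_info() read, so this hunk closes the reported over-read but leaves the descriptor walk that follows this block unchanged; that loop checks just `desc < desc_end` before reading a 2-byte key, a 1-byte length and, for key 0x0200, four more value bytes, so a device reporting a short total_len can still drive reads past desc_end. Suggest guarding each record with `if (desc_end - desc < 3) goto unrecognized;` before the key/length read and `if (desc_end - desc < length) goto unrecognized;` (with `length >= 4` for the max_area case) before consuming the value, and declaring desc as `u8 *` rather than `char *` so bytes at or above 0x80 are not sign-extended into the key.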
> >
> > Why not write just:
> >
> > dev_info(&intf->dev,
> >  "vendor descriptor length: %d data: %*ph\n",
> >  total_len, min(total_len, 11), desc);
>
> I did consider doing that.  In the end I decided adding an extra
> temporary variable made the code a little more readable.  (For some
> reason, extra recursion -- a function call embedded in a function
> argument -- seems to demand more mental effort than an extra
> temporary.  Maybe my brain is just getting old...)
>
> > Also, aren't there more out-of-bounds reads in the code just after?  It only
> > checks for at least 1 byte available, but then it reads up to 7 bytes:
> >
> >   while (desc < desc_end) {
> >   u8 length;
> >   u16 key;
> >
> >   key = *desc++;
> >   key |= (u16)*desc++ << 8;
> >   length = *desc++;
> >
> >   switch (key) {
> >   case 0x0200: { /* max_area */
> >   u32 max_area = *desc++;
> >   max_area |= (u32)*desc++ << 8;
> >   max_area |= (u32)*desc++ << 16;
> >   max_area |= (u32)*desc++ << 24;
> >   dev_warn(&intf->dev,
> >"DL chip limited to %d pixel modes\n",
> >max_area);
> >   dlfb->sku_pixel_limit = max_area;
> >   break;
> >   }
> >   default:
> >   break;
> >   }
> >   desc += length;
> >   }
>
> Quite right.  Please feel free to submit a patch fixing all these
> problems.
>
> > Also I couldn't help but notice it's also using 'char' rather than 'u8',
> > so bytes >= 0x80 are read incorrectly as they're sign extended...
>
> As I recall, the C standard doesn't specify whether char is signed or
> unsigned; it can vary with the implementation.  However you are
> certainly correct that to ensure there is no sign extension, the code
> should use unsigned char or u8.

Hi Alan and Eric,

Have any of these fixes been submitted anywhere? This bug is still open
on syzbot.

Thanks!
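The over-reads Eric points out in the loop above, as an added C example that is not code from udlfb or from anyone in this thread: a bounds-checked parser for the same vendor-descriptor layout (byte 0 repeats the total length, byte 1 carries the 0x5f type, then records of a 16-bit little-endian key, an 8-bit length and that many value bytes), next to a pair of helpers that contrast the signed-char key read with the u8 one. The 5-byte header size, the skipping of header bytes 2 to 4, and treating `length` as the size of the value that follows are assumptions about the format; the sample descriptors are constructed, not captured from a device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VENDOR_DESC_TYPE 0x5f   /* type byte checked by udlfb (desc[1]) */
#define VENDOR_HDR_LEN   5      /* assumption: fixed header before the records */
#define KEY_MAX_AREA     0x0200 /* the one key handled in the quoted loop */

struct vendor_info {
    int has_max_area;
    uint32_t max_area;
};

/* Parse `total_len` bytes at `desc`. Returns 0 on success and -1 when the
 * descriptor is malformed or any record would run past the buffer; every
 * read is preceded by a check against the bytes that are actually left. */
int parse_vendor_descriptor(const uint8_t *desc, size_t total_len,
                            struct vendor_info *out)
{
    const uint8_t *p, *end;

    memset(out, 0, sizeof(*out));
    if (total_len < VENDOR_HDR_LEN)
        return -1;
    if (desc[0] != total_len || desc[1] != VENDOR_DESC_TYPE)
        return -1;

    p = desc + VENDOR_HDR_LEN;
    end = desc + total_len;
    while (p < end) {
        uint16_t key;
        uint8_t len;

        if ((size_t)(end - p) < 3)      /* key (2) + length (1) must fit */
            return -1;
        key = (uint16_t)p[0] | (uint16_t)p[1] << 8;
        len = p[2];
        p += 3;
        if ((size_t)(end - p) < len)    /* device-supplied length must fit */
            return -1;

        switch (key) {
        case KEY_MAX_AREA:
            if (len < 4)
                return -1;
            out->max_area = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
            out->has_max_area = 1;
            break;
        default:                        /* unknown keys are skipped by length */
            break;
        }
        p += len;
    }
    return 0;
}

/* The `char` pitfall: with a signed char, byte 0x80 becomes -128 and is
 * sign-extended before the OR, so the high byte of the key is corrupted. */
uint16_t key_from_signed_char(const signed char *d)
{
    uint16_t key = *d++;
    key |= (uint16_t)*d++ << 8;
    return key;
}

uint16_t key_from_u8(const uint8_t *d)
{
    return (uint16_t)d[0] | (uint16_t)d[1] << 8;
}

/* Constructed samples: one well-formed descriptor with a max_area record
 * and an unknown record, and one whose reported length cuts the value off. */
const uint8_t sample_good[] = {
    17, VENDOR_DESC_TYPE, 0x00, 0x00, 0x00,  /* header; bytes 2..4 not used here */
    0x00, 0x02, 4, 0x00, 0x00, 0x10, 0x00,   /* key 0x0200, len 4, value 0x00100000 */
    0x01, 0x03, 2, 0xaa, 0xbb,               /* key 0x0301, len 2, skipped */
};
const uint8_t sample_truncated[] = {
    9, VENDOR_DESC_TYPE, 0x00, 0x00, 0x00,
    0x00, 0x02, 4, 0x00,                     /* claims 4 value bytes, has 1 */
};

/* One plain return value per check, so results can be asserted on. */
uint32_t demo_good_max_area(void)
{
    struct vendor_info vi;
    if (parse_vendor_descriptor(sample_good, sizeof sample_good, &vi) != 0)
        return 0;
    return vi.has_max_area ? vi.max_area : 0;
}

int demo_truncated_rc(void)
{
    struct vendor_info vi;
    return parse_vendor_descriptor(sample_truncated, sizeof sample_truncated, &vi);
}

uint16_t demo_key_signed(void)
{
    static const signed char raw[2] = { -128, 0x02 };   /* bytes 0x80 0x02 */
    return key_from_signed_char(raw);
}

uint16_t demo_key_u8(void)
{
    static const uint8_t raw[2] = { 0x80, 0x02 };
    return key_from_u8(raw);
}

int main(void)
{
    printf("good: max_area=%lu\n", (unsigned long)demo_good_max_area());
    printf("truncated: rc=%d\n", demo_truncated_rc());
    printf("key via signed char: 0x%04x, via u8: 0x%04x\n",
           demo_key_signed(), demo_key_u8());
    return 0;
}
```

The two `(size_t)(end - p)` checks are the whole fix: the original loop trusts `desc < desc_end` once per record and then reads up to seven bytes, whereas here the header and the value are each checked against the remaining count before being touched, and a record whose declared length overruns the buffer fails the parse instead of walking past it. The `key_from_signed_char` helper uses `signed char` explicitly so the corrupted 0xff80 result is the same on every platform, not only on ones where plain `char` is signed.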


Re: KASAN: use-after-free Read in ds_probe

2019-08-13 Thread Andrey Konovalov
On Sun, Apr 14, 2019 at 10:06 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb7cd320
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=5620801aaaf778ca83c6
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1676f06b20
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1373c65b20
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5620801aaaf778ca8...@syzkaller.appspotmail.com
>
> usb 1-1: config 0 has no interface number 0
> usb 1-1: New USB device found, idVendor=04fa, idProduct=2490,
> bcdDevice=89.a4
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 1-1: config 0 descriptor??
> ==
> BUG: KASAN: use-after-free in ds_probe+0x604/0x760
> drivers/w1/masters/ds2490.c:1019
> Read of size 1 at addr 8880a7996862 by task kworker/0:1/12
>
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   print_address_description+0x6c/0x236 mm/kasan/report.c:187
>   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
>   ds_probe+0x604/0x760 drivers/w1/masters/ds2490.c:1019
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
>   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
>   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
>   kthread+0x313/0x420 kernel/kthread.c:253
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
>
> Allocated by task 4260:
>   set_track mm/kasan/common.c:87 [inline]
>   __kasan_kmalloc mm/kasan/common.c:497 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
>   kmalloc include/linux/slab.h:552 [inline]
>   kzalloc include/linux/slab.h:742 [inline]
>   lsm_task_alloc security/security.c:544 [inline]
>   security_task_alloc+0x113/0x180 security/security.c:1456
>   copy_process.part.0+0x1c62/0x76b0 kernel/fork.c:1898
>   copy_process kernel/fork.c:1709 [inline]
>   _do_fork+0x234/0xed0 kernel/fork.c:2226
>   do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 1405:
>   set_track mm/kasan/common.c:87 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
>   slab_free_hook mm/slub.c:1429 [inline]
>   slab_free_freelist_hook+0x5e/0x140 mm/slub.c:1456
>   slab_free mm/slub.c:3003 [inline]
>   kfree+0xce/0x290 mm/slub.c:3958
>   security_task_free+0x9a/0xf0 security/security.c:1470
>   __put_task_struct+0xec/0x4d0 kernel/fork.c:724
>   put_task_struct include/linux/sched/task.h:98 [inline]
>   delayed_put_task_struct+0x189/0x290 kernel/exit.c:181
>   __rcu_reclaim kernel/rcu/rcu.h:227 [inline]
>   rcu_do_batch kernel/rcu/tree.c:2475 [inline]
>   invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline]
>   rcu_core+0x83b/0x1a80 kernel/rcu/tree.c:2769
>   __do_softirq+0x22a/0x8cd kernel/softirq.c:293
>
> The buggy address belongs to the object at 8880a7996840
>   which belongs to the cache kmalloc-64 of size 64
> The buggy address is located 34 bytes inside of
>   64-byte region [8880a7996840, 8880a7996880)
> The buggy address belongs to the page:
> page:ff

Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-13 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 4:00 PM Alan Stern  wrote:
>
> On Thu, 8 Aug 2019, Andrey Konovalov wrote:
>
> > On Thu, Aug 8, 2019 at 2:44 PM Dmitry Vyukov  wrote:
> > >
> > > > On Thu, Aug 8, 2019 at 2:28 PM Andrey Konovalov wrote:
> > > >
> > > > > On Wed, Aug 7, 2019 at 8:31 PM Alan Stern wrote:
> > > > >
> > > > > On Wed, 7 Aug 2019, syzbot wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > > syzbot has tested the proposed patch and the reproducer did not trigger crash:
> > > > > >
> > > > > > Reported-and-tested-by:
> > > > > > syzbot+1b2449b7b5dc240d1...@syzkaller.appspotmail.com
> > > > > >
> > > > > > Tested on:
> > > > > >
> > > > > > commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > > > > > git tree:   https://github.com/google/kasan.git
> > > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> > > > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > > > patch:  https://syzkaller.appspot.com/x/patch.diff?x=132eec8c60
> > > > > >
> > > > > > Note: testing is done by a robot and is best-effort only.
> > > > >
> > > > > Andrey, is there any way to get the console output from this test?
> > > >
> > > > > Dmitry, would it be possible to link console log for successful tests as well?
> > >
> > > Yes. Start by filing a feature request at
> > > https://github.com/google/syzkaller/issues
> >
> > Filed https://github.com/google/syzkaller/issues/1322
> >
> > Alan, for now I've applied your patch and run the reproducer manually:
> >
> > [   90.844643][   T74] usb 1-1: new high-speed USB device number 2
> > using dummy_hcd
> > [   91.085789][   T74] usb 1-1: Using ep0 maxpacket: 16
> > [   91.204698][   T74] usb 1-1: config 0 has an invalid interface
> > number: 234 but max is 0
> > [   91.209137][   T74] usb 1-1: config 0 has no interface number 0
> > [   91.211599][   T74] usb 1-1: config 0 interface 234 altsetting 0
> > endpoint 0x8D has an inva1
> > [   91.216162][   T74] usb 1-1: config 0 interface 234 altsetting 0
> > endpoint 0x7 has invalid 4
> > [   91.218211][   T74] usb 1-1: config 0 interface 234 altsetting 0
> > bulk endpoint 0x7 has inv4
> > [   91.220131][   T74] usb 1-1: config 0 interface 234 altsetting 0
> > bulk endpoint 0x8F has in0
> > [   91.222052][   T74] usb 1-1: New USB device found, idVendor=0421,
> > idProduct=0486, bcdDevic7
> > [   91.223851][   T74] usb 1-1: New USB device strings: Mfr=0,
> > Product=0, SerialNumber=0
> > [   91.233180][   T74] usb 1-1: config 0 descriptor??
> > [   91.270222][   T74] rndis_wlan 1-1:0.234: Refcount before probe: 3
> > [   91.275464][   T74] rndis_wlan 1-1:0.234: invalid descriptor buffer 
> > length
> > [   91.277558][   T74] usb 1-1: bad CDC descriptors
> > [   91.279716][   T74] rndis_wlan 1-1:0.234: Refcount after probe: 3
> > [   91.281378][   T74] rndis_host 1-1:0.234: Refcount before probe: 3
> > [   91.283303][   T74] rndis_host 1-1:0.234: invalid descriptor buffer 
> > length
> > [   91.284724][   T74] usb 1-1: bad CDC descriptors
> > [   91.286004][   T74] rndis_host 1-1:0.234: Refcount after probe: 3
> > [   91.287318][   T74] cdc_acm 1-1:0.234: Refcount before probe: 3
> > [   91.288513][   T74] cdc_acm 1-1:0.234: invalid descriptor buffer length
> > [   91.289835][   T74] cdc_acm 1-1:0.234: No union descriptor, testing
> > for castrated device
> > [   91.291555][   T74] cdc_acm 1-1:0.234: Refcount after probe: 3
> > [   91.292766][   T74] cdc_acm: probe of 1-1:0.234 failed with error -12
> > [   92.001549][   T96] usb 1-1: USB disconnect, device number 2
>
> Ah, that looks right, thank you.  The patch worked correctly -- good
> work Oliver!

Great! Just a reminder to submit the fix :)


Re: KASAN: use-after-free Read in v4l2_ioctl

2019-08-13 Thread Andrey Konovalov
On Sun, Apr 14, 2019 at 10:06 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=137d8a2d20
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=d587871cd33a9bc7c086
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13e878f320
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=102432e320
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d587871cd33a9bc7c...@syzkaller.appspotmail.com
>
> usb 6-1: USB disconnect, device number 19
> radio-raremono 6-1:0.210: Thanko's Raremono disconnected
> radio-si470x 2-1:0.210: could not find interrupt in endpoint
> radio-si470x 3-1:0.210: could not find interrupt in endpoint
> ==
> BUG: KASAN: use-after-free in v4l2_ioctl+0x187/0x1a0
> drivers/media/v4l2-core/v4l2-dev.c:362
> Read of size 8 at addr 88809b3645e0 by task v4l_id/5799
> radio-si470x 4-1:0.210: could not find interrupt in endpoint
>
> CPU: 0 PID: 5799 Comm: v4l_id Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> radio-si470x: probe of 4-1:0.210 failed with error -5
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   print_address_description+0x6c/0x236 mm/kasan/report.c:187
> radio-si470x: probe of 2-1:0.210 failed with error -5
>   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
>   v4l2_ioctl+0x187/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:362
>   vfs_ioctl fs/ioctl.c:46 [inline]

#syz fix: media: radio-raremono: change devm_k*alloc to k*alloc

>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
> usb 5-1: new high-speed USB device number 19 using dummy_hcd
> radio-si470x: probe of 3-1:0.210 failed with error -5
>   ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7f435c835347
> Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
> ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
> radio-raremono 2-1:0.210: Thanko's Raremono connected: (10C4:818A)
> RSP: 002b:7ffeca71fda8 EFLAGS: 0202 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 7f435c835347
> RDX: 7ffeca71fdb0 RSI: 80685600 RDI: 0003
> RBP:  R08:  R09: 
> R10:  R11: 0202 R12: 00400884
> R13: 7ffeca71ff00 R14:  R15: 
>
> Allocated by task 12:
>   set_track mm/kasan/common.c:87 [inline]
>   __kasan_kmalloc mm/kasan/common.c:497 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
>   slab_post_alloc_hook mm/slab.h:437 [inline]
>   slab_alloc_node mm/slub.c:2756 [inline]
>   __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
>   alloc_dr drivers/base/devres.c:103 [inline]
>   devm_kmalloc+0x8c/0x190 drivers/base/devres.c:793
>   devm_kzalloc include/linux/device.h:679 [inline]
>   usb_raremono_probe+0x34/0x235 drivers/media/radio/radio-raremono.c:298
> radio-raremono 3-1:0.210: Thanko's Raremono connected: (10C4:818A)
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
> radio-raremono 4-1:0.210: Thanko's Raremono connected: (10C4:818A)
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
> usb 1-1: new high-speed USB device number 19 using dummy_hcd
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
> usb 5-1: Using ep0 maxpacket: 8
>   

Re: KASAN: use-after-free Read in __video_do_ioctl

2019-08-13 Thread Andrey Konovalov
On Sun, Apr 14, 2019 at 10:06 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1317cedd20
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=5b7575b3f6820232e17c
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5b7575b3f6820232e...@syzkaller.appspotmail.com
>
> radio-raremono 6-1:0.210: raremono_cmd_main failed (-71)
> radio-raremono 6-1:0.210: V4L2 device registered as radio32
> usb 6-1: USB disconnect, device number 119
> radio-raremono 6-1:0.210: Thanko's Raremono disconnected
> ==
> BUG: KASAN: use-after-free in __mutex_lock_common
> kernel/locking/mutex.c:1009 [inline]
> BUG: KASAN: use-after-free in __mutex_lock+0x11ad/0x12b0
> kernel/locking/mutex.c:1072
> Read of size 8 at addr 888097e94bf8 by task v4l_id/7329
>
> CPU: 1 PID: 7329 Comm: v4l_id Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   print_address_description+0x6c/0x236 mm/kasan/report.c:187
>   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
>   __mutex_lock_common kernel/locking/mutex.c:1009 [inline]
>   __mutex_lock+0x11ad/0x12b0 kernel/locking/mutex.c:1072
>   __video_do_ioctl+0x5d2/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2842
> usb 5-1: Using ep0 maxpacket: 8
>   video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
>   v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364

#syz dup: KASAN: use-after-free Read in v4l2_ioctl

>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
>   ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7f582f197347
> Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
> ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
> usb 5-1: config 0 has an invalid interface number: 85 but max is 0
> RSP: 002b:7ffda90c77a8 EFLAGS: 0202 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 7f582f197347
> RDX: 7ffda90c77b0 RSI: 80685600 RDI: 0003
> RBP:  R08:  R09: 
> R10:  R11: 0202 R12: 00400884
> R13: 7ffda90c7900 R14:  R15: 
>
> Allocated by task 5:
>   set_track mm/kasan/common.c:87 [inline]
>   __kasan_kmalloc mm/kasan/common.c:497 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
>   slab_post_alloc_hook mm/slab.h:437 [inline]
>   slab_alloc_node mm/slub.c:2756 [inline]
>   __kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
>   alloc_dr drivers/base/devres.c:103 [inline]
>   devm_kmalloc+0x8c/0x190 drivers/base/devres.c:793
>   devm_kzalloc include/linux/device.h:679 [inline]
>   usb_raremono_probe+0x34/0x235 drivers/media/radio/radio-raremono.c:298
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
> usb 5-1: config 0 has no interface number 0
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
> usb 5-1: New USB device found, idVendor=04b3, idProduct=4001, bcdDevice=
> 1.10
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
> usb

Re: WARNING in usbhid_raw_request/usb_submit_urb

2019-08-12 Thread Andrey Konovalov
On Mon, Aug 12, 2019 at 4:47 PM Hillf Danton  wrote:
>
>
> Hi Andrey
>
> On Mon, 12 Aug 2019 06:03:01 -0700
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > KASAN: invalid-free in hcd_buffer_free
> >
> > usb 5-1: USB disconnect, device number 2
> > ==
> > BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260
> > drivers/usb/core/buffer.c:165
>
> JFYI:
> 1, the hid-core.patch in the attachment at
> https://lore.kernel.org/lkml/CAAeHK+z-uCr-bWu9uVDynU2S=wCrtxRbuA-Cut=h5zyuycs...@mail.gmail.com/
>
> ===quote begin===
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a7a6b9c609b9457c6...@syzkaller.appspotmail.com
>
> Let's try Hillf's patch here as well:
>
> #syz test: https://github.com/google/kasan.git 7f7867ff

Remove # when quoting syzbot commands, as this will trigger syzbot
testing again =)

>
> >
> > [ cut here ]
> > usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> > WARNING: CPU: 1 PID: 7429 at drivers/usb/core/urb.c:477
> > usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> ===quote end===
>
> is identical to the patch for
> #syz test: https://github.com/google/kasan.git 6a3599ce
> Reported-by: syzbot+3cbe5cd105d2ad56a...@syzkaller.appspotmail.com
>
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
> spin_lock_irq(&usbhid->lock);   /* Sync with error and led handlers */
> set_bit(HID_DISCONNECTED, &usbhid->iofl);
> spin_unlock_irq(&usbhid->lock);
> +   hid_hw_stop(hid);
> hid_destroy_device(hid);
> kfree(usbhid);
>  }
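Review bot: the unconditional hid_hw_stop(hid) added right before hid_destroy_device(hid) in usbhid_disconnect() makes usbhid_stop() run a second time for HID drivers whose own remove callback already calls hid_hw_stop(), and the syzbot result quoted at the top of this message shows exactly that path (hcd_buffer_free <- hid_free_buffers <- usbhid_stop <- logi_dj_remove <- hid_device_remove <- ... <- hid_destroy_device <- usbhid_disconnect) ending in the KASAN double-free. Either leave the stop to the HID driver's remove callback, as today, or make the call safe to repeat by recording that usbhid_stop() has already freed its buffers so a second invocation is a no-op; as written the hunk trades the reported warning for an invalid free.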
>
>
> 2, based on the report itself in the quote section above,
>
> > usb 2-1: BOGUS urb xfer, pipe 2 != type 2
>
> I suggest that we get it invalidated for now. If unfortunately it comes
> up again we know at least what once happened.
>
> 3, this is a new report I did not see before, and it is worth a new report
> thread with a new subject line. See it soon after 7 hours of sleep and
> prepare a patch with Tested-by.

Let's dup it into the PM report:

#syz dup: general protection fault in __pm_runtime_resume

Once the fix is in the USB fuzzer tree, the double-free will be
reported in a separate thread (once it gets hit again).

>
> Thanks
> Hillf
>
> >
> > CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
> >   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
> >   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
> >   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
> >   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
> >   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
> >   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
> >   __device_release_driver drivers/base/dd.c:1118 [inline]
> >   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
> >   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
> >   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
> >   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1120 [inline]
> >   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> >   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 1745:
> >   save_stack+0x1b/0x

Re: KASAN: use-after-free Read in usbhid_power

2019-08-12 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 8:12 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+ef5de9c4f99c4edb4...@syzkaller.appspotmail.com

OK, I'm duping this BUG to the similar one that Hillf fixed:

#syz dup: general protection fault in __pm_runtime_resume

If there are more issues with PM counters, syzbot will re-report them
once the fix is in its tree.

>
> Tested on:
>
> commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> patch:  https://syzkaller.appspot.com/x/patch.diff?x=17fcd52c60
>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/syzkaller-bugs/4de4e2058fb31c2b%40google.com.


Re: Re: KASAN: use-after-free Read in __pm_runtime_resume

2019-08-12 Thread Andrey Konovalov
On Mon, Aug 12, 2019 at 4:27 PM syzbot
 wrote:
>
> > On Sat, Aug 3, 2019 at 11:12 AM Hillf Danton  wrote:
>
>
> >> On Fri, 02 Aug 2019 05:58:05 -0700
> >> > Hello,
> >> >
> >> > syzbot found the following crash on:
> >> >
> >> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> >> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> >> > console output:
> >> https://syzkaller.appspot.com/x/log.txt?x=146071b460
> >> > kernel config:
> >> https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> >> > dashboard link:
> >> https://syzkaller.appspot.com/bug?extid=b156665cf4d1b5e00c76
> >> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> >> >
> >> > Unfortunately, I don't have any reproducer for this crash yet.
> >> >
> >> > IMPORTANT: if you fix the bug, please add the following tag to the
> >> commit:
> >> > Reported-by: syzbot+b156665cf4d1b5e00...@syzkaller.appspotmail.com
> >> >
> >> > ==
> >> > BUG: KASAN: use-after-free in __pm_runtime_resume+0x162/0x180
> >> > drivers/base/power/runtime.c:1069
> >> > Read of size 1 at addr 8881c775b671 by task syz-executor.4/5918
> >> >
> >> > CPU: 1 PID: 5918 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #24
> >> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >> > Google 01/01/2011
> >> > Call Trace:
> >> >   __dump_stack lib/dump_stack.c:77 [inline]
> >> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >> >   kasan_report+0xe/0x12 mm/kasan/common.c:612
> >> >   __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
> >> >   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
> >> >   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
> >> >   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
> >> >   hid_hw_power include/linux/hid.h:1038 [inline]
> >> >   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
> >> >   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> >> >   do_dentry_open+0x494/0x1120 fs/open.c:797
> >> >   do_last fs/namei.c:3416 [inline]
> >> >   path_openat+0x1430/0x3f50 fs/namei.c:3533
> >> >   do_filp_open+0x1a1/0x280 fs/namei.c:3563
> >> >   do_sys_open+0x3c0/0x580 fs/open.c:1089
> >> >   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> >> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >> > RIP: 0033:0x413711
> >> > Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00
> >> c3 48
> >> > 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24
> >> 48
> >> > 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
> >> > RSP: 002b:7fa3309ef7a0 EFLAGS: 0293 ORIG_RAX: 0002
> >> > RAX: ffda RBX: 6667 RCX: 00413711
> >> > RDX:  RSI:  RDI: 7fa3309ef850
> >> > RBP: 0075bf20 R08: 000f R09: 
> >> > R10:  R11: 0293 R12: 7fa3309f06d4
> >> > R13: 004c8c02 R14: 004dfa80 R15: 
> >> >
> >> > Allocated by task 103:
> >> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >> >   set_track mm/kasan/common.c:77 [inline]
> >> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >> >   kmalloc include/linux/slab.h:552 [inline]
> >> >   kzalloc include/linux/slab.h:748 [inline]
> >> >   usb_set_configuration+0x2c4/0x1670 drivers/usb/core/message.c:1846
> >> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >> >   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> >> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >> >   kthread+0x318/0x420 kernel/kthread.c:255
> >> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >> >
> >> > Freed by task 103:
> >> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >> >   set_track mm/kasan/common.c:77 [inline]
> >> >   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
> >> >   slab_free_hook mm/slub.c:1423 [inline]
> >> >   slab_fr

Re: KASAN: use-after-free Read in __pm_runtime_resume

2019-08-12 Thread Andrey Konovalov
On Sat, Aug 3, 2019 at 11:12 AM Hillf Danton  wrote:
>
>
> On Fri, 02 Aug 2019 05:58:05 -0700
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=146071b460
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b156665cf4d1b5e00c76
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+b156665cf4d1b5e00...@syzkaller.appspotmail.com
> >
> > ==
> > BUG: KASAN: use-after-free in __pm_runtime_resume+0x162/0x180
> > drivers/base/power/runtime.c:1069
> > Read of size 1 at addr 8881c775b671 by task syz-executor.4/5918
> >
> > CPU: 1 PID: 5918 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #24
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:612
> >   __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
> >   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
> >   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
> >   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
> >   hid_hw_power include/linux/hid.h:1038 [inline]
> >   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
> >   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> >   do_dentry_open+0x494/0x1120 fs/open.c:797
> >   do_last fs/namei.c:3416 [inline]
> >   path_openat+0x1430/0x3f50 fs/namei.c:3533
> >   do_filp_open+0x1a1/0x280 fs/namei.c:3563
> >   do_sys_open+0x3c0/0x580 fs/open.c:1089
> >   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x413711
> > Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
> > 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
> > 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
> > RSP: 002b:7fa3309ef7a0 EFLAGS: 0293 ORIG_RAX: 0002
> > RAX: ffda RBX: 6667 RCX: 00413711
> > RDX:  RSI:  RDI: 7fa3309ef850
> > RBP: 0075bf20 R08: 000f R09: 
> > R10:  R11: 0293 R12: 7fa3309f06d4
> > R13: 004c8c02 R14: 004dfa80 R15: 
> >
> > Allocated by task 103:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >   kmalloc include/linux/slab.h:552 [inline]
> >   kzalloc include/linux/slab.h:748 [inline]
> >   usb_set_configuration+0x2c4/0x1670 drivers/usb/core/message.c:1846
> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Freed by task 103:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   device_release+0x71/0x200 drivers/base/core.c:1064
> >   kobject_cleanup lib/kobject.c:693 [inline]
> >   kobject_release lib/kobject.c:722 [inline]
> >   kref_put include/linux/kref.h:65 [inline]
> >   kobject_put+0x171/0x2

Re: WARNING in usbhid_raw_request/usb_submit_urb

2019-08-12 Thread Andrey Konovalov
On Mon, Aug 12, 2019 at 3:03 PM syzbot
 wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: invalid-free in hcd_buffer_free
>
> usb 5-1: USB disconnect, device number 2
> ==
> BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260
> drivers/usb/core/buffer.c:165

Hm, looks like a different bug...

>
> CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
>   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
>   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
>   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
>   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
>   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
>   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
>   __device_release_driver drivers/base/dd.c:1118 [inline]
>   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
>   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
>   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
>   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
>   __device_release_driver drivers/base/dd.c:1120 [inline]
>   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
>   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 1745:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:557 [inline]
>   hcd_buffer_alloc+0x1ca/0x290 drivers/usb/core/buffer.c:135
>   usb_alloc_coherent+0x5d/0x80 drivers/usb/core/usb.c:910
>   hid_alloc_buffers drivers/hid/usbhid/hid-core.c:846 [inline]
>   usbhid_start+0x60b/0x22f0 drivers/hid/usbhid/hid-core.c:1075
>   hid_hw_start+0x5d/0x130 drivers/hid/hid-core.c:1976
>   logi_dj_probe+0x808/0xcd7 drivers/hid/hid-logitech-dj.c:1703
>   hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
>   usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus

Re: KASAN: use-after-free Read in usbhid_raw_request

2019-08-12 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 2:38 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1600051660
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=75e6910bf03e266a277f
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+75e6910bf03e266a2...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in usbhid_get_raw_report
> drivers/hid/usbhid/hid-core.c:865 [inline]
> BUG: KASAN: use-after-free in usbhid_raw_request+0x5f2/0x640
> drivers/hid/usbhid/hid-core.c:1263
> Read of size 8 at addr 8881c8702270 by task syz-executor.4/8993
>
> CPU: 0 PID: 8993 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   usbhid_get_raw_report drivers/hid/usbhid/hid-core.c:865 [inline]
>   usbhid_raw_request+0x5f2/0x640 drivers/hid/usbhid/hid-core.c:1263
>   hid_hw_raw_request include/linux/hid.h:1079 [inline]
>   hidraw_get_report drivers/hid/hidraw.c:228 [inline]
>   hidraw_ioctl+0x936/0xae0 drivers/hid/hidraw.c:426

#syz dup: WARNING in usbhid_raw_request/usb_submit_urb

>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f7f49878c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 2180 RSI: c0404807 RDI: 0004
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 7f7f498796d4
> R13: 004c2152 R14: 004d54f8 R15: 
>
> Allocated by task 83:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:552 [inline]
>   kzalloc include/linux/slab.h:748 [inline]
>   usb_set_configuration+0x2c4/0x1670 drivers/usb/core/message.c:1846
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 83:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   device_release+0x71/0x200 drivers/base/core.c:1064
>   kobject_cleanup lib/kobject.c:693 [inline]
>   kobject_release lib/kobject.c:722 [inline]
>   kref_put include/linux/kref.h:65 [inline]
>   kobject_put+0x171/0x280 lib/kobject.c:739
>   put_device+0x1b/0x30 drivers/base/core.c:2213
>   usb_disable_device+0x2ce/0x690 drivers/usb

Re: WARNING in usbhid_raw_request/usb_submit_urb

2019-08-12 Thread Andrey Konovalov
On Tue, Jul 30, 2019 at 6:58 PM syzbot wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10619cec60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=10606c4260
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a7a6b9c609b9457c6...@syzkaller.appspotmail.com

Let's try Hillf's patch here as well:

#syz test: https://github.com/google/kasan.git 7f7867ff

>
> [ cut here ]
> usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> WARNING: CPU: 1 PID: 7429 at drivers/usb/core/urb.c:477
> usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 7429 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #23
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x2a3/0x6da kernel/panic.c:219
>   __warn.cold+0x20/0x4a kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
> RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Code: 4d 85 ed 74 2c e8 38 e8 ed fd 4c 89 f7 e8 70 dc 1a ff 41 89 d8 44 89
> e1 4c 89 ea 48 89 c6 48 c7 c7 60 cc f8 85 e8 4d b9 c3 fd <0f> 0b e9 20 f4
> ff ff e8 0c e8 ed fd 4c 89 f2 48 b8 00 00 00 00 00
> RSP: 0018:8881cef0f9d0 EFLAGS: 00010282
> RAX:  RBX: 0002 RCX: 
> RDX:  RSI: 812830fd RDI: ed1039de1f2c
> RBP:  R08: 8881c853e000 R09: fbfff115e1a2
> R10: fbfff115e1a1 R11: 88af0d0f R12: 0002
> R13: 8881d976b0a8 R14: 8881d0e02b20 R15: 8881d1720600
>   usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
>   usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
>   usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
>   usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
>   usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
>   hid_hw_raw_request include/linux/hid.h:1079 [inline]
>   hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
>   hidraw_ioctl+0x5b4/0xae0 drivers/hid/hidraw.c:421
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f6a91f44c78 EFLAGS: 0246 ORIG_RAX: 0010
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: 2240 RSI: c0404806 RDI: 0004
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 7f6a91f456d4
> R13: 004c22c3 R14: 004d5688 R15: 
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
 	spin_lock_irq(&usbhid->lock);	/* Sync with error and led handlers */
 	set_bit(HID_DISCONNECTED, &usbhid->iofl);
 	spin_unlock_irq(&usbhid->lock);
+	hid_hw_stop(hid);
 	hid_destroy_device(hid);
 	kfree(usbhid);
 }
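Review bot: the added hid_hw_stop(hid) is not guarded against running twice. hid_destroy_device(hid) on the following line unbinds whatever HID driver is attached, and a bound driver's remove() normally calls hid_hw_stop() itself, so on an ordinary disconnect the transport is stopped once here and once more from the driver. Either confirm that usbhid's stop path is safe to repeat, or make this call conditional on the driver not having stopped the device already, and give the reason for a transport-level stop in a commit description, which this test patch does not carry.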


Re: general protection fault in __pm_runtime_resume

2019-08-12 Thread Andrey Konovalov
On Thu, Jul 25, 2019 at 7:04 AM syzbot wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=108edb6860
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> dashboard link: https://syzkaller.appspot.com/bug?extid=3cbe5cd105d2ad56a1df
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13f0b4c860
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=172d875860
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3cbe5cd105d2ad56a...@syzkaller.appspotmail.com
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> CPU: 0 PID: 1740 Comm: syz-executor618 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069
> Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02
> 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00
> RSP: 0018:8881cf5878e0 EFLAGS: 00010202
> RAX: dc00 RBX: 0020 RCX: 82676833
> RDX: 00021d463be5 RSI: 82676841 RDI: 0010ea31df2b
> RBP: 0010ea31dc6a R08: 8881d1b7e000 R09: fbfff0e84c25
> R10: 8881cf587940 R11: 87426127 R12: 0004
> R13:  R14: 8881cfd7a500 R15: 897f9040
> FS:  55808880() GS:8881db20() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 0043f760 CR3: 0001d0f29000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1707
>   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
>   hid_hw_power include/linux/hid.h:1038 [inline]
>   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
>   chrdev_open+0x219/0x5c0 fs/char_dev.c:413
>   do_dentry_open+0x497/0x1040 fs/open.c:778
>   do_last fs/namei.c:3416 [inline]
>   path_openat+0x1430/0x3ff0 fs/namei.c:3533
>   do_filp_open+0x1a1/0x280 fs/namei.c:3563
>   do_sys_open+0x3c0/0x580 fs/open.c:1070
>   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x401ad0
> Code: 01 f0 ff ff 0f 83 c0 0b 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
> 44 00 00 83 3d fd 5b 2d 00 00 75 14 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 94 0b 00 00 c3 48 83 ec 08 e8 fa 00 00 00
> RSP: 002b:7ffed8d15738 EFLAGS: 0246 ORIG_RAX: 0002
> RAX: ffda RBX:  RCX: 00401ad0
> RDX:  RSI:  RDI: 7ffed8d15740
> RBP: 6667 R08: 000f R09: 
> R10:  R11: 0246 R12: 00402af0
> R13: 00402b80 R14:  R15: 
> Modules linked in:
> ---[ end trace 60987a9feed42828 ]---
> RIP: 0010:__pm_runtime_resume+0x49/0x180 drivers/base/power/runtime.c:1069
> Code: ed 74 d5 fe 45 85 ed 0f 85 9a 00 00 00 e8 6f 73 d5 fe 48 8d bd c1 02
> 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 fe 00 00 00
> RSP: 0018:8881cf5878e0 EFLAGS: 00010202
> RAX: dc00 RBX: 0020 RCX: 82676833
> RDX: 00021d463be5 RSI: 82676841 RDI: 0010ea31df2b
> RBP: 0010ea31dc6a R08: 8881d1b7e000 R09: fbfff0e84c25
> R10: 8881cf587940 R11: 87426127 R12: 0004
> R13:  R14: 8881cfd7a500 R15: 897f9040
> FS:  55808880() GS:8881db20() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 0043f760 CR3: 0001d0f29000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
>

Let's try Hillf's patch here as well:

#syz test: https://github.com/google/kasan.git 6a3599ce
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
 	spin_lock_irq(&usbhid->lock);	/* Sync with error and led handlers */
 	set_bit(HID_DISCONNECTED, &usbhid->iofl);
 	spin_unlock_irq(&usbhid->lock);
+	hid_hw_stop(hid);
 	hid_destroy_device(hid);
 	kfree(usbhid);
 }
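Review bot: the stop is added unconditionally, but the matching hid_hw_start() is issued by the HID driver's probe (hid_hw_start() called from logi_dj_probe() in the allocation trace earlier on this page), so the balancing hid_hw_stop() belongs in that driver's remove() and probe-failure paths. Placing it in usbhid_disconnect() papers over a driver that skipped its stop and, for a driver that did not skip it, runs before hid_destroy_device(hid) unbinds that driver and stops the device a second time. That is fine as a #syz test experiment to see whether the crash disappears; the proper fix should add the missing stop to the driver that omitted it, and the description should name that driver.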


Re: KASAN: slab-out-of-bounds Read in usbnet_generic_cdc_bind

2019-08-12 Thread Andrey Konovalov
On Mon, Aug 12, 2019 at 2:18 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1390791c60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=45a53506b65321c1fe91
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12c78cd260
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1395b40e60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+45a53506b65321c1f...@syzkaller.appspotmail.com
>
> usb 1-1: config 1 interface 0 altsetting 0 has 0 endpoint descriptors,
> different from the interface descriptor's value: 18
> usb 1-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice=
> 0.40
> usb 1-1: New USB device strings: Mfr=6, Product=0, SerialNumber=0
> ==
> BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> Read of size 1 at addr 8881d4262f3b by task kworker/1:2/83
>
> CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   memcmp+0xa6/0xb0 lib/string.c:904
>   memcmp include/linux/string.h:400 [inline]
>   usbnet_generic_cdc_bind+0x71b/0x17c0 drivers/net/usb/cdc_ether.c:225
>   usbnet_ether_cdc_bind drivers/net/usb/cdc_ether.c:322 [inline]
>   usbnet_cdc_bind+0x20/0x1a0 drivers/net/usb/cdc_ether.c:430
>   usbnet_probe+0xb43/0x23d0 drivers/net/usb/usbnet.c:1722
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 83:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:557 [inline]
>   usb_get_configuration+0x30c/0x3070 drivers/usb/core/config.c:857
>   usb_enumerate_device drivers/usb/core/hub.c:2369 [inline]
>   usb_new_device+0xd3/0x160 drivers/usb/core/hub.c:2505
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 269:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   kobject_uevent_env+0x294/0x1160 lib/kobject_uevent.c:624
>   kobject_synth_ueven

Re: KASAN: slab-out-of-bounds Read in ld_usb_read

2019-08-12 Thread Andrey Konovalov
On Mon, Aug 12, 2019 at 2:18 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=162aac0260
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ba00d6a2a24df57a94ca
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1123edc260
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16079d2c60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ba00d6a2a24df57a9...@syzkaller.appspotmail.com
>
> ldusb 1-1:0.28: Read buffer overflow, -131386046930688 bytes dropped
> ==
> BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x124/0x150
> lib/usercopy.c:27
> Read of size 2147479552 at addr 8881cd580008 by task
> syz-executor268/1890
>
> CPU: 0 PID: 1890 Comm: syz-executor268 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   check_memory_region_inline mm/kasan/generic.c:185 [inline]
>   check_memory_region+0x128/0x190 mm/kasan/generic.c:192
>   _copy_to_user+0x124/0x150 lib/usercopy.c:27
>   copy_to_user include/linux/uaccess.h:152 [inline]
>   ld_usb_read+0x31a/0x780 drivers/usb/misc/ldusb.c:495

#syz dup: KASAN: use-after-free Read in ld_usb_release

>   __vfs_read+0x76/0x100 fs/read_write.c:425
>   vfs_read+0x1ea/0x430 fs/read_write.c:461
>   ksys_read+0x1e8/0x250 fs/read_write.c:587
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x441c49
> Code: e8 8c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7ffd920003d8 EFLAGS: 0246 ORIG_RAX: 
> RAX: ffda RBX:  RCX: 00441c49
> RDX: fd68 RSI: 2100 RDI: 0004
> RBP: 000305b5 R08: 000f R09: 00402a30
> R10:  R11: 0246 R12: 004029a0
> R13: 00402a30 R14:  R15: 
>
> The buggy address belongs to the page:
> page:ea0007356000 refcount:1 mapcount:0 mapping:
> index:0x0 compound_mapcount: 0
> flags: 0x201(head)
> raw: 0201 dead0100 dead0122 
> raw:   0001 
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>   8881cd595500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   8881cd595580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 8881cd595600: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> ^
>   8881cd595680: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>   8881cd595700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> ==
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches


Re: KASAN: use-after-free Write in ld_usb_interrupt_in_callback

2019-08-12 Thread Andrey Konovalov
On Mon, Aug 12, 2019 at 2:18 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1327f2ee60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=a4b088ebfbadf5f82150
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=128acc6a60
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1082c8e260
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a4b088ebfbadf5f82...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in ld_usb_interrupt_in_callback+0x40c/0x4c0
> drivers/usb/misc/ldusb.c:276
> Write of size 4 at addr 8881cdf0b55c by task udevd/238
>
> CPU: 1 PID: 238 Comm: udevd Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   ld_usb_interrupt_in_callback+0x40c/0x4c0 drivers/usb/misc/ldusb.c:276

#syz dup: KASAN: use-after-free Read in ld_usb_release

>   __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1757
>   usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1822
>   dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1965
>   call_timer_fn+0x179/0x650 kernel/time/timer.c:1322
>   expire_timers kernel/time/timer.c:1366 [inline]
>   __run_timers kernel/time/timer.c:1685 [inline]
>   __run_timers kernel/time/timer.c:1653 [inline]
>   run_timer_softirq+0x5cc/0x14b0 kernel/time/timer.c:1698
>   __do_softirq+0x221/0x912 kernel/softirq.c:292
>   invoke_softirq kernel/softirq.c:373 [inline]
>   irq_exit+0x178/0x1a0 kernel/softirq.c:413
>   exiting_irq arch/x86/include/asm/apic.h:537 [inline]
>   smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1095
>   apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:828
>   
> RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
> RIP: 0010:check_kcov_mode kernel/kcov.c:140 [inline]
> RIP: 0010:__sanitizer_cov_trace_pc+0x9/0x50 kernel/kcov.c:174
> Code: 25 8c c4 cf 07 41 bc f4 ff ff ff e8 8a a0 ea ff 48 c7 05 76 c4 cf 07
> 00 00 00 00 e9 ee eb ff ff 90 65 48 8b 04 25 00 ef 01 00 <65> 8b 15 e8 ff
> c3 7e 81 e2 00 01 1f 00 48 8b 34 24 75 2b 8b 90 20
> RSP: 0018:8881d391fd80 EFLAGS: 0246 ORIG_RAX: ff13
> RAX: 8881d38b9800 RBX: dc00 RCX: 815ab382
> RDX: 7fefa32f1000 RSI: 7fefa32f1000 RDI: 0006
> RBP: 8881d3822b20 R08: 8881d38b9800 R09: ed103a7f68a7
> R10: ed103a7f68a6 R11: 8881d3fb4533 R12: 7fefa32f1000
> R13: 7fefa32f1000 R14: 8881d3822b00 R15: 8881d3822b20
>   browse_rb mm/mmap.c:346 [inline]
>   validate_mm+0x2f0/0x610 mm/mmap.c:418
>   remove_vma_list mm/mmap.c:2592 [inline]
>   __do_munmap+0x847/0xf90 mm/mmap.c:2833
>   __vm_munmap+0xe6/0x170 mm/mmap.c:2853
>   __do_sys_munmap mm/mmap.c:2878 [inline]
>   __se_sys_munmap mm/mmap.c:2875 [inline]
>   __x64_sys_munmap+0x62/0x80 mm/mmap.c:2875
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7fefa33ccd37
> Code: f0 ff ff 73 01 c3 48 8b 0d fe c0 2a 00 31 d2 48 29 c2 64 89 11 48 83
> c8 ff eb ea 90 90 90 90 90 90 90 90 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 8b 0d d1 c0 2a 00 31 d2 48 29 c2 64
> RSP: 002b:7ffc17b3cfe8 EFLAGS: 0206 ORIG_RAX: 000b
> RAX: ffda RBX: 00ffdd10 RCX: 7fefa33ccd37
> RDX:  RSI: 1000 RDI: 7fefa3cc2000
> RBP:  R08: 7fefa3cbc7a0 R09: 
> R10: 5f4344555f425355 R11: 0206 R12: 
> R13: 00ffdd10 R14: 0006 R15: 
>
> Allocated by task 1757:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:552 [inline]
>   kzalloc include/linux/slab.h:748 [inline]
>   ld_usb_probe+0x6e/0xa65 drivers/usb/misc/ldusb.c:661
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base

Re: possible deadlock in usb_deregister_dev

2019-08-12 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 9:32 PM Alan Stern wrote:
>
> On Fri, 9 Aug 2019, syzbot wrote:
>
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15bf780e60
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a64a382964bf6c71a9c0
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1678757460
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=136cc4d260
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a64a382964bf6c71a...@syzkaller.appspotmail.com
> >
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > usb 1-1: config 0 descriptor??
> > iowarrior 1-1:0.236: IOWarrior product=0x1501, serial= interface=236 now
> > attached to iowarrior0
> > usb 1-1: USB disconnect, device number 2
> > ==
> > WARNING: possible circular locking dependency detected
> > 5.3.0-rc2+ #25 Not tainted
> > --
> > kworker/0:1/12 is trying to acquire lock:
> > cd63e8f1 (minor_rwsem){}, at: usb_deregister_dev
> > drivers/usb/core/file.c:238 [inline]
> > cd63e8f1 (minor_rwsem){}, at: usb_deregister_dev+0x61/0x270
> > drivers/usb/core/file.c:230
> >
> > but task is already holding lock:
> > 1d1989ef (iowarrior_open_disc_lock){+.+.}, at:
> > iowarrior_disconnect+0x45/0x2c0 drivers/usb/misc/iowarrior.c:867
> >
> > which lock already depends on the new lock.
>
> https://syzkaller.appspot.com/bug?extid=ca52394faa436d8131df is
> undoubtedly a duplicate of this.

I've marked it as one, thanks!

Now that we have a reproducer, let's retry Oliver's fix:

#syz test: https://github.com/google/kasan.git e96407b4
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index ba05dd80a020..f5bed9f29e56 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -866,19 +866,20 @@ static void iowarrior_disconnect(struct usb_interface *interface)
 	dev = usb_get_intfdata(interface);
 	mutex_lock(&iowarrior_open_disc_lock);
 	usb_set_intfdata(interface, NULL);
+	/* prevent device read, write and ioctl */
+	dev->present = 0;
 
 	minor = dev->minor;
+	mutex_unlock(&iowarrior_open_disc_lock);
+	/* give back our minor - this will call close() locks need to be dropped at this point*/
 
-	/* give back our minor */
 	usb_deregister_dev(interface, &iowarrior_class);
 
 	mutex_lock(&dev->mutex);
 
 	/* prevent device read, write and ioctl */
-	dev->present = 0;
 
 	mutex_unlock(&dev->mutex);
-	mutex_unlock(&iowarrior_open_disc_lock);
 
 	if (dev->opened) {
 		/* There is a process that holds a filedescriptor to the device ,
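Review bot: with dev->present = 0 moved up under iowarrior_open_disc_lock, the mutex_lock(&dev->mutex) / mutex_unlock(&dev->mutex) pair later in the hunk now encloses only the comment /* prevent device read, write and ioctl */ and no statement. Either drop the pair together with the now-misleading comment, or, if the empty critical section is meant to let a read, write or ioctl that already holds dev->mutex finish before teardown continues, say exactly that in the comment. The flag is also now written under iowarrior_open_disc_lock rather than dev->mutex; which lock the read/write/ioctl paths hold when they test dev->present is not visible in this hunk and should be confirmed so the flag is not read under a different lock than it is written. Style: the new comment on the usb_deregister_dev() line runs two sentences together and lacks the space before */; something like "give back our minor; this calls close(), so no locks may be held here" reads cleanly.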


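The inversion that lockdep reports for the iowarrior locks (the disconnect path taking minor_rwsem while holding iowarrior_open_disc_lock, while the open path takes iowarrior_open_disc_lock under iowarrior_mutex, itself taken under minor_rwsem) can be reproduced with a small model of the dependency graph. The following is an added example written for this page, not code from the iowarrior driver, the kernel, or anyone in the thread: it records, lockdep-style, which locks were held each time another lock was taken, and flags the acquisition that would close a cycle. The open and disconnect sequences are an assumed model of the call paths quoted in the lockdep output: usb_open() holding minor_rwsem while iowarrior_open() takes iowarrior_mutex and then iowarrior_open_disc_lock, and iowarrior_disconnect() reaching minor_rwsem through usb_deregister_dev(). The patched variant of disconnect drops iowarrior_open_disc_lock before usb_deregister_dev(), as Oliver's diff above does.

```c
/* Lock-order model of the three locks named in the iowarrior lockdep
 * reports. Added example, not kernel code: the acquire/release sequences
 * in model_open() and model_disconnect() are assumptions derived from the
 * call chains quoted in the reports, not the drivers' actual code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_id { OPEN_DISC_LOCK, MINOR_RWSEM, IOW_MUTEX, NLOCKS };

static const char *const lock_name[NLOCKS] = {
	"iowarrior_open_disc_lock", "minor_rwsem", "iowarrior_mutex",
};

struct lock_graph {
	bool dep[NLOCKS][NLOCKS];	/* dep[a][b]: a was held when b was taken */
	enum lock_id held[NLOCKS];	/* locks the modelled task holds, in order */
	int nheld;
};

/* Depth-first search: does a recorded chain from -> ... -> to exist? */
static bool reaches(const struct lock_graph *g, enum lock_id from,
		    enum lock_id to, bool seen[NLOCKS])
{
	if (from == to)
		return true;
	if (seen[from])
		return false;
	seen[from] = true;
	for (int next = 0; next < NLOCKS; next++)
		if (g->dep[from][next] && reaches(g, next, to, seen))
			return true;
	return false;
}

/* Take lock l: every currently held lock h gains the edge h -> l. Before
 * adding it, check whether l -> ... -> h is already recorded; if so the new
 * edge closes a cycle, which is what lockdep prints as "possible circular
 * locking dependency". Returns false when a cycle is detected. */
static bool lock_acquire(struct lock_graph *g, enum lock_id l)
{
	bool ok = true;

	for (int i = 0; i < g->nheld; i++) {
		bool seen[NLOCKS] = { false };
		enum lock_id h = g->held[i];

		if (reaches(g, l, h, seen)) {
			printf("circular dependency: %s --> ... --> %s, "
			       "now taking %s while holding %s\n",
			       lock_name[l], lock_name[h],
			       lock_name[l], lock_name[h]);
			ok = false;
		}
		g->dep[h][l] = true;
	}
	g->held[g->nheld++] = l;
	return ok;
}

static void lock_release(struct lock_graph *g, enum lock_id l)
{
	for (int i = 0; i < g->nheld; i++) {
		if (g->held[i] != l)
			continue;
		memmove(&g->held[i], &g->held[i + 1],
			(g->nheld - i - 1) * sizeof(g->held[0]));
		g->nheld--;
		return;
	}
}

/* Assumed open(2) path: usb_open() holds minor_rwsem while iowarrior_open()
 * takes iowarrior_mutex and then iowarrior_open_disc_lock. */
static bool model_open(struct lock_graph *g)
{
	bool ok = true;

	ok &= lock_acquire(g, MINOR_RWSEM);
	ok &= lock_acquire(g, IOW_MUTEX);
	ok &= lock_acquire(g, OPEN_DISC_LOCK);
	lock_release(g, OPEN_DISC_LOCK);
	lock_release(g, IOW_MUTEX);
	lock_release(g, MINOR_RWSEM);
	return ok;
}

/* Assumed iowarrior_disconnect() path: usb_deregister_dev() takes minor_rwsem.
 * Unpatched, iowarrior_open_disc_lock is still held at that point; patched,
 * it is released first. */
static bool model_disconnect(struct lock_graph *g, bool patched)
{
	bool ok = true;

	ok &= lock_acquire(g, OPEN_DISC_LOCK);
	if (patched)
		lock_release(g, OPEN_DISC_LOCK);
	ok &= lock_acquire(g, MINOR_RWSEM);
	lock_release(g, MINOR_RWSEM);
	if (!patched)
		lock_release(g, OPEN_DISC_LOCK);
	return ok;
}

/* Run an open followed by a disconnect on a fresh graph; true means no
 * inversion was recorded. */
static bool lock_order_is_consistent(bool patched)
{
	struct lock_graph g;

	memset(&g, 0, sizeof(g));
	return model_open(&g) && model_disconnect(&g, patched);
}

int main(void)
{
	printf("unpatched disconnect: %s\n",
	       lock_order_is_consistent(false) ? "ok" : "INVERSION");
	printf("patched disconnect:   %s\n",
	       lock_order_is_consistent(true) ? "ok" : "INVERSION");
	return 0;
}
```

Build with cc -Wall -o lockorder lockorder.c and run it: the unpatched sequence reports the cycle at the moment disconnect takes minor_rwsem under iowarrior_open_disc_lock, which is the acquisition the kworker report above is stuck on, and the patched sequence records no cycle because the edge iowarrior_open_disc_lock -> minor_rwsem is never added. Real lockdep keys on lock classes rather than instances and tracks IRQ state as well; this model keeps only the held-while-taking graph, which is the part that explains the reports.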
Re: possible deadlock in iowarrior_open

2019-08-12 Thread Andrey Konovalov
On Thu, Aug 1, 2019 at 5:28 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=17ab6aec60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> dashboard link: https://syzkaller.appspot.com/bug?extid=ca52394faa436d8131df
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ca52394faa436d813...@syzkaller.appspotmail.com
>
> ==
> WARNING: possible circular locking dependency detected
> 5.3.0-rc2+ #23 Not tainted
> --
> syz-executor.0/10062 is trying to acquire lock:
> 527cb8c7 (iowarrior_open_disc_lock){+.+.}, at:
> iowarrior_open+0x8a/0x2a0 drivers/usb/misc/iowarrior.c:600
>
> but task is already holding lock:
> 61445bc7 (iowarrior_mutex){+.+.}, at: iowarrior_open+0x23/0x2a0
> drivers/usb/misc/iowarrior.c:589
>
> which lock already depends on the new lock.
>
>
> the existing dependency chain (in reverse order) is:
>
> -> #2 (iowarrior_mutex){+.+.}:
> __mutex_lock_common kernel/locking/mutex.c:930 [inline]
> __mutex_lock+0x158/0x1360 kernel/locking/mutex.c:1077
> iowarrior_open+0x23/0x2a0 drivers/usb/misc/iowarrior.c:589
> usb_open+0x1df/0x270 drivers/usb/core/file.c:48
> chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> do_dentry_open+0x494/0x1120 fs/open.c:797
> do_last fs/namei.c:3416 [inline]
> path_openat+0x1430/0x3f50 fs/namei.c:3533
> do_filp_open+0x1a1/0x280 fs/namei.c:3563
> do_sys_open+0x3c0/0x580 fs/open.c:1089
> do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> -> #1 (minor_rwsem#2){}:
> down_write+0x92/0x150 kernel/locking/rwsem.c:1500
> usb_deregister_dev drivers/usb/core/file.c:238 [inline]
> usb_deregister_dev+0x61/0x270 drivers/usb/core/file.c:230
> iowarrior_disconnect+0xa8/0x2c0 drivers/usb/misc/iowarrior.c:873
> usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> __device_release_driver drivers/base/dd.c:1120 [inline]
> device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> device_del+0x420/0xb10 drivers/base/core.c:2288
> usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> port_event drivers/usb/core/hub.c:5359 [inline]
> hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> kthread+0x318/0x420 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> -> #0 (iowarrior_open_disc_lock){+.+.}:
> check_prev_add kernel/locking/lockdep.c:2405 [inline]
> check_prevs_add kernel/locking/lockdep.c:2507 [inline]
> validate_chain kernel/locking/lockdep.c:2897 [inline]
> __lock_acquire+0x1f7c/0x3b50 kernel/locking/lockdep.c:3880
> lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
> __mutex_lock_common kernel/locking/mutex.c:930 [inline]
> __mutex_lock+0x158/0x1360 kernel/locking/mutex.c:1077
> iowarrior_open+0x8a/0x2a0 drivers/usb/misc/iowarrior.c:600
> usb_open+0x1df/0x270 drivers/usb/core/file.c:48
> chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> do_dentry_open+0x494/0x1120 fs/open.c:797
> do_last fs/namei.c:3416 [inline]
> path_openat+0x1430/0x3f50 fs/namei.c:3533
> do_filp_open+0x1a1/0x280 fs/namei.c:3563
> do_sys_open+0x3c0/0x580 fs/open.c:1089
> do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> other info that might help us debug this:
>
> Chain exists of:
>iowarrior_open_disc_lock --> minor_rwsem#2 --> iowarrior_mutex
>
>   Possible unsafe locking scenario:
>
>        CPU0                    CPU1
>
>   lock(iowarrior_mutex);
>                                lock(minor_rwsem#2);
>                                lock(iowarrior_mutex);
>   lock(iowarrior_open_disc_lock);
>
>   *** DEADLOCK ***
>
> 2 locks held by syz-executor.0/10062:
>   #0: 0fd8903d (minor_rwsem#2){}, at: usb_open+0x23/0x270
> drivers/usb/core/file.c:39
>   #1: 61445bc7
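The report above is lockdep's cycle check doing its job. As an added illustration (my own user-space model for this thread, not kernel code and not from the iowarrior driver), the C program below replays the acquisitions from the dependency chain against a minimal dependency graph: every lock taken while another is held records an edge held -> new, and an acquisition is flagged when the graph already has a path from the new lock back to one that is held. replay_report() follows the chain printed above (iowarrior_open_disc_lock held while usb_deregister_dev() takes minor_rwsem, then open taking minor_rwsem -> iowarrior_mutex -> iowarrior_open_disc_lock); replay_reordered() is a hypothetical variant in which disconnect drops iowarrior_open_disc_lock before deregistering, the same kind of reordering Alan applies to rio500 later in this thread, and shows the cycle disappearing. Only the lock names come from the report; everything else is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Lock classes named after the ones in the report; the checker itself is a
 * constructed model for this example, not the kernel's lockdep. */
enum lock_id { IOWARRIOR_OPEN_DISC_LOCK, MINOR_RWSEM, IOWARRIOR_MUTEX, NR_LOCKS };

static const char *const lock_name[NR_LOCKS] = {
	"iowarrior_open_disc_lock", "minor_rwsem#2", "iowarrior_mutex",
};

/* dep[a][b] != 0 records "a was held when b was acquired", i.e. a -> b. */
struct lockdep { unsigned char dep[NR_LOCKS][NR_LOCKS]; };

/* The locks one task currently holds, in acquisition order. */
struct task { enum lock_id held[NR_LOCKS]; int nr_held; };

/* Depth-first search for a path from -> ... -> to in the dependency graph. */
static bool reachable(const struct lockdep *ld, int from, int to, unsigned char *seen)
{
	int n;

	if (from == to)
		return true;
	seen[from] = 1;
	for (n = 0; n < NR_LOCKS; n++)
		if (ld->dep[from][n] && !seen[n] && reachable(ld, n, to, seen))
			return true;
	return false;
}

/* Record an acquisition; returns true if it closes a cycle, which is what
 * "possible circular locking dependency" reports. */
static bool lock_acquire(struct lockdep *ld, struct task *t, enum lock_id lock)
{
	bool cycle = false;
	int i;

	for (i = 0; i < t->nr_held; i++) {
		enum lock_id held = t->held[i];
		unsigned char seen[NR_LOCKS] = { 0 };

		/* New edge held -> lock; an existing path lock -> ... -> held
		 * means the two acquisition orders contradict each other. */
		if (reachable(ld, lock, held, seen)) {
			printf("circular dependency: %s -> ... -> %s -> %s\n",
			       lock_name[lock], lock_name[held], lock_name[lock]);
			cycle = true;
		}
		ld->dep[held][lock] = 1;
	}
	if (t->nr_held < NR_LOCKS)
		t->held[t->nr_held++] = lock;
	return cycle;
}

static void lock_release(struct task *t, enum lock_id lock)
{
	int i, j = 0;

	for (i = 0; i < t->nr_held; i++)
		if (t->held[i] != lock)
			t->held[j++] = t->held[i];
	t->nr_held = j;
}

/* The open path from the report: usb_open() takes minor_rwsem, then
 * iowarrior_open() takes iowarrior_mutex (line 589) and
 * iowarrior_open_disc_lock (line 600). */
static bool open_path(struct lockdep *ld)
{
	struct task opener = { { 0 }, 0 };
	bool cycle = false;

	cycle |= lock_acquire(ld, &opener, MINOR_RWSEM);
	cycle |= lock_acquire(ld, &opener, IOWARRIOR_MUTEX);
	cycle |= lock_acquire(ld, &opener, IOWARRIOR_OPEN_DISC_LOCK);
	return cycle;
}

/* Chain #1 from the report: disconnect holds iowarrior_open_disc_lock while
 * usb_deregister_dev() takes minor_rwsem; the open path then closes the cycle. */
static bool replay_report(void)
{
	struct lockdep ld = { { { 0 } } };
	struct task disconnect = { { 0 }, 0 };
	bool cycle = false;

	cycle |= lock_acquire(&ld, &disconnect, IOWARRIOR_OPEN_DISC_LOCK);
	cycle |= lock_acquire(&ld, &disconnect, MINOR_RWSEM);
	lock_release(&disconnect, MINOR_RWSEM);
	lock_release(&disconnect, IOWARRIOR_OPEN_DISC_LOCK);
	return open_path(&ld) || cycle;
}

/* Hypothetical reordering: disconnect drops iowarrior_open_disc_lock before
 * deregistering, so minor_rwsem is never taken under it and no cycle forms. */
static bool replay_reordered(void)
{
	struct lockdep ld = { { { 0 } } };
	struct task disconnect = { { 0 }, 0 };
	bool cycle = false;

	cycle |= lock_acquire(&ld, &disconnect, IOWARRIOR_OPEN_DISC_LOCK);
	lock_release(&disconnect, IOWARRIOR_OPEN_DISC_LOCK);
	cycle |= lock_acquire(&ld, &disconnect, MINOR_RWSEM);
	lock_release(&disconnect, MINOR_RWSEM);
	return open_path(&ld) || cycle;
}

int main(void)
{
	printf("report sequence: %s\n", replay_report() ? "cycle" : "no cycle");
	printf("reordered disconnect: %s\n", replay_reordered() ? "cycle" : "no cycle");
	return 0;
}
```

The order of the two paths matters in the same way it does for lockdep: the disconnect path ran first in the fuzzer, recording disc_lock -> minor_rwsem, and the cycle is only reported when the open path later tries to take disc_lock under iowarrior_mutex.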

Re: KASAN: use-after-free Read in ld_usb_release

2019-08-12 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 6:51 PM Alan Stern  wrote:
>
> Greg:
>
> See below...
>
> On Fri, 9 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15a16f2660
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=30cf45ebfe0b0c4847a1
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1416df2660
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11ce511c60
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+30cf45ebfe0b0c484...@syzkaller.appspotmail.com
> >
> > ==
> > BUG: KASAN: use-after-free in __mutex_lock_common
> > kernel/locking/mutex.c:912 [inline]
> > BUG: KASAN: use-after-free in __mutex_lock+0xf23/0x1360
> > kernel/locking/mutex.c:1077
> > Read of size 8 at addr 8881d21fc2d8 by task syz-executor834/1878
> >
> > CPU: 0 PID: 1878 Comm: syz-executor834 Not tainted 5.3.0-rc2+ #25
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:612
> >   __mutex_lock_common kernel/locking/mutex.c:912 [inline]
> >   __mutex_lock+0xf23/0x1360 kernel/locking/mutex.c:1077
> >   ld_usb_release+0xb1/0x400 drivers/usb/misc/ldusb.c:386
> >   __fput+0x2d7/0x840 fs/file_table.c:280
> >   task_work_run+0x13f/0x1c0 kernel/task_work.c:113
> >   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> >   exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
> >   prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
> >   syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
> >   do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x406b31
> > Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
> > 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
> > 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
> > RSP: 002b:7ffcf13bd080 EFLAGS: 0293 ORIG_RAX: 0003
> > RAX:  RBX: 0005 RCX: 00406b31
> > RDX: fff7 RSI: 0080 RDI: 0004
> > RBP: 0159 R08: 0020 R09: 0020
> > R10: 7ffcf13bd0b0 R11: 0293 R12: 0001d884
> > R13: 0004 R14: 006e39ec R15: 0064
> >
> > Allocated by task 1775:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >   kmalloc include/linux/slab.h:552 [inline]
> >   kzalloc include/linux/slab.h:748 [inline]
> >   ld_usb_probe+0x6e/0xa65 drivers/usb/misc/ldusb.c:661
> >   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24

Re: BUG: bad usercopy in ld_usb_read

2019-08-12 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 2:38 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=13aeaece60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=45b2f40f0778cfa7634e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+45b2f40f0778cfa76...@syzkaller.appspotmail.com
>
> ldusb 6-1:0.124: Read buffer overflow, -131383996186150 bytes dropped
> usercopy: Kernel memory exposure attempt detected from SLUB
> object 'kmalloc-2k' (offset 8, size 65062)!
> [ cut here ]
> kernel BUG at mm/usercopy.c:98!
> invalid opcode:  [#1] SMP KASAN
> CPU: 0 PID: 15185 Comm: syz-executor.2 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:98
> Code: e8 c1 f7 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 e0
> f3 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 15 98 c1 ff <0f> 0b e8 95 f7
> d6 ff e8 80 9f fd ff 8b 54 24 04 49 89 d8 4c 89 e1
> RSP: 0018:8881ccb3fc38 EFLAGS: 00010286
> RAX: 0067 RBX: 86a659d4 RCX: 
> RDX:  RSI: 8128a0fd RDI: ed1039967f79
> RBP: 85cdf2c0 R08: 0067 R09: fbfff11acdaa
> R10: fbfff11acda9 R11: 88d66d4f R12: 86a696e8
> R13: 85cdf180 R14: fe26 R15: 85cdf140
> FS:  7ff6daf91700() GS:8881db20() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7f1de660 CR3: 0001ca554000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>   __check_heap_object+0xdd/0x110 mm/slub.c:3914
>   check_heap_object mm/usercopy.c:234 [inline]
>   __check_object_size mm/usercopy.c:280 [inline]
>   __check_object_size+0x32d/0x39b mm/usercopy.c:250
>   check_object_size include/linux/thread_info.h:119 [inline]
>   check_copy_size include/linux/thread_info.h:150 [inline]
>   copy_to_user include/linux/uaccess.h:151 [inline]
>   ld_usb_read+0x304/0x780 drivers/usb/misc/ldusb.c:495

#syz dup: KASAN: use-after-free Read in ld_usb_release

>   __vfs_read+0x76/0x100 fs/read_write.c:425
>   vfs_read+0x1ea/0x430 fs/read_write.c:461
>   ksys_read+0x1e8/0x250 fs/read_write.c:587
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7ff6daf90c78 EFLAGS: 0246 ORIG_RAX: 
> RAX: ffda RBX: 0003 RCX: 00459829
> RDX: fe26 RSI: 20c0 RDI: 0003
> RBP: 0075bf20 R08:  R09: 
> R10:  R11: 0246 R12: 7ff6daf916d4
> R13: 004c6c73 R14: 004dbee8 R15: 
> Modules linked in:
> ---[ end trace 4fe8dba032d24ceb ]---
> RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:98
> Code: e8 c1 f7 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 e0
> f3 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 15 98 c1 ff <0f> 0b e8 95 f7
> d6 ff e8 80 9f fd ff 8b 54 24 04 49 89 d8 4c 89 e1
> RSP: 0018:8881ccb3fc38 EFLAGS: 00010286
> RAX: 0067 RBX: 86a659d4 RCX: 
> RDX:  RSI: 8128a0fd RDI: ed1039967f79
> RBP: 85cdf2c0 R08: 0067 R09: fbfff11acdaa
> R10: fbfff11acda9 R11: 88d66d4f R12: 86a696e8
> R13: 85cdf180 R14: fe26 R15: 85cdf140
> FS:  7ff6daf91700() GS:8881db20() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7f1de660 CR3: 0001ca554000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
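The usercopy message above shows the hardening check refusing a copy_to_user() of 65062 bytes (0xfe26, also visible in RDX) out of a 2k object, after the driver's own byte accounting had already gone negative. As an added illustration, not ldusb's code: a constructed C model of a driver read path in which each packet carries a device-supplied 2-byte length. ring_read_packet() bounds that length against the slot and against the caller's buffer before any copy takes place, so a corrupted header is reported as -EIO and dropped instead of becoming an oversized copy. The slot layout, the sizes and the demo_bounded_read() scenario are all assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (not ldusb's): NR_SLOTS fixed-size slots, each holding a
 * 2-byte little-endian length header written by the device, then the payload. */
#define NR_SLOTS     4
#define SLOT_SIZE   64
#define HDR_SIZE     2
#define MAX_PAYLOAD (SLOT_SIZE - HDR_SIZE)

struct ring {
	unsigned char slots[NR_SLOTS][SLOT_SIZE];
	unsigned int head;	/* next slot the device completes into */
	unsigned int tail;	/* next slot the reader consumes */
};

/* Device side: store one packet with a correct header. */
static int ring_push(struct ring *r, const unsigned char *data, size_t len)
{
	unsigned char *slot;

	if (len > MAX_PAYLOAD)
		return -EMSGSIZE;
	if ((r->head + 1) % NR_SLOTS == r->tail)
		return -ENOSPC;		/* ring full */
	slot = r->slots[r->head];
	slot[0] = len & 0xff;
	slot[1] = (len >> 8) & 0xff;
	memcpy(slot + HDR_SIZE, data, len);
	r->head = (r->head + 1) % NR_SLOTS;
	return 0;
}

/* Reader side (where a driver would copy_to_user()): returns bytes copied,
 * -EAGAIN when empty, -EIO when the stored header cannot be honest, -EINVAL
 * when the caller's buffer is too small (the packet is kept for a larger read). */
static long ring_read_packet(struct ring *r, unsigned char *out, size_t count)
{
	const unsigned char *slot;
	size_t len;

	if (r->tail == r->head)
		return -EAGAIN;
	slot = r->slots[r->tail];
	/* The header is device-controlled data: treat it as untrusted input and
	 * keep the arithmetic unsigned so it cannot go negative. */
	len = slot[0] | ((size_t)slot[1] << 8);
	if (len > MAX_PAYLOAD) {
		/* Drop the corrupt packet; never let its length size a copy. */
		r->tail = (r->tail + 1) % NR_SLOTS;
		return -EIO;
	}
	if (len > count)
		return -EINVAL;
	memcpy(out, slot + HDR_SIZE, len);	/* copy_to_user() in a driver */
	r->tail = (r->tail + 1) % NR_SLOTS;
	return (long)len;
}

/* Walks the scenarios; returns 0 when every step behaves as documented,
 * otherwise the number of the first step that did not. */
static int demo_bounded_read(void)
{
	struct ring r = { 0 };
	unsigned char out[MAX_PAYLOAD];
	const unsigned char msg[5] = { 1, 2, 3, 4, 5 };

	if (ring_push(&r, msg, sizeof msg) != 0)
		return 1;
	if (ring_read_packet(&r, out, 3) != -EINVAL)	/* too small, kept */
		return 2;
	if (ring_read_packet(&r, out, sizeof out) != 5 || out[4] != 5)
		return 3;
	if (ring_read_packet(&r, out, sizeof out) != -EAGAIN)
		return 4;

	/* Model a corrupt header: 0xfe26 = 65062, the size from the report. */
	if (ring_push(&r, msg, sizeof msg) != 0)
		return 5;
	r.slots[r.tail][0] = 0x26;
	r.slots[r.tail][1] = 0xfe;
	if (ring_read_packet(&r, out, sizeof out) != -EIO)
		return 6;
	if (ring_read_packet(&r, out, sizeof out) != -EAGAIN)	/* dropped */
		return 7;
	return 0;
}

int main(void)
{
	int rc = demo_bounded_read();

	printf("bounded read demo: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
	return rc;
}
```

The hardened-usercopy check that fired in the report is the last line of defence; the point of the model is that the driver's own bound on a device-supplied length is the first one, and that an impossible header should cost the device one dropped packet rather than a kernel memory exposure.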


Re: KASAN: use-after-free Read in prepare_to_wait_event

2019-08-12 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 3:18 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10fbde8c60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> dashboard link: https://syzkaller.appspot.com/bug?extid=332cbcbd8be3e03c62eb
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=127dd63660
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171de9ce60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+332cbcbd8be3e03c6...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in __lock_acquire+0x302a/0x3b50
> kernel/locking/lockdep.c:3753
> Read of size 8 at addr 8881d2a83238 by task syz-executor771/2979
>
> CPU: 0 PID: 2979 Comm: syz-executor771 Not tainted 5.3.0-rc2+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:612
>   __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753
>   lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
>   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
>   _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
>   prepare_to_wait_event+0x5b/0x650 kernel/sched/wait.c:263
>   ld_usb_read+0x619/0x780 drivers/usb/misc/ldusb.c:480

#syz dup: KASAN: use-after-free Read in ld_usb_release

>   __vfs_read+0x76/0x100 fs/read_write.c:425
>   vfs_read+0x1ea/0x430 fs/read_write.c:461
>   ksys_read+0x1e8/0x250 fs/read_write.c:587
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x448859
> Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 4b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:7f9b31740ce8 EFLAGS: 0246 ORIG_RAX: 
> RAX: ffda RBX: 006dec48 RCX: 00448859
> RDX: 0049 RSI: 2080 RDI: 0004
> RBP: 006dec40 R08:  R09: 
> R10:  R11: 0246 R12: 006dec4c
> R13: 7ffd58e161df R14: 7f9b317419c0 R15: 006dec4c
>
> Allocated by task 2705:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:552 [inline]
>   kzalloc include/linux/slab.h:748 [inline]
>   ld_usb_probe+0x6e/0xa65 drivers/usb/misc/ldusb.c:661
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 2705:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [in

Re: KASAN: use-after-free Read in usb_kill_urb

2019-08-12 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 10:52 PM Alan Stern  wrote:
>
> On Fri, 9 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch and the reproducer did not trigger
> > crash:
> >
> > Reported-and-tested-by:
> > syzbot+22ae4e3b9fcc8a5c1...@syzkaller.appspotmail.com
> >
> > Tested on:
> >
> > commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:  https://syzkaller.appspot.com/x/patch.diff?x=173f2d2c60
> >
> > Note: testing is done by a robot and is best-effort only.
>
> This shows that this bug is a duplicate of extid=30cf45ebfe0b0c4847a1.

Let's mark it as one:

#syz dup: KASAN: use-after-free Read in ld_usb_release

I'll also mark all bugs that involve ldusb as duplicates, as they all
likely are.

> This fact is also visible in the console logs; both have lines saying
> something like:
>
> [  549.416341][   T22] sysfs: cannot create duplicate filename 
> '/class/usbmisc/ldusb0'
>
> and
>
> [  549.958755][   T22] ldusb 1-1:0.28: Not able to get a minor for this 
> device.
>
> preceding the invalid access.
>
> Alan Stern
>


Re: KASAN: use-after-free Read in usbhid_power

2019-08-09 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 9:37 PM Alan Stern  wrote:
>
> On Thu, 8 Aug 2019, Andrey Konovalov wrote:
>
> > On Thu, Jul 25, 2019 at 5:09 PM Alan Stern  
> > wrote:
> > >
> > > On Thu, 25 Jul 2019, Oliver Neukum wrote:
> > >
> > > > Am Mittwoch, den 24.07.2019, 17:02 -0400 schrieb Alan Stern:
> > > > > On Wed, 24 Jul 2019, Oliver Neukum wrote:
> > > > >
> > > > > >  drivers/hid/usbhid/hid-core.c | 13 +
> > > > > >  1 file changed, 13 insertions(+)
> > > > > >
> > > > > > diff --git a/drivers/hid/usbhid/hid-core.c 
> > > > > > b/drivers/hid/usbhid/hid-core.c
> > > > > > index c7bc9db5b192..98b996ecf4d3 100644
> > > > > > --- a/drivers/hid/usbhid/hid-core.c
> > > > > > +++ b/drivers/hid/usbhid/hid-core.c
> > > > > > @@ -1229,6 +1229,17 @@ static int usbhid_power(struct hid_device 
> > > > > > *hid, int lvl)
> > > > > >   struct usbhid_device *usbhid = hid->driver_data;
> > > > > >   int r = 0;
> > > > > >
> > > > > > + spin_lock_irq(&usbhid->lock);
> > > > > > + if (test_bit(HID_DISCONNECTED, &usbhid->iofl)) {
> > > > > > + r = -ENODEV;
> > > > > > + spin_unlock_irq(&usbhid->lock);
> > > > > > + goto bail_out;
> > > > > > + } else {
> > > > > > + /* protect against disconnect */
> > > > > > + usb_get_dev(interface_to_usbdev(usbhid->intf));
> > > > > > + spin_unlock_irq(&usbhid->lock);
> > > > > > + }
> > > > > > +
> > > > > >   switch (lvl) {
> > > > > >   case PM_HINT_FULLON:
> > > > > >   r = usb_autopm_get_interface(usbhid->intf);
> > > > > > @@ -1238,7 +1249,9 @@ static int usbhid_power(struct hid_device 
> > > > > > *hid, int lvl)
> > > > > >   usb_autopm_put_interface(usbhid->intf);
> > > > > >   break;
> > > > > >   }
> > > > > > + usb_put_dev(interface_to_usbdev(usbhid->intf));
> > > > > >
> > > > > > +bail_out:
> > > > > >   return r;
> > > > > >  }
>
> > This report looks very similar to these two:
> >
> > https://syzkaller.appspot.com/bug?extid=b156665cf4d1b5e00c76
> > https://syzkaller.appspot.com/bug?extid=3cbe5cd105d2ad56a1df
>
> It also seems to resemble extids a7a6b9c609b9457c62c6,
> 62a1e04fd3ec2abf099e, and 75e6910bf03e266a277f, although this may be an
> illusion.
>
> > Maybe we should mark those two as duplicates.
> >
> > Hillf suggested a fix on one of them, but it looks different from what
> > you propose:
> >
> > https://groups.google.com/d/msg/syzkaller-bugs/xW7LvKfpyn0/SpKbs5ZLEAAJ
>
> Go ahead and try it out on all of them.  I don't have a clear feeling
> about it, not having worked on usbhid in quite a while.
>
> Alan Stern
>

Let's try on this one first:

#syz test: https://github.com/google/kasan.git 6a3599ce
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
 	spin_lock_irq(&usbhid->lock);	/* Sync with error and led handlers */
 	set_bit(HID_DISCONNECTED, &usbhid->iofl);
 	spin_unlock_irq(&usbhid->lock);
+	hid_hw_stop(hid);
 	hid_destroy_device(hid);
 	kfree(usbhid);
 }
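Review bot: hid_hw_stop(hid) is now called unconditionally from usbhid_disconnect() right before hid_destroy_device(hid), which unbinds the HID driver; if that driver's own remove path also stops the device, the stop runs twice, so before this goes beyond a #syz test probe, check that usbhid_stop() and hid_hw_stop() tolerate a second call, or gate the call on the device still being claimed. Placing it after set_bit(HID_DISCONNECTED, ...) under usbhid->lock looks like the right order, since whatever the stop tears down then already observes the disconnected flag.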


Re: KASAN: use-after-free Read in ld_usb_release

2019-08-09 Thread Andrey Konovalov
On Fri, Aug 9, 2019 at 6:51 PM Alan Stern  wrote:
>
> Greg:
>
> See below...
>
> On Fri, 9 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15a16f2660
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=30cf45ebfe0b0c4847a1
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1416df2660
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11ce511c60
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+30cf45ebfe0b0c484...@syzkaller.appspotmail.com
> >
> > ==
> > BUG: KASAN: use-after-free in __mutex_lock_common
> > kernel/locking/mutex.c:912 [inline]
> > BUG: KASAN: use-after-free in __mutex_lock+0xf23/0x1360
> > kernel/locking/mutex.c:1077
> > Read of size 8 at addr 8881d21fc2d8 by task syz-executor834/1878
> >
> > CPU: 0 PID: 1878 Comm: syz-executor834 Not tainted 5.3.0-rc2+ #25
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:612
> >   __mutex_lock_common kernel/locking/mutex.c:912 [inline]
> >   __mutex_lock+0xf23/0x1360 kernel/locking/mutex.c:1077
> >   ld_usb_release+0xb1/0x400 drivers/usb/misc/ldusb.c:386
> >   __fput+0x2d7/0x840 fs/file_table.c:280
> >   task_work_run+0x13f/0x1c0 kernel/task_work.c:113
> >   tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> >   exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
> >   prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
> >   syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
> >   do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x406b31
> > Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
> > 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
> > 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
> > RSP: 002b:7ffcf13bd080 EFLAGS: 0293 ORIG_RAX: 0003
> > RAX:  RBX: 0005 RCX: 00406b31
> > RDX: fff7 RSI: 0080 RDI: 0004
> > RBP: 0159 R08: 0020 R09: 0020
> > R10: 7ffcf13bd0b0 R11: 0293 R12: 0001d884
> > R13: 0004 R14: 006e39ec R15: 0064
> >
> > Allocated by task 1775:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >   kmalloc include/linux/slab.h:552 [inline]
> >   kzalloc include/linux/slab.h:748 [inline]
> >   ld_usb_probe+0x6e/0xa65 drivers/usb/misc/ldusb.c:661
> >   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24

Re: KASAN: use-after-free Read in usbhid_power

2019-08-08 Thread Andrey Konovalov
On Thu, Jul 25, 2019 at 5:09 PM Alan Stern  wrote:
>
> On Thu, 25 Jul 2019, Oliver Neukum wrote:
>
> > Am Mittwoch, den 24.07.2019, 17:02 -0400 schrieb Alan Stern:
> > > On Wed, 24 Jul 2019, Oliver Neukum wrote:
> > >
> > > >  drivers/hid/usbhid/hid-core.c | 13 +
> > > >  1 file changed, 13 insertions(+)
> > > >
> > > > diff --git a/drivers/hid/usbhid/hid-core.c 
> > > > b/drivers/hid/usbhid/hid-core.c
> > > > index c7bc9db5b192..98b996ecf4d3 100644
> > > > --- a/drivers/hid/usbhid/hid-core.c
> > > > +++ b/drivers/hid/usbhid/hid-core.c
> > > > @@ -1229,6 +1229,17 @@ static int usbhid_power(struct hid_device *hid, 
> > > > int lvl)
> > > >   struct usbhid_device *usbhid = hid->driver_data;
> > > >   int r = 0;
> > > >
> > > > + spin_lock_irq(&usbhid->lock);
> > > > + if (test_bit(HID_DISCONNECTED, &usbhid->iofl)) {
> > > > + r = -ENODEV;
> > > > + spin_unlock_irq(&usbhid->lock);
> > > > + goto bail_out;
> > > > + } else {
> > > > + /* protect against disconnect */
> > > > + usb_get_dev(interface_to_usbdev(usbhid->intf));
> > > > + spin_unlock_irq(&usbhid->lock);
> > > > + }
> > > > +
> > > >   switch (lvl) {
> > > >   case PM_HINT_FULLON:
> > > >   r = usb_autopm_get_interface(usbhid->intf);
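Review bot: the check-then-reference sequence does not close the window it targets: HID_DISCONNECTED is tested under usbhid->lock, but as soon as spin_unlock_irq() runs, usbhid_disconnect() can set the bit and kfree(usbhid) before usb_autopm_get_interface(usbhid->intf) dereferences it, and usb_get_dev() only pins the struct usb_device, not the usbhid private data or the interface. A reference held for the lifetime of the hid_device (as raised in the reply below) closes it; if the short-lived reference stays, usb_get_intf()/usb_put_intf() on usbhid->intf is the simpler pairing. Style: the `else` is redundant after `goto bail_out`, so the unlock and the get can follow the `if` unconditionally.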
> > > > @@ -1238,7 +1249,9 @@ static int usbhid_power(struct hid_device *hid, 
> > > > int lvl)
> > > >   usb_autopm_put_interface(usbhid->intf);
> > > >   break;
> > > >   }
> > > > + usb_put_dev(interface_to_usbdev(usbhid->intf));
> > > >
> > > > +bail_out:
> > > >   return r;
> > > >  }
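Review bot: bail_out only wraps `return r;`, so `return -ENODEV;` in the disconnected branch would drop the label and the `else` together; and the usb_put_dev() balances a usb_get_dev() that sits twenty lines up in another hunk, which is the kind of pairing that deserves a one-line comment. The submission also lacks a Reported-by tag for the syzbot report it addresses.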
> > >
> > > Isn't this treating the symptom instead of the cause?
> >
> > Sort of. Holding a reference for the whole time would have merit,
> > but I doubt it is strictly necessary.
>
> Just to be crystal clear, I was talking about a device reference --
> usb_{get,put}_dev or usb_{get,put}_intf -- not a runtime PM reference.
>
> (Incidentally, your patch could be simplified by using usb_get_intf
> instead of usb_get_dev.)
>
> > > Shouldn't the hid_device hold a reference to usbhid->intf throughout
> > > its lifetime?  That way this sort of problem wouldn't arise in any
> > > routine, not just usbhid_power().
> >
> > Unfortunately the semantics would still be wrong without the check
> > in corner cases. In case disconnect() is called without a physical
> > unplug, we must not touch the power state.
> > I am indeed afraid that in that case my putative fix is still racy.
> > But I don't want to just introduce a mutex just for this. Any ideas?
>
> That's a separate issue.  USB drivers -- indeed, all drivers -- are
> required to balance their runtime PM gets and puts (although in the
> case of a physical disconnection it doesn't matter).  Are you asking
> about the best way to do this?
>
> Normally a driver's release or disconnect routine will stop all
> asynchronous accesses to the device (interrupt handlers, work queues,
> URBs, and so on).  At that point the only remaining runtime PM activity
> will be whatever the routine itself does.  So it can see if any extra
> runtime PM gets or puts are needed, and do whatever is necessary.
>
> Does that answer your question?  I can't tell for sure...
>
> Note: I did not try to track down the reason for the invalid access
> reported by syzbot.  It looked like a simple use-after-free, which
> would normally be fixed by taking the appropriate reference.  Which is
> what your patch does, except that it holds the reference only for a
> short time instead of over the entire lifetime of the private data
> structure (the usbhid structure), which is what normally happens.

This report looks very similar to these two:

https://syzkaller.appspot.com/bug?extid=b156665cf4d1b5e00c76
https://syzkaller.appspot.com/bug?extid=3cbe5cd105d2ad56a1df

Maybe we should mark those two as duplicates.

Hillf suggested a fix on one of them, but it looks different from what
you propose:

https://groups.google.com/d/msg/syzkaller-bugs/xW7LvKfpyn0/SpKbs5ZLEAAJ


Re: possible deadlock in open_rio

2019-08-08 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 4:33 PM Alan Stern  wrote:
>
> On Wed, 7 Aug 2019, Oliver Neukum wrote:
>
> > Am Mittwoch, den 07.08.2019, 10:07 -0400 schrieb Alan Stern:
> > > On Wed, 7 Aug 2019, Oliver Neukum wrote:
>
> > > > technically yes. However in practical terms the straight revert I sent
> > > > out yesterday should fix it.
> > >
> > > I didn't see the revert, and it doesn't appear to have reached the
> > > mailing list archive.  Can you post it again?
> >
> > As soon as our VPN server is back up again.
>
> The revert may not be necessary; a little fix should get rid of the
> locking violation.  The key is to avoid calling the registration or
> deregistration routines while holding the rio500_mutex, and to
> recognize that the probe and disconnect routines are both protected by
> the device mutex.
>
> How does this patch look?
>
> Alan Stern
>
>
> #syz test: https://github.com/google/kasan.git 7f7867ff

There's no reproducer yet (it should appear at some point, I've
enabled fuzzing of USB char devices). I've tested your patch manually
and the deadlock report is gone. Thanks!

Tested-by: Andrey Konovalov 

>
> Index: usb-devel/drivers/usb/misc/rio500.c
> ===
> --- usb-devel.orig/drivers/usb/misc/rio500.c
> +++ usb-devel/drivers/usb/misc/rio500.c
> @@ -454,52 +454,54 @@ static int probe_rio(struct usb_interfac
>  {
> struct usb_device *dev = interface_to_usbdev(intf);
> struct rio_usb_data *rio = &rio_instance;
> -   int retval = 0;
> +   int retval;
> +   char *ibuf, *obuf;
>
> -   mutex_lock(&rio500_mutex);
> if (rio->present) {
> dev_info(&intf->dev, "Second USB Rio at address %d 
> refused\n", dev->devnum);
> -   retval = -EBUSY;
> -   goto bail_out;
> -   } else {
> -   dev_info(&intf->dev, "USB Rio found at address %d\n", 
> dev->devnum);
> +   return -EBUSY;
> }
> +   dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
>
> retval = usb_register_dev(intf, &usb_rio_class);
> if (retval) {
> dev_err(&dev->dev,
> "Not able to get a minor for this device.\n");
> -   retval = -ENOMEM;
> -   goto bail_out;
> +   goto err_register;
> }
>
> -   rio->rio_dev = dev;
> -
> -   if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) {
> +   obuf = kmalloc(OBUF_SIZE, GFP_KERNEL);
> +   if (!obuf) {
> dev_err(&dev->dev,
> "probe_rio: Not enough memory for the output 
> buffer\n");
> -   usb_deregister_dev(intf, &usb_rio_class);
> -   retval = -ENOMEM;
> -   goto bail_out;
> +   goto err_obuf;
> }
> -   dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf);
> +   dev_dbg(&intf->dev, "obuf address: %p\n", obuf);
>
> -   if (!(rio->ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL))) {
> +   ibuf = kmalloc(IBUF_SIZE, GFP_KERNEL);
> +   if (!ibuf) {
> dev_err(&dev->dev,
> "probe_rio: Not enough memory for the input 
> buffer\n");
> -   usb_deregister_dev(intf, &usb_rio_class);
> -   kfree(rio->obuf);
> -   retval = -ENOMEM;
> -   goto bail_out;
> +   goto err_ibuf;
> }
> -   dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf);
> +   dev_dbg(&intf->dev, "ibuf address: %p\n", ibuf);
>
> +   mutex_lock(&rio500_mutex);
> +   rio->rio_dev = dev;
> +   rio->ibuf = ibuf;
> +   rio->obuf = obuf;
> usb_set_intfdata (intf, rio);
> rio->present = 1;
> -bail_out:
> mutex_unlock(&rio500_mutex);
>
> return retval;
> +
> + err_ibuf:
> +   kfree(obuf);
> + err_obuf:
> +   usb_deregister_dev(intf, &usb_rio_class);
> + err_register:
> +   return -ENOMEM;
>  }
>
>  static void disconnect_rio(struct usb_interface *intf)
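Review bot: the `if (rio->present)` test at the top of probe_rio() now runs before `mutex_lock(&rio500_mutex)`, which this hunk moves down to just above `rio->rio_dev = dev;`, so two probes for different interfaces can both observe `present == 0`, both pass `usb_register_dev()`, and the second then overwrites `rio_dev`, `ibuf` and `obuf` in the single static `rio_instance`, leaking the first device's buffers. The device mutex mentioned above serializes probe against disconnect for one device; it does not serialize two Rio devices against each other. Suggest re-checking `rio->present` after taking the mutex and unwinding through a new error label (freeing both buffers and deregistering) when it is already set. Minor: all three labels end in `return -ENOMEM`, so the actual return value of `usb_register_dev()` is discarded just as before the patch; setting `retval = -ENOMEM` before `goto err_obuf` / `goto err_ibuf` and ending with `return retval` would preserve it.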
> @@ -507,10 +509,10 @@ static void disconnect_rio(struct usb_in
> struct rio_usb_data *rio = usb_get_intfdata (intf);
>
> usb_set_intfdata (intf, NULL);
> -   mutex_lock(&rio500_mutex);
> if (rio) {
> usb_deregister_dev(intf, &usb_rio_class);
>
> +   mutex_lock(&rio500_mutex);
> if (rio->isopen) {
> rio->isopen = 0;
> /* better let it finish - the release will do whats 
> needed */
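Review bot: `usb_deregister_dev(intf, &usb_rio_class)` now runs before `mutex_lock(&rio500_mutex)`, which is the point of the change (deregistration takes a lock the USB core already holds when it calls open_rio(), so it must not nest under rio500_mutex), but nothing in the code records that; a short comment above the call, along the lines of `/* must not hold rio500_mutex here: see the open_rio() lock-order report */`, would stop a later cleanup from moving it back inside the lock. Since `usb_set_intfdata(intf, NULL)` and the deregistration both happen before the lock is taken, the window before `rio->present = 0` relies on deregistration alone blocking new opens; worth saying so in the same comment.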
> @@ -524,8 +526,8 @@ static void disconnect_rio(struct usb_in
> dev_info(&intf->dev, "USB Rio disconnected.\n");
>
> rio->present = 0;
> +   mutex_unlock(&rio500_mutex);
> }
> -   mutex_unlock(&rio500_mutex);
>  }
>
>  static const struct usb_device_id rio_table[] = {
>
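Review bot: moving `mutex_unlock(&rio500_mutex)` inside the `if (rio)` block pairs it with the `mutex_lock()` the previous hunk added at the start of that block, but the pairing is only correct if the lines between the two hunks (the rest of the `rio->isopen` handling, which this diff does not show) contain no early `return` or `goto`; please confirm. A one-line comment on `rio->present = 0` saying which reader relies on seeing it under the same mutex would also document why the store needs the lock at all.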


Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-08 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 2:44 PM Dmitry Vyukov  wrote:
>
> On Thu, Aug 8, 2019 at 2:28 PM Andrey Konovalov  wrote:
> >
> > On Wed, Aug 7, 2019 at 8:31 PM Alan Stern  wrote:
> > >
> > > On Wed, 7 Aug 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot has tested the proposed patch and the reproducer did not trigger
> > > > crash:
> > > >
> > > > Reported-and-tested-by:
> > > > syzbot+1b2449b7b5dc240d1...@syzkaller.appspotmail.com
> > > >
> > > > Tested on:
> > > >
> > > > commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:   https://github.com/google/kasan.git
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > patch:  
> > > > https://syzkaller.appspot.com/x/patch.diff?x=132eec8c60
> > > >
> > > > Note: testing is done by a robot and is best-effort only.
> > >
> > > Andrey, is there any way to get the console output from this test?
> >
> > Dmitry, would it be possible to link console log for successful tests as 
> > well?
>
> Yes. Start by filing a feature request at
> https://github.com/google/syzkaller/issues

Filed https://github.com/google/syzkaller/issues/1322

Alan, for now I've applied your patch and run the reproducer manually:

[   90.844643][   T74] usb 1-1: new high-speed USB device number 2
using dummy_hcd
[   91.085789][   T74] usb 1-1: Using ep0 maxpacket: 16
[   91.204698][   T74] usb 1-1: config 0 has an invalid interface
number: 234 but max is 0
[   91.209137][   T74] usb 1-1: config 0 has no interface number 0
[   91.211599][   T74] usb 1-1: config 0 interface 234 altsetting 0
endpoint 0x8D has an inva1
[   91.216162][   T74] usb 1-1: config 0 interface 234 altsetting 0
endpoint 0x7 has invalid 4
[   91.218211][   T74] usb 1-1: config 0 interface 234 altsetting 0
bulk endpoint 0x7 has inv4
[   91.220131][   T74] usb 1-1: config 0 interface 234 altsetting 0
bulk endpoint 0x8F has in0
[   91.222052][   T74] usb 1-1: New USB device found, idVendor=0421,
idProduct=0486, bcdDevic7
[   91.223851][   T74] usb 1-1: New USB device strings: Mfr=0,
Product=0, SerialNumber=0
[   91.233180][   T74] usb 1-1: config 0 descriptor??
[   91.270222][   T74] rndis_wlan 1-1:0.234: Refcount before probe: 3
[   91.275464][   T74] rndis_wlan 1-1:0.234: invalid descriptor buffer length
[   91.277558][   T74] usb 1-1: bad CDC descriptors
[   91.279716][   T74] rndis_wlan 1-1:0.234: Refcount after probe: 3
[   91.281378][   T74] rndis_host 1-1:0.234: Refcount before probe: 3
[   91.283303][   T74] rndis_host 1-1:0.234: invalid descriptor buffer length
[   91.284724][   T74] usb 1-1: bad CDC descriptors
[   91.286004][   T74] rndis_host 1-1:0.234: Refcount after probe: 3
[   91.287318][   T74] cdc_acm 1-1:0.234: Refcount before probe: 3
[   91.288513][   T74] cdc_acm 1-1:0.234: invalid descriptor buffer length
[   91.289835][   T74] cdc_acm 1-1:0.234: No union descriptor, testing
for castrated device
[   91.291555][   T74] cdc_acm 1-1:0.234: Refcount after probe: 3
[   91.292766][   T74] cdc_acm: probe of 1-1:0.234 failed with error -12
[   92.001549][   T96] usb 1-1: USB disconnect, device number 2


Re: KASAN: use-after-free Read in dvb_usb_device_exit (2)

2019-08-08 Thread Andrey Konovalov
On Thu, Aug 8, 2019 at 10:03 AM Hillf Danton  wrote:
>
>
> [respin due to "Sender frequency limited" and therefore the Cc list once
> cut short:(]
>
> Tue, 06 Aug 2019 06:18:08 -0700
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=114fd9aa60
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c58e976e022432ee60b4
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=173ee42c60
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d9442c60
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+c58e976e022432ee6...@syzkaller.appspotmail.com
> >
> > input: TeVii S421 PCI as
> > /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc0/input5
> > dvb-usb: schedule remote query interval to 150 msecs.
> > dw2102: su3000_power_ctrl: 0, initialized 1
> > dvb-usb: TeVii S421 PCI successfully initialized and connected.
> > usb 1-1: USB disconnect, device number 2
> > ==
> > BUG: KASAN: use-after-free in dvb_usb_device_exit+0x19a/0x1a0
> > drivers/media/usb/dvb-usb/dvb-usb-init.c:305
> > Read of size 8 at addr 8881d50468e8 by task kworker/1:1/22
> >
> > CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.3.0-rc2+ #25
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:612
> >   dvb_usb_device_exit+0x19a/0x1a0  
> > drivers/media/usb/dvb-usb/dvb-usb-init.c:305
> >   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1120 [inline]
> >   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> >   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 22:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >   slab_post_alloc_hook mm/slab.h:520 [inline]
> >   slab_alloc_node mm/slub.c:2766 [inline]
> >   slab_alloc mm/slub.c:2774 [inline]
> >   __kmalloc_track_caller+0xc8/0x2a0 mm/slub.c:4331
> >   kmemdup+0x23/0x50 mm/util.c:120
> >   kmemdup include/linux/string.h:432 [inline]
> >   dw2102_probe+0x627/0xc40 drivers/media/usb/dvb-usb/dw2102.c:2372
> >   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:53

Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-08 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 8:31 PM Alan Stern  wrote:
>
> On Wed, 7 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch and the reproducer did not trigger
> > crash:
> >
> > Reported-and-tested-by:
> > syzbot+1b2449b7b5dc240d1...@syzkaller.appspotmail.com
> >
> > Tested on:
> >
> > commit: 6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:  https://syzkaller.appspot.com/x/patch.diff?x=132eec8c60
> >
> > Note: testing is done by a robot and is best-effort only.
>
> Andrey, is there any way to get the console output from this test?

Dmitry, would it be possible to link console log for successful tests as well?

>
> Alan Stern
>


Re: possible deadlock in open_rio

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 4:39 PM Alan Stern  wrote:
>
> On Wed, 7 Aug 2019, Andrey Konovalov wrote:
>
> > On Wed, Aug 7, 2019 at 4:01 PM Alan Stern  wrote:
> > >
> > > On Wed, 7 Aug 2019, Andrey Konovalov wrote:
> > >
> > > > On Tue, Aug 6, 2019 at 9:13 PM Alan Stern  
> > > > wrote:
> > > > >
> > > > > On Thu, 1 Aug 2019, syzbot wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > > > > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > > > > console output: 
> > > > > > https://syzkaller.appspot.com/x/log.txt?x=136b6aec60
> > > > > > kernel config:  
> > > > > > https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > > > > > dashboard link: 
> > > > > > https://syzkaller.appspot.com/bug?extid=7bbcbe9c9ff0cd49592a
> > > > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > >
> > > > > > Unfortunately, I don't have any reproducer for this crash yet.
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > > > commit:
> > > > > > Reported-by: syzbot+7bbcbe9c9ff0cd495...@syzkaller.appspotmail.com
> > > > > >
> > > > > > ==
> > > > > > WARNING: possible circular locking dependency detected
> > > > > > 5.3.0-rc2+ #23 Not tainted
> > > > > > --
> > > > >
> > > > > Andrey:
> > > > >
> > > > > This should be completely reproducible, since it's a simple ABBA
> > > > > locking violation.  Maybe just introducing a time delay (to avoid 
> > > > > races
> > > > > and give the open() call time to run) between the gadget creation and
> > > > > gadget removal would be enough to do it.
> > > >
> > > > I've tried some simple approaches to reproducing this, but failed.
> > > > Should this require two rio500 devices to trigger?
> > >
> > > No, one device should be enough.  Just plug it in and then try to open
> > > the character device file.
> >
> > OK, I've reproduced it, so I can test a patch manually. The reason
> > syzbot couldn't do that is that it doesn't open character devices.

> > Right now the USB fuzzing instance only opens /dev/input*,
> > /dev/hidraw* and /dev/usb/hiddev* (only the devices that are created
> > by USB HID devices as I've been working on adding USB HID targeted
> > fuzzing support lately).
> >
> > I guess we should open /dev/chr/* as well. The problem is that there are
> > 300+ devices there even without connecting USB devices and opening
> > them blindly probably won't work. Is there a way to know which
> > character devices are created by USB devices? Maybe they are exposed
> > over /sys/bus/usb or via some other way?
>
> I don't have any devices that use this API, so I can't be certain.
> However, I believe the devices do get registered under /sys/class/usb/.
> (Note that this directory doesn't exist when there aren't any USB class
> files.)
>
> In any case, the USB character device files all have their major
> numbers set to 180 (USB_MAJOR defined in include/linux/usb.h), so you
> can identify them that way.

This should work! I'll enable fuzzing of /dev/char/180:*, thanks!

>
> Alan Stern
>
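The major-number check Alan describes, as an added example that is not part of the thread: a small Python script (mine, not syzkaller's or the kernel's) that confirms the "usb" character major from /proc/devices and lists the device nodes under /dev that carry it, so a fuzzer can open only USB-class character devices. The /proc/devices excerpt embedded below is constructed, not captured.

```python
"""Enumerate character device nodes that belong to USB class drivers.

Drivers that register through usb_register_dev() (rio500, hiddev, ...)
share one character major, USB_MAJOR == 180 in include/linux/usb.h.
This script (added example, not from the thread) finds such nodes.
"""
import os
import stat

USB_MAJOR = 180  # include/linux/usb.h

# Constructed excerpt of /proc/devices for offline use; not a real capture.
SAMPLE_PROC_DEVICES = """Character devices:
  1 mem
 13 input
180 usb
189 usb_device

Block devices:
  8 sd
"""


def usb_major_from_proc_devices(text=None):
    """Return the major registered under the name "usb" in /proc/devices.

    Only the "Character devices:" section is consulted. "usb_device" (189,
    the usbfs nodes under /dev/bus/usb) is a different major and is skipped.
    Returns None when no "usb" entry is present.
    """
    if text is None:
        try:
            with open("/proc/devices") as f:
                text = f.read()
        except OSError:
            return None
    in_char = False
    for line in text.splitlines():
        if line.startswith("Character devices:"):
            in_char = True
            continue
        if line.startswith("Block devices:"):
            break
        parts = line.split()
        if in_char and len(parts) == 2 and parts[1] == "usb":
            return int(parts[0])
    return None


def is_usb_class_rdev(rdev, major=USB_MAJOR):
    """True if a device number (st_rdev) carries the USB class major."""
    return os.major(rdev) == major


def find_usb_class_devices(root="/dev", major=USB_MAJOR):
    """Return sorted (path, minor) pairs for char nodes with `major` under root.

    lstat() is used so the /dev/char/MAJ:MIN symlinks are not counted a
    second time; os.walk() does not descend into symlinked directories
    such as /dev/fd, and unreadable entries are skipped.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:  # device nodes are reported as files
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISCHR(st.st_mode) and is_usb_class_rdev(st.st_rdev, major):
                found.append((path, os.minor(st.st_rdev)))
    return sorted(found)


if __name__ == "__main__":
    major = usb_major_from_proc_devices() or USB_MAJOR
    for path, minor in find_usb_class_devices("/dev", major):
        print(f"{path}\t{major}:{minor}")
```

On a machine with no USB class device attached the listing is empty, which matches Alan's note that the class directory itself only exists once such a device is registered.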


Re: possible deadlock in open_rio

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 4:34 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 7, 2019 at 4:24 PM Andrey Konovalov  wrote:
> >
> > On Wed, Aug 7, 2019 at 4:01 PM Alan Stern  wrote:
> > >
> > > On Wed, 7 Aug 2019, Andrey Konovalov wrote:
> > >
> > > > On Tue, Aug 6, 2019 at 9:13 PM Alan Stern  
> > > > wrote:
> > > > >
> > > > > On Thu, 1 Aug 2019, syzbot wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > > > > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > > > > console output: 
> > > > > > https://syzkaller.appspot.com/x/log.txt?x=136b6aec60
> > > > > > kernel config:  
> > > > > > https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > > > > > dashboard link: 
> > > > > > https://syzkaller.appspot.com/bug?extid=7bbcbe9c9ff0cd49592a
> > > > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > >
> > > > > > Unfortunately, I don't have any reproducer for this crash yet.
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > > > commit:
> > > > > > Reported-by: syzbot+7bbcbe9c9ff0cd495...@syzkaller.appspotmail.com
> > > > > >
> > > > > > ==
> > > > > > WARNING: possible circular locking dependency detected
> > > > > > 5.3.0-rc2+ #23 Not tainted
> > > > > > --
> > > > >
> > > > > Andrey:
> > > > >
> > > > > This should be completely reproducible, since it's a simple ABBA
> > > > > locking violation.  Maybe just introducing a time delay (to avoid 
> > > > > races
> > > > > and give the open() call time to run) between the gadget creation and
> > > > > gadget removal would be enough to do it.
> > > >
> > > > I've tried some simple approaches to reproducing this, but failed.
> > > > Should this require two rio500 devices to trigger?
> > >
> > > No, one device should be enough.  Just plug it in and then try to open
> > > the character device file.
> >
> > OK, I've reproduced it, so I can test a patch manually. The reason
> > syzbot couldn't do that is that it doesn't open character devices.
> > Right now the USB fuzzing instance only opens /dev/input*,
> > /dev/hidraw* and /dev/usb/hiddev* (only the devices that are created
> > by USB HID devices as I've been working on adding USB HID targeted
> > fuzzing support lately).
> >
> > I guess we should open /dev/chr/* as well. The problem is that there are
> > 300+ devices there even without connecting USB devices and opening
> > them blindly probably won't work. Is there a way to know which
> > character devices are created by USB devices? Maybe they are exposed
> > over /sys/bus/usb or via some other way?
>
> Ah, OK, I see that it's also exposed as /dev/rio500 for this
> particular driver. This doesn't really help, as these names will
> differ for different drivers, and this will require custom syzkaller
> descriptions for each driver. I'm planning to add them for some
> widely-used (i.e. enabled on Android) drivers at some point, but it's
> too much work to do it for all the drivers enabled on e.g. Ubuntu.

BTW, the deadlock report is actually followed by another one, which
looks like a different bug:

usercopy: Kernel memory exposure attempt detected from wrapped address
(offset 0, size 184466!
[ cut here ]
kernel BUG at mm/usercopy.c:98!
invalid opcode:  [#1] SMP KASAN
CPU: 1 PID: 2287 Comm: cat Not tainted 5.3.0-rc2+ #126
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:86
Code: e8 b1 f5 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7
c7 20 f4 cd 85 ff 74 24 1
RSP: 0018:88806655fc60 EFLAGS: 00010282
RAX: 006d RBX: 85cdf140 RCX: 
RDX:  RSI: 8128a0fd RDI: ed100ccabf7e
RBP: 85cdf300 R08: 006d R09: ed100d965d60
R10: ed100d965d5f R11: 88806cb2eaff 

Re: possible deadlock in open_rio

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 4:24 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 7, 2019 at 4:01 PM Alan Stern  wrote:
> >
> > On Wed, 7 Aug 2019, Andrey Konovalov wrote:
> >
> > > On Tue, Aug 6, 2019 at 9:13 PM Alan Stern  
> > > wrote:
> > > >
> > > > On Thu, 1 Aug 2019, syzbot wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > > > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > > > console output: 
> > > > > https://syzkaller.appspot.com/x/log.txt?x=136b6aec60
> > > > > kernel config:  
> > > > > https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > > > > dashboard link: 
> > > > > https://syzkaller.appspot.com/bug?extid=7bbcbe9c9ff0cd49592a
> > > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > >
> > > > > Unfortunately, I don't have any reproducer for this crash yet.
> > > > >
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > > commit:
> > > > > Reported-by: syzbot+7bbcbe9c9ff0cd495...@syzkaller.appspotmail.com
> > > > >
> > > > > ==
> > > > > WARNING: possible circular locking dependency detected
> > > > > 5.3.0-rc2+ #23 Not tainted
> > > > > --
> > > >
> > > > Andrey:
> > > >
> > > > This should be completely reproducible, since it's a simple ABBA
> > > > locking violation.  Maybe just introducing a time delay (to avoid races
> > > > and give the open() call time to run) between the gadget creation and
> > > > gadget removal would be enough to do it.
> > >
> > > I've tried some simple approaches to reproducing this, but failed.
> > > Should this require two rio500 devices to trigger?
> >
> > No, one device should be enough.  Just plug it in and then try to open
> > the character device file.
>
> OK, I've reproduced it, so I can test a patch manually. The reason
> syzbot couldn't do that is that it doesn't open character devices.
> Right now the USB fuzzing instance only opens /dev/input*,
> /dev/hidraw* and /dev/usb/hiddev* (only the devices that are created
> by USB HID devices as I've been working on adding USB HID targeted
> fuzzing support lately).
>
> I guess we should open /dev/chr/* as well. The problem is that there are
> 300+ devices there even without connecting USB devices and opening
> them blindly probably won't work. Is there a way to know which
> character devices are created by USB devices? Maybe they are exposed
> over /sys/bus/usb or via some other way?

Ah, OK, I see that it's also exposed as /dev/rio500 for this
particular driver. This doesn't really help, as these names will
differ for different drivers, and this will require custom syzkaller
descriptions for each driver. I'm planning to add them for some
widely-used (i.e. enabled on Android) drivers at some point, but it's
too much work to do it for all the drivers enabled on e.g. Ubuntu.

>
> >
> > Alan Stern
> >
> > > > Is there any way you can test this?
> > >
> > > Not yet.
> > >
> > > >
> > > > Alan Stern
> >


Re: possible deadlock in open_rio

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 4:01 PM Alan Stern  wrote:
>
> On Wed, 7 Aug 2019, Andrey Konovalov wrote:
>
> > On Tue, Aug 6, 2019 at 9:13 PM Alan Stern  wrote:
> > >
> > > On Thu, 1 Aug 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=136b6aec60
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > > > dashboard link: 
> > > > https://syzkaller.appspot.com/bug?extid=7bbcbe9c9ff0cd49592a
> > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > >
> > > > Unfortunately, I don't have any reproducer for this crash yet.
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > commit:
> > > > Reported-by: syzbot+7bbcbe9c9ff0cd495...@syzkaller.appspotmail.com
> > > >
> > > > ==
> > > > WARNING: possible circular locking dependency detected
> > > > 5.3.0-rc2+ #23 Not tainted
> > > > --
> > >
> > > Andrey:
> > >
> > > This should be completely reproducible, since it's a simple ABBA
> > > locking violation.  Maybe just introducing a time delay (to avoid races
> > > and give the open() call time to run) between the gadget creation and
> > > gadget removal would be enough to do it.
> >
> > I've tried some simple approaches to reproducing this, but failed.
> > Should this require two rio500 devices to trigger?
>
> No, one device should be enough.  Just plug it in and then try to open
> the character device file.

OK, I've reproduced it, so I can test a patch manually. The reason
syzbot couldn't do that is that it doesn't open character devices.
Right now the USB fuzzing instance only opens /dev/input*,
/dev/hidraw* and /dev/usb/hiddev* (only the devices that are created
by USB HID devices as I've been working on adding USB HID targeted
fuzzing support lately).

I guess we should open /dev/chr/* as well. The problem is that there are
300+ devices there even without connecting USB devices and opening
them blindly probably won't work. Is there a way to know which
character devices are created by USB devices? Maybe they are exposed
over /sys/bus/usb or via some other way?

>
> Alan Stern
>
> > > Is there any way you can test this?
> >
> > Not yet.
> >
> > >
> > > Alan Stern
>


Re: WARNING in zd_mac_clear

2019-08-07 Thread Andrey Konovalov
On Fri, Apr 12, 2019 at 1:46 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=101a06dd20
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=74c65761783d66a9c97c
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1170c22d20
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1496adbb20
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+74c65761783d66a9c...@syzkaller.appspotmail.com
>
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 1-1: config 0 descriptor??
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> usb 1-1: read over firmware interface failed: -71
> usb 1-1: reset low-speed USB device number 2 using dummy_hcd
> WARNING: CPU: 1 PID: 21 at drivers/net/wireless/zydas/zd1211rw/zd_mac.c:238
> zd_mac_clear+0xb0/0xe0 drivers/net/wireless/zydas/zd1211rw/zd_mac.c:238
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   panic+0x29d/0x5f2 kernel/panic.c:214
>   __warn.cold+0x20/0x48 kernel/panic.c:571
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> RIP: 0010:zd_mac_clear+0xb0/0xe0
> drivers/net/wireless/zydas/zd1211rw/zd_mac.c:238
> Code: e8 85 d0 60 f8 48 8d bb f8 2b 00 00 be ff ff ff ff e8 54 5a 46 f8 31
> ff 89 c3 89 c6 e8 d9 d1 60 f8 85 db 75 d4 e8 60 d0 60 f8 <0f> 0b 5b 5d e9
> 57 d0 60 f8 48 c7 c7 58 05 cb 93 e8 fb e0 97 f8 eb
> RSP: 0018:8880a85c7310 EFLAGS: 00010293
> RAX: 8880a84de200 RBX:  RCX: 8910f507
> RDX:  RSI: 8910f510 RDI: 0005
> RBP: 0001 R08: 8880a84de200 R09: ed1012f83a0b
> R10: ed1012f83a0a R11: 888097c1d057 R12: ffb9
> R13: 888097c18b20 R14: 888099456630 R15: 8f979398
>   probe+0x259/0x590 drivers/net/wireless/zydas/zd1211rw/zd_usb.c:1421
>   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
>   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
>   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
>   really_probe+0x2da/0xb10 drivers/base/dd.c:509
>   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
>   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
>   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
>   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
>   device_add+0xad2/0x16e0 drivers/base/core.c:2106
>   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
>   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
>   port_event drivers/usb/core/hub.c:5350 [inline]
>   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
>   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
>   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
>   kthread+0x313/0x420 kernel/kthread.c:253
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

This USB bug is the second most frequently triggered one with over 10k
kernel crashes.

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches


Re: WARNING in rollback_registered_many (2)

2019-08-07 Thread Andrey Konovalov
On Fri, Apr 12, 2019 at 1:32 PM Andrey Konovalov  wrote:
>
> On Fri, Apr 12, 2019 at 1:29 AM syzbot
>  wrote:
> >
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit:9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10d552b720
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > dashboard link: https://syzkaller.appspot.com/bug?extid=40918e4d826fb2ff9b96
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17a4c1af20
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=121b274b20
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+40918e4d826fb2ff9...@syzkaller.appspotmail.com
> >
> > usb 1-1: r8712u: MAC Address from efuse = 00:e0:4c:87:00:00
> > usb 1-1: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
> > usb 1-1: USB disconnect, device number 2
> > usb 1-1: Direct firmware load for rtlwifi/rtl8712u.bin failed with error -2
> > usb 1-1: r8712u: Firmware request failed
> > WARNING: CPU: 0 PID: 575 at net/core/dev.c:8152
> > rollback_registered_many+0x1f3/0xe70 net/core/dev.c:8152
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 0 PID: 575 Comm: kworker/0:4 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   panic+0x29d/0x5f2 kernel/panic.c:214
> >   __warn.cold+0x20/0x48 kernel/panic.c:571
> >   report_bug+0x262/0x2a0 lib/bug.c:186
> >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
> >   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
> >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> > RIP: 0010:rollback_registered_many+0x1f3/0xe70 net/core/dev.c:8152
> > Code: 05 00 00 31 ff 44 89 fe e8 5a 15 f3 f4 45 84 ff 0f 85 49 ff ff ff e8
> > 1c 14 f3 f4 0f 1f 44 00 00 e8 12 14 f3 f4 e8 0d 14 f3 f4 <0f> 0b 4c 89 e7
> > e8 33 72 f2 f6 31 ff 41 89 c4 89 c6 e8 27 15 f3 f4
> > RSP: 0018:88809d087698 EFLAGS: 00010293
> > RAX: 88809d058000 RBX: 88809624 RCX: 8c7eb146
> > RDX:  RSI: 8c7eb163 RDI: 0001
> > RBP: 88809d0877c8 R08: 88809d058000 R09: fbfff2708111
> > R10: fbfff2708110 R11: 93840887 R12: 888096240070
> > R13: dc00 R14: 88809d087758 R15: 
> >   rollback_registered+0xf7/0x1c0 net/core/dev.c:8228
> >   unregister_netdevice_queue net/core/dev.c:9275 [inline]
> >   unregister_netdevice_queue+0x1dc/0x2b0 net/core/dev.c:9268
> >   unregister_netdevice include/linux/netdevice.h:2655 [inline]
> >   unregister_netdev+0x1d/0x30 net/core/dev.c:9316
> >   r871xu_dev_remove+0xe7/0x223 drivers/staging/rtl8712/usb_intf.c:604
> >   usb_unbind_interface+0x1c9/0x980 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1082 [inline]
> >   device_release_driver_internal+0x436/0x4f0 drivers/base/dd.c:1113
> >   bus_remove_device+0x302/0x5c0 drivers/base/bus.c:556
> >   device_del+0x467/0xb90 drivers/base/core.c:2269
> >   usb_disable_device+0x242/0x790 drivers/usb/core/message.c:1235
> >   usb_disconnect+0x298/0x870 drivers/usb/core/hub.c:2197
> >   hub_port_connect drivers/usb/core/hub.c:4940 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
> >   port_event drivers/usb/core/hub.c:5350 [inline]
> >   hub_event+0xcd2/0x3b00 drivers/usb/core/hub.c:5432
> >   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7b0/0xe20 kernel/workqueue.c:2417
> >   kthread+0x313/0x420 kernel/kthread.c:253
> >   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> >
>
> +linux-usb mailing list

This USB bug is the most frequently triggered one right now with over
27k kernel crashes.


Re: possible deadlock in open_rio

2019-08-07 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 9:13 PM Alan Stern  wrote:
>
> On Thu, 1 Aug 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=136b6aec60
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7bbcbe9c9ff0cd49592a
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+7bbcbe9c9ff0cd495...@syzkaller.appspotmail.com
> >
> > ==
> > WARNING: possible circular locking dependency detected
> > 5.3.0-rc2+ #23 Not tainted
> > --
>
> Andrey:
>
> This should be completely reproducible, since it's a simple ABBA
> locking violation.  Maybe just introducing a time delay (to avoid races
> and give the open() call time to run) between the gadget creation and
> gadget removal would be enough to do it.

I've tried some simple approaches to reproducing this, but failed.
Should this require two rio500 devices to trigger?

>
> Is there any way you can test this?

Not yet.

>
> Alan Stern
>


Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-07 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 5:34 PM Oliver Neukum  wrote:
>
> Am Dienstag, den 06.08.2019, 10:19 -0400 schrieb Alan Stern:
> > In any case, I don't know if this missing "get" would cause the
> > problem, but it might well.
>
> Hi,
>
> upon further thought, this should be automated. Checking for
> refcount leaks is KASAN's job. In particular, refcounts
> should not
>
> * decrease in probe()
> * increase in disconnect()
> * change in case probe() fails

It's probably a job for some other refcount debugging tool, but yes,
it would be nice to have a detector for this kind of stuff. It will
probably require some annotations in each place we want this kind of
check to be performed.

>
> Regards
> Oliver
>
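As an added illustration of the three rules above, not code from this thread or from the kernel: a small user-space C model of the cdc-acm probe() ordering that this thread tracks down, with a checker that applies Oliver's rules to a probe()/disconnect() sequence. All names (port_destroy, probe_before, probe_after, check_driver) are hypothetical stand-ins for the kernel functions, and the refcount values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Models struct usb_interface: only the reference count matters here. */
struct intf { int refcount; };

static void get_intf(struct intf *i) { i->refcount++; }   /* usb_get_intf() */
static void put_intf(struct intf *i) { i->refcount--; }   /* usb_put_intf() */

/* Models the tty port destroy() callback: it unconditionally drops the
 * interface reference, whether or not probe() ever took it. */
static void port_destroy(struct intf *i) { put_intf(i); }

/* Pre-patch ordering (hypothetical model): the minor number is allocated,
 * and may fail, before usb_get_intf(); the failure path still reaches
 * destroy(), so the interface reference is dropped without being taken. */
static int probe_before(struct intf *i, bool minor_fails)
{
    if (minor_fails) {
        port_destroy(i);      /* alloc_fail1: port put -> destroy() */
        return -1;
    }
    get_intf(i);              /* the late usb_get_intf() */
    return 0;
}

/* Post-patch ordering: the reference is taken before any path that can
 * reach destroy(), so destroy() never undercounts. */
static int probe_after(struct intf *i, bool minor_fails)
{
    get_intf(i);              /* usb_get_intf(), undone in destroy() */
    if (minor_fails) {
        port_destroy(i);
        return -1;
    }
    return 0;
}

/* disconnect(): the port goes away and destroy() drops the reference. */
static void disconnect(struct intf *i) { port_destroy(i); }

/* The three rules from the message above, as violation flags. */
enum {
    REF_DEC_IN_PROBE            = 1,  /* refcount decreased in probe()     */
    REF_INC_IN_DISCONNECT       = 2,  /* refcount increased in disconnect() */
    REF_CHANGED_ON_FAILED_PROBE = 4,  /* refcount changed, probe() failed   */
};

typedef int (*probe_fn)(struct intf *, bool);

/* Drive probe() (optionally forced to fail) followed by disconnect() on a
 * fresh interface and return the set of rules the driver violated. */
static int check_driver(probe_fn probe, bool minor_fails)
{
    struct intf i = { .refcount = 1 };   /* the core's own reference */
    int violations = 0;
    int before = i.refcount;
    int ret = probe(&i, minor_fails);

    if (ret < 0) {
        if (i.refcount != before)
            violations |= REF_CHANGED_ON_FAILED_PROBE;
        return violations;   /* no disconnect() after a failed probe() */
    }
    if (i.refcount < before)
        violations |= REF_DEC_IN_PROBE;

    before = i.refcount;
    disconnect(&i);
    if (i.refcount > before)
        violations |= REF_INC_IN_DISCONNECT;
    return violations;
}

int main(void)
{
    /* Only the pre-patch ordering with a failing minor allocation trips a
     * rule: the refcount changes although probe() failed (flag value 4). */
    printf("before patch, probe fails: %d\n", check_driver(probe_before, true));
    printf("before patch, probe ok:    %d\n", check_driver(probe_before, false));
    printf("after patch, probe fails:  %d\n", check_driver(probe_after, true));
    printf("after patch, probe ok:     %d\n", check_driver(probe_after, false));
    return 0;
}
```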


Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 3:44 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 7, 2019 at 3:44 PM Andrey Konovalov  wrote:
> >
> > On Wed, Aug 7, 2019 at 3:38 PM Oliver Neukum  wrote:
> > >
> > > Am Dienstag, den 06.08.2019, 14:50 +0200 schrieb Andrey Konovalov:
> > > > On Tue, Aug 6, 2019 at 2:36 PM Oliver Neukum  wrote:
> > > > >
> > > > > Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> > > > > >
> > > > > > I think this must be caused by an unbalanced refcount.  That is,
> > > > > > something must drop one more reference to the device than it takes.
> > > > > > That would explain why the invalid access occurs inside a single
> > > > > > bus_remove_device() call, between the klist_del() and
> > > > > > device_release_driver().
> > > > > >
> > > > > > The kernel log indicates that the device was probed by rndis_wlan,
> > > > > > rndis_host, and cdc_acm, all of which got errors because of the
> > > > > > device's bogus descriptors.  Probably one of them is messing up the
> > > > > > refcount.
> > > > >
> > > > > Hi,
> > > > >
> > > > > you made me look at cdc-acm. I suspect
> > > > >
> > > > > cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement 
> > > > > tty port's refcount if probe() fail")
> > > > >
> > > > > is buggy decrementing the refcount on the interface in destroy()
> > > > > even before the refcount is increased.
> > > > >
> > > > > Unfortunately I cannot tell from the bug report how many and which
> > > > > interfaces the emulated test device has. Hence it is unclear to me,
> > > > > when exactly probe() would fail cdc-acm.
> > > > >
> > > > > If you agree, I am attaching a putative fix.
> > > >
> > > > Let's see if it fixes the issue.
> > > >
> > > > #syz fix: https://github.com/google/kasan.git 6a3599ce
> > >
> > > Hi,
> > >
> > > did this ever produce a result? I saw none.
> >
> > Hm, that's weird, maybe that's caused by putting the bot into CC. Let
> > me try that again.
> >
> > #syz fix: https://github.com/google/kasan.git 6a3599ce
>
> Oh, wait, it should be syz test =)
>
> #syz test: https://github.com/google/kasan.git 6a3599ce

And now I forgot the patch :(

#syz test: https://github.com/google/kasan.git 6a3599ce

>
> >
> > >
> > > Regards
> > > Oliver
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups 
> > > "syzkaller-bugs" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an 
> > > email to syzkaller-bugs+unsubscr...@googlegroups.com.
> > > To view this discussion on the web visit 
> > > https://groups.google.com/d/msgid/syzkaller-bugs/1565185131.15973.1.camel%40suse.com.
From 6b31904e6cf75f89441e308b9e428a1de7728fd8 Mon Sep 17 00:00:00 2001
From: Oliver Neukum 
Date: Tue, 6 Aug 2019 14:34:27 +0200
Subject: [PATCH] usb: cdc-acm: make sure a refcount is taken early enough

destroy() will decrement the refcount on the interface, so that
it needs to be taken so early that it never undercounts.

Signed-off-by: Oliver Neukum 
---
 drivers/usb/class/cdc-acm.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 183b41753c98..28e3de775ada 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1301,10 +1301,6 @@ static int acm_probe(struct usb_interface *intf,
 	tty_port_init(&acm->port);
 	acm->port.ops = &acm_port_ops;
 
-	minor = acm_alloc_minor(acm);
-	if (minor < 0)
-		goto alloc_fail1;
-
 	ctrlsize = usb_endpoint_maxp(epctrl);
 	readsize = usb_endpoint_maxp(epread) *
 (quirks == SINGLE_RX_URB ? 1 : 2);
@@ -1312,6 +1308,13 @@ static int acm_probe(struct usb_interface *intf,
 	acm->writesize = usb_endpoint_maxp(epwrite) * 20;
 	acm->control = control_interface;
 	acm->data = data_interface;
+
+	usb_get_intf(acm->control); /* undone in destroy() */
+
+	minor = acm_alloc_minor(acm);
+	if (minor < 0)
+		goto alloc_fail1;
+
 	acm->minor = minor;
 	acm->dev = usb_dev;
 	if (h.usb_cdc_acm_descriptor)
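Review bot: the new usb_get_intf(acm->control) is now taken before the acm_alloc_minor() failure path (`goto alloc_fail1`), so the ordering is only balanced if alloc_fail1 ends in the tty port's destroy() (or an explicit usb_put_intf()); if that label unwinds without reaching destroy(), the early reference is leaked on exactly the path this patch moves. The label is outside the hunk, so that unwinding should be verified, and a short comment at alloc_fail1 stating that destroy() drops the interface reference would record the invariant the commit message relies on. Moving acm_alloc_minor() down from the previous hunk is otherwise safe as far as the visible lines show: only the ctrlsize/readsize computation sits between the old and new positions, with no other error exit.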
@@ -1458,7 +1461,6 @@ static int acm_probe(struct usb_interface *intf,
 	usb_driver_claim_interface(&acm_driver, data_interface, acm);
 	usb_set_intfdata(data_interface, acm);
 
-	usb_get_intf(control_interface);
 	tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
 			&control_interface->dev);
 	if (IS_ERR(tty_dev)) {
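Review bot: dropping usb_get_intf(control_interface) here is consistent with the earlier hunk, which takes the same reference on acm->control (assigned from control_interface just before the new get), so the count stays balanced on the success path. The commit message should carry the Reported-by: tag quoted in the syzbot report and a Fixes: tag for cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail"), which the discussion names as the commit that introduced the premature decrement, so the fix is tracked and backported with it.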
-- 
2.16.4



Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 3:44 PM Andrey Konovalov  wrote:
>
> On Wed, Aug 7, 2019 at 3:38 PM Oliver Neukum  wrote:
> >
> > Am Dienstag, den 06.08.2019, 14:50 +0200 schrieb Andrey Konovalov:
> > > On Tue, Aug 6, 2019 at 2:36 PM Oliver Neukum  wrote:
> > > >
> > > > Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> > > > >
> > > > > I think this must be caused by an unbalanced refcount.  That is,
> > > > > something must drop one more reference to the device than it takes.
> > > > > That would explain why the invalid access occurs inside a single
> > > > > bus_remove_device() call, between the klist_del() and
> > > > > device_release_driver().
> > > > >
> > > > > The kernel log indicates that the device was probed by rndis_wlan,
> > > > > rndis_host, and cdc_acm, all of which got errors because of the
> > > > > device's bogus descriptors.  Probably one of them is messing up the
> > > > > refcount.
> > > >
> > > > Hi,
> > > >
> > > > you made me look at cdc-acm. I suspect
> > > >
> > > > cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty 
> > > > port's refcount if probe() fail")
> > > >
> > > > is buggy decrementing the refcount on the interface in destroy()
> > > > even before the refcount is increased.
> > > >
> > > > Unfortunately I cannot tell from the bug report how many and which
> > > > interfaces the emulated test device has. Hence it is unclear to me,
> > > > when exactly probe() would fail cdc-acm.
> > > >
> > > > If you agree, I am attaching a putative fix.
> > >
> > > Let's see if it fixes the issue.
> > >
> > > #syz fix: https://github.com/google/kasan.git 6a3599ce
> >
> > Hi,
> >
> > did this ever produce a result? I saw none.
>
> Hm, that's weird, maybe that's caused by putting the bot into CC. Let
> me try that again.
>
> #syz fix: https://github.com/google/kasan.git 6a3599ce

Oh, wait, it should be syz test =)

#syz test: https://github.com/google/kasan.git 6a3599ce

>
> >
> > Regards
> > Oliver
> >


Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-07 Thread Andrey Konovalov
On Wed, Aug 7, 2019 at 3:38 PM Oliver Neukum  wrote:
>
> Am Dienstag, den 06.08.2019, 14:50 +0200 schrieb Andrey Konovalov:
> > On Tue, Aug 6, 2019 at 2:36 PM Oliver Neukum  wrote:
> > >
> > > Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> > > >
> > > > I think this must be caused by an unbalanced refcount.  That is,
> > > > something must drop one more reference to the device than it takes.
> > > > That would explain why the invalid access occurs inside a single
> > > > bus_remove_device() call, between the klist_del() and
> > > > device_release_driver().
> > > >
> > > > The kernel log indicates that the device was probed by rndis_wlan,
> > > > rndis_host, and cdc_acm, all of which got errors because of the
> > > > device's bogus descriptors.  Probably one of them is messing up the
> > > > refcount.
> > >
> > > Hi,
> > >
> > > you made me look at cdc-acm. I suspect
> > >
> > > cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty 
> > > port's refcount if probe() fail")
> > >
> > > is buggy decrementing the refcount on the interface in destroy()
> > > even before the refcount is increased.
> > >
> > > Unfortunately I cannot tell from the bug report how many and which
> > > interfaces the emulated test device has. Hence it is unclear to me,
> > > when exactly probe() would fail cdc-acm.
> > >
> > > If you agree, I am attaching a putative fix.
> >
> > Let's see if it fixes the issue.
> >
> > #syz fix: https://github.com/google/kasan.git 6a3599ce
>
> Hi,
>
> did this ever produce a result? I saw none.

Hm, that's weird, maybe that's caused by putting the bot into CC. Let
me try that again.

#syz fix: https://github.com/google/kasan.git 6a3599ce

>
> Regards
> Oliver
>



Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-06 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 2:36 PM Oliver Neukum  wrote:
>
> Am Donnerstag, den 01.08.2019, 14:47 -0400 schrieb Alan Stern:
> >
> > I think this must be caused by an unbalanced refcount.  That is,
> > something must drop one more reference to the device than it takes.
> > That would explain why the invalid access occurs inside a single
> > bus_remove_device() call, between the klist_del() and
> > device_release_driver().
> >
> > The kernel log indicates that the device was probed by rndis_wlan,
> > rndis_host, and cdc_acm, all of which got errors because of the
> > device's bogus descriptors.  Probably one of them is messing up the
> > refcount.
>
> Hi,
>
> you made me look at cdc-acm. I suspect
>
> cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty port's 
> refcount if probe() fail")
>
> is buggy decrementing the refcount on the interface in destroy()
> even before the refcount is increased.
>
> Unfortunately I cannot tell from the bug report how many and which
> interfaces the emulated test device has. Hence it is unclear to me,
> when exactly probe() would fail cdc-acm.
>
> If you agree, I am attaching a putative fix.

Let's see if it fixes the issue.

#syz fix: https://github.com/google/kasan.git 6a3599ce

>
> Regards
> Oliver



Re: KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req

2019-08-06 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 3:59 PM Alan Stern  wrote:
>
> On Tue, 6 Aug 2019, Andrey Konovalov wrote:
>
> > On Tue, Aug 6, 2019 at 2:45 PM Oliver Neukum  wrote:
> > >
> > > Am Dienstag, den 30.07.2019, 02:38 -0700 schrieb syzbot:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:41550654 [UPSTREAM] KVM: x86: degrade WARN to 
> > > > pr_warn_rate..
> > > > git tree:   kmsan
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13e95183a0
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=40511ad0c5945201
> > > > dashboard link: 
> > > > https://syzkaller.appspot.com/bug?extid=513e4d0985298538bf9b
> > > > compiler:   clang version 9.0.0 (/home/glider/llvm/clang
> > > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > > syz repro:  
> > > > https://syzkaller.appspot.com/x/repro.syz?x=17eafa1ba0
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17b87983a0
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > commit:
> > > > Reported-by: syzbot+513e4d0985298538b...@syzkaller.appspotmail.com
> > >
> > > #syz test: https://github.com/google/kasan.git 41550654
> >
> > Hi Oliver,
> >
> > For KMSAN bugs you'll need to use the kmsan tree (syz test:
> > https://github.com/google/kmsan.git COMMIT_ID). I've updated the
> > testing instructions some time ago to reflect this. Sorry for the
> > complexity, this is caused by USB fuzzing and KMSAN not being upstream
> > yet.
>
> Maybe you can fix the "git tree:" header in the bug report.  It should
> say "https://github.com/google/kmsan.git" instead of just "kmsan".

Makes sense, will do, thanks!

>
> Alan Stern
>


Re: KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req

2019-08-06 Thread Andrey Konovalov
On Tue, Aug 6, 2019 at 2:45 PM Oliver Neukum  wrote:
>
> Am Dienstag, den 30.07.2019, 02:38 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:41550654 [UPSTREAM] KVM: x86: degrade WARN to pr_warn_rate..
> > git tree:   kmsan
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13e95183a0
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=40511ad0c5945201
> > dashboard link: https://syzkaller.appspot.com/bug?extid=513e4d0985298538bf9b
> > compiler:   clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17eafa1ba0
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17b87983a0
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+513e4d0985298538b...@syzkaller.appspotmail.com
>
> #syz test: https://github.com/google/kasan.git 41550654

Hi Oliver,

For KMSAN bugs you'll need to use the kmsan tree (syz test:
https://github.com/google/kmsan.git COMMIT_ID). I've updated the
testing instructions some time ago to reflect this. Sorry for the
complexity, this is caused by USB fuzzing and KMSAN not being upstream
yet.

Thanks!

>
> From 6de76fa3df8aedc7a76dc0ecdea8308e38d4dccc Mon Sep 17 00:00:00 2001
> From: Oliver Neukum 
> Date: Tue, 6 Aug 2019 14:41:52 +0200
> Subject: [PATCH] pcan_usb_fd: zero out the common command buffer
>
> Lest we leak kernel memory to a device we better zero out buffers.
>
> Signed-off-by: Oliver Neukum 
> ---
>  drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c 
> b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
> index 34761c3a6286..47cc1ff5b88e 100644
> --- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
> +++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
> @@ -841,7 +841,7 @@ static int pcan_usb_fd_init(struct peak_usb_device *dev)
> goto err_out;
>
> /* allocate command buffer once for all for the interface */
> -   pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
> +   pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
> GFP_KERNEL);
> if (!pdev->cmd_buffer_addr)
> goto err_out_1;
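Review bot: kzalloc() zeroes the buffer only once, at allocation, while the comment on the same lines says it is allocated "once for all for the interface", i.e. reused for every command; this closes the uninitialized-heap leak KMSAN reported in usb_submit_urb(), but if commands of different lengths share the buffer, a shorter command will still carry the stale tail of the previous one out to the device. If the command length varies, clearing or fully populating the buffer per request in the send path is the stronger fix. The commit message should also include the Reported-by: tag from the syzbot report.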
> --
> 2.16.4
>
>
>


Re: KASAN: slab-out-of-bounds Write in lg4ff_init

2019-08-05 Thread Andrey Konovalov
On Mon, Aug 5, 2019 at 4:34 PM Oliver Neukum  wrote:
>
> Am Montag, den 05.08.2019, 05:38 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=144c21dc60
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=94e2b9e9c7d1dd332345
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=169e854260
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10ec826260
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+94e2b9e9c7d1dd332...@syzkaller.appspotmail.com
> >
> > usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor,
> > different from the interface descriptor's value: 9
> > usb 1-1: New USB device found, idVendor=046d, idProduct=c298, bcdDevice=
> > 0.00
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > usb 1-1: config 0 descriptor??
> > logitech 0003:046D:C298.0001: unknown main item tag 0x0
> > logitech 0003:046D:C298.0001: unknown main item tag 0x0
> > logitech 0003:046D:C298.0001: hidraw0: USB HID v0.00 Device [HID 046d:c298]
> > on usb-dummy_hcd.0-1/input0
> > BUG: KASAN: slab-out-of-bounds in set_bit
> > include/asm-generic/bitops-instrumented.h:28 [inline]
>
> #syz test: https://github.com/google/kasan.git e96407b4
>
> From 7e7f8ce9108b69613f8bb4ff2f95c258e22c3228 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum 
> Date: Mon, 5 Aug 2019 16:14:47 +0200
> Subject: [PATCH] hid-lg4ff: sanity check for offsets of FF effects
>
> Malicious devices could provide huge offsets which would lead
> to setting bits in random kernel memory. Adding a sanity check.
>
> Reported-by: syzbot+94e2b9e9c7d1dd332...@syzkaller.appspotmail.com
> Signed-off-by: Oliver Neukum 
> ---
>  drivers/hid/hid-lg4ff.c | 6 +-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
> index cefba038520c..f9572750d889 100644
> --- a/drivers/hid/hid-lg4ff.c
> +++ b/drivers/hid/hid-lg4ff.c
> @@ -1327,8 +1327,12 @@ int lg4ff_init(struct hid_device *hid)
> }
>
> /* Set supported force feedback capabilities */
> +   error = -ENODEV;
> for (j = 0; lg4ff_devices[i].ff_effects[j] >= 0; j++)
> -   set_bit(lg4ff_devices[i].ff_effects[j], dev->ffbit);
> +   if (lg4ff_devices[i].ff_effects[j] <= 15)

Can't ff_effects have one of the FF_CONSTANT, FF_PERIODIC, etc.
values? Those are 0x50, 0x51, ... Or maybe I'm just misunderstanding
something. Are those ff_effects provided by the device?

> +   set_bit(lg4ff_devices[i].ff_effects[j], dev->ffbit);
> +   else
> +   goto err_init;
>
> error = input_ff_create_memless(dev, NULL, lg4ff_play);
>
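Review bot: the bound `<= 15` is a magic number unrelated to the size of dev->ffbit, which is declared with FF_CNT (FF_MAX + 1, 0x80) bits; as the interleaved reply notes, FF_CONSTANT, FF_PERIODIC and the other effect codes are 0x50 and above, so every legitimate entry would fail this check and lg4ff_init() would always take `goto err_init` with -ENODEV. If a bound is wanted it should be `< FF_CNT`, with the constant named. The values come from lg4ff_devices[i].ff_effects[j], the driver's own device table indexed by i, not from anything the device sent, so a check here does not address the "malicious devices" the commit message describes, and the out-of-bounds write in set_bit() is more plausibly an invalid `dev` than an oversized bit index. Style: the multi-line if/else body inside the for loop needs braces.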
> --
> 2.16.4
>


Re: KASAN: use-after-free Read in __pm_runtime_resume

2019-08-02 Thread Andrey Konovalov
On Fri, Aug 2, 2019 at 3:33 PM Pavel Machek  wrote:
>
> On Fri 2019-08-02 05:58:05, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=146071b460
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b156665cf4d1b5e00c76
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
>
> I asked a question, noone bothered to reply, yet you spam me again?
>
> You are a bad bot. Go away. Come back when your human master is
> willing to communicate.

Hi Pavel,

What was the question that you've asked and where did you send it? I
can't find anything in my inbox.

Thanks!

>
> Pavel
>
> --
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures) 
> http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


Re: KASAN: use-after-free Read in device_release_driver_internal

2019-08-01 Thread Andrey Konovalov
On Tue, Jul 23, 2019 at 4:28 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f640cc60
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> dashboard link: https://syzkaller.appspot.com/bug?extid=1b2449b7b5dc240d107a
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=116ce31fa0
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1022f69460
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+1b2449b7b5dc240d1...@syzkaller.appspotmail.com
>
> usb 1-1: USB disconnect, device number 2
> ==
> BUG: KASAN: use-after-free in __lock_acquire+0x3a5d/0x5340
> /kernel/locking/lockdep.c:3665
> Read of size 8 at addr 8881cfc4ef90 by task kworker/0:2/108
>
> CPU: 0 PID: 108 Comm: kworker/0:2 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack /lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e /lib/dump_stack.c:113
>   print_address_description+0x67/0x231 /mm/kasan/report.c:188
>   __kasan_report.cold+0x1a/0x32 /mm/kasan/report.c:317
>   kasan_report+0xe/0x20 /mm/kasan/common.c:614
>   __lock_acquire+0x3a5d/0x5340 /kernel/locking/lockdep.c:3665
>   lock_acquire+0x100/0x2b0 /kernel/locking/lockdep.c:4303
>   __mutex_lock_common /kernel/locking/mutex.c:926 [inline]
>   __mutex_lock+0xf9/0x12b0 /kernel/locking/mutex.c:1073
>   device_release_driver_internal+0x23/0x4c0 /drivers/base/dd.c:1109
>   bus_remove_device+0x2dc/0x4a0 /drivers/base/bus.c:556
>   device_del+0x460/0xb80 /drivers/base/core.c:2274
>   usb_disable_device+0x211/0x690 /drivers/usb/core/message.c:1237
>   usb_disconnect+0x284/0x830 /drivers/usb/core/hub.c:2199
>   hub_port_connect /drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
>   port_event /drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x13bd/0x3550 /drivers/usb/core/hub.c:5441
>   process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 /kernel/workqueue.c:2415
>   kthread+0x30b/0x410 /kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352
>
> Allocated by task 88:
>   save_stack+0x1b/0x80 /mm/kasan/common.c:71
>   set_track /mm/kasan/common.c:79 [inline]
>   __kasan_kmalloc /mm/kasan/common.c:489 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 /mm/kasan/common.c:462
>   kmalloc /./include/linux/slab.h:547 [inline]
>   kzalloc /./include/linux/slab.h:742 [inline]
>   usb_set_configuration+0x2c4/0x1670 /drivers/usb/core/message.c:1846
>   generic_probe+0x9d/0xd5 /drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 /drivers/usb/core/driver.c:266
>   really_probe+0x281/0x660 /drivers/base/dd.c:509
>   driver_probe_device+0x104/0x210 /drivers/base/dd.c:670
>   __device_attach_driver+0x1c2/0x220 /drivers/base/dd.c:777
>   bus_for_each_drv+0x15c/0x1e0 /drivers/base/bus.c:454
>   __device_attach+0x217/0x360 /drivers/base/dd.c:843
>   bus_probe_device+0x1e4/0x290 /drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 /drivers/base/core.c:2111
>   usb_new_device.cold+0x6a4/0xe61 /drivers/usb/core/hub.c:2536
>   hub_port_connect /drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change /drivers/usb/core/hub.c:5213 [inline]
>   port_event /drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1abd/0x3550 /drivers/usb/core/hub.c:5441
>   process_one_work+0x905/0x1570 /kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 /kernel/workqueue.c:2415
>   kthread+0x30b/0x410 /kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:352
>
> Freed by task 108:
>   save_stack+0x1b/0x80 /mm/kasan/common.c:71
>   set_track /mm/kasan/common.c:79 [inline]
>   __kasan_slab_free+0x130/0x180 /mm/kasan/common.c:451
>   slab_free_hook /mm/slub.c:1421 [inline]
>   slab_free_freelist_hook /mm/slub.c:1448 [inline]
>   slab_free /mm/slub.c:2994 [inline]
>   kfree+0xd7/0x280 /mm/slub.c:3949
>   device_release+0x71/0x200 /drivers/base/core.c:1064
>   kobject_cleanup /lib/kobject.c:691 [inline]
>   kobject_release /lib/kobject.c:720 [inline]
>   kref_put /./include/linux/kref.h:65 [inline]
>   kobject_put+0x171/0x280 /lib/kobject.c:737
>   put_device+0x1b/0x30 /drivers/base/core.c:2210
>   klist_put+0xce/0x170 /lib/klist.c:221
>   bus_remove_device+0x3a4/0x4a0 /drivers/base/bus.c:552
>   device_del+0x460/0xb80 /drivers/base/core.c:2274
>   usb_disable_device+0x211/0x690 /drivers/usb/core/message.c:1237
>   usb_disconnect+0x284/0x830 /drivers/usb/core/hub.c:2199
>   hub_port_connect /drivers/usb/core/hub.c:4949 [inline

Re: KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req

2019-07-30 Thread Andrey Konovalov
On Tue, Jul 30, 2019 at 4:20 PM Andrey Konovalov  wrote:
>
> On Tue, Jul 30, 2019 at 4:17 PM Alan Stern  wrote:
> >
> > On Tue, 30 Jul 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:41550654 [UPSTREAM] KVM: x86: degrade WARN to 
> > > pr_warn_rate..
> > > git tree:   kmsan
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13e95183a0
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=40511ad0c5945201
> > > dashboard link: 
> > > https://syzkaller.appspot.com/bug?extid=513e4d0985298538bf9b
> > > compiler:   clang version 9.0.0 (/home/glider/llvm/clang
> > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17eafa1ba0
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17b87983a0
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+513e4d0985298538b...@syzkaller.appspotmail.com
> > >
> > > usb 1-1: config 0 has no interface number 0
> > > usb 1-1: New USB device found, idVendor=0c72, idProduct=0014,
> > > bcdDevice=8b.53
> > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > > usb 1-1: config 0 descriptor??
> > > peak_usb 1-1:0.146: PEAK-System PCAN-USB X6 v0 fw v0.0.0 (2 channels)
> > > ==
> > > BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x7ef/0x1f50
> > > drivers/usb/core/urb.c:405
> >
> > What does "kernel-usb-infoleak" mean?
>
> That means that the kernel put some uninitialized data into a request
> that was sent to a USB device.

Here's a better report for this bug:

https://syzkaller.appspot.com/text?tag=CrashReport&x=11dae8ec60

This is a real bug, I was able to reproduce it with a hardware
reproducer and leak some kernel pointers AFAIR.

>
> >
> > Alan Stern
> >


Re: KMSAN: kernel-usb-infoleak in pcan_usb_pro_send_req

2019-07-30 Thread Andrey Konovalov
On Tue, Jul 30, 2019 at 4:17 PM Alan Stern  wrote:
>
> On Tue, 30 Jul 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:41550654 [UPSTREAM] KVM: x86: degrade WARN to pr_warn_rate..
> > git tree:   kmsan
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13e95183a0
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=40511ad0c5945201
> > dashboard link: https://syzkaller.appspot.com/bug?extid=513e4d0985298538bf9b
> > compiler:   clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17eafa1ba0
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17b87983a0
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+513e4d0985298538b...@syzkaller.appspotmail.com
> >
> > usb 1-1: config 0 has no interface number 0
> > usb 1-1: New USB device found, idVendor=0c72, idProduct=0014,
> > bcdDevice=8b.53
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > usb 1-1: config 0 descriptor??
> > peak_usb 1-1:0.146: PEAK-System PCAN-USB X6 v0 fw v0.0.0 (2 channels)
> > ==
> > BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x7ef/0x1f50
> > drivers/usb/core/urb.c:405
>
> What does "kernel-usb-infoleak" mean?

That means that the kernel put some uninitialized data into a request
that was sent to a USB device.

>
> Alan Stern
>

