* [syzbot] general protection fault in hidraw_release
From: syzbot
Date: 2022-01-04 7:49 UTC
To: benjamin.tissoires, jikos, linux-input, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ea586a076e8a Add linux-next specific files for 20211224
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=124161edb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9c4e3dde2c568fb
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 0 PID: 9653 Comm: syz-executor.3 Not tainted 5.16.0-rc6-next-20211224-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xd7a/0x5470 kernel/locking/lockdep.c:4897
Code: 13 0e 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 ac c8 13 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 9f 2e 00 00 49 81 3e 60 94 1b 8f 0f 84 52 f3 ff
RSP: 0018:ffffc90005647bc8 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff92000ac8fa4 RCX: 1ffff92000ac8f8b
RDX: 0000000000000011 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1b2663a R11: 0000000000000001 R12: 0000000000000000
R13: ffff888045f657c0 R14: 0000000000000088 R15: 0000000000000000
FS:  0000555555772400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ef2e000 CR3: 00000000131f3000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire kernel/locking/lockdep.c:5639 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 hidraw_release+0xca/0x370 drivers/hid/hidraw.c:352
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcce3b0fadb
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff23159320 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007fcce3b0fadb
RDX: 0000000000000000 RSI: 00007fcce2cd5760 RDI: 0000000000000004
RBP: 00007fcce3c71960 R08: 0000000000000000 R09: 00000000355938f3
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000011a408
R13: 00007fff23159420 R14: 00007fcce3c70100 R15: 0000000000000032
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	13 0e                	adc    (%rsi),%ecx
   2:	41 bf 01 00 00 00    	mov    $0x1,%r15d
   8:	0f 86 c8 00 00 00    	jbe    0xd6
   e:	89 05 ac c8 13 0e    	mov    %eax,0xe13c8ac(%rip)        # 0xe13c8c0
  14:	e9 bd 00 00 00       	jmpq   0xd6
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 f2             	mov    %r14,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 9f 2e 00 00    	jne    0x2ed3
  34:	49 81 3e 60 94 1b 8f 	cmpq   $0xffffffff8f1b9460,(%r14)
  3b:	0f                   	.byte 0xf
  3c:	84 52 f3             	test   %dl,-0xd(%rdx)
  3f:	ff                   	.byte 0xff

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
* Re: [syzbot] general protection fault in hidraw_release
From: syzbot
Date: 2022-02-02 7:19 UTC
To: benjamin.tissoires, jikos, linux-input, linux-kernel, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1653b6cbb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3e56c9b92aaaee24
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15fff530700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862

CPU: 0 PID: 4862 Comm: syz-executor753 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 hidraw_release+0xd5/0x370 drivers/hid/hidraw.c:353
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f4256d1c749
Code: Unable to access opcode bytes at RIP 0x7f4256d1c71f.
RSP: 002b:00007fffddc9a4e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f4256d913f0 RCX: 00007f4256d1c749
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007fffddc9a560
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4256d913f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

Allocated by task 20:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 hidraw_connect+0x4b/0x440 drivers/hid/hidraw.c:543
 hid_connect+0x5be/0xbc0 drivers/hid/hid-core.c:1960
 hid_hw_start drivers/hid/hid-core.c:2059 [inline]
 hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2050
 hid_generic_probe drivers/hid/hid-generic.c:67 [inline]
 hid_generic_probe+0x6d/0x90 drivers/hid/hid-generic.c:56
 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2380
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:752
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:782
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:899
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:970
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc17/0x1ee0 drivers/base/core.c:3405
 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2530
 uhid_device_add_worker+0x36/0x60 drivers/hid/uhid.c:73
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 4861:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xee/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf6/0x290 mm/slab.c:3794
 drop_ref+0x28f/0x390 drivers/hid/hidraw.c:335
 hidraw_release+0x255/0x370 drivers/hid/hidraw.c:357
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880143e8e00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 176 bytes inside of
 192-byte region [ffff8880143e8e00, ffff8880143e8ec0)
The buggy address belongs to the page:
page:ffffea000050fa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143e8
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000050f188 ffffea000050fc48 ffff888010c40000
raw: 0000000000000000 ffff8880143e8000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2151082992, free_ts 0
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365
 kobject_uevent_env+0xf28/0x1600 lib/kobject_uevent.c:614
 kernel_add_sysfs_param kernel/params.c:816 [inline]
 param_sysfs_builtin kernel/params.c:851 [inline]
 param_sysfs_init+0x367/0x43b kernel/params.c:970
 do_one_initcall+0x103/0x650 init/main.c:1300
 do_initcall_level init/main.c:1373 [inline]
 do_initcalls init/main.c:1389 [inline]
 do_basic_setup init/main.c:1408 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1613
 kernel_init+0x1a/0x1d0 init/main.c:1502
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880143e8d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880143e8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880143e8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                     ^
 ffff8880143e8f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880143e8f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
[parent not found: <20220203040227.2057-1-hdanton@sina.com>]
* Re: [syzbot] general protection fault in hidraw_release
From: Dmitry Vyukov
Date: 2022-02-03 6:09 UTC
To: Hillf Danton
Cc: syzbot, benjamin.tissoires, jikos, linux-input, linux-kernel, syzkaller-bugs
In-Reply-To: <20220203040227.2057-1-hdanton@sina.com>

On Thu, 3 Feb 2022 at 05:02, Hillf Danton <hdanton@sina.com> wrote:
>
> On Tue, 01 Feb 2022 23:19:25 -0800
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit:    9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
> > git tree:       upstream
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> > Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862
> >
> > Call Trace:
> >  <TASK>
> >  __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> >  __list_del_entry include/linux/list.h:134 [inline]
> >  list_del include/linux/list.h:148 [inline]
>
> What is difficult to follow is syzbot instead did not complain at the spin_lock
> prior to list_del in regard to uaf.
>
> Any light on the difficulty is welcome.

Hi Hillf,

If you mean these lock/unlock:

spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags);
list_del(&list->node);
spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);

They seem to operate on global hidraw_table locks.
I would assume only this file is corrupted/bad, but the global lock
table is fine.

> >  hidraw_release+0xd5/0x370 drivers/hid/hidraw.c:353
> >  __fput+0x286/0x9f0 fs/file_table.c:311
> >  task_work_run+0xdd/0x1a0 kernel/task_work.c:164
> >  exit_task_work include/linux/task_work.h:32 [inline]
> >  do_exit+0xb29/0x2a30 kernel/exit.c:806
> >
> > Freed by task 4861:
> >  kfree+0xf6/0x290 mm/slab.c:3794
> >  drop_ref+0x28f/0x390 drivers/hid/hidraw.c:335
> >  hidraw_release+0x255/0x370 drivers/hid/hidraw.c:357
> >
> > The buggy address belongs to the object at ffff8880143e8e00
> >  which belongs to the cache kmalloc-192 of size 192
> > The buggy address is located 176 bytes inside of
> >  192-byte region [ffff8880143e8e00, ffff8880143e8ec0)
[parent not found: <20220203084246.2133-1-hdanton@sina.com>]
* Re: [syzbot] general protection fault in hidraw_release
From: Dmitry Vyukov
Date: 2022-02-03 9:05 UTC
To: Hillf Danton
Cc: syzbot, benjamin.tissoires, jikos, linux-input, linux-kernel, syzkaller-bugs
In-Reply-To: <20220203084246.2133-1-hdanton@sina.com>

On Thu, 3 Feb 2022 at 09:43, Hillf Danton <hdanton@sina.com> wrote:
>
> On Thu, 3 Feb 2022 07:09:52 +0100 Dmitry Vyukov wrote:
> > On Thu, 3 Feb 2022 at 05:02, Hillf Danton <hdanton@sina.com> wrote:
> > >
> > > On Tue, 01 Feb 2022 23:19:25 -0800
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> > > > Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862
> > > >
> > > > Call Trace:
> > > >  <TASK>
> > > >  __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> > > >  __list_del_entry include/linux/list.h:134 [inline]
> > > >  list_del include/linux/list.h:148 [inline]
> > >
> > > What is difficult to follow is syzbot instead did not complain at the spin_lock
> > > prior to list_del in regard to uaf.
> > >
> > > Any light on the difficulty is welcome.
> >
> > Hi Hillf,
>
> Hi Dmitry
>
> Thanks for taking a look at it.
>
> > If you mean these lock/unlock:
>
> Yes I did.
>
> > spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags);
> > list_del(&list->node);
> > spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
> >
> > They seem to operate on global hidraw_table locks.
> > I would assume only this file is corrupted/bad, but the global lock
> > table is fine.
>
> 0/ in hidraw_connect()
>
> 	dev = kzalloc(sizeof(struct hidraw), GFP_KERNEL);
> 	...
> 	spin_lock_init(&dev->list_lock);
> 	dev->minor = minor;
>
> 1/ in hidraw_open()
>
> 	down_read(&minors_rwsem);
> 	if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
> 		err = -ENODEV;
> 		goto out_unlock;
> 	}
>
> 	dev = hidraw_table[minor];
> 	...
> 	spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags);
> 	list_add_tail(&list->node, &hidraw_table[minor]->list);
> 	spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
>
> 3/ in drop_ref()
>
> 	hidraw_table[hidraw->minor] = NULL;
> 	kfree(hidraw);
>
> 4/ in __list_del_entry_valid()
>
> 51	CHECK_DATA_CORRUPTION(prev->next != entry,
>
>
> Given the kfree in 3/ can explain
> "Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862",
> I failed to work out how syzbot survived locking hidraw->list_lock after
> scratching scalp twenty minutes in fear of unknown hardware glitch. But
> that fear does not have any chance for making sense given the reproducer
> in your toolkit.

The kernel may have survived locking hidraw->list_lock because it's a
racy use-after-free: use and free happened in different tasks. So based
on timing the task can start using freed memory at any line of code.

Note sometimes it also manifests as "general protection fault in
hidraw_release". Races frequently have different manifestations.

> > > >  hidraw_release+0xd5/0x370 drivers/hid/hidraw.c:353
> > > >  __fput+0x286/0x9f0 fs/file_table.c:311
> > > >
> > > > Freed by task 4861:
> > > >  kfree+0xf6/0x290 mm/slab.c:3794
> > > >  drop_ref+0x28f/0x390 drivers/hid/hidraw.c:335
> > > >  hidraw_release+0x255/0x370 drivers/hid/hidraw.c:357
> > > >
> > > > The buggy address belongs to the object at ffff8880143e8e00
> > > >  which belongs to the cache kmalloc-192 of size 192
> > > > The buggy address is located 176 bytes inside of
> > > >  192-byte region [ffff8880143e8e00, ffff8880143e8ec0)
* Re: [syzbot] general protection fault in hidraw_release
@ 2022-02-02 10:17 ` syzbot
From: syzbot @ 2022-02-02 10:17 UTC
To: benjamin.tissoires, changbin.du, christian.brauner, daniel, davem, edumazet, hkallweit1, jikos, kuba, linux-input, linux-kernel, netdev, syzkaller-bugs, yajun.deng

syzbot has bisected this issue to:

commit e4b8954074f6d0db01c8c97d338a67f9389c042f
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Dec 7 01:30:37 2021 +0000

    netlink: add net device refcount tracker to struct ethnl_req_info

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15179fa8700000
start commit:   9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=17179fa8700000
console output: https://syzkaller.appspot.com/x/log.txt?x=13179fa8700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3e56c9b92aaaee24
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15fff530700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000

Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com
Fixes: e4b8954074f6 ("netlink: add net device refcount tracker to struct ethnl_req_info")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
[parent not found: <20220203102217.2229-1-hdanton@sina.com>]
* Re: [syzbot] general protection fault in hidraw_release
@ 2022-02-03 12:18 ` syzbot
From: syzbot @ 2022-02-03 12:18 UTC
To: benjamin.tissoires, dvyukov, hdanton, jikos, linux-input, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in drop_ref

------------[ cut here ]------------
kernel BUG at drivers/hid/hidraw.c:335!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5036 Comm: syz-executor223 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f229e36a600 CR3: 0000000079b38000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 hidraw_disconnect+0x48/0x60 drivers/hid/hidraw.c:600
 hid_disconnect+0x130/0x1a0 drivers/hid/hid-core.c:2036
 hid_hw_stop drivers/hid/hid-core.c:2079 [inline]
 hid_device_remove+0x15d/0x200 drivers/hid/hid-core.c:2411
 __device_release_driver+0x3bd/0x700 drivers/base/dd.c:1204
 device_release_driver_internal drivers/base/dd.c:1237 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1260
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
 device_del+0x502/0xd50 drivers/base/core.c:3592
 hid_remove_device drivers/hid/hid-core.c:2578 [inline]
 hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2597
 uhid_dev_destroy drivers/hid/uhid.c:587 [inline]
 uhid_char_release+0xed/0x210 drivers/hid/uhid.c:663
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __ia32_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7ee8549
Code: Unable to access opcode bytes at RIP 0xf7ee851f.
RSP: 002b:00000000ff8aaf4c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000f7f94fa0 RSI: 00000000f7f953b8 RDI: 00000000f7f953b8
RBP: 00000000f7f95928 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f64971d1018 CR3: 000000007f5e0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Tested on:

commit:         9f7fb8de Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=15e029cc700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b4a89edfcc8f7c74
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12571934700000
[parent not found: <20220204054708.2335-1-hdanton@sina.com>]
* Re: [syzbot] general protection fault in hidraw_release
@ 2022-02-04  6:00 ` syzbot
From: syzbot @ 2022-02-04 6:00 UTC
To: benjamin.tissoires, dvyukov, hdanton, jikos, linux-input, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com

Tested on:

commit:         9f7fb8de Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config:  https://syzkaller.appspot.com/x/.config?x=b4a89edfcc8f7c74
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1665d17c700000

Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] general protection fault in hidraw_release
@ 2022-03-23 16:23 ` Jiri Kosina
From: Jiri Kosina @ 2022-03-23 16:23 UTC
To: Hillf Danton
Cc: syzbot, benjamin.tissoires, dvyukov, linux-input, linux-kernel, syzkaller-bugs

On Fri, 4 Feb 2022, Hillf Danton wrote:

> > ------------[ cut here ]------------
> > kernel BUG at drivers/hid/hidraw.c:335!
> > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 1 PID: 5036 Comm: syz-executor223 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b-dirty #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
> > Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
> > RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
> > RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
> > RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
> > R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
> > R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
> > FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: 00007f229e36a600 CR3: 0000000079b38000 CR4: 00000000003506e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  <TASK>
> >  hidraw_disconnect+0x48/0x60 drivers/hid/hidraw.c:600
> >  hid_disconnect+0x130/0x1a0 drivers/hid/hid-core.c:2036
> >  hid_hw_stop drivers/hid/hid-core.c:2079 [inline]
> >  hid_device_remove+0x15d/0x200 drivers/hid/hid-core.c:2411
> >  __device_release_driver+0x3bd/0x700 drivers/base/dd.c:1204
> >  device_release_driver_internal drivers/base/dd.c:1237 [inline]
> >  device_release_driver+0x26/0x40 drivers/base/dd.c:1260
> >  bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
> >  device_del+0x502/0xd50 drivers/base/core.c:3592
> >  hid_remove_device drivers/hid/hid-core.c:2578 [inline]
> >  hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2597
> >  uhid_dev_destroy drivers/hid/uhid.c:587 [inline]
> >  uhid_char_release+0xed/0x210 drivers/hid/uhid.c:663
> >  __fput+0x286/0x9f0 fs/file_table.c:311
> >  task_work_run+0xdd/0x1a0 kernel/task_work.c:164
> >  exit_task_work include/linux/task_work.h:32 [inline]
> >  do_exit+0xb29/0x2a30 kernel/exit.c:806
> >  do_group_exit+0xd2/0x2f0 kernel/exit.c:935
> >  __do_sys_exit_group kernel/exit.c:946 [inline]
> >  __se_sys_exit_group kernel/exit.c:944 [inline]
> >  __ia32_sys_exit_group+0x3a/0x50 kernel/exit.c:944
> >  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
> >  __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
> >  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> >  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> > RIP: 0023:0xf7ee8549
> > Code: Unable to access opcode bytes at RIP 0xf7ee851f.
> > RSP: 002b:00000000ff8aaf4c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
> > RDX: 00000000f7f94fa0 RSI: 00000000f7f953b8 RDI: 00000000f7f953b8
> > RBP: 00000000f7f95928 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> >  </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
> > Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
> > RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
> > RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
> > RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
> > R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
> > R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
> > FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: 00007f64971d1018 CR3: 000000007f5e0000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >
> >
> > Tested on:
> >
> > commit:         9f7fb8de Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ > > console output: https://syzkaller.appspot.com/x/log.txt?x=15e029cc700000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=b4a89edfcc8f7c74 > > dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > userspace arch: i386 > > patch: https://syzkaller.appspot.com/x/patch.diff?x=12571934700000 > > This proves what Dmitry explained, given minor M, hidrawA == hidraw_table[M] > was freed with someone dangling on the hidrawA->list because of zero open > count, then another opener put hidrawB in hidraw_table[M]. > > TBH no evidence of leak in open count spotted, see what will come up with > parallel openers disabled. > > Hillf > > #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 9f7fb8de5d9b > > --- a/drivers/hid/hidraw.c > +++ b/drivers/hid/hidraw.c > @@ -272,7 +272,7 @@ static int hidraw_open(struct inode *ino > goto out; > } > > - down_read(&minors_rwsem); > + down_write(&minors_rwsem); > if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { > err = -ENODEV; > goto out_unlock; > @@ -301,7 +301,7 @@ static int hidraw_open(struct inode *ino > spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags); > file->private_data = list; > out_unlock: > - up_read(&minors_rwsem); > + up_write(&minors_rwsem); > out: > if (err < 0) > kfree(list); > @@ -332,6 +332,7 @@ static void drop_ref(struct hidraw *hidr > if (!hidraw->open) { > if (!hidraw->exist) { > hidraw_table[hidraw->minor] = NULL; > + BUG_ON(!list_empty(&hidraw->list)); > kfree(hidraw); > } else { > /* close device for last reader */ Hillf, could you please submit this properly with a full changelog, signed-off-by: line, etc? Thanks, -- Jiri Kosina SUSE Labs ^ permalink raw reply [flat|nested] 8+ messages in thread
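Review bot: the down_read to down_write change in hidraw_open makes every open() exclusive against every other open() and against the table writers, but neither the hunk nor the covering text names the shared state the parallel openers were racing on; Hillf's own note says "no evidence of leak in open count spotted", so the changelog Jiri asks for should identify the racing access (the context lines show the hidraw_table[minor] lookup and the list_lock section as the candidates), otherwise this reads as a fix of the symptom that happens to stop the reproducer. Holding minors_rwsem for writing on every open() also serializes opens of unrelated hidraw minors, which is an accepted cost worth stating.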
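Review bot: the up_write at out_unlock pairs with the new down_write, and the `goto out` before the lock correctly bypasses it, but with the semaphore now held for writing every error path inside the critical section has to keep going through out_unlock: a write lock left held blocks all later opens and disconnects rather than only the writers. A sentence in the changelog that the two lock hunks are one change and that no early return remains between them would make that reviewable.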
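Review bot: BUG_ON(!list_empty(&hidraw->list)) in drop_ref turns an invariant violation that the syzbot reproducer actually reached (the "kernel BUG at drivers/hid/hidraw.c:335" test result above) into a full machine crash; for the submitted version prefer WARN_ON_ONCE and skip the kfree in that case, so a still-linked hidraw_list cannot become a use-after-free while the system stays up. The changelog should also say whether the check is meant to stay as a permanent assertion or was only the diagnostic that confirmed the dangling reader.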
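A constructed userspace model of the minor-table, open-count and reader-list bookkeeping that Hillf's patch touches, added here as an example and not code from the thread or from the kernel: it returns a status instead of BUG()ing when the free path finds a reader still linked, and injects a lost increment on the open count as a stand-in for whatever the parallel openers raced on (an assumption; the thread does not identify the mechanism). Names mirror hidraw.c but the list, table size and scenario are invented for the model.

```c
/* Constructed userspace model of the hidraw minor-table bookkeeping; not kernel
 * code. Invariant behind the quoted BUG_ON: no reader node linked at free time. */
#include <errno.h>
#include <stdlib.h>
struct hidraw;
struct hidraw_list { struct hidraw_list *next; struct hidraw *hidraw; };
struct hidraw { int minor, open, exist; struct hidraw_list *readers; };
enum drop_result { DROP_KEPT, DROP_FREED, DROP_DANGLING };
static struct hidraw *hidraw_table[4];   /* constructed: small minor table */

static struct hidraw *hidraw_connect(int minor) {   /* probe: publish a live hidraw */
    struct hidraw *dev = calloc(1, sizeof(*dev));
    dev->minor = minor; dev->exist = 1;
    return hidraw_table[minor] = dev;
}

/* Mirrors hidraw_open(): reject a missing or unplugged slot, otherwise count the
 * opener and link its per-file reader node (the kernel's struct hidraw_list). */
static int hidraw_open(int minor, struct hidraw_list **out) {
    struct hidraw *dev = hidraw_table[minor];
    if (!dev || !dev->exist) return -ENODEV;
    *out = calloc(1, sizeof(**out));
    (*out)->hidraw = dev; (*out)->next = dev->readers;
    dev->readers = *out; dev->open++;
    return 0;
}

/* Mirrors drop_ref(): exists_bit marks device removal, otherwise one reader left.
 * With neither left, clear the slot and free; a reader still linked at that point
 * is exactly what the patch's BUG_ON(!list_empty(&hidraw->list)) catches. */
static enum drop_result drop_ref(struct hidraw *dev, int exists_bit) {
    if (exists_bit) dev->exist = 0; else dev->open--;
    if (dev->open || dev->exist) return DROP_KEPT;
    hidraw_table[dev->minor] = NULL;
    if (dev->readers) return DROP_DANGLING;   /* kfree here would leave a UAF */
    free(dev);
    return DROP_FREED;
}

static enum drop_result hidraw_release(struct hidraw_list *list) {
    struct hidraw *dev = list->hidraw;
    struct hidraw_list **pp = &dev->readers;
    while (*pp && *pp != list) pp = &(*pp)->next;   /* unlink this file's node */
    if (*pp) *pp = list->next;
    free(list);
    return drop_ref(dev, 0);
}

/* Two readers linked but the counter says one: the lost increment stands in for
 * the parallel-opener race seen under the read lock (an assumption; the thread
 * does not pin it down). Closing one reader then reaches the free path early. */
static int scenario_lost_count(void) {
    struct hidraw_list *a, *b;
    struct hidraw *dev = hidraw_connect(1);
    if (hidraw_open(1, &a) || hidraw_open(1, &b)) return -1;
    dev->open = 1;              /* injected lost update on the open count */
    drop_ref(dev, 1);           /* unplug: the one counted reader keeps dev */
    return hidraw_release(a);   /* DROP_DANGLING: b is still linked to dev */
}
```

An orderly open, unplug, close sequence on another minor goes through drop_ref to DROP_FREED with the slot cleared, which is the path the BUG_ON never fires on.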
Thread overview: 8+ messages
2022-01-04  7:49 [syzbot] general protection fault in hidraw_release syzbot
2022-02-02  7:19 ` syzbot
[not found] ` <20220203040227.2057-1-hdanton@sina.com>
2022-02-03  6:09 ` Dmitry Vyukov
[not found] ` <20220203084246.2133-1-hdanton@sina.com>
2022-02-03  9:05 ` Dmitry Vyukov
2022-02-02 10:17 ` syzbot
[not found] <20220203102217.2229-1-hdanton@sina.com>
2022-02-03 12:18 ` syzbot
[not found] ` <20220204054708.2335-1-hdanton@sina.com>
2022-02-04  6:00 ` syzbot
2022-03-23 16:23 ` Jiri Kosina