From: Eric Biggers <ebiggers@kernel.org>
To: Hillf Danton <hdanton@sina.com>
Cc: syzbot <syzbot+8357fbef0d7bb602de45@syzkaller.appspotmail.com>,
benjamin.tissoires@redhat.com, dh.herrmann@googlemail.com,
jikos@kernel.org, linux-input@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: INFO: trying to register non-static key in uhid_char_release
Date: Sat, 7 Mar 2020 22:08:14 -0800 [thread overview]
Message-ID: <20200308060814.GZ15444@sol.localdomain> (raw)
In-Reply-To: <20200308040535.1540-1-hdanton@sina.com>
On Sun, Mar 08, 2020 at 12:05:35PM +0800, Hillf Danton wrote:
>
> Fri, 06 Mar 2020 19:05:11 -0800
> > syzbot found the following crash on:
> >
> > HEAD commit: fb279f4e Merge branch 'i2c/for-current-fixed' of git://git..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16bc5181e00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=8b13b05f0e61d957
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8357fbef0d7bb602de45
> > compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+8357fbef0d7bb602de45@syzkaller.appspotmail.com
> >
> > INFO: trying to register non-static key.
> > the code is fine but needs lockdep annotation.
> > turning off the locking correctness validator.
> > CPU: 0 PID: 9870 Comm: syz-executor.1 Not tainted 5.6.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> > register_lock_class+0x6f4/0xec0 kernel/locking/lockdep.c:443
> > __lock_acquire+0x116/0x1bc0 kernel/locking/lockdep.c:3836
> > lock_acquire+0x154/0x250 kernel/locking/lockdep.c:4484
> > __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> > _raw_spin_lock_irqsave+0x9e/0xc0 kernel/locking/spinlock.c:159
> > __wake_up_common_lock kernel/sched/wait.c:122 [inline]
> > __wake_up+0xb8/0x150 kernel/sched/wait.c:142
> > uhid_dev_destroy drivers/hid/uhid.c:563 [inline]
> > uhid_char_release+0x99/0x600 drivers/hid/uhid.c:642
> > __fput+0x2d8/0x730 fs/file_table.c:280
> > task_work_run+0x176/0x1b0 kernel/task_work.c:113
> > tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> > exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
> > prepare_exit_to_usermode+0x48a/0x5c0 arch/x86/entry/common.c:195
> > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x416041
> > Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
> > RSP: 002b:00007ffd2649c0a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
> > RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416041
> > RDX: 0000001b2f820000 RSI: 0000000000000000 RDI: 0000000000000003
> > RBP: 0000000000000001 R08: 00000000a5a41883 R09: 00000000a5a41887
> > R10: 00007ffd2649c180 R11: 0000000000000293 R12: 000000000076bf20
> > R13: 00000000007715a0 R14: 000000000003bd20 R15: 000000000076bf2c
> >
> > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > CPU: 0 PID: 9870 Comm: syz-executor.1 Not tainted 5.6.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:__wake_up_common+0x297/0x4d0 kernel/sched/wait.c:86
> > Code: fb 01 00 00 45 31 f6 eb 13 66 2e 0f 1f 84 00 00 00 00 00 4d 39 fc 0f 84 e3 01 00 00 4c 89 fb 49 8d 6f e8 4c 89 f8 48 c1 e8 03 <80> 3c 10 00 74 12 48 89 df e8 eb 48 59 00 48 ba 00 00 00 00 00 fc
> > RSP: 0018:ffffc900049a7d20 EFLAGS: 00010046
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> > RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888048e513c8
> > RBP: ffffffffffffffe8 R08: 0000000000000000 R09: ffffc900049a7d88
> > R10: fffff52000934fa4 R11: 0000000000000000 R12: ffff888048e51400
> > R13: 1ffff92000934fb1 R14: 0000000000000000 R15: 0000000000000000
> > FS: 0000000000ed3940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000001b2f822000 CR3: 0000000098f9a000 CR4: 00000000001406f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> > __wake_up_common_lock kernel/sched/wait.c:123 [inline]
> > __wake_up+0xd4/0x150 kernel/sched/wait.c:142
> > uhid_dev_destroy drivers/hid/uhid.c:563 [inline]
> > uhid_char_release+0x99/0x600 drivers/hid/uhid.c:642
> > __fput+0x2d8/0x730 fs/file_table.c:280
> > task_work_run+0x176/0x1b0 kernel/task_work.c:113
> > tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> > exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
> > prepare_exit_to_usermode+0x48a/0x5c0 arch/x86/entry/common.c:195
> > entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Only for gpf.
>
> --- a/drivers/hid/uhid.c
> +++ b/drivers/hid/uhid.c
> @@ -636,9 +636,13 @@ static int uhid_char_open(struct inode *
>
> static int uhid_char_release(struct inode *inode, struct file *file)
> {
> - struct uhid_device *uhid = file->private_data;
> + struct uhid_device *uhid;
> unsigned int i;
>
> + uhid = xchg(&file->private_data, NULL);
> + if (!uhid)
> + return 0; /* race is benign */
> +
> uhid_dev_destroy(uhid);
>
> for (i = 0; i < UHID_BUFSIZE; ++i)
>
That looks wrong. The normal semantics for files (and uhid looks no different)
is that file->private_data is valid as long as they're open, and then
->release() frees it. ->release() should never see NULL private_data.
next prev parent reply other threads:[~2020-03-08 6:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-07 3:05 INFO: trying to register non-static key in uhid_char_release syzbot
[not found] ` <20200308040535.1540-1-hdanton@sina.com>
2020-03-08 6:08 ` Eric Biggers [this message]
2020-03-09 15:26 ` syzbot
2020-03-10 0:57 ` syzbot
[not found] ` <20200310031757.12780-1-hdanton@sina.com>
2020-03-21 19:17 ` David Rheinsberg
2020-10-07 17:01 ` syzbot
2020-11-11 13:21 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200308060814.GZ15444@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=dh.herrmann@googlemail.com \
--cc=hdanton@sina.com \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+8357fbef0d7bb602de45@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.