* [syzbot] general protection fault in hidraw_release
@ 2022-01-04  7:49 syzbot
  2022-02-02  7:19 ` syzbot
  2022-02-02 10:17 ` syzbot
  0 siblings, 2 replies; 8+ messages in thread
From: syzbot @ 2022-01-04  7:49 UTC (permalink / raw)
  To: benjamin.tissoires, jikos, linux-input, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ea586a076e8a Add linux-next specific files for 20211224
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=124161edb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9c4e3dde2c568fb
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 0 PID: 9653 Comm: syz-executor.3 Not tainted 5.16.0-rc6-next-20211224-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xd7a/0x5470 kernel/locking/lockdep.c:4897
Code: 13 0e 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 ac c8 13 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 9f 2e 00 00 49 81 3e 60 94 1b 8f 0f 84 52 f3 ff
RSP: 0018:ffffc90005647bc8 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff92000ac8fa4 RCX: 1ffff92000ac8f8b
RDX: 0000000000000011 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1b2663a R11: 0000000000000001 R12: 0000000000000000
R13: ffff888045f657c0 R14: 0000000000000088 R15: 0000000000000000
FS:  0000555555772400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ef2e000 CR3: 00000000131f3000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire kernel/locking/lockdep.c:5639 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 hidraw_release+0xca/0x370 drivers/hid/hidraw.c:352
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcce3b0fadb
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff23159320 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007fcce3b0fadb
RDX: 0000000000000000 RSI: 00007fcce2cd5760 RDI: 0000000000000004
RBP: 00007fcce3c71960 R08: 0000000000000000 R09: 00000000355938f3
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000011a408
R13: 00007fff23159420 R14: 00007fcce3c70100 R15: 0000000000000032
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0xd7a/0x5470 kernel/locking/lockdep.c:4897
Code: 13 0e 41 bf 01 00 00 00 0f 86 c8 00 00 00 89 05 ac c8 13 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 9f 2e 00 00 49 81 3e 60 94 1b 8f 0f 84 52 f3 ff
RSP: 0018:ffffc90005647bc8 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff92000ac8fa4 RCX: 1ffff92000ac8f8b
RDX: 0000000000000011 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1b2663a R11: 0000000000000001 R12: 0000000000000000
R13: ffff888045f657c0 R14: 0000000000000088 R15: 0000000000000000
FS:  0000555555772400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ef2e000 CR3: 00000000131f3000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	13 0e                	adc    (%rsi),%ecx
   2:	41 bf 01 00 00 00    	mov    $0x1,%r15d
   8:	0f 86 c8 00 00 00    	jbe    0xd6
   e:	89 05 ac c8 13 0e    	mov    %eax,0xe13c8ac(%rip)        # 0xe13c8c0
  14:	e9 bd 00 00 00       	jmpq   0xd6
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 f2             	mov    %r14,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 9f 2e 00 00    	jne    0x2ed3
  34:	49 81 3e 60 94 1b 8f 	cmpq   $0xffffffff8f1b9460,(%r14)
  3b:	0f                   	.byte 0xf
  3c:	84 52 f3             	test   %dl,-0xd(%rdx)
  3f:	ff                   	.byte 0xff


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: [syzbot] general protection fault in hidraw_release
  2022-01-04  7:49 [syzbot] general protection fault in hidraw_release syzbot
@ 2022-02-02  7:19 ` syzbot
       [not found]   ` <20220203040227.2057-1-hdanton@sina.com>
  2022-02-02 10:17 ` syzbot
  1 sibling, 1 reply; 8+ messages in thread
From: syzbot @ 2022-02-02  7:19 UTC (permalink / raw)
  To: benjamin.tissoires, jikos, linux-input, linux-kernel, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1653b6cbb00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3e56c9b92aaaee24
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15fff530700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862

CPU: 0 PID: 4862 Comm: syz-executor753 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 hidraw_release+0xd5/0x370 drivers/hid/hidraw.c:353
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f4256d1c749
Code: Unable to access opcode bytes at RIP 0x7f4256d1c71f.
RSP: 002b:00007fffddc9a4e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f4256d913f0 RCX: 00007f4256d1c749
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 00007fffddc9a560
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4256d913f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

Allocated by task 20:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 hidraw_connect+0x4b/0x440 drivers/hid/hidraw.c:543
 hid_connect+0x5be/0xbc0 drivers/hid/hid-core.c:1960
 hid_hw_start drivers/hid/hid-core.c:2059 [inline]
 hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2050
 hid_generic_probe drivers/hid/hid-generic.c:67 [inline]
 hid_generic_probe+0x6d/0x90 drivers/hid/hid-generic.c:56
 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2380
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:752
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:782
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:899
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:970
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc17/0x1ee0 drivers/base/core.c:3405
 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2530
 uhid_device_add_worker+0x36/0x60 drivers/hid/uhid.c:73
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 4861:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xee/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf6/0x290 mm/slab.c:3794
 drop_ref+0x28f/0x390 drivers/hid/hidraw.c:335
 hidraw_release+0x255/0x370 drivers/hid/hidraw.c:357
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880143e8e00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 176 bytes inside of
 192-byte region [ffff8880143e8e00, ffff8880143e8ec0)
The buggy address belongs to the page:
page:ffffea000050fa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143e8
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000050f188 ffffea000050fc48 ffff888010c40000
raw: 0000000000000000 ffff8880143e8000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2151082992, free_ts 0
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365
 kobject_uevent_env+0xf28/0x1600 lib/kobject_uevent.c:614
 kernel_add_sysfs_param kernel/params.c:816 [inline]
 param_sysfs_builtin kernel/params.c:851 [inline]
 param_sysfs_init+0x367/0x43b kernel/params.c:970
 do_one_initcall+0x103/0x650 init/main.c:1300
 do_initcall_level init/main.c:1373 [inline]
 do_initcalls init/main.c:1389 [inline]
 do_basic_setup init/main.c:1408 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1613
 kernel_init+0x1a/0x1d0 init/main.c:1502
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880143e8d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880143e8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880143e8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                     ^
 ffff8880143e8f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880143e8f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
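
A triage helper for the KASAN report above, added here as an example and not part of the syzbot report or of the kernel's own tooling: it parses the "Memory state around the buggy address" dump (copied from the report into a constructed sample string), decodes the generic-KASAN shadow byte covering the faulting address, cross-checks the report's `^` marker against the "Read of size 8 at addr" line, and walks the shadow outwards over freed granules to recover the freed object's bounds, reproducing the "176 bytes inside of 192-byte region" figure. The shadow-byte constants are the generic-KASAN values from mm/kasan/kasan.h; the helper names and the 64-bit row-prefix arithmetic for the caret column are assumptions of this example.

```python
"""Triage helper for a generic-KASAN "Memory state around the buggy address"
dump (added example; not part of the syzbot report or of the kernel tree)."""
import re

# Generic-KASAN shadow byte values, as defined in mm/kasan/kasan.h.
# One shadow byte describes one 8-byte granule of kernel memory.
KASAN_KMALLOC_FREETRACK = 0xFA  # freed object; this granule holds the free track
KASAN_KMALLOC_FREE = 0xFB       # freed object (kfree / kmem_cache_free)
KASAN_KMALLOC_REDZONE = 0xFC    # redzone after a slab object
GRANULE = 8
# len(">ffff8880143e8e80: ") for 64-bit addresses (assumption); tokens are "xx ".
ROW_PREFIX = 19
TOKEN_WIDTH = 3

# Constructed sample: the shadow dump copied verbatim from the report above.
SAMPLE_DUMP = """\
Memory state around the buggy address:
 ffff8880143e8d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880143e8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880143e8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                     ^
 ffff8880143e8f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880143e8f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""
SAMPLE_ADDR = 0xffff8880143e8eb0  # "Read of size 8 at addr ..." in the report

ROW_RE = re.compile(r"^([ >])([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


def parse_shadow(dump):
    """Map every granule start address in the dump to its shadow byte value."""
    shadow = {}
    for line in dump.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        base = int(m.group(2), 16)
        for i, tok in enumerate(m.group(3).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def caret_address(dump):
    """Address the report's '^' marker points at: the '>' row's base plus the
    granule index derived from the caret column. Used to cross-check the
    'at addr' line against the dump itself."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        m = ROW_RE.match(line.rstrip())
        if m and m.group(1) == ">" and i + 1 < len(lines) and "^" in lines[i + 1]:
            idx = (lines[i + 1].index("^") - ROW_PREFIX) // TOKEN_WIDTH
            return int(m.group(2), 16) + idx * GRANULE
    return None


def classify(byte):
    """Name the access type implied by the shadow byte covering the address."""
    if byte in (KASAN_KMALLOC_FREE, KASAN_KMALLOC_FREETRACK):
        return "use-after-free"
    if byte == KASAN_KMALLOC_REDZONE:
        return "slab-out-of-bounds"
    if byte == 0:
        return "accessible"
    if 1 <= byte < GRANULE:
        return "partially-accessible"
    return "other"


def freed_object_bounds(shadow, addr):
    """Walk outwards over freed granules from addr and return (start, end) of
    the freed slab object (end exclusive), or None if addr is not in one."""
    g = addr - addr % GRANULE
    if shadow.get(g) not in (KASAN_KMALLOC_FREE, KASAN_KMALLOC_FREETRACK):
        return None
    start = g
    while shadow.get(start) == KASAN_KMALLOC_FREE:
        start -= GRANULE
    if shadow.get(start) != KASAN_KMALLOC_FREETRACK:
        start += GRANULE  # ran off the dump; clamp to the first freed granule seen
    end = g + GRANULE
    while shadow.get(end) == KASAN_KMALLOC_FREE:
        end += GRANULE
    return start, end


def triage(dump, addr):
    """Summarise what the shadow dump says about addr, as a dict."""
    shadow = parse_shadow(dump)
    byte = shadow.get(addr - addr % GRANULE)
    if byte is None:
        raise ValueError("address 0x%x is not covered by the dump" % addr)
    result = {"shadow_byte": byte, "kind": classify(byte),
              "caret_matches": caret_address(dump) == addr}
    bounds = freed_object_bounds(shadow, addr)
    if bounds:
        start, end = bounds
        result.update(object_start=start, object_end=end,
                      object_size=end - start, offset=addr - start)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, SAMPLE_ADDR).items():
        print("%-14s %s" % (key, value))
```

On the report's dump this yields a 0xfb shadow byte (use-after-free), a freed object spanning [ffff8880143e8e00, ffff8880143e8ec0) and an offset of 176, matching the kmalloc-192 figures the report prints.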



* Re: [syzbot] general protection fault in hidraw_release
  2022-01-04  7:49 [syzbot] general protection fault in hidraw_release syzbot
  2022-02-02  7:19 ` syzbot
@ 2022-02-02 10:17 ` syzbot
  1 sibling, 0 replies; 8+ messages in thread
From: syzbot @ 2022-02-02 10:17 UTC (permalink / raw)
  To: benjamin.tissoires, changbin.du, christian.brauner, daniel,
	davem, edumazet, hkallweit1, jikos, kuba, linux-input,
	linux-kernel, netdev, syzkaller-bugs, yajun.deng

syzbot has bisected this issue to:

commit e4b8954074f6d0db01c8c97d338a67f9389c042f
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Dec 7 01:30:37 2021 +0000

    netlink: add net device refcount tracker to struct ethnl_req_info

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15179fa8700000
start commit:   9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=17179fa8700000
console output: https://syzkaller.appspot.com/x/log.txt?x=13179fa8700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3e56c9b92aaaee24
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15fff530700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000

Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com
Fixes: e4b8954074f6 ("netlink: add net device refcount tracker to struct ethnl_req_info")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] general protection fault in hidraw_release
       [not found]   ` <20220203040227.2057-1-hdanton@sina.com>
@ 2022-02-03  6:09     ` Dmitry Vyukov
       [not found]       ` <20220203084246.2133-1-hdanton@sina.com>
  0 siblings, 1 reply; 8+ messages in thread
From: Dmitry Vyukov @ 2022-02-03  6:09 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, benjamin.tissoires, jikos, linux-input, linux-kernel,
	syzkaller-bugs

On Thu, 3 Feb 2022 at 05:02, Hillf Danton <hdanton@sina.com> wrote:
>
> On Tue, 01 Feb 2022 23:19:25 -0800
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit:    9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1653b6cbb00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=3e56c9b92aaaee24
> > dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15fff530700000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> > Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862
> >
> > CPU: 0 PID: 4862 Comm: syz-executor753 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> >  print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
> >  __kasan_report mm/kasan/report.c:442 [inline]
> >  kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
> >  __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> >  __list_del_entry include/linux/list.h:134 [inline]
> >  list_del include/linux/list.h:148 [inline]
>
> What is difficult to follow is syzbot instead did not complain at the spin_lock
> prior to list_del in regard to uaf.
>
> Any light on the difficulty is welcome.

Hi Hillf,

If you mean these lock/unlock:

spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags);
list_del(&list->node);
spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);

They seem to operate on global hidraw_table locks.
I would assume only this file is corrupted/bad, but the global lock
table is fine.




* Re: [syzbot] general protection fault in hidraw_release
       [not found]       ` <20220203084246.2133-1-hdanton@sina.com>
@ 2022-02-03  9:05         ` Dmitry Vyukov
  0 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2022-02-03  9:05 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, benjamin.tissoires, jikos, linux-input, linux-kernel,
	syzkaller-bugs

On Thu, 3 Feb 2022 at 09:43, Hillf Danton <hdanton@sina.com> wrote:
>
> On Thu, 3 Feb 2022 07:09:52 +0100 Dmitry Vyukov wrote:
> > On Thu, 3 Feb 2022 at 05:02, Hillf Danton <hdanton@sina.com> wrote:
> > >
> > > On Tue, 01 Feb 2022 23:19:25 -0800
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit:    9f7fb8de5d9b Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
> > > > git tree:       upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1653b6cbb00000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=3e56c9b92aaaee24
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
> > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15fff530700000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=106469f0700000
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com
> > > >
> > > > ==================================================================
> > > > BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> > > > Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862
> > > >
> > > > CPU: 0 PID: 4862 Comm: syz-executor753 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b #0
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > > Call Trace:
> > > >  <TASK>
> > > >  __dump_stack lib/dump_stack.c:88 [inline]
> > > >  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> > > >  print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
> > > >  __kasan_report mm/kasan/report.c:442 [inline]
> > > >  kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
> > > >  __list_del_entry_valid+0xe0/0xf0 lib/list_debug.c:51
> > > >  __list_del_entry include/linux/list.h:134 [inline]
> > > >  list_del include/linux/list.h:148 [inline]
> > >
> > > What is difficult to follow is syzbot instead did not complain at the spin_lock
> > > prior to list_del in regard to uaf.
> > >
> > > Any light on the difficulty is welcome.
> >
> > Hi Hillf,
>
> Hi Dmitry
>
> Thanks for taking a look at it.
>
> >
> > If you mean these lock/unlock:
>
> Yes I did.
> >
> > spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags);
> > list_del(&list->node);
> > spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
> >
> > They seem to operate on a global hidraw_table locks.
> > I would assume only this file is corrupted/bad, but the global lock
> > table is fine.
> >
> 0/ in  hidraw_connect()
>
>         dev = kzalloc(sizeof(struct hidraw), GFP_KERNEL);
>         ...
>         spin_lock_init(&dev->list_lock);
>         dev->minor = minor;
>
> 1/ in hidraw_open()
>
>         down_read(&minors_rwsem);
>         if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
>                 err = -ENODEV;
>                 goto out_unlock;
>         }
>
>         dev = hidraw_table[minor];
>         ...
>         spin_lock_irqsave(&hidraw_table[minor]->list_lock, flags);
>         list_add_tail(&list->node, &hidraw_table[minor]->list);
>         spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
>
> 3/ in drop_ref()
>
>         hidraw_table[hidraw->minor] = NULL;
>         kfree(hidraw);
>
> 4/ in __list_del_entry_valid()
>
> 51      CHECK_DATA_CORRUPTION(prev->next != entry,
>
>
> Given that the kfree in 3/ can explain
> "Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862",
> I failed to work out how syzbot survived locking hidraw->list_lock after
> scratching my scalp for twenty minutes in fear of an unknown hardware glitch. But
> that fear does not have any chance of making sense given the reproducer
> in your toolkit.

The kernel may have survived locking hidraw->list_lock because it's a
racy use-after-free: use and free happened in different tasks. So
based on timing the task can start using freed memory at any line of
code.
Note sometimes it also manifests as "general protection fault in
hidraw_release". Races frequently have different manifestations.



> > > >  kasan_set_track+0x21/0x30 mm/kasan/common.c:45
> > > >  kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
> > > >  ____kasan_slab_free mm/kasan/common.c:366 [inline]
> > > >  ____kasan_slab_free mm/kasan/common.c:328 [inline]
> > > >  __kasan_slab_free+0xee/0x130 mm/kasan/common.c:374
> > > >  kasan_slab_free include/linux/kasan.h:236 [inline]
> > > >  __cache_free mm/slab.c:3437 [inline]
> > > >  kfree+0xf6/0x290 mm/slab.c:3794
> > > >  drop_ref+0x28f/0x390 drivers/hid/hidraw.c:335
> > > >  hidraw_release+0x255/0x370 drivers/hid/hidraw.c:357
> > > >  __fput+0x286/0x9f0 fs/file_table.c:311
> > > >  task_work_run+0xdd/0x1a0 kernel/task_work.c:164
> > > >  exit_task_work include/linux/task_work.h:32 [inline]
> > > >  do_exit+0xb29/0x2a30 kernel/exit.c:806
> > > >  do_group_exit+0xd2/0x2f0 kernel/exit.c:935
> > > >  __do_sys_exit_group kernel/exit.c:946 [inline]
> > > >  __se_sys_exit_group kernel/exit.c:944 [inline]
> > > >  __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
> > > >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > > >  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > > >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > >
> > > > The buggy address belongs to the object at ffff8880143e8e00
> > > >  which belongs to the cache kmalloc-192 of size 192
> > > > The buggy address is located 176 bytes inside of
> > > >  192-byte region [ffff8880143e8e00, ffff8880143e8ec0)
> > > > The buggy address belongs to the page:
> > > > page:ffffea000050fa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143e8
> > > > flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
> > > > raw: 00fff00000000200 ffffea000050f188 ffffea000050fc48 ffff888010c40000
> > > > raw: 0000000000000000 ffff8880143e8000 0000000100000010 0000000000000000
> > > > page dumped because: kasan: bad access detected
> > > > page_owner tracks the page as allocated
> > > > page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2151082992, free_ts 0
> > > >  prep_new_page mm/page_alloc.c:2434 [inline]
> > > >  get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
> > > >  __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
> > > >  __alloc_pages_node include/linux/gfp.h:572 [inline]
> > > >  kmem_getpages mm/slab.c:1378 [inline]
> > > >  cache_grow_begin+0x75/0x350 mm/slab.c:2584
> > > >  cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
> > > >  ____cache_alloc mm/slab.c:3040 [inline]
> > > >  ____cache_alloc mm/slab.c:3023 [inline]
> > > >  __do_cache_alloc mm/slab.c:3267 [inline]
> > > >  slab_alloc mm/slab.c:3308 [inline]
> > > >  kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
> > > >  kmalloc include/linux/slab.h:581 [inline]
> > > >  kzalloc include/linux/slab.h:715 [inline]
> > > >  call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365
> > > >  kobject_uevent_env+0xf28/0x1600 lib/kobject_uevent.c:614
> > > >  kernel_add_sysfs_param kernel/params.c:816 [inline]
> > > >  param_sysfs_builtin kernel/params.c:851 [inline]
> > > >  param_sysfs_init+0x367/0x43b kernel/params.c:970
> > > >  do_one_initcall+0x103/0x650 init/main.c:1300
> > > >  do_initcall_level init/main.c:1373 [inline]
> > > >  do_initcalls init/main.c:1389 [inline]
> > > >  do_basic_setup init/main.c:1408 [inline]
> > > >  kernel_init_freeable+0x6b1/0x73a init/main.c:1613
> > > >  kernel_init+0x1a/0x1d0 init/main.c:1502
> > > >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> > > > page_owner free stack trace missing
> > > >
> > > > Memory state around the buggy address:
> > > >  ffff8880143e8d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> > > >  ffff8880143e8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > > >ffff8880143e8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> > > >                                      ^
> > > >  ffff8880143e8f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > >  ffff8880143e8f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> > > > ==================================================================
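
Dmitry's cross-task rule above, turned into a small triage helper as an added example that is not part of this thread: it parses a KASAN report in the format quoted above (the excerpt is constructed from frames that appear in this thread; offsets and the exact set of frames are illustrative), picks the first subsystem-level frame out of the use and free stacks, and flags the report as a likely race when use and free ran in different tasks.

```python
import re

# Constructed excerpt in the format of the KASAN report quoted in this thread
# (frames and task ids taken from it, offsets illustrative).
SAMPLE_REPORT = """\
Read of size 8 at addr ffff8880143e8eb0 by task syz-executor753/4862

Call Trace:
 <TASK>
 __list_del_entry_valid+0x5c/0x100 lib/list_debug.c:51
 list_del_init include/linux/list.h:204 [inline]
 hidraw_release+0xd5/0x370 drivers/hid/hidraw.c:353
 __fput+0x286/0x9f0 fs/file_table.c:311
 </TASK>

Allocated by task 20:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 hidraw_connect+0x4b/0x440 drivers/hid/hidraw.c:543

Freed by task 4861:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kfree+0xf6/0x290 mm/slab.c:3794
 drop_ref+0x28f/0x390 drivers/hid/hidraw.c:335
 hidraw_release+0x255/0x370 drivers/hid/hidraw.c:357
"""

ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr [0-9a-f]+ by task \S+/(\d+)")
STACK = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME = re.compile(r"^\s+(\S+)\s+(\S+/\S+:\d+)")  # "func[+off/size] path:line"
# Allocator, KASAN, list and VFS plumbing; the subsystem frame is the first one outside these.
INFRA = ("mm/", "lib/", "include/", "fs/", "kernel/", "arch/")


def parse_report(text):
    """Return the access metadata and the access/allocated/freed stacks as (func, path:line) lists."""
    rep, section = {"stacks": {}}, None
    for line in text.splitlines():
        if m := ACCESS.match(line):
            rep.update(kind=m.group(1), size=int(m.group(2)), access_task=int(m.group(3)))
        elif m := STACK.match(line):
            section = m.group(1).lower()              # "allocated" or "freed"
            rep[section + "_task"] = int(m.group(2))
            rep["stacks"][section] = []
        elif line.startswith("Call Trace:"):
            section, rep["stacks"]["access"] = "access", []
        elif section and not line.strip():
            section = None                            # a blank line ends a stack
        elif section and (m := FRAME.match(line)):
            rep["stacks"][section].append((m.group(1).split("+")[0], m.group(2)))
    return rep


def subject_frame(frames):
    """First frame in the subsystem under test rather than in core infrastructure."""
    return next(((f, loc) for f, loc in frames if not loc.startswith(INFRA)), ("?", "?"))


def triage(rep):
    """Dmitry's rule from the thread: use and free in different tasks points to a race."""
    use = subject_frame(rep["stacks"].get("access", []))
    free = subject_frame(rep["stacks"].get("freed", []))
    cross_task = rep["access_task"] != rep["freed_task"]
    return {"use_site": "%s %s" % use, "free_site": "%s %s" % free, "cross_task": cross_task,
            "verdict": "racy use-after-free: use and free happened in different tasks" if cross_task
                       else "use-after-free within a single task"}


if __name__ == "__main__":
    for key, val in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {val}")
```

On the constructed report this yields use site hidraw_release at drivers/hid/hidraw.c:353, free site drop_ref at drivers/hid/hidraw.c:335, and a cross-task verdict.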


* Re: [syzbot] general protection fault in hidraw_release
       [not found]   ` <20220204054708.2335-1-hdanton@sina.com>
  2022-02-04  6:00     ` syzbot
@ 2022-03-23 16:23     ` Jiri Kosina
  1 sibling, 0 replies; 8+ messages in thread
From: Jiri Kosina @ 2022-03-23 16:23 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, benjamin.tissoires, dvyukov, linux-input, linux-kernel,
	syzkaller-bugs

On Fri, 4 Feb 2022, Hillf Danton wrote:

> > ------------[ cut here ]------------
> > kernel BUG at drivers/hid/hidraw.c:335!
> > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 1 PID: 5036 Comm: syz-executor223 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b-dirty #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
> > Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
> > RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
> > RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
> > RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
> > R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
> > R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
> > FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: 00007f229e36a600 CR3: 0000000079b38000 CR4: 00000000003506e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  <TASK>
> >  hidraw_disconnect+0x48/0x60 drivers/hid/hidraw.c:600
> >  hid_disconnect+0x130/0x1a0 drivers/hid/hid-core.c:2036
> >  hid_hw_stop drivers/hid/hid-core.c:2079 [inline]
> >  hid_device_remove+0x15d/0x200 drivers/hid/hid-core.c:2411
> >  __device_release_driver+0x3bd/0x700 drivers/base/dd.c:1204
> >  device_release_driver_internal drivers/base/dd.c:1237 [inline]
> >  device_release_driver+0x26/0x40 drivers/base/dd.c:1260
> >  bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
> >  device_del+0x502/0xd50 drivers/base/core.c:3592
> >  hid_remove_device drivers/hid/hid-core.c:2578 [inline]
> >  hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2597
> >  uhid_dev_destroy drivers/hid/uhid.c:587 [inline]
> >  uhid_char_release+0xed/0x210 drivers/hid/uhid.c:663
> >  __fput+0x286/0x9f0 fs/file_table.c:311
> >  task_work_run+0xdd/0x1a0 kernel/task_work.c:164
> >  exit_task_work include/linux/task_work.h:32 [inline]
> >  do_exit+0xb29/0x2a30 kernel/exit.c:806
> >  do_group_exit+0xd2/0x2f0 kernel/exit.c:935
> >  __do_sys_exit_group kernel/exit.c:946 [inline]
> >  __se_sys_exit_group kernel/exit.c:944 [inline]
> >  __ia32_sys_exit_group+0x3a/0x50 kernel/exit.c:944
> >  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
> >  __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
> >  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> >  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> > RIP: 0023:0xf7ee8549
> > Code: Unable to access opcode bytes at RIP 0xf7ee851f.
> > RSP: 002b:00000000ff8aaf4c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
> > RDX: 00000000f7f94fa0 RSI: 00000000f7f953b8 RDI: 00000000f7f953b8
> > RBP: 00000000f7f95928 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> >  </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
> > Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
> > RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
> > RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
> > RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
> > R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
> > R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
> > FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: 00007f64971d1018 CR3: 000000007f5e0000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > 
> > 
> > Tested on:
> > 
> > commit:         9f7fb8de Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
> > git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15e029cc700000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=b4a89edfcc8f7c74
> > dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > userspace arch: i386
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=12571934700000
> 
> This proves what Dmitry explained, given minor M, hidrawA == hidraw_table[M]
> was freed with someone dangling on the hidrawA->list because of zero open
> count, then another opener put hidrawB in hidraw_table[M].
> 
> TBH no evidence of leak in open count spotted, see what will come up with
> parallel openers disabled.
> 
> Hillf
> 
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/  9f7fb8de5d9b 
> 
> --- a/drivers/hid/hidraw.c
> +++ b/drivers/hid/hidraw.c
> @@ -272,7 +272,7 @@ static int hidraw_open(struct inode *ino
>  		goto out;
>  	}
>  
> -	down_read(&minors_rwsem);
> +	down_write(&minors_rwsem);
>  	if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
>  		err = -ENODEV;
>  		goto out_unlock;
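Review bot: taking the write side of minors_rwsem in hidraw_open() serializes every opener against every other opener, not only against the disconnect path, and the message above says outright that the intent is to see what happens with "parallel openers disabled"; the changelog therefore needs to state which bookkeeping (the open count and list handling that the message says goes wrong) the read side left unprotected, otherwise this reads as a diagnostic knob rather than a fix. The `goto out_unlock` on the -ENODEV path still has to land on the matching up_write(), so this hunk and the next must always go in together.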
> @@ -301,7 +301,7 @@ static int hidraw_open(struct inode *ino
>  	spin_unlock_irqrestore(&hidraw_table[minor]->list_lock, flags);
>  	file->private_data = list;
>  out_unlock:
> -	up_read(&minors_rwsem);
> +	up_write(&minors_rwsem);
>  out:
>  	if (err < 0)
>  		kfree(list);
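Review bot: the up_write() here is the necessary counterpart of the down_write() in the first hunk and both the success path and the -ENODEV path reach it through `out_unlock:`, so the lock is released on every exit; add a short comment at `out_unlock:` (or at the down_write()) saying the write side is deliberate, because without it the next reader of this function will see an rwsem taken for writing on an open path and "fix" it back to the read side.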
> @@ -332,6 +332,7 @@ static void drop_ref(struct hidraw *hidr
>  	if (!hidraw->open) {
>  		if (!hidraw->exist) {
>  			hidraw_table[hidraw->minor] = NULL;
> +			BUG_ON(!list_empty(&hidraw->list));
>  			kfree(hidraw);
>  		} else {
>  			/* close device for last reader */
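Review bot: `BUG_ON(!list_empty(&hidraw->list))` in front of the kfree() turns a still-linked hidraw_list into an immediate panic, and the syzbot result quoted at the top of this message shows exactly that firing from hidraw_disconnect() ("kernel BUG at drivers/hid/hidraw.c:335"), which confirms the list is not empty when the open count reaches zero. As a diagnostic that is the point, but for a submitted fix it should be WARN_ON_ONCE() so the machine survives and the report still arrives, and the stale entry needs to be explained and removed rather than asserted away; note also that it sits after the `hidraw_table[hidraw->minor] = NULL` store, so on a WARN the slot is already cleared while the object is kept, which is the safer of the two orders.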

Hillf,

could you please submit this properly with a full changelog, 
signed-off-by: line, etc?

Thanks,

-- 
Jiri Kosina
SUSE Labs



* Re: [syzbot] general protection fault in hidraw_release
       [not found]   ` <20220204054708.2335-1-hdanton@sina.com>
@ 2022-02-04  6:00     ` syzbot
  2022-03-23 16:23     ` Jiri Kosina
  1 sibling, 0 replies; 8+ messages in thread
From: syzbot @ 2022-02-04  6:00 UTC (permalink / raw)
  To: benjamin.tissoires, dvyukov, hdanton, jikos, linux-input,
	linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+953a33deaf38c66a915e@syzkaller.appspotmail.com

Tested on:

commit:         9f7fb8de Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config:  https://syzkaller.appspot.com/x/.config?x=b4a89edfcc8f7c74
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1665d17c700000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] general protection fault in hidraw_release
       [not found] <20220203102217.2229-1-hdanton@sina.com>
@ 2022-02-03 12:18 ` syzbot
       [not found]   ` <20220204054708.2335-1-hdanton@sina.com>
  0 siblings, 1 reply; 8+ messages in thread
From: syzbot @ 2022-02-03 12:18 UTC (permalink / raw)
  To: benjamin.tissoires, dvyukov, hdanton, jikos, linux-input,
	linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in drop_ref

------------[ cut here ]------------
kernel BUG at drivers/hid/hidraw.c:335!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5036 Comm: syz-executor223 Not tainted 5.17.0-rc2-syzkaller-00039-g9f7fb8de5d9b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f229e36a600 CR3: 0000000079b38000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 hidraw_disconnect+0x48/0x60 drivers/hid/hidraw.c:600
 hid_disconnect+0x130/0x1a0 drivers/hid/hid-core.c:2036
 hid_hw_stop drivers/hid/hid-core.c:2079 [inline]
 hid_device_remove+0x15d/0x200 drivers/hid/hid-core.c:2411
 __device_release_driver+0x3bd/0x700 drivers/base/dd.c:1204
 device_release_driver_internal drivers/base/dd.c:1237 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1260
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
 device_del+0x502/0xd50 drivers/base/core.c:3592
 hid_remove_device drivers/hid/hid-core.c:2578 [inline]
 hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2597
 uhid_dev_destroy drivers/hid/uhid.c:587 [inline]
 uhid_char_release+0xed/0x210 drivers/hid/uhid.c:663
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __ia32_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7ee8549
Code: Unable to access opcode bytes at RIP 0xf7ee851f.
RSP: 002b:00000000ff8aaf4c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000f7f94fa0 RSI: 00000000f7f953b8 RDI: 00000000f7f953b8
RBP: 00000000f7f95928 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drop_ref+0x375/0x3e0 drivers/hid/hidraw.c:335
Code: fb e9 a9 fd ff ff 48 89 ef 89 74 24 04 e8 43 61 04 fb 8b 74 24 04 e9 64 fd ff ff e8 a5 61 04 fb e9 13 fd ff ff e8 8b 1f bd fa <0f> 0b 48 89 df e8 31 61 04 fb e9 5a fe ff ff 48 89 de 48 c7 c7 a0
RSP: 0018:ffffc90005da7ac8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88801deef9b0 RCX: 0000000000000000
RDX: ffff888072660000 RSI: ffffffff86bb4ef5 RDI: ffffffff90869f60
RBP: ffff88801deef900 R08: 0000000000000000 R09: ffffffff8ffbda7f
R10: ffffffff86bb4cd2 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88801deef908 R14: ffff88807f1e98e0 R15: ffff88807f1e8000
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f64971d1018 CR3: 000000007f5e0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit:         9f7fb8de Merge tag 'spi-fix-v5.17-rc2' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=15e029cc700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b4a89edfcc8f7c74
dashboard link: https://syzkaller.appspot.com/bug?extid=953a33deaf38c66a915e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12571934700000


