From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 09 Oct 2019 09:09:06 -0700
From: syzbot
To: akpm@linux-foundation.org, andreyknvl@google.com, cai@lca.pw, info@metux.net, isaacm@codeaurora.org, keescook@chromium.org, kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, william.kucharski@oracle.com
Subject: BUG: bad usercopy in read_rio
Message-ID: <0000000000001c3ae905947c81bd@google.com>
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Hello,

syzbot found the following crash on:

HEAD commit:    58d5f26a usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=149329b3600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=aa5dac3cda4ffd58
dashboard link: https://syzkaller.appspot.com/bug?extid=43e923a8937c203e9954
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+43e923a8937c203e9954@syzkaller.appspotmail.com

usb 3-1: Rio opened.
usercopy: Kernel memory exposure attempt detected from wrapped address (offset 0, size 18446612689754797056)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:99!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 12744 Comm: syz-executor.2 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:99
Code: e8 42 55 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 00 d8 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 b6 e6 c0 ff <0f> 0b e8 16 55 d6 ff e8 11 8c fd ff 8b 54 24 04 49 89 d8 4c 89 e1
RSP: 0018:ffff8881cf06fc60 EFLAGS: 00010282
RAX: 000000000000006d RBX: ffffffff85cdd520 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8128bf9d RDI: ffffed1039e0df7e
RBP: ffffffff85cdd6e0 R08: 000000000000006d R09: ffffed103b645d58
R10: ffffed103b645d57 R11: ffff8881db22eabf R12: ffffffff85cdd880
R13: ffffffff85cdd520 R14: ffff8881ca0c3400 R15: ffffffff85cdd520
FS:  00007f3de63a2700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3de633edb8 CR3: 00000001c9e27000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 check_bogus_address mm/usercopy.c:152 [inline]
 __check_object_size mm/usercopy.c:266 [inline]
 __check_object_size.cold+0xb2/0xbb mm/usercopy.c:256
 check_object_size include/linux/thread_info.h:119 [inline]
 check_copy_size include/linux/thread_info.h:150 [inline]
 copy_to_user include/linux/uaccess.h:151 [inline]
 read_rio+0x223/0x47c drivers/usb/misc/rio500.c:423
 __vfs_read+0x76/0x100 fs/read_write.c:425
 vfs_read+0x1ea/0x430 fs/read_write.c:461
 ksys_read+0x127/0x250 fs/read_write.c:587
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459a59
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3de63a1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459a59
RDX: 00000000000000da RSI: 0000000020000140 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3de63a26d4
R13: 00000000004c70d5 R14: 00000000004dc948 R15: 00000000ffffffff
Modules linked in:
---[ end trace 5c4a17213aed3a20 ]---
RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:99
Code: e8 42 55 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 00 d8 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 b6 e6 c0 ff <0f> 0b e8 16 55 d6 ff e8 11 8c fd ff 8b 54 24 04 49 89 d8 4c 89 e1
RSP: 0018:ffff8881cf06fc60 EFLAGS: 00010282
RAX: 000000000000006d RBX: ffffffff85cdd520 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8128bf9d RDI: ffffed1039e0df7e
RBP: ffffffff85cdd6e0 R08: 000000000000006d R09: ffffed103b645d58
R10: ffffed103b645d57 R11: ffff8881db22eabf R12: ffffffff85cdd880
R13: ffffffff85cdd520 R14: ffff8881ca0c3400 R15: ffffffff85cdd520
FS:  00007f3de63a2700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3de633edb8 CR3: 00000001c9e27000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
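Added worked example, not part of the syzbot report and not code from rio500.c. The call trace above shows copy_to_user() reaching check_bogus_address() in mm/usercopy.c, the CONFIG_HARDENED_USERCOPY check that aborts when the kernel object [ptr, ptr + n) wraps past the end of the address space. The reported size, 18446612689754797056, is 0xffff8881ca0c3400 in hex, which looks like an x86-64 direct-map kernel address rather than a byte count, so any direct-map source pointer plus that length wraps and usercopy_abort() fires. The C program below models that condition in user space and pairs it with the bound a driver read path should apply before the copy: the length handed to copy_to_user() must never exceed the kernel buffer or the caller's count (RDX in the user-space register dump, 0xda, is the count argument of this read() call). The buffer address EXAMPLE_KBUF, the IBUF_SIZE value and the device-reported lengths are constructed for the demo; the wrap condition itself is the one used by mm/usercopy.c in v5.4.

```c
/* Added example, not code from the syzbot report or from rio500.c:
 * a user-space model of the CONFIG_HARDENED_USERCOPY "wrapped address"
 * check and of the length bound a driver read path needs before
 * copy_to_user().  Addresses and sizes below are constructed for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size quoted in the report.  As hex it is 0xffff8881ca0c3400. */
#define REPORTED_SIZE 18446612689754797056ULL

/* A constructed stand-in for a kernel direct-map buffer address (the
 * x86-64 direct map starts at 0xffff888000000000); not taken from the dump. */
#define EXAMPLE_KBUF 0xffff888100000000ULL

/* Same condition as check_bogus_address() in mm/usercopy.c (v5.4):
 * reject if the object [ptr, ptr + n) wraps past the end of memory. */
static bool usercopy_wraps(uint64_t ptr, uint64_t n)
{
    return ptr + (n - 1) < ptr;
}

/* What the hardened check decides for copy_to_user(ubuf, kbuf, n):
 * 0 when the copy gets past check_bogus_address(), -1 when
 * usercopy_abort("wrapped address") would fire (a kernel BUG). */
int model_check_object_size(uint64_t kbuf, uint64_t n)
{
    if (n == 0)
        return 0;          /* __check_object_size() skips zero-length copies */
    return usercopy_wraps(kbuf, n) ? -1 : 0;
}

/* Driver-side caveat: a transfer length reported by a device (or by a USB
 * gadget posing as one) is untrusted input.  Bound it by the kernel buffer
 * and by the caller's count before it becomes the third copy_to_user() arg. */
#define IBUF_SIZE 0x1000   /* assumed kernel buffer size for this model */

/* Bytes that may be copied, or -1 if the device reported more than was
 * asked for (treat as an I/O error rather than trusting it). */
long bounded_copy_len(size_t user_count, size_t device_reported)
{
    size_t this_read = user_count < IBUF_SIZE ? user_count : IBUF_SIZE;
    if (device_reported > this_read)
        return -1;
    return (long)device_reported;
}

/* Simulated read path: bound the length, run the usercopy model, then copy.
 * Returns bytes copied, -1 for a bad device length, -2 if the copy would
 * have tripped the hardened usercopy check. */
long model_read(char *dst, size_t user_count, const char *ibuf, size_t device_reported)
{
    long n = bounded_copy_len(user_count, device_reported);
    if (n < 0)
        return -1;
    if (model_check_object_size((uint64_t)(uintptr_t)ibuf, (uint64_t)n) < 0)
        return -2;
    memcpy(dst, ibuf, (size_t)n);
    return n;
}

int main(void)
{
    char ibuf[IBUF_SIZE] = "constructed device payload";
    char out[IBUF_SIZE] = {0};

    /* The reported size against a direct-map pointer: wraps, BUG fires. */
    printf("reported size, kernel buffer: %d\n",
           model_check_object_size(EXAMPLE_KBUF, REPORTED_SIZE));
    /* The 0xda-byte count the user passed to read(): fine. */
    printf("0xda bytes, kernel buffer:    %d\n",
           model_check_object_size(EXAMPLE_KBUF, 0xda));
    /* A bounded read copies what the device returned... */
    printf("bounded read:                 %ld\n",
           model_read(out, 0xda, ibuf, strlen(ibuf)));
    /* ...and refuses a device that claims more than was requested. */
    printf("oversized device length:      %ld\n",
           model_read(out, 0xda, ibuf, 0x2000));
    return 0;
}
```

The wrap check only catches lengths so large that the object runs off the end of the address space; a length that is merely larger than the kernel buffer but still below that threshold gets past check_bogus_address() and is left to the heap, stack and text checks further down __check_object_size(). That is why the bound in bounded_copy_len() belongs in the driver and not in the usercopy hardening, which is a last line of defence.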