* WARNING in hso_free_net_device
@ 2019-09-03 12:08 syzbot
2019-09-04 20:27 ` Hui Peng
0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2019-09-03 12:08 UTC (permalink / raw)
To: alexios.zavras, andreyknvl, benquike, davem, gregkh,
linux-kernel, linux-usb, mathias.payer, netdev, rfontana,
syzkaller-bugs, tglx
Hello,
syzbot found the following crash on:
HEAD commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=15f17e61600000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10ffdd12600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15a738fe600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
usb 1-1: config 0 has no interface number 0
usb 1-1: New USB device found, idVendor=0af0, idProduct=d257,
bcdDevice=4e.87
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
hso 1-1:0.15: Can't find BULK IN endpoint
------------[ cut here ]------------
WARNING: CPU: 1 PID: 83 at net/core/dev.c:8167
rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Code: ff e8 c7 26 90 fc 48 c7 c7 40 ec 63 86 e8 24 c8 7a fc 0f 0b e9 93 be
ff ff e8 af 26 90 fc 48 c7 c7 40 ec 63 86 e8 0c c8 7a fc <0f> 0b 4c 89 e7
e8 f9 12 34 fd 31 ff 41 89 c4 89 c6 e8 bd 27 90 fc
RSP: 0018:ffff8881d934f088 EFLAGS: 00010282
RAX: 0000000000000024 RBX: ffff8881d2ad4400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288cfd RDI: ffffed103b269e03
RBP: ffff8881d934f1b8 R08: 0000000000000024 R09: fffffbfff11ad794
R10: fffffbfff11ad793 R11: ffffffff88d6bc9f R12: ffff8881d2ad4470
R13: ffff8881d934f148 R14: dffffc0000000000 R15: 0000000000000000
rollback_registered+0xf2/0x1c0 net/core/dev.c:8243
unregister_netdevice_queue net/core/dev.c:9290 [inline]
unregister_netdevice_queue+0x1d7/0x2b0 net/core/dev.c:9283
unregister_netdevice include/linux/netdevice.h:2631 [inline]
unregister_netdev+0x18/0x20 net/core/dev.c:9331
hso_free_net_device+0xff/0x300 drivers/net/usb/hso.c:2366
hso_create_net_device+0x76d/0x9c0 drivers/net/usb/hso.c:2554
hso_probe+0x28d/0x1a46 drivers/net/usb/hso.c:2931
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: WARNING in hso_free_net_device
2019-09-03 12:08 WARNING in hso_free_net_device syzbot
@ 2019-09-04 20:27 ` Hui Peng
2019-09-04 22:41 ` Stephen Hemminger
0 siblings, 1 reply; 11+ messages in thread
From: Hui Peng @ 2019-09-04 20:27 UTC (permalink / raw)
To: syzbot+44d53c7255bb1aea22d2, alexios.zavras, andreyknvl, davem,
gregkh, linux-kernel, linux-usb, mathias.payer, netdev, rfontana,
syzkaller-bugs, tglx
Hi, all:
I looked at the bug a little.
The issue is that in the error handling code, hso_free_net_device
unregisters
the net_device (hso_net->net) by calling unregister_netdev. In the
error handling code path,
hso_net->net has not been registered yet.
I think there are two ways to solve the issue:
1. fix it in drivers/net/usb/hso.c to avoiding unregistering the
net_device when it is still not registered
2. fix it in unregister_netdev. We can add a field in net_device to
record whether it is registered, and make unregister_netdev return if
the net_device is not registered yet.
What do you guys think ?
On 9/3/19 8:08 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=15f17e61600000
> kernel config:
> https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:
> https://syzkaller.appspot.com/x/repro.syz?x=10ffdd12600000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15a738fe600000
>
> IMPORTANT: if you fix the bug, please add the following tag to the
> commit:
> Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
>
> usb 1-1: config 0 has no interface number 0
> usb 1-1: New USB device found, idVendor=0af0, idProduct=d257,
> bcdDevice=4e.87
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 1-1: config 0 descriptor??
> hso 1-1:0.15: Can't find BULK IN endpoint
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 83 at net/core/dev.c:8167
> rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0-rc5+ #28
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xca/0x13e lib/dump_stack.c:113
> panic+0x2a3/0x6da kernel/panic.c:219
> __warn.cold+0x20/0x4a kernel/panic.c:576
> report_bug+0x262/0x2a0 lib/bug.c:186
> fixup_bug arch/x86/kernel/traps.c:179 [inline]
> fixup_bug arch/x86/kernel/traps.c:174 [inline]
> do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
> do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
> invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
> RIP: 0010:rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
> Code: ff e8 c7 26 90 fc 48 c7 c7 40 ec 63 86 e8 24 c8 7a fc 0f 0b e9
> 93 be ff ff e8 af 26 90 fc 48 c7 c7 40 ec 63 86 e8 0c c8 7a fc <0f> 0b
> 4c 89 e7 e8 f9 12 34 fd 31 ff 41 89 c4 89 c6 e8 bd 27 90 fc
> RSP: 0018:ffff8881d934f088 EFLAGS: 00010282
> RAX: 0000000000000024 RBX: ffff8881d2ad4400 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff81288cfd RDI: ffffed103b269e03
> RBP: ffff8881d934f1b8 R08: 0000000000000024 R09: fffffbfff11ad794
> R10: fffffbfff11ad793 R11: ffffffff88d6bc9f R12: ffff8881d2ad4470
> R13: ffff8881d934f148 R14: dffffc0000000000 R15: 0000000000000000
> rollback_registered+0xf2/0x1c0 net/core/dev.c:8243
> unregister_netdevice_queue net/core/dev.c:9290 [inline]
> unregister_netdevice_queue+0x1d7/0x2b0 net/core/dev.c:9283
> unregister_netdevice include/linux/netdevice.h:2631 [inline]
> unregister_netdev+0x18/0x20 net/core/dev.c:9331
> hso_free_net_device+0xff/0x300 drivers/net/usb/hso.c:2366
> hso_create_net_device+0x76d/0x9c0 drivers/net/usb/hso.c:2554
> hso_probe+0x28d/0x1a46 drivers/net/usb/hso.c:2931
> usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> really_probe+0x281/0x6d0 drivers/base/dd.c:548
> driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
> __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
> bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
> __device_attach+0x217/0x360 drivers/base/dd.c:894
> bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> device_add+0xae6/0x16f0 drivers/base/core.c:2165
> usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> really_probe+0x281/0x6d0 drivers/base/dd.c:548
> driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
> __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
> bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
> __device_attach+0x217/0x360 drivers/base/dd.c:894
> bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> device_add+0xae6/0x16f0 drivers/base/core.c:2165
> usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> port_event drivers/usb/core/hub.c:5359 [inline]
> hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> kthread+0x318/0x420 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: WARNING in hso_free_net_device
2019-09-04 20:27 ` Hui Peng
@ 2019-09-04 22:41 ` Stephen Hemminger
2019-09-05 2:20 ` Hui Peng
0 siblings, 1 reply; 11+ messages in thread
From: Stephen Hemminger @ 2019-09-04 22:41 UTC (permalink / raw)
To: Hui Peng
Cc: syzbot+44d53c7255bb1aea22d2, alexios.zavras, andreyknvl, davem,
gregkh, linux-kernel, linux-usb, mathias.payer, netdev, rfontana,
syzkaller-bugs, tglx
On Wed, 4 Sep 2019 16:27:50 -0400
Hui Peng <benquike@gmail.com> wrote:
> Hi, all:
>
> I looked at the bug a little.
>
> The issue is that in the error handling code, hso_free_net_device
> unregisters
>
> the net_device (hso_net->net) by calling unregister_netdev. In the
> error handling code path,
>
> hso_net->net has not been registered yet.
>
> I think there are two ways to solve the issue:
>
> 1. fix it in drivers/net/usb/hso.c to avoiding unregistering the
> net_device when it is still not registered
>
> 2. fix it in unregister_netdev. We can add a field in net_device to
> record whether it is registered, and make unregister_netdev return if
> the net_device is not registered yet.
>
> What do you guys think ?
#1
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: WARNING in hso_free_net_device
2019-09-04 22:41 ` Stephen Hemminger
@ 2019-09-05 2:20 ` Hui Peng
2019-09-05 11:24 ` Andrey Konovalov
0 siblings, 1 reply; 11+ messages in thread
From: Hui Peng @ 2019-09-05 2:20 UTC (permalink / raw)
To: Stephen Hemminger
Cc: syzbot+44d53c7255bb1aea22d2, alexios.zavras, andreyknvl, davem,
gregkh, linux-kernel, linux-usb, mathias.payer, netdev, rfontana,
syzkaller-bugs, tglx
[-- Attachment #1: Type: text/plain, Size: 882 bytes --]
Can you guys have a look at the attached patch?
On 9/4/19 6:41 PM, Stephen Hemminger wrote:
> On Wed, 4 Sep 2019 16:27:50 -0400
> Hui Peng <benquike@gmail.com> wrote:
>
>> Hi, all:
>>
>> I looked at the bug a little.
>>
>> The issue is that in the error handling code, hso_free_net_device
>> unregisters
>>
>> the net_device (hso_net->net) by calling unregister_netdev. In the
>> error handling code path,
>>
>> hso_net->net has not been registered yet.
>>
>> I think there are two ways to solve the issue:
>>
>> 1. fix it in drivers/net/usb/hso.c to avoiding unregistering the
>> net_device when it is still not registered
>>
>> 2. fix it in unregister_netdev. We can add a field in net_device to
>> record whether it is registered, and make unregister_netdev return if
>> the net_device is not registered yet.
>>
>> What do you guys think ?
> #1
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Fix-a-wrong-unregistering-bug-in-hso_free_net_device.patch --]
[-- Type: text/x-patch; name="0001-Fix-a-wrong-unregistering-bug-in-hso_free_net_device.patch", Size: 2399 bytes --]
From f3fdee8fc03aa2bc982f22da1d29bbf6bca72935 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Wed, 4 Sep 2019 21:38:35 -0400
Subject: [PATCH] Fix a wrong unregistering bug in hso_free_net_device
As shown below, hso_create_net_device may call hso_free_net_device
before the net_device is registered. hso_free_net_device will
unregister the network device no matter it is registered or not,
unregister_netdev is not able to handle unregistered net_device,
resulting in the bug reported by the syzbot.
```
static struct hso_device *hso_create_net_device(struct usb_interface *interface,
int port_spec)
{
......
net = alloc_netdev(sizeof(struct hso_net), "hso%d", NET_NAME_UNKNOWN,
hso_net_init);
......
if (!hso_net->out_endp) {
dev_err(&interface->dev, "Can't find BULK OUT endpoint\n");
goto exit;
}
......
result = register_netdev(net);
......
exit:
hso_free_net_device(hso_dev);
return NULL;
}
static void hso_free_net_device(struct hso_device *hso_dev)
{
......
if (hso_net->net)
unregister_netdev(hso_net->net);
......
}
```
This patch adds a net_registered field in struct hso_net to record whether
the containing net_device is registered or not, and avoid unregistering it
if it is not registered yet.
Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
Signed-off-by: Hui Peng <benquike@gmail.com>
---
drivers/net/usb/hso.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index ce78714..5b3df33 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -128,6 +128,7 @@ struct hso_shared_int {
struct hso_net {
struct hso_device *parent;
struct net_device *net;
+ bool net_registered;
struct rfkill *rfkill;
char name[24];
@@ -2362,7 +2363,7 @@ static void hso_free_net_device(struct hso_device *hso_dev)
remove_net_device(hso_net->parent);
- if (hso_net->net)
+ if (hso_net->net && hso_net->net_registered)
unregister_netdev(hso_net->net);
/* start freeing */
@@ -2544,6 +2545,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
dev_err(&interface->dev, "Failed to register device\n");
goto exit;
}
+ hso_net->net_registered = true;
hso_log_port(hso_dev);
--
2.7.4
[-- Attachment #3: pEpkey.asc --]
[-- Type: application/pgp-keys, Size: 2489 bytes --]
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: WARNING in hso_free_net_device
2019-09-05 2:20 ` Hui Peng
@ 2019-09-05 11:24 ` Andrey Konovalov
2019-09-05 11:47 ` syzbot
2019-09-06 2:05 ` Hui Peng
0 siblings, 2 replies; 11+ messages in thread
From: Andrey Konovalov @ 2019-09-05 11:24 UTC (permalink / raw)
To: Hui Peng
Cc: Stephen Hemminger, syzbot+44d53c7255bb1aea22d2, alexios.zavras,
David S. Miller, Greg Kroah-Hartman, LKML, USB list,
Mathias Payer, netdev, rfontana, syzkaller-bugs, Thomas Gleixner,
Oliver Neukum
[-- Attachment #1: Type: text/plain, Size: 1328 bytes --]
On Thu, Sep 5, 2019 at 4:20 AM Hui Peng <benquike@gmail.com> wrote:
>
> Can you guys have a look at the attached patch?
Let's try it:
#syz test: https://github.com/google/kasan.git eea39f24
FYI: there are two more reports coming from this driver, which might
(or might not) have the same root cause. One of them has a suggested
fix by Oliver.
https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
>
> On 9/4/19 6:41 PM, Stephen Hemminger wrote:
> > On Wed, 4 Sep 2019 16:27:50 -0400
> > Hui Peng <benquike@gmail.com> wrote:
> >
> >> Hi, all:
> >>
> >> I looked at the bug a little.
> >>
> >> The issue is that in the error handling code, hso_free_net_device
> >> unregisters
> >>
> >> the net_device (hso_net->net) by calling unregister_netdev. In the
> >> error handling code path,
> >>
> >> hso_net->net has not been registered yet.
> >>
> >> I think there are two ways to solve the issue:
> >>
> >> 1. fix it in drivers/net/usb/hso.c to avoiding unregistering the
> >> net_device when it is still not registered
> >>
> >> 2. fix it in unregister_netdev. We can add a field in net_device to
> >> record whether it is registered, and make unregister_netdev return if
> >> the net_device is not registered yet.
> >>
> >> What do you guys think ?
> > #1
[-- Attachment #2: 0001-Fix-a-wrong-unregistering-bug-in-hso_free_net_device.patch --]
[-- Type: text/x-patch, Size: 2399 bytes --]
From f3fdee8fc03aa2bc982f22da1d29bbf6bca72935 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Wed, 4 Sep 2019 21:38:35 -0400
Subject: [PATCH] Fix a wrong unregistering bug in hso_free_net_device
As shown below, hso_create_net_device may call hso_free_net_device
before the net_device is registered. hso_free_net_device will
unregister the network device no matter it is registered or not,
unregister_netdev is not able to handle unregistered net_device,
resulting in the bug reported by the syzbot.
```
static struct hso_device *hso_create_net_device(struct usb_interface *interface,
int port_spec)
{
......
net = alloc_netdev(sizeof(struct hso_net), "hso%d", NET_NAME_UNKNOWN,
hso_net_init);
......
if (!hso_net->out_endp) {
dev_err(&interface->dev, "Can't find BULK OUT endpoint\n");
goto exit;
}
......
result = register_netdev(net);
......
exit:
hso_free_net_device(hso_dev);
return NULL;
}
static void hso_free_net_device(struct hso_device *hso_dev)
{
......
if (hso_net->net)
unregister_netdev(hso_net->net);
......
}
```
This patch adds a net_registered field in struct hso_net to record whether
the containing net_device is registered or not, and avoid unregistering it
if it is not registered yet.
Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
Signed-off-by: Hui Peng <benquike@gmail.com>
---
drivers/net/usb/hso.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index ce78714..5b3df33 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -128,6 +128,7 @@ struct hso_shared_int {
struct hso_net {
struct hso_device *parent;
struct net_device *net;
+ bool net_registered;
struct rfkill *rfkill;
char name[24];
@@ -2362,7 +2363,7 @@ static void hso_free_net_device(struct hso_device *hso_dev)
remove_net_device(hso_net->parent);
- if (hso_net->net)
+ if (hso_net->net && hso_net->net_registered)
unregister_netdev(hso_net->net);
/* start freeing */
@@ -2544,6 +2545,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
dev_err(&interface->dev, "Failed to register device\n");
goto exit;
}
+ hso_net->net_registered = true;
hso_log_port(hso_dev);
--
2.7.4
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: WARNING in hso_free_net_device
2019-09-05 11:24 ` Andrey Konovalov
@ 2019-09-05 11:47 ` syzbot
2019-09-06 2:05 ` Hui Peng
1 sibling, 0 replies; 11+ messages in thread
From: syzbot @ 2019-09-05 11:47 UTC (permalink / raw)
To: alexios.zavras, andreyknvl, benquike, davem, gregkh,
linux-kernel, linux-usb, mathias.payer, netdev, oneukum,
rfontana, stephen, syzkaller-bugs, tglx
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger
crash:
Reported-and-tested-by:
syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
Tested on:
commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1188fcc6600000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: WARNING in hso_free_net_device
2019-09-05 11:24 ` Andrey Konovalov
2019-09-05 11:47 ` syzbot
@ 2019-09-06 2:05 ` Hui Peng
2019-09-09 9:47 ` Oliver Neukum
1 sibling, 1 reply; 11+ messages in thread
From: Hui Peng @ 2019-09-06 2:05 UTC (permalink / raw)
To: Andrey Konovalov
Cc: Stephen Hemminger, syzbot+44d53c7255bb1aea22d2, alexios.zavras,
David S. Miller, Greg Kroah-Hartman, LKML, USB list,
Mathias Payer, netdev, rfontana, syzkaller-bugs, Thomas Gleixner,
Oliver Neukum
On 9/5/2019 7:24 AM, Andrey Konovalov wrote:
> On Thu, Sep 5, 2019 at 4:20 AM Hui Peng <benquike@gmail.com> wrote:
>>
>> Can you guys have a look at the attached patch?
>
> Let's try it:
>
> #syz test: https://github.com/google/kasan.git eea39f24
>
> FYI: there are two more reports coming from this driver, which might
> (or might not) have the same root cause. One of them has a suggested
> fix by Oliver.
>
> https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
> https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
>
I think they are different, though similar.
This one is resulted from unregistering a network device.
These 2 are resulted from unregistering a tty device.
>>
>> On 9/4/19 6:41 PM, Stephen Hemminger wrote:
>>> On Wed, 4 Sep 2019 16:27:50 -0400
>>> Hui Peng <benquike@gmail.com> wrote:
>>>
>>>> Hi, all:
>>>>
>>>> I looked at the bug a little.
>>>>
>>>> The issue is that in the error handling code, hso_free_net_device
>>>> unregisters
>>>>
>>>> the net_device (hso_net->net) by calling unregister_netdev. In the
>>>> error handling code path,
>>>>
>>>> hso_net->net has not been registered yet.
>>>>
>>>> I think there are two ways to solve the issue:
>>>>
>>>> 1. fix it in drivers/net/usb/hso.c to avoiding unregistering the
>>>> net_device when it is still not registered
>>>>
>>>> 2. fix it in unregister_netdev. We can add a field in net_device to
>>>> record whether it is registered, and make unregister_netdev return if
>>>> the net_device is not registered yet.
>>>>
>>>> What do you guys think ?
>>> #1
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: WARNING in hso_free_net_device
2019-09-06 2:05 ` Hui Peng
@ 2019-09-09 9:47 ` Oliver Neukum
0 siblings, 0 replies; 11+ messages in thread
From: Oliver Neukum @ 2019-09-09 9:47 UTC (permalink / raw)
To: Hui Peng, Andrey Konovalov
Cc: David S. Miller, syzkaller-bugs, alexios.zavras, Thomas Gleixner,
Greg Kroah-Hartman, Mathias Payer, Stephen Hemminger, rfontana,
syzbot+44d53c7255bb1aea22d2, LKML, USB list, netdev
Am Donnerstag, den 05.09.2019, 22:05 -0400 schrieb Hui Peng:
>
> On 9/5/2019 7:24 AM, Andrey Konovalov wrote:
> > On Thu, Sep 5, 2019 at 4:20 AM Hui Peng <benquike@gmail.com> wrote:
> > >
> > > Can you guys have a look at the attached patch?
> >
> > Let's try it:
> >
> > #syz test: https://github.com/google/kasan.git eea39f24
> >
> > FYI: there are two more reports coming from this driver, which might
> > (or might not) have the same root cause. One of them has a suggested
> > fix by Oliver.
> >
> > https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
> > https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
> >
>
> I think they are different, though similar.
> This one is resulted from unregistering a network device.
> These 2 are resulted from unregistering a tty device.
Hi,
looks like it. That may indeed be the issue.
Please try to have syzbot test your patch and we will
know more.
Regards
Oliver
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: WARNING in hso_free_net_device
@ 2019-11-19 15:16 Oliver Neukum
2019-11-20 23:37 ` syzbot
0 siblings, 1 reply; 11+ messages in thread
From: Oliver Neukum @ 2019-11-19 15:16 UTC (permalink / raw)
To: syzbot+44d53c7255bb1aea22d2; +Cc: Andrey Konovalov, linux-usb
#syz test: https://github.com/google/kasan.git eea39f24
From 9293e8ccebbe11e9f04f7ed88a0029e52d2aa617 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 19 Nov 2019 16:11:31 +0100
Subject: [PATCH] hso: fix bailout in error case of probe
If resources need to be freed after an error in probe, the
netdev must not be freed because it has never been registered.
The network layer dislikes that.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/hso.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index dfb8dbbc8015..1b767c1c1411 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2351,7 +2351,7 @@ static int remove_net_device(struct hso_device *hso_dev)
}
/* Frees our network device */
-static void hso_free_net_device(struct hso_device *hso_dev)
+static void hso_free_net_device(struct hso_device *hso_dev, bool bailout)
{
int i;
struct hso_net *hso_net = dev2net(hso_dev);
@@ -2374,7 +2374,7 @@ static void hso_free_net_device(struct hso_device *hso_dev)
kfree(hso_net->mux_bulk_tx_buf);
hso_net->mux_bulk_tx_buf = NULL;
- if (hso_net->net)
+ if (hso_net->net && !bailout)
free_netdev(hso_net->net);
kfree(hso_dev);
@@ -2549,7 +2549,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
return hso_dev;
exit:
- hso_free_net_device(hso_dev);
+ hso_free_net_device(hso_dev, true);
return NULL;
}
@@ -3126,7 +3126,7 @@ static void hso_free_interface(struct usb_interface *interface)
rfkill_unregister(rfk);
rfkill_destroy(rfk);
}
- hso_free_net_device(network_table[i]);
+ hso_free_net_device(network_table[i], false);
}
}
}
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: WARNING in hso_free_net_device
2019-11-19 15:16 Oliver Neukum
@ 2019-11-20 23:37 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2019-11-20 23:37 UTC (permalink / raw)
To: andreyknvl, linux-usb, oneukum, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in hso_free_net_device
hso 6-1:0.15: Can't find BULK IN endpoint
------------[ cut here ]------------
WARNING: CPU: 1 PID: 83 at net/core/dev.c:8167
rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Code: ff e8 c7 26 90 fc 48 c7 c7 40 ec 63 86 e8 24 c8 7a fc 0f 0b e9 93 be
ff ff e8 af 26 90 fc 48 c7 c7 40 ec 63 86 e8 0c c8 7a fc <0f> 0b 4c 89 e7
e8 f9 12 34 fd 31 ff 41 89 c4 89 c6 e8 bd 27 90 fc
RSP: 0018:ffff8881d938f080 EFLAGS: 00010286
RAX: 0000000000000024 RBX: ffff8881d5ef8000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288cfd RDI: ffffed103b271e02
RBP: ffff8881d938f1b0 R08: 0000000000000024 R09: fffffbfff11ad794
R10: fffffbfff11ad793 R11: ffffffff88d6bc9f R12: ffff8881d5ef8070
R13: ffff8881d938f140 R14: dffffc0000000000 R15: 0000000000000000
rollback_registered+0xf2/0x1c0 net/core/dev.c:8243
unregister_netdevice_queue net/core/dev.c:9290 [inline]
unregister_netdevice_queue+0x1d7/0x2b0 net/core/dev.c:9283
unregister_netdevice include/linux/netdevice.h:2631 [inline]
unregister_netdev+0x18/0x20 net/core/dev.c:9331
hso_free_net_device+0x100/0x310 drivers/net/usb/hso.c:2366
hso_create_net_device+0x772/0x9c0 drivers/net/usb/hso.c:2554
hso_probe+0x28d/0x1a46 drivers/net/usb/hso.c:2931
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..
Tested on:
commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16dea1cee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11bc631ce00000
^ permalink raw reply [flat|nested] 11+ messages in thread
[parent not found: <1574176549.28617.24.camel@neukum.org>]
* Re: WARNING in hso_free_net_device
[not found] <1574176549.28617.24.camel@neukum.org>
@ 2019-11-20 23:27 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2019-11-20 23:27 UTC (permalink / raw)
To: andreyknvl, linux-usb, oliver, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in hso_free_net_device
hso 1-1:0.15: Can't find BULK IN endpoint
------------[ cut here ]------------
WARNING: CPU: 1 PID: 21 at net/core/dev.c:8167
rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.3.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Code: ff e8 c7 26 90 fc 48 c7 c7 40 ec 63 86 e8 24 c8 7a fc 0f 0b e9 93 be
ff ff e8 af 26 90 fc 48 c7 c7 40 ec 63 86 e8 0c c8 7a fc <0f> 0b 4c 89 e7
e8 f9 12 34 fd 31 ff 41 89 c4 89 c6 e8 bd 27 90 fc
RSP: 0018:ffff8881da2f7080 EFLAGS: 00010286
RAX: 0000000000000024 RBX: ffff8881d5c21100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288cfd RDI: ffffed103b45ee02
RBP: ffff8881da2f71b0 R08: 0000000000000024 R09: fffffbfff11ad794
R10: fffffbfff11ad793 R11: ffffffff88d6bc9f R12: ffff8881d5c21170
R13: ffff8881da2f7140 R14: dffffc0000000000 R15: 0000000000000000
rollback_registered+0xf2/0x1c0 net/core/dev.c:8243
unregister_netdevice_queue net/core/dev.c:9290 [inline]
unregister_netdevice_queue+0x1d7/0x2b0 net/core/dev.c:9283
unregister_netdevice include/linux/netdevice.h:2631 [inline]
unregister_netdev+0x18/0x20 net/core/dev.c:9331
hso_free_net_device+0x100/0x310 drivers/net/usb/hso.c:2366
hso_create_net_device+0x772/0x9c0 drivers/net/usb/hso.c:2554
hso_probe+0x28d/0x1a46 drivers/net/usb/hso.c:2931
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..
Tested on:
commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16da8926e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12b3d3bae00000
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-11-20 23:37 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-03 12:08 WARNING in hso_free_net_device syzbot
2019-09-04 20:27 ` Hui Peng
2019-09-04 22:41 ` Stephen Hemminger
2019-09-05 2:20 ` Hui Peng
2019-09-05 11:24 ` Andrey Konovalov
2019-09-05 11:47 ` syzbot
2019-09-06 2:05 ` Hui Peng
2019-09-09 9:47 ` Oliver Neukum
2019-11-19 15:16 Oliver Neukum
2019-11-20 23:37 ` syzbot
[not found] <1574176549.28617.24.camel@neukum.org>
2019-11-20 23:27 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).