Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
* WARNING in usbhid_raw_request/usb_submit_urb
@ 2019-07-29 11:48 syzbot
  2019-07-30 14:10 ` Alan Stern
  2019-07-30 16:58 ` syzbot
  0 siblings, 2 replies; 14+ messages in thread
From: syzbot @ 2019-07-29 11:48 UTC (permalink / raw)
  To: andreyknvl, gregkh, gustavo, linux-kernel, linux-usb, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    6a3599ce usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=12386cb4600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 3730 at drivers/usb/core/urb.c:477  
usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 3730 Comm: syz-executor.1 Not tainted 5.2.0-rc6+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  panic+0x292/0x6c9 kernel/panic.c:219
  __warn.cold+0x20/0x4b kernel/panic.c:576
  report_bug+0x262/0x2a0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:179 [inline]
  fixup_bug arch/x86/kernel/traps.c:174 [inline]
  do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:986
RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
Code: 4d 85 ed 74 2c e8 f8 d3 f4 fd 4c 89 f7 e8 a0 51 1c ff 41 89 d8 44 89  
e1 4c 89 ea 48 89 c6 48 c7 c7 00 0e f7 85 e8 83 98 ca fd <0f> 0b e9 20 f4  
ff ff e8 cc d3 f4 fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881d4f479d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000005dfa RSI: ffffffff8127ef3d RDI: ffffed103a9e8f2c
RBP: 0000000000000000 R08: ffff8881af663000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: ffff8881d462ed38 R14: ffff8881d18f9a20 R15: ffff8881d80e1c00
  usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
  usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
  usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
  usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
  usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
  hid_hw_raw_request include/linux/hid.h:1079 [inline]
  hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
  hidraw_ioctl+0x5b4/0xaf0 drivers/hid/hidraw.c:421
  vfs_ioctl fs/ioctl.c:46 [inline]
  file_ioctl fs/ioctl.c:509 [inline]
  do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:696
  ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
  __do_sys_ioctl fs/ioctl.c:720 [inline]
  __se_sys_ioctl fs/ioctl.c:718 [inline]
  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
  do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe142c43c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
RDX: 0000000020000000 RSI: 00000000c0404806 RDI: 0000000000000004
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe142c446d4
R13: 00000000004c22ab R14: 00000000004d5630 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-07-29 11:48 WARNING in usbhid_raw_request/usb_submit_urb syzbot
@ 2019-07-30 14:10 ` Alan Stern
  2019-07-30 14:12   ` Andrey Konovalov
  2019-07-30 16:58 ` syzbot
  1 sibling, 1 reply; 14+ messages in thread
From: Alan Stern @ 2019-07-30 14:10 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, gregkh, gustavo, Kernel development list, USB list,
	syzkaller-bugs

On Mon, 29 Jul 2019, syzbot wrote:

> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12386cb4600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> 
> Unfortunately, I don't have any reproducer for this crash yet.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> WARNING: CPU: 0 PID: 3730 at drivers/usb/core/urb.c:477  
> usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 3730 Comm: syz-executor.1 Not tainted 5.2.0-rc6+ #15
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x292/0x6c9 kernel/panic.c:219
>   __warn.cold+0x20/0x4b kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:986
> RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Code: 4d 85 ed 74 2c e8 f8 d3 f4 fd 4c 89 f7 e8 a0 51 1c ff 41 89 d8 44 89  
> e1 4c 89 ea 48 89 c6 48 c7 c7 00 0e f7 85 e8 83 98 ca fd <0f> 0b e9 20 f4  
> ff ff e8 cc d3 f4 fd 4c 89 f2 48 b8 00 00 00 00 00
> RSP: 0018:ffff8881d4f479d0 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
> RDX: 0000000000005dfa RSI: ffffffff8127ef3d RDI: ffffed103a9e8f2c
> RBP: 0000000000000000 R08: ffff8881af663000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
> R13: ffff8881d462ed38 R14: ffff8881d18f9a20 R15: ffff8881d80e1c00
>   usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
>   usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
>   usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
>   usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
>   usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
>   hid_hw_raw_request include/linux/hid.h:1079 [inline]
>   hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
>   hidraw_ioctl+0x5b4/0xaf0 drivers/hid/hidraw.c:421
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe

This is very strange.  It looks like the kernel is complaining that 2
!= 2.

A more likely explanation is a race in the usbhid driver.  If
usbhid_set_raw_report() gets called _after_ usbhid has been unbound
from the device and while the endpoint is being destroyed, we could get
something like this.

Perhaps one of Oliver's patches will also fix this.

Alan Stern


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-07-30 14:10 ` Alan Stern
@ 2019-07-30 14:12   ` Andrey Konovalov
  2019-07-30 14:24     ` Oliver Neukum
  0 siblings, 1 reply; 14+ messages in thread
From: Andrey Konovalov @ 2019-07-30 14:12 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, Greg Kroah-Hartman, Gustavo A. R. Silva,
	Kernel development list, USB list, syzkaller-bugs

On Tue, Jul 30, 2019 at 4:10 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, 29 Jul 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12386cb4600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> > WARNING: CPU: 0 PID: 3730 at drivers/usb/core/urb.c:477
> > usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 0 PID: 3730 Comm: syz-executor.1 Not tainted 5.2.0-rc6+ #15
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   panic+0x292/0x6c9 kernel/panic.c:219
> >   __warn.cold+0x20/0x4b kernel/panic.c:576
> >   report_bug+0x262/0x2a0 lib/bug.c:186
> >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
> >   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
> >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:986
> > RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> > Code: 4d 85 ed 74 2c e8 f8 d3 f4 fd 4c 89 f7 e8 a0 51 1c ff 41 89 d8 44 89
> > e1 4c 89 ea 48 89 c6 48 c7 c7 00 0e f7 85 e8 83 98 ca fd <0f> 0b e9 20 f4
> > ff ff e8 cc d3 f4 fd 4c 89 f2 48 b8 00 00 00 00 00
> > RSP: 0018:ffff8881d4f479d0 EFLAGS: 00010282
> > RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
> > RDX: 0000000000005dfa RSI: ffffffff8127ef3d RDI: ffffed103a9e8f2c
> > RBP: 0000000000000000 R08: ffff8881af663000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
> > R13: ffff8881d462ed38 R14: ffff8881d18f9a20 R15: ffff8881d80e1c00
> >   usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
> >   usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
> >   usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
> >   usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
> >   usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
> >   hid_hw_raw_request include/linux/hid.h:1079 [inline]
> >   hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
> >   hidraw_ioctl+0x5b4/0xaf0 drivers/hid/hidraw.c:421
> >   vfs_ioctl fs/ioctl.c:46 [inline]
> >   file_ioctl fs/ioctl.c:509 [inline]
> >   do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:696
> >   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
> >   __do_sys_ioctl fs/ioctl.c:720 [inline]
> >   __se_sys_ioctl fs/ioctl.c:718 [inline]
> >   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
> >   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> This is very strange.  It looks like the kernel is complaining that 2
> != 2.
>
> A more likely explanation is a race in the usbhid driver.  If
> usbhid_set_raw_report() gets called _after_ usbhid has been unbound
> from the device and while the endpoint is being destroyed, we could get
> something like this.
>
> Perhaps one of Oliver's patches will also fix this.

Since there's no reproducer this is quite likely some kind of race. We
can close this bug once Oliver's patches are applied, and if it gets
triggered again syzbot will rereport it.

>
> Alan Stern
>

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-07-30 14:12   ` Andrey Konovalov
@ 2019-07-30 14:24     ` Oliver Neukum
  0 siblings, 0 replies; 14+ messages in thread
From: Oliver Neukum @ 2019-07-30 14:24 UTC (permalink / raw)
  To: Andrey Konovalov, Alan Stern
  Cc: Gustavo A. R. Silva, syzkaller-bugs, Greg Kroah-Hartman, syzbot,
	Kernel development list, USB list

Am Dienstag, den 30.07.2019, 16:12 +0200 schrieb Andrey Konovalov:
> On Tue, Jul 30, 2019 at 4:10 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > 
> > On Mon, 29 Jul 2019, syzbot wrote:
> > 
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12386cb4600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > 
> > > Unfortunately, I don't have any reproducer for this crash yet.
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com
> > > 
> > > ------------[ cut here ]------------
> > > usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> > > WARNING: CPU: 0 PID: 3730 at drivers/usb/core/urb.c:477
> > > usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> > > Kernel panic - not syncing: panic_on_warn set ...
> > > CPU: 0 PID: 3730 Comm: syz-executor.1 Not tainted 5.2.0-rc6+ #15
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > >   __dump_stack lib/dump_stack.c:77 [inline]
> > >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> > >   panic+0x292/0x6c9 kernel/panic.c:219
> > >   __warn.cold+0x20/0x4b kernel/panic.c:576
> > >   report_bug+0x262/0x2a0 lib/bug.c:186
> > >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> > >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> > >   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
> > >   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
> > >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:986
> > > RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> > > Code: 4d 85 ed 74 2c e8 f8 d3 f4 fd 4c 89 f7 e8 a0 51 1c ff 41 89 d8 44 89
> > > e1 4c 89 ea 48 89 c6 48 c7 c7 00 0e f7 85 e8 83 98 ca fd <0f> 0b e9 20 f4
> > > ff ff e8 cc d3 f4 fd 4c 89 f2 48 b8 00 00 00 00 00
> > > RSP: 0018:ffff8881d4f479d0 EFLAGS: 00010282
> > > RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
> > > RDX: 0000000000005dfa RSI: ffffffff8127ef3d RDI: ffffed103a9e8f2c
> > > RBP: 0000000000000000 R08: ffff8881af663000 R09: 0000000000000000
> > > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
> > > R13: ffff8881d462ed38 R14: ffff8881d18f9a20 R15: ffff8881d80e1c00
> > >   usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
> > >   usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
> > >   usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
> > >   usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
> > >   usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
> > >   hid_hw_raw_request include/linux/hid.h:1079 [inline]
> > >   hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
> > >   hidraw_ioctl+0x5b4/0xaf0 drivers/hid/hidraw.c:421
> > >   vfs_ioctl fs/ioctl.c:46 [inline]
> > >   file_ioctl fs/ioctl.c:509 [inline]
> > >   do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:696
> > >   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
> > >   __do_sys_ioctl fs/ioctl.c:720 [inline]
> > >   __se_sys_ioctl fs/ioctl.c:718 [inline]
> > >   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
> > >   do_syscall_64+0xb7/0x560 arch/x86/entry/common.c:301
> > >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > 
> > This is very strange.  It looks like the kernel is complaining that 2
> > != 2.
> > 
> > A more likely explanation is a race in the usbhid driver.  If
> > usbhid_set_raw_report() gets called _after_ usbhid has been unbound
> > from the device and while the endpoint is being destroyed, we could get
> > something like this.
> > 
> > Perhaps one of Oliver's patches will also fix this.
> 
> Since there's no reproducer this is quite likely some kind of race. We
> can close this bug once Oliver's patches are applied, and if it gets
> triggered again syzbot will rereport it.

AFAICT my patch right now introduces another race. This will require
a fresh look.

	Regards
		Oliver


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-07-29 11:48 WARNING in usbhid_raw_request/usb_submit_urb syzbot
  2019-07-30 14:10 ` Alan Stern
@ 2019-07-30 16:58 ` syzbot
  2019-08-12 12:46   ` Andrey Konovalov
  1 sibling, 1 reply; 14+ messages in thread
From: syzbot @ 2019-07-30 16:58 UTC (permalink / raw)
  To: andreyknvl, gregkh, gustavo, linux-kernel, linux-usb, oneukum,
	stern, syzkaller-bugs

syzbot has found a reproducer for the following crash on:

HEAD commit:    7f7867ff usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10619cec600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10606c42600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 1 PID: 7429 at drivers/usb/core/urb.c:477  
usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7429 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  panic+0x2a3/0x6da kernel/panic.c:219
  __warn.cold+0x20/0x4a kernel/panic.c:576
  report_bug+0x262/0x2a0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:179 [inline]
  fixup_bug arch/x86/kernel/traps.c:174 [inline]
  do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
Code: 4d 85 ed 74 2c e8 38 e8 ed fd 4c 89 f7 e8 70 dc 1a ff 41 89 d8 44 89  
e1 4c 89 ea 48 89 c6 48 c7 c7 60 cc f8 85 e8 4d b9 c3 fd <0f> 0b e9 20 f4  
ff ff e8 0c e8 ed fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881cef0f9d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff812830fd RDI: ffffed1039de1f2c
RBP: 0000000000000000 R08: ffff8881c853e000 R09: fffffbfff115e1a2
R10: fffffbfff115e1a1 R11: ffffffff88af0d0f R12: 0000000000000002
R13: ffff8881d976b0a8 R14: ffff8881d0e02b20 R15: ffff8881d1720600
  usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
  usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
  usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
  usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
  usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
  hid_hw_raw_request include/linux/hid.h:1079 [inline]
  hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
  hidraw_ioctl+0x5b4/0xae0 drivers/hid/hidraw.c:421
  vfs_ioctl fs/ioctl.c:46 [inline]
  file_ioctl fs/ioctl.c:509 [inline]
  do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
  ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
  __do_sys_ioctl fs/ioctl.c:720 [inline]
  __se_sys_ioctl fs/ioctl.c:718 [inline]
  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459829
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6a91f44c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
RDX: 0000000020000240 RSI: 00000000c0404806 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6a91f456d4
R13: 00000000004c22c3 R14: 00000000004d5688 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-07-30 16:58 ` syzbot
@ 2019-08-12 12:46   ` Andrey Konovalov
  2019-08-12 13:03     ` syzbot
                       ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Andrey Konovalov @ 2019-08-12 12:46 UTC (permalink / raw)
  To: syzbot
  Cc: Greg Kroah-Hartman, Gustavo A. R. Silva, LKML, USB list,
	Oliver Neukum, Alan Stern, syzkaller-bugs, Hillf Danton

[-- Attachment #1: Type: text/plain, Size: 4091 bytes --]

On Tue, Jul 30, 2019 at 6:58 PM syzbot
<syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:    7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10619cec600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> dashboard link: https://syzkaller.appspot.com/bug?extid=a7a6b9c609b9457c62c6
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10606c42600000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com

Let's try Hillf's patch here as well:

#syz test: https://github.com/google/kasan.git 7f7867ff

>
> ------------[ cut here ]------------
> usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> WARNING: CPU: 1 PID: 7429 at drivers/usb/core/urb.c:477
> usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 7429 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #23
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   panic+0x2a3/0x6da kernel/panic.c:219
>   __warn.cold+0x20/0x4a kernel/panic.c:576
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
> RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> Code: 4d 85 ed 74 2c e8 38 e8 ed fd 4c 89 f7 e8 70 dc 1a ff 41 89 d8 44 89
> e1 4c 89 ea 48 89 c6 48 c7 c7 60 cc f8 85 e8 4d b9 c3 fd <0f> 0b e9 20 f4
> ff ff e8 0c e8 ed fd 4c 89 f2 48 b8 00 00 00 00 00
> RSP: 0018:ffff8881cef0f9d0 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff812830fd RDI: ffffed1039de1f2c
> RBP: 0000000000000000 R08: ffff8881c853e000 R09: fffffbfff115e1a2
> R10: fffffbfff115e1a1 R11: ffffffff88af0d0f R12: 0000000000000002
> R13: ffff8881d976b0a8 R14: ffff8881d0e02b20 R15: ffff8881d1720600
>   usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
>   usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
>   usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
>   usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
>   usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
>   hid_hw_raw_request include/linux/hid.h:1079 [inline]
>   hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
>   hidraw_ioctl+0x5b4/0xae0 drivers/hid/hidraw.c:421
>   vfs_ioctl fs/ioctl.c:46 [inline]
>   file_ioctl fs/ioctl.c:509 [inline]
>   do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
>   ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
>   __do_sys_ioctl fs/ioctl.c:720 [inline]
>   __se_sys_ioctl fs/ioctl.c:718 [inline]
>   __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459829
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f6a91f44c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
> RDX: 0000000020000240 RSI: 00000000c0404806 RDI: 0000000000000004
> RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6a91f456d4
> R13: 00000000004c22c3 R14: 00000000004d5688 R15: 00000000ffffffff
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>

[-- Attachment #2: hid-core.patch --]
[-- Type: text/x-patch, Size: 351 bytes --]

--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
 	spin_lock_irq(&usbhid->lock);	/* Sync with error and led handlers */
 	set_bit(HID_DISCONNECTED, &usbhid->iofl);
 	spin_unlock_irq(&usbhid->lock);
+	hid_hw_stop(hid);
 	hid_destroy_device(hid);
 	kfree(usbhid);
 }

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-08-12 12:46   ` Andrey Konovalov
@ 2019-08-12 13:03     ` syzbot
  2019-08-12 14:23       ` Andrey Konovalov
  2019-08-13 20:13       ` Alan Stern
       [not found]     ` <20190812144720.1980-1-hdanton@sina.com>
       [not found]     ` <20190813042649.888-1-hdanton@sina.com>
  2 siblings, 2 replies; 14+ messages in thread
From: syzbot @ 2019-08-12 13:03 UTC (permalink / raw)
  To: andreyknvl, gregkh, gustavo, hdanton, linux-kernel, linux-usb,
	oneukum, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
KASAN: invalid-free in hcd_buffer_free

usb 5-1: USB disconnect, device number 2
==================================================================
BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260  
drivers/usb/core/buffer.c:165

CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
  __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
  slab_free_hook mm/slub.c:1423 [inline]
  slab_free_freelist_hook mm/slub.c:1470 [inline]
  slab_free mm/slub.c:3012 [inline]
  kfree+0xe4/0x2f0 mm/slub.c:3953
  hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
  usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
  hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
  usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
  logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
  hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
  __device_release_driver drivers/base/dd.c:1118 [inline]
  device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
  bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
  device_del+0x420/0xb10 drivers/base/core.c:2288
  hid_remove_device drivers/hid/hid-core.c:2413 [inline]
  hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
  usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
  usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
  __device_release_driver drivers/base/dd.c:1120 [inline]
  device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
  bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
  device_del+0x420/0xb10 drivers/base/core.c:2288
  usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
  usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
  hub_port_connect drivers/usb/core/hub.c:4949 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  process_scheduled_works kernel/workqueue.c:2331 [inline]
  worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 1745:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:487 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
  kmalloc include/linux/slab.h:557 [inline]
  hcd_buffer_alloc+0x1ca/0x290 drivers/usb/core/buffer.c:135
  usb_alloc_coherent+0x5d/0x80 drivers/usb/core/usb.c:910
  hid_alloc_buffers drivers/hid/usbhid/hid-core.c:846 [inline]
  usbhid_start+0x60b/0x22f0 drivers/hid/usbhid/hid-core.c:1075
  hid_hw_start+0x5d/0x130 drivers/hid/hid-core.c:1976
  logi_dj_probe+0x808/0xcd7 drivers/hid/hid-logitech-dj.c:1703
  hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
  usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x650 drivers/base/dd.c:548
  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:882
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2114
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5098 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 1745:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
  slab_free_hook mm/slub.c:1423 [inline]
  slab_free_freelist_hook mm/slub.c:1470 [inline]
  slab_free mm/slub.c:3012 [inline]
  kfree+0xe4/0x2f0 mm/slub.c:3953
  hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
  usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
  hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
  usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
  usbhid_disconnect+0xa5/0xd0 drivers/hid/usbhid/hid-core.c:1413
  usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
  __device_release_driver drivers/base/dd.c:1120 [inline]
  device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
  bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
  device_del+0x420/0xb10 drivers/base/core.c:2288
  usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
  usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
  hub_port_connect drivers/usb/core/hub.c:4949 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  process_scheduled_works kernel/workqueue.c:2331 [inline]
  worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881d5875500
  which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 0 bytes inside of
  4096-byte region [ffff8881d5875500, ffff8881d5876500)
The buggy address belongs to the page:
page:ffffea0007561c00 refcount:1 mapcount:0 mapping:ffff8881da00c280  
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881d5875400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8881d5875480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881d5875500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                    ^
  ffff8881d5875580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881d5875600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         7f7867ff usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13833b9a600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=167d2a0e600000


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-08-12 13:03     ` syzbot
@ 2019-08-12 14:23       ` Andrey Konovalov
  2019-08-13 20:13       ` Alan Stern
  1 sibling, 0 replies; 14+ messages in thread
From: Andrey Konovalov @ 2019-08-12 14:23 UTC (permalink / raw)
  To: syzbot
  Cc: Greg Kroah-Hartman, Gustavo A. R. Silva, Hillf Danton, LKML,
	USB list, Oliver Neukum, Alan Stern, syzkaller-bugs

On Mon, Aug 12, 2019 at 3:03 PM syzbot
<syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: invalid-free in hcd_buffer_free
>
> usb 5-1: USB disconnect, device number 2
> ==================================================================
> BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260
> drivers/usb/core/buffer.c:165

Hm, looks like a different bug...

>
> CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
>   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
>   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
>   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
>   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
>   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
>   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
>   __device_release_driver drivers/base/dd.c:1118 [inline]
>   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
>   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
>   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
>   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
>   __device_release_driver drivers/base/dd.c:1120 [inline]
>   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
>   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 1745:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_kmalloc mm/kasan/common.c:487 [inline]
>   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
>   kmalloc include/linux/slab.h:557 [inline]
>   hcd_buffer_alloc+0x1ca/0x290 drivers/usb/core/buffer.c:135
>   usb_alloc_coherent+0x5d/0x80 drivers/usb/core/usb.c:910
>   hid_alloc_buffers drivers/hid/usbhid/hid-core.c:846 [inline]
>   usbhid_start+0x60b/0x22f0 drivers/hid/usbhid/hid-core.c:1075
>   hid_hw_start+0x5d/0x130 drivers/hid/hid-core.c:1976
>   logi_dj_probe+0x808/0xcd7 drivers/hid/hid-logitech-dj.c:1703
>   hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
>   usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
>   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
>   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
>   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
>   really_probe+0x281/0x650 drivers/base/dd.c:548
>   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
>   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
>   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>   __device_attach+0x217/0x360 drivers/base/dd.c:882
>   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
>   device_add+0xae6/0x16f0 drivers/base/core.c:2114
>   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
>   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Freed by task 1745:
>   save_stack+0x1b/0x80 mm/kasan/common.c:69
>   set_track mm/kasan/common.c:77 [inline]
>   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
>   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
>   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
>   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
>   usbhid_disconnect+0xa5/0xd0 drivers/hid/usbhid/hid-core.c:1413
>   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
>   __device_release_driver drivers/base/dd.c:1120 [inline]
>   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
>   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
>   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
>   port_event drivers/usb/core/hub.c:5359 [inline]
>   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
>   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
>   process_scheduled_works kernel/workqueue.c:2331 [inline]
>   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
>   kthread+0x318/0x420 kernel/kthread.c:255
>   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> The buggy address belongs to the object at ffff8881d5875500
>   which belongs to the cache kmalloc-4k of size 4096
> The buggy address is located 0 bytes inside of
>   4096-byte region [ffff8881d5875500, ffff8881d5876500)
> The buggy address belongs to the page:
> page:ffffea0007561c00 refcount:1 mapcount:0 mapping:ffff8881da00c280
> index:0x0 compound_mapcount: 0
> flags: 0x200000000010200(slab|head)
> raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
> raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>   ffff8881d5875400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   ffff8881d5875480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ffff8881d5875500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                     ^
>   ffff8881d5875580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>   ffff8881d5875600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> Tested on:
>
> commit:         7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> console output: https://syzkaller.appspot.com/x/log.txt?x=13833b9a600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=167d2a0e600000
>

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
       [not found]     ` <20190812144720.1980-1-hdanton@sina.com>
@ 2019-08-12 14:55       ` Andrey Konovalov
  2019-08-12 15:06       ` general protection fault in __pm_runtime_resume syzbot
  1 sibling, 0 replies; 14+ messages in thread
From: Andrey Konovalov @ 2019-08-12 14:55 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, Greg Kroah-Hartman, Gustavo A. R. Silva, LKML, USB list,
	Oliver Neukum, Alan Stern, syzkaller-bugs,
	syzbot+3cbe5cd105d2ad56a1df

On Mon, Aug 12, 2019 at 4:47 PM Hillf Danton <hdanton@sina.com> wrote:
>
>
> Hi Andrey
>
> On Mon, 12 Aug 2019 06:03:01 -0700
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > KASAN: invalid-free in hcd_buffer_free
> >
> > usb 5-1: USB disconnect, device number 2
> > ==================================================================
> > BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260
> > drivers/usb/core/buffer.c:165
>
> JFYI:
> 1, the hid-core.patch in the attachment at
> https://lore.kernel.org/lkml/CAAeHK+z-uCr-bWu9uVDynU2S=wCrtxRbuA-Cut=h5zYuYcS-Cw@mail.gmail.com/
>
> ===quote begin===
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a7a6b9c609b9457c62c6@syzkaller.appspotmail.com
>
> Let's try Hillf's patch here as well:
>
> #syz test: https://github.com/google/kasan.git 7f7867ff

Remove # when quoting syzbot commands, as this will trigger syzbot
testing again =)

>
> >
> > ------------[ cut here ]------------
> > usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> > WARNING: CPU: 1 PID: 7429 at drivers/usb/core/urb.c:477
> > usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
> ===quote end===
>
> is identical to the patch for
> #syz test: https://github.com/google/kasan.git 6a3599ce
> Reported-by: syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com
>
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
>         spin_lock_irq(&usbhid->lock);   /* Sync with error and led handlers */
>         set_bit(HID_DISCONNECTED, &usbhid->iofl);
>         spin_unlock_irq(&usbhid->lock);
> +       hid_hw_stop(hid);
>         hid_destroy_device(hid);
>         kfree(usbhid);
>  }
>
>
> 2, based on the report itself in the quote section above,
>
>         > usb 2-1: BOGUS urb xfer, pipe 2 != type 2
>
> I suggest that we get it invalidated for now. If unfortunately it comes
> up again we know at least what once happened.
>
> 3, this is a new report I did not see before, and worth a new report
> thread with a new subject line. See it soon after 7 hours of sleep and
> prepare patch with Test-by.

Let's dup it into the PM report:

#syz dup: general protection fault in __pm_runtime_resume

Once the fix is in the USB fuzzer tree, the double-free will be
reported in a separate thread (once it gets hit again).

>
> Thanks
> Hillf
>
> >
> > CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
> >   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
> >   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
> >   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
> >   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
> >   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
> >   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
> >   __device_release_driver drivers/base/dd.c:1118 [inline]
> >   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
> >   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
> >   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
> >   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1120 [inline]
> >   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> >   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 1745:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >   kmalloc include/linux/slab.h:557 [inline]
> >   hcd_buffer_alloc+0x1ca/0x290 drivers/usb/core/buffer.c:135
> >   usb_alloc_coherent+0x5d/0x80 drivers/usb/core/usb.c:910
> >   hid_alloc_buffers drivers/hid/usbhid/hid-core.c:846 [inline]
> >   usbhid_start+0x60b/0x22f0 drivers/hid/usbhid/hid-core.c:1075
> >   hid_hw_start+0x5d/0x130 drivers/hid/hid-core.c:1976
> >   logi_dj_probe+0x808/0xcd7 drivers/hid/hid-logitech-dj.c:1703
> >   hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
> >   usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
> >   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Freed by task 1745:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
> >   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
> >   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
> >   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
> >   usbhid_disconnect+0xa5/0xd0 drivers/hid/usbhid/hid-core.c:1413
> >   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1120 [inline]
> >   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> >   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > The buggy address belongs to the object at ffff8881d5875500
> >   which belongs to the cache kmalloc-4k of size 4096
> > The buggy address is located 0 bytes inside of
> >   4096-byte region [ffff8881d5875500, ffff8881d5876500)
> > The buggy address belongs to the page:
> > page:ffffea0007561c00 refcount:1 mapcount:0 mapping:ffff8881da00c280
> > index:0x0 compound_mapcount: 0
> > flags: 0x200000000010200(slab|head)
> > raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
> > raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >   ffff8881d5875400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >   ffff8881d5875480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > ffff8881d5875500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >                     ^
> >   ffff8881d5875580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >   ffff8881d5875600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> >
> > Tested on:
> >
> > commit:         7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13833b9a600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=167d2a0e600000
>

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: general protection fault in __pm_runtime_resume
       [not found]     ` <20190812144720.1980-1-hdanton@sina.com>
  2019-08-12 14:55       ` Andrey Konovalov
@ 2019-08-12 15:06       ` syzbot
  2019-08-15 17:43         ` Alan Stern
  1 sibling, 1 reply; 14+ messages in thread
From: syzbot @ 2019-08-12 15:06 UTC (permalink / raw)
  To: andreyknvl, gregkh, gustavo, hdanton, linux-kernel, linux-usb,
	oneukum, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger  
crash:

Reported-and-tested-by:  
syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com

Tested on:

commit:         7f7867ff usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=177252d2600000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
       [not found]     ` <20190813042649.888-1-hdanton@sina.com>
@ 2019-08-13  7:35       ` Dmitry Vyukov
  2019-08-13  8:14       ` Oliver Neukum
  1 sibling, 0 replies; 14+ messages in thread
From: Dmitry Vyukov @ 2019-08-13  7:35 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, Andrey Konovalov, Greg Kroah-Hartman,
	Gustavo A. R. Silva, open list:HID CORE LAYER, LKML, USB list,
	Oliver Neukum, Alan Stern, Jiri Slaby, Jiri Kosina,
	syzkaller-bugs

On Tue, Aug 13, 2019 at 6:27 AM Hillf Danton <hdanton@sina.com> wrote:
>
> [respin with the mess in Cc list cleaned up]
>
> On Mon, 12 Aug 2019 06:03:01 -0700
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > KASAN: invalid-free in hcd_buffer_free
> >
> > usb 5-1: USB disconnect, device number 2
> > ==================================================================
> > BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260
> > drivers/usb/core/buffer.c:165
> >
> > CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
> >   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
> >   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
> >   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
> >   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
> >   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797
> >   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
> >   __device_release_driver drivers/base/dd.c:1118 [inline]
> >   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
> >   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
> >   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414
> >   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1120 [inline]
> >   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> >   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 1745:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_kmalloc mm/kasan/common.c:487 [inline]
> >   __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
> >   kmalloc include/linux/slab.h:557 [inline]
> >   hcd_buffer_alloc+0x1ca/0x290 drivers/usb/core/buffer.c:135
> >   usb_alloc_coherent+0x5d/0x80 drivers/usb/core/usb.c:910
> >   hid_alloc_buffers drivers/hid/usbhid/hid-core.c:846 [inline]
> >   usbhid_start+0x60b/0x22f0 drivers/hid/usbhid/hid-core.c:1075
> >   hid_hw_start+0x5d/0x130 drivers/hid/hid-core.c:1976
> >   logi_dj_probe+0x808/0xcd7 drivers/hid/hid-logitech-dj.c:1703
> >   hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
> >   usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
> >   usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> >   generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> >   usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
> >   really_probe+0x281/0x650 drivers/base/dd.c:548
> >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
> >   __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
> >   bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
> >   __device_attach+0x217/0x360 drivers/base/dd.c:882
> >   bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
> >   device_add+0xae6/0x16f0 drivers/base/core.c:2114
> >   usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
> >   hub_port_connect drivers/usb/core/hub.c:5098 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   worker_thread+0x96/0xe20 kernel/workqueue.c:2415
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Freed by task 1745:
> >   save_stack+0x1b/0x80 mm/kasan/common.c:69
> >   set_track mm/kasan/common.c:77 [inline]
> >   __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
> >   slab_free_hook mm/slub.c:1423 [inline]
> >   slab_free_freelist_hook mm/slub.c:1470 [inline]
> >   slab_free mm/slub.c:3012 [inline]
> >   kfree+0xe4/0x2f0 mm/slub.c:3953
> >   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
> >   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
> >   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
> >   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
> >   usbhid_disconnect+0xa5/0xd0 drivers/hid/usbhid/hid-core.c:1413
> >   usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
> >   __device_release_driver drivers/base/dd.c:1120 [inline]
> >   device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
> >   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
> >   device_del+0x420/0xb10 drivers/base/core.c:2288
> >   usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
> >   usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
> >   hub_port_connect drivers/usb/core/hub.c:4949 [inline]
> >   hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
> >   port_event drivers/usb/core/hub.c:5359 [inline]
> >   hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
> >   process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
> >   process_scheduled_works kernel/workqueue.c:2331 [inline]
> >   worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
> >   kthread+0x318/0x420 kernel/kthread.c:255
> >   ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > The buggy address belongs to the object at ffff8881d5875500
> >   which belongs to the cache kmalloc-4k of size 4096
> > The buggy address is located 0 bytes inside of
> >   4096-byte region [ffff8881d5875500, ffff8881d5876500)
> > The buggy address belongs to the page:
> > page:ffffea0007561c00 refcount:1 mapcount:0 mapping:ffff8881da00c280
> > index:0x0 compound_mapcount: 0
> > flags: 0x200000000010200(slab|head)
> > raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
> > raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >   ffff8881d5875400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >   ffff8881d5875480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > ffff8881d5875500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >                     ^
> >   ffff8881d5875580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >   ffff8881d5875600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> >
> > Tested on:
> >
> > commit:         7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13833b9a600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=167d2a0e600000
>
> Followup of commit e3e14de50dff ("HID: fix start/stop cycle in usbhid driver")
>
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1214,6 +1214,8 @@ static void usbhid_stop(struct hid_devic
>
>         hid->claimed = 0;
>
> +       if (!usbhid->urbin) /* freeing buffers only once */
> +               return;

I have not read all the code, but the last report was a double-free,
which suggests that usbhid->urbin is actually not reset to NULL, so
this check won't help. Potentially we need both this check and reset
the fields to NULL after freeing.

>         usb_free_urb(usbhid->urbin);
>         usb_free_urb(usbhid->urbctrl);
>         usb_free_urb(usbhid->urbout);

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
       [not found]     ` <20190813042649.888-1-hdanton@sina.com>
  2019-08-13  7:35       ` WARNING in usbhid_raw_request/usb_submit_urb Dmitry Vyukov
@ 2019-08-13  8:14       ` Oliver Neukum
  1 sibling, 0 replies; 14+ messages in thread
From: Oliver Neukum @ 2019-08-13  8:14 UTC (permalink / raw)
  To: Hillf Danton, syzbot
  Cc: gustavo, Jiri Slaby, andreyknvl, syzkaller-bugs, gregkh, stern,
	Jiri Kosina, linux-input, linux-kernel, linux-usb

Am Dienstag, den 13.08.2019, 12:26 +0800 schrieb Hillf Danton:
> [respin with the mess in Cc list cleaned up]

> Followup of commit e3e14de50dff ("HID: fix start/stop cycle in usbhid driver")
> 
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1214,6 +1214,8 @@ static void usbhid_stop(struct hid_devic
>  
>  	hid->claimed = 0;
>  
> +	if (!usbhid->urbin) /* freeing buffers only once */
> +		return;
>  	usb_free_urb(usbhid->urbin);
>  	usb_free_urb(usbhid->urbctrl);
>  	usb_free_urb(usbhid->urbout);

This looks rather suspicious. Why is stop() called multiple times?
Do we have a refcounting issue? If not, what controls locking?

	Regards
		Oliver


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: WARNING in usbhid_raw_request/usb_submit_urb
  2019-08-12 13:03     ` syzbot
  2019-08-12 14:23       ` Andrey Konovalov
@ 2019-08-13 20:13       ` Alan Stern
  1 sibling, 0 replies; 14+ messages in thread
From: Alan Stern @ 2019-08-13 20:13 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, gregkh, gustavo, hdanton, linux-kernel, linux-usb,
	oneukum, syzkaller-bugs

On Mon, 12 Aug 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> KASAN: invalid-free in hcd_buffer_free

This bug report shows that Hillf's fix isn't exactly right.

> usb 5-1: USB disconnect, device number 2
> ==================================================================
> BUG: KASAN: double-free or invalid-free in hcd_buffer_free+0x199/0x260  
> drivers/usb/core/buffer.c:165
> 
> CPU: 0 PID: 1745 Comm: kworker/0:2 Not tainted 5.3.0-rc2+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:444
>   __kasan_slab_free+0x162/0x180 mm/kasan/common.c:428
>   slab_free_hook mm/slub.c:1423 [inline]
>   slab_free_freelist_hook mm/slub.c:1470 [inline]
>   slab_free mm/slub.c:3012 [inline]
>   kfree+0xe4/0x2f0 mm/slub.c:3953
>   hcd_buffer_free+0x199/0x260 drivers/usb/core/buffer.c:165
>   usb_free_coherent+0x67/0x80 drivers/usb/core/usb.c:932
>   hid_free_buffers.isra.0+0x94/0x290 drivers/hid/usbhid/hid-core.c:964
>   usbhid_stop+0x308/0x450 drivers/hid/usbhid/hid-core.c:1224
>   logi_dj_remove+0x107/0x210 drivers/hid/hid-logitech-dj.c:1797

Here the double-free occurred when logi_dj_remove() called 
hd_hw_stop()...

>   hid_device_remove+0xed/0x240 drivers/hid/hid-core.c:2242
>   __device_release_driver drivers/base/dd.c:1118 [inline]
>   device_release_driver_internal+0x206/0x4c0 drivers/base/dd.c:1151
>   bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
>   device_del+0x420/0xb10 drivers/base/core.c:2288
>   hid_remove_device drivers/hid/hid-core.c:2413 [inline]
>   hid_destroy_device+0xe1/0x150 drivers/hid/hid-core.c:2432
>   usbhid_disconnect+0xad/0xd0 drivers/hid/usbhid/hid-core.c:1414

which occurred inside usbhid_disconnect()'s call to
hid_destroy_device().

But just above the call to hid_destroy_device(), Hillf's patch adds a 
direct call to hid_hw_stop(), which is what did the original free.

So it looks like the problem here is that some paths in the original
unpatched code end up calling hid_hw_stop() by way of the hid_device's
driver, and other paths do not.

I haven't had time to track down this difference.  Maybe somebody 
on the mailing list already knows why it occurs.

Alan Stern


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: general protection fault in __pm_runtime_resume
  2019-08-12 15:06       ` general protection fault in __pm_runtime_resume syzbot
@ 2019-08-15 17:43         ` Alan Stern
  0 siblings, 0 replies; 14+ messages in thread
From: Alan Stern @ 2019-08-15 17:43 UTC (permalink / raw)
  To: syzbot, Jiri Kosina
  Cc: andreyknvl, gregkh, gustavo, hdanton, Kernel development list,
	USB list, Oliver Neukum, syzkaller-bugs, linux-input

On Mon, 12 Aug 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch and the reproducer did not trigger  
> crash:
> 
> Reported-and-tested-by:  
> syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com
> 
> Tested on:
> 
> commit:         7f7867ff usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=177252d2600000
> 
> Note: testing is done by a robot and is best-effort only.

That was the result from testing Hillf's patch:

--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1410,6 +1410,7 @@ static void usbhid_disconnect(struct usb
        spin_lock_irq(&usbhid->lock);   /* Sync with error and led handlers */
        set_bit(HID_DISCONNECTED, &usbhid->iofl);
        spin_unlock_irq(&usbhid->lock);
+       hid_hw_stop(hid);
        hid_destroy_device(hid);
        kfree(usbhid);
 }

There is very good reason to believe this patch is not the correct
solution to the problem.  For one thing, in some circumstances the
patch ends up calling hid_hw_stop() twice (not shown here, but we have 
seen this in other bug reports from syzbot).

For another, I have just tested a different patch and found that it 
also prevents this particular crash:

> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+3cbe5cd105d2ad56a1df@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=700ca426ab83faae
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=170b66a6600000
>
> Note: testing is done by a robot and is best-effort only.

My patch:

Index: usb-devel/drivers/hid/hid-lg.c
===================================================================
--- usb-devel.orig/drivers/hid/hid-lg.c
+++ usb-devel/drivers/hid/hid-lg.c
@@ -818,7 +818,7 @@ static int lg_probe(struct hid_device *h
 
 		if (!buf) {
 			ret = -ENOMEM;
-			goto err_free;
+			goto err_stop;
 		}
 
 		ret = hid_hw_raw_request(hdev, buf[0], buf, sizeof(cbuf),
@@ -850,9 +850,12 @@ static int lg_probe(struct hid_device *h
 		ret = lg4ff_init(hdev);
 
 	if (ret)
-		goto err_free;
+		goto err_stop;
 
 	return 0;
+
+err_stop:
+	hid_hw_stop(hdev);
 err_free:
 	kfree(drv_data);
 	return ret;
@@ -863,8 +866,7 @@ static void lg_remove(struct hid_device
 	struct lg_drv_data *drv_data = hid_get_drvdata(hdev);
 	if (drv_data->quirks & LG_FF4)
 		lg4ff_deinit(hdev);
-	else
-		hid_hw_stop(hdev);
+	hid_hw_stop(hdev);
 	kfree(drv_data);
 }
 
Index: usb-devel/drivers/hid/hid-lg4ff.c
===================================================================
--- usb-devel.orig/drivers/hid/hid-lg4ff.c
+++ usb-devel/drivers/hid/hid-lg4ff.c
@@ -1477,7 +1477,6 @@ int lg4ff_deinit(struct hid_device *hid)
 		}
 	}
 #endif
-	hid_hw_stop(hid);
 	drv_data->device_props = NULL;
 
 	kfree(entry);

This fixes a fairly obvious bug in the hid-lg driver: It does not 
always call hid_hw_stop() in all pathways after calling hid_hw_start().

Presumably the same is true for the other related bugs found by syzbot.  
I'm doing some more testing and we will see...

Alan Stern


^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, back to index

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29 11:48 WARNING in usbhid_raw_request/usb_submit_urb syzbot
2019-07-30 14:10 ` Alan Stern
2019-07-30 14:12   ` Andrey Konovalov
2019-07-30 14:24     ` Oliver Neukum
2019-07-30 16:58 ` syzbot
2019-08-12 12:46   ` Andrey Konovalov
2019-08-12 13:03     ` syzbot
2019-08-12 14:23       ` Andrey Konovalov
2019-08-13 20:13       ` Alan Stern
     [not found]     ` <20190812144720.1980-1-hdanton@sina.com>
2019-08-12 14:55       ` Andrey Konovalov
2019-08-12 15:06       ` general protection fault in __pm_runtime_resume syzbot
2019-08-15 17:43         ` Alan Stern
     [not found]     ` <20190813042649.888-1-hdanton@sina.com>
2019-08-13  7:35       ` WARNING in usbhid_raw_request/usb_submit_urb Dmitry Vyukov
2019-08-13  8:14       ` Oliver Neukum

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org linux-usb@archiver.kernel.org
	public-inbox-index linux-usb


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/ public-inbox