linux-kernel.vger.kernel.org archive mirror
* KASAN: global-out-of-bounds Read in __pm_runtime_resume
@ 2019-09-16 18:49 syzbot
  2019-09-17 12:14 ` Andrey Konovalov
  2019-09-17 21:44 ` Rafael J. Wysocki
  0 siblings, 2 replies; 4+ messages in thread
From: syzbot @ 2019-09-16 18:49 UTC (permalink / raw)
  To: andreyknvl, gregkh, len.brown, linux-kernel, linux-pm, linux-usb,
	pavel, rjw, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10efb5fa600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=cd157359d82e8d98c17b
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
Read of size 1 at addr ffffffff863d87b1 by task syz-executor.2/13622

CPU: 0 PID: 13622 Comm: syz-executor.2 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:618
  __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
  pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
  usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1709
  usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
  hid_hw_power include/linux/hid.h:1038 [inline]
  hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
  chrdev_open+0x219/0x5c0 fs/char_dev.c:414
  do_dentry_open+0x494/0x1120 fs/open.c:797
  do_last fs/namei.c:3416 [inline]
  path_openat+0x1430/0x3f50 fs/namei.c:3533
  do_filp_open+0x1a1/0x280 fs/namei.c:3563
  do_sys_open+0x3c0/0x580 fs/open.c:1089
  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4137d1
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007faea59927a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00000000004137d1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007faea5992850
RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007faea59936d4
R13: 00000000004c8cbf R14: 00000000004dfc90 R15: 00000000ffffffff

The buggy address belongs to the variable:
  __param_str_xfer_debug+0x91/0x4a0

Memory state around the buggy address:
  ffffffff863d8680: fa fa fa fa 00 00 00 02 fa fa fa fa 00 00 00 00
  ffffffff863d8700: fa fa fa fa 00 00 00 02 fa fa fa fa 00 07 fa fa
> ffffffff863d8780: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 07 fa
                                      ^
  ffffffff863d8800: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
  ffffffff863d8880: 00 07 fa fa fa fa fa fa 00 00 06 fa fa fa fa fa
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

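The "Memory state around the buggy address" block is KASAN's shadow memory, one byte per 8-byte granule, and reading it by hand is how you confirm what kind of object the bad pointer landed in. The program below is an added example, not code from the thread or from the kernel: it reimplements KASAN's shadow lookup in user space, loads the five dump rows transcribed from the report above, and classifies the faulting address. The poison constants are the values from mm/kasan/kasan.h of the 5.3-era kernel (assumed unchanged for the fuzzer tree); the function names and the row table are this example's own. For the reported address ffffffff863d87b1 it lands on shadow byte 6 of the row starting at ffffffff863d8780, which is 0xfa, a global redzone. That is the gap between two globals, consistent with the report's "belongs to the variable: __param_str_xfer_debug" line: the dev pointer handed down through pm_runtime_get_sync() pointed into the module-parameter string area rather than at a struct device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Each shadow byte describes one 8-byte granule (KASAN_SHADOW_SCALE_SHIFT = 3). */
#define KASAN_GRANULE 8u
#define ROW_GRANULES 16u            /* one dump row = 16 shadow bytes = 128 bytes */

/* Poison values from mm/kasan/kasan.h in the 5.3-era kernel (assumed for this tree). */
#define KASAN_GLOBAL_REDZONE  0xFA
#define KASAN_KMALLOC_FREE    0xFB
#define KASAN_KMALLOC_REDZONE 0xFC
#define KASAN_PAGE_REDZONE    0xFE
#define KASAN_FREE_PAGE       0xFF
#define KASAN_STACK_LEFT      0xF1
#define KASAN_STACK_MID       0xF2
#define KASAN_STACK_RIGHT     0xF3
#define KASAN_STACK_PARTIAL   0xF4
#define KASAN_USE_AFTER_SCOPE 0xF8

struct shadow_row {
    uint64_t base;                  /* address of the first byte the row covers */
    uint8_t  shadow[ROW_GRANULES];
};

/* The five rows of the report's "Memory state around the buggy address" dump,
 * transcribed verbatim (example's own table, not produced by the kernel here). */
static const struct shadow_row report_rows[] = {
    { 0xffffffff863d8680ULL, {0xfa,0xfa,0xfa,0xfa,0x00,0x00,0x00,0x02,0xfa,0xfa,0xfa,0xfa,0x00,0x00,0x00,0x00} },
    { 0xffffffff863d8700ULL, {0xfa,0xfa,0xfa,0xfa,0x00,0x00,0x00,0x02,0xfa,0xfa,0xfa,0xfa,0x00,0x07,0xfa,0xfa} },
    { 0xffffffff863d8780ULL, {0xfa,0xfa,0xfa,0xfa,0x00,0x00,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0x00,0x00,0x07,0xfa} },
    { 0xffffffff863d8800ULL, {0xfa,0xfa,0xfa,0xfa,0x00,0x00,0x00,0x00,0x00,0x00,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa} },
    { 0xffffffff863d8880ULL, {0x00,0x07,0xfa,0xfa,0xfa,0xfa,0xfa,0xfa,0x00,0x00,0x06,0xfa,0xfa,0xfa,0xfa,0xfa} },
};
static const size_t report_nrows = sizeof(report_rows) / sizeof(report_rows[0]);

/* Find the shadow byte for addr. Returns 0 and stores the byte in *out,
 * or -1 if the address lies outside the dumped rows. */
int shadow_lookup(const struct shadow_row *rows, size_t nrows, uint64_t addr, uint8_t *out)
{
    const uint64_t span = (uint64_t)ROW_GRANULES * KASAN_GRANULE;
    for (size_t i = 0; i < nrows; i++) {
        if (addr >= rows[i].base && addr < rows[i].base + span) {
            *out = rows[i].shadow[(addr - rows[i].base) / KASAN_GRANULE];
            return 0;
        }
    }
    return -1;
}

/* Human-readable meaning of a shadow byte. */
const char *shadow_describe(uint8_t s)
{
    if (s == 0)            return "addressable";
    if (s < KASAN_GRANULE) return "partially addressable (first N bytes only)";
    switch (s) {
    case KASAN_GLOBAL_REDZONE:  return "global redzone";
    case KASAN_KMALLOC_FREE:    return "freed kmalloc object";
    case KASAN_KMALLOC_REDZONE: return "kmalloc redzone";
    case KASAN_PAGE_REDZONE:    return "page redzone";
    case KASAN_FREE_PAGE:       return "free page";
    case KASAN_STACK_LEFT:      return "stack left redzone";
    case KASAN_STACK_MID:       return "stack mid redzone";
    case KASAN_STACK_RIGHT:     return "stack right redzone";
    case KASAN_STACK_PARTIAL:   return "stack partial redzone";
    case KASAN_USE_AFTER_SCOPE: return "use after scope";
    default:                    return "unknown poison";
    }
}

/* Is [addr, addr+size) fully addressable? Every byte is checked against its
 * granule's shadow value: 0 = all 8 bytes valid, 1..7 = only the first N bytes
 * valid, anything else = poisoned. Returns 1 if valid, 0 if KASAN would report
 * the access, -1 if some byte is not covered by the dump. */
int access_ok(const struct shadow_row *rows, size_t nrows, uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        uint64_t b = addr + i;
        uint8_t s;
        if (shadow_lookup(rows, nrows, b, &s) < 0)
            return -1;
        if (s == 0)
            continue;
        if (s < KASAN_GRANULE && (b % KASAN_GRANULE) < s)
            continue;                   /* inside the valid prefix of a partial granule */
        return 0;
    }
    return 1;
}

/* Wrappers bound to the report's rows. report_shadow_byte returns the byte or -1. */
int report_shadow_byte(uint64_t addr)
{
    uint8_t s;
    return shadow_lookup(report_rows, report_nrows, addr, &s) == 0 ? (int)s : -1;
}

int report_access_ok(uint64_t addr, size_t size)
{
    return access_ok(report_rows, report_nrows, addr, size);
}

int main(void)
{
    uint64_t addr = 0xffffffff863d87b1ULL;   /* "Read of size 1 at addr ..." */
    int s = report_shadow_byte(addr);
    if (s >= 0)
        printf("addr %#llx: shadow 0x%02x (%s), access_ok=%d\n",
               (unsigned long long)addr, s, shadow_describe((uint8_t)s),
               report_access_ok(addr, 1));
    return 0;
}
```

The partially-addressable case is worth noting when reading these dumps: the 0x07 at granule 14 of the ffffffff863d8780 row means bytes 0..6 of that granule are valid and byte 7 is not, so a one-byte read at ffffffff863d87f7 would also be flagged even though its granule is not a redzone.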

* Re: KASAN: global-out-of-bounds Read in __pm_runtime_resume
  2019-09-16 18:49 KASAN: global-out-of-bounds Read in __pm_runtime_resume syzbot
@ 2019-09-17 12:14 ` Andrey Konovalov
  2019-09-17 21:44 ` Rafael J. Wysocki
  1 sibling, 0 replies; 4+ messages in thread
From: Andrey Konovalov @ 2019-09-17 12:14 UTC (permalink / raw)
  To: syzbot
  Cc: Greg Kroah-Hartman, len.brown, LKML, linux-pm, USB list, pavel,
	rjw, syzkaller-bugs

On Mon, Sep 16, 2019 at 8:49 PM syzbot
<syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10efb5fa600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
> dashboard link: https://syzkaller.appspot.com/bug?extid=cd157359d82e8d98c17b
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: global-out-of-bounds in __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
> Read of size 1 at addr ffffffff863d87b1 by task syz-executor.2/13622
>
> CPU: 0 PID: 13622 Comm: syz-executor.2 Not tainted 5.3.0-rc7+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:618
>   __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1709
>   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
>   hid_hw_power include/linux/hid.h:1038 [inline]
>   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
>   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
>   do_dentry_open+0x494/0x1120 fs/open.c:797
>   do_last fs/namei.c:3416 [inline]
>   path_openat+0x1430/0x3f50 fs/namei.c:3533
>   do_filp_open+0x1a1/0x280 fs/namei.c:3563
>   do_sys_open+0x3c0/0x580 fs/open.c:1089
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4137d1
> Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
> RSP: 002b:00007faea59927a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
> RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00000000004137d1
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007faea5992850
> RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000293 R12: 00007faea59936d4
> R13: 00000000004c8cbf R14: 00000000004dfc90 R15: 00000000ffffffff
>
> The buggy address belongs to the variable:
>   __param_str_xfer_debug+0x91/0x4a0
>
> Memory state around the buggy address:
>   ffffffff863d8680: fa fa fa fa 00 00 00 02 fa fa fa fa 00 00 00 00
>   ffffffff863d8700: fa fa fa fa 00 00 00 02 fa fa fa fa 00 07 fa fa
> > ffffffff863d8780: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 07 fa
>                                       ^
>   ffffffff863d8800: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
>   ffffffff863d8880: 00 07 fa fa fa fa fa fa 00 00 06 fa fa fa fa fa
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

#syz dup: general protection fault in __pm_runtime_resume


* Re: KASAN: global-out-of-bounds Read in __pm_runtime_resume
  2019-09-16 18:49 KASAN: global-out-of-bounds Read in __pm_runtime_resume syzbot
  2019-09-17 12:14 ` Andrey Konovalov
@ 2019-09-17 21:44 ` Rafael J. Wysocki
  2019-09-18 11:04   ` Andrey Konovalov
  1 sibling, 1 reply; 4+ messages in thread
From: Rafael J. Wysocki @ 2019-09-17 21:44 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, Greg Kroah-Hartman, Len Brown,
	Linux Kernel Mailing List, Linux PM,
	open list:ULTRA-WIDEBAND (UWB) SUBSYSTEM:,
	Pavel Machek, Rafael J. Wysocki, syzkaller-bugs

On Mon, Sep 16, 2019 at 8:49 PM syzbot
<syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10efb5fa600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
> dashboard link: https://syzkaller.appspot.com/bug?extid=cd157359d82e8d98c17b
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: global-out-of-bounds in __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069

This means that the caller of __pm_runtime_resume() did something odd.

> Read of size 1 at addr ffffffff863d87b1 by task syz-executor.2/13622
>
> CPU: 0 PID: 13622 Comm: syz-executor.2 Not tainted 5.3.0-rc7+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xca/0x13e lib/dump_stack.c:113
>   print_address_description+0x6a/0x32c mm/kasan/report.c:351
>   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
>   kasan_report+0xe/0x12 mm/kasan/common.c:618
>   __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
>   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
>   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1709
>   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234

In this particular case usbhid_power() probably shouldn't have called
pm_runtime_get_sync() or it shouldn't have been called itself or
similar.

>   hid_hw_power include/linux/hid.h:1038 [inline]
>   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
>   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
>   do_dentry_open+0x494/0x1120 fs/open.c:797
>   do_last fs/namei.c:3416 [inline]
>   path_openat+0x1430/0x3f50 fs/namei.c:3533
>   do_filp_open+0x1a1/0x280 fs/namei.c:3563
>   do_sys_open+0x3c0/0x580 fs/open.c:1089
>   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4137d1
> Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
> RSP: 002b:00007faea59927a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
> RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00000000004137d1
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007faea5992850
> RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000293 R12: 00007faea59936d4
> R13: 00000000004c8cbf R14: 00000000004dfc90 R15: 00000000ffffffff
>
> The buggy address belongs to the variable:
>   __param_str_xfer_debug+0x91/0x4a0
>
> Memory state around the buggy address:
>   ffffffff863d8680: fa fa fa fa 00 00 00 02 fa fa fa fa 00 00 00 00
>   ffffffff863d8700: fa fa fa fa 00 00 00 02 fa fa fa fa 00 07 fa fa
> > ffffffff863d8780: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 07 fa
>                                       ^
>   ffffffff863d8800: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
>   ffffffff863d8880: 00 07 fa fa fa fa fa fa 00 00 06 fa fa fa fa fa
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: KASAN: global-out-of-bounds Read in __pm_runtime_resume
  2019-09-17 21:44 ` Rafael J. Wysocki
@ 2019-09-18 11:04   ` Andrey Konovalov
  0 siblings, 0 replies; 4+ messages in thread
From: Andrey Konovalov @ 2019-09-18 11:04 UTC (permalink / raw)
  To: Rafael J. Wysocki
  Cc: syzbot, Greg Kroah-Hartman, Len Brown, Linux Kernel Mailing List,
	Linux PM, open list:ULTRA-WIDEBAND (UWB) SUBSYSTEM:,
	Pavel Machek, Rafael J. Wysocki, syzkaller-bugs

On Tue, Sep 17, 2019 at 11:44 PM Rafael J. Wysocki <rafael@kernel.org> wrote:
>
> On Mon, Sep 16, 2019 at 8:49 PM syzbot
> <syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10efb5fa600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
> > dashboard link: https://syzkaller.appspot.com/bug?extid=cd157359d82e8d98c17b
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+cd157359d82e8d98c17b@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: global-out-of-bounds in __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
>
> This means that the caller of __pm_runtime_resume() did something odd.
>
> > Read of size 1 at addr ffffffff863d87b1 by task syz-executor.2/13622
> >
> > CPU: 0 PID: 13622 Comm: syz-executor.2 Not tainted 5.3.0-rc7+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:618
> >   __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
> >   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
> >   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1709
> >   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
>
> In this particular case usbhid_power() probably shouldn't have called
> pm_runtime_get_sync() or it shouldn't have been called itself or
> similar.

Hi Rafael,

This report is caused by a major memory corruption that can lead to
all kinds of weird things. Let's wait for the fix to be in the
mainline and then see if these bugs are still occurring.

Thanks!

>
> >   hid_hw_power include/linux/hid.h:1038 [inline]
> >   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
> >   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> >   do_dentry_open+0x494/0x1120 fs/open.c:797
> >   do_last fs/namei.c:3416 [inline]
> >   path_openat+0x1430/0x3f50 fs/namei.c:3533
> >   do_filp_open+0x1a1/0x280 fs/namei.c:3563
> >   do_sys_open+0x3c0/0x580 fs/open.c:1089
> >   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x4137d1
> > Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
> > RSP: 002b:00007faea59927a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
> > RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00000000004137d1
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007faea5992850
> > RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000293 R12: 00007faea59936d4
> > R13: 00000000004c8cbf R14: 00000000004dfc90 R15: 00000000ffffffff
> >
> > The buggy address belongs to the variable:
> >   __param_str_xfer_debug+0x91/0x4a0
> >
> > Memory state around the buggy address:
> >   ffffffff863d8680: fa fa fa fa 00 00 00 02 fa fa fa fa 00 00 00 00
> >   ffffffff863d8700: fa fa fa fa 00 00 00 02 fa fa fa fa 00 07 fa fa
> > > ffffffff863d8780: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 07 fa
> >                                       ^
> >   ffffffff863d8800: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
> >   ffffffff863d8880: 00 07 fa fa fa fa fa fa 00 00 06 fa fa fa fa fa
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

