* [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
@ 2023-10-16 17:01 syzbot
2023-11-17 14:23 ` [syzbot] Test syzbot
` (2 more replies)
0 siblings, 3 replies; 30+ messages in thread
From: syzbot @ 2023-10-16 17:01 UTC (permalink / raw)
To: benjamin.tissoires, jikos, linux-input, linux-kernel, linux-usb,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ad7f1baed071 Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1056d5c5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1081f1e5680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c7bc4d680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3074ad3ff92/disk-ad7f1bae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b298a1e285/vmlinux-ad7f1bae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1ad5cd9c2a48/bzImage-ad7f1bae.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc5-syzkaller-00227-gad7f1baed071 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
hub_port_connect drivers/usb/core/hub.c:5440 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* Re: [syzbot] Test
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
@ 2023-11-17 14:23 ` syzbot
2023-11-21 19:19 ` [syzbot] [PATCH] Tried to correct syzbot
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
2 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2023-11-17 14:23 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Test
Author: tintinm2017@gmail.com
#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [syzbot] [PATCH] Tried to correct
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
2023-11-17 14:23 ` [syzbot] Test syzbot
@ 2023-11-21 19:19 ` syzbot
2023-11-22 8:08 ` kernel test robot
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
2 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-11-21 19:19 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Tried to correct
Author: tintinm2017@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Signed-off-by: attreyee-muk <tintinm2017@gmail.com>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* Re: [PATCH] Tried to correct
2023-11-21 19:19 ` [syzbot] [PATCH] Tried to correct syzbot
@ 2023-11-22 8:08 ` kernel test robot
0 siblings, 0 replies; 30+ messages in thread
From: kernel test robot @ 2023-11-22 8:08 UTC (permalink / raw)
To: syzbot, linux-kernel; +Cc: llvm, oe-kbuild-all
Hi syzbot,
kernel test robot noticed the following build warnings:
[auto build test WARNING on hid/for-next]
[also build test WARNING on linus/master v6.7-rc2 next-20231122]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/syzbot/Tried-to-correct/20231122-032130
base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
patch link: https://lore.kernel.org/r/000000000000c0be0d060aae7c5b%40google.com
patch subject: [PATCH] Tried to correct
config: x86_64-rhel-8.3-rust (https://download.01.org/0day-ci/archive/20231122/202311221446.bQ7tsWmE-lkp@intel.com/config)
compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231122/202311221446.bQ7tsWmE-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311221446.bQ7tsWmE-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/hid/usbhid/hid-core.c:1026:3: warning: misleading indentation; statement is not part of the previous 'for' [-Wmisleading-indentation]
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^
drivers/hid/usbhid/hid-core.c:1023:2: note: previous statement is here
for (n = 0; n < num_descriptors; n++)
^
1 warning generated.
vim +/for +1026 drivers/hid/usbhid/hid-core.c
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 978
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)
6d33ae790f1855 drivers/hid/usbhid/hid-core.c syzbot 2023-11-21 1024 if (n >= ARRAY_SIZE(hdesc->desc))
6d33ae790f1855 drivers/hid/usbhid/hid-core.c syzbot 2023-11-21 1025 break;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1035 if (!rdesc)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1036 return -ENOMEM;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1037
854561b019285a drivers/usb/input/hid-core.c Vojtech Pavlik 2005-05-29 1038 hid_set_idle(dev, interface->desc.bInterfaceNumber, 0, 0);
854561b019285a drivers/usb/input/hid-core.c Vojtech Pavlik 2005-05-29 1039
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1040 ret = hid_get_class_descriptor(dev, interface->desc.bInterfaceNumber,
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1041 HID_DT_REPORT, rdesc, rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1042 if (ret < 0) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1043 dbg_hid("reading report descriptor failed\n");
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1044 kfree(rdesc);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1045 goto err;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1046 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1047
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1048 ret = hid_parse_report(hid, rdesc, rsize);
85cdaf524b7dda drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1049 kfree(rdesc);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1050 if (ret) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1051 dbg_hid("parsing report descriptor failed\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1052 goto err;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1053 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1054
f5208997087e6e drivers/hid/usbhid/hid-core.c Zoltan Karcagi 2009-05-06 1055 hid->quirks |= quirks;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1056
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1057 return 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1058 err:
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1059 return ret;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1060 }
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1061
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
2023-11-17 14:23 ` [syzbot] Test syzbot
2023-11-21 19:19 ` [syzbot] [PATCH] Tried to correct syzbot
@ 2023-12-23 19:59 ` syzbot
2024-01-03 14:12 ` Dan Carpenter
2024-03-05 18:55 ` [syzbot] " Kees Cook
2 siblings, 2 replies; 30+ messages in thread
From: syzbot @ 2023-12-23 19:59 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
Author: tintinm2017@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
Requesting help from the maintainers to understand what is really going wrong in the code.
Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.
Signed-off-by: Attreyee Mukherjee <tintinm2017@gmail.com>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
--
2.34.1
^ permalink raw reply related [flat|nested] 30+ messages in thread
* Re: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
@ 2024-01-03 14:12 ` Dan Carpenter
2024-01-03 14:29 ` Aleksandr Nogikh
2024-03-05 18:55 ` [syzbot] " Kees Cook
1 sibling, 1 reply; 30+ messages in thread
From: Dan Carpenter @ 2024-01-03 14:12 UTC (permalink / raw)
To: oe-kbuild, syzbot, linux-kernel, syzkaller-bugs; +Cc: lkp, oe-kbuild-all
Hi syzbot,
kernel test robot noticed the following build warnings:
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/syzbot/usbhid-fix-array-index-out-of-bounds-in-usbhid_parse-UBSAN-warning/20231225-153341
base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
patch link: https://lore.kernel.org/r/0000000000009ae37b060d32c643%40google.com
patch subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
config: x86_64-randconfig-161-20231225 (https://download.01.org/0day-ci/archive/20231226/202312260900.gRDPofL9-lkp@intel.com/config)
compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202312260900.gRDPofL9-lkp@intel.com/
smatch warnings:
drivers/hid/usbhid/hid-core.c:1026 usbhid_parse() warn: curly braces intended?
drivers/hid/usbhid/hid-core.c:1029 usbhid_parse() warn: inconsistent indenting
vim +1026 drivers/hid/usbhid/hid-core.c
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)
This for loop needs curly braces now.
d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1024 if (n >= ARRAY_SIZE(hdesc->desc))
d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1025 break;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 30+ messages in thread* Re: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
2024-01-03 14:12 ` Dan Carpenter
@ 2024-01-03 14:29 ` Aleksandr Nogikh
0 siblings, 0 replies; 30+ messages in thread
From: Aleksandr Nogikh @ 2024-01-03 14:29 UTC (permalink / raw)
To: Dan Carpenter
Cc: oe-kbuild, syzbot, linux-kernel, syzkaller-bugs, lkp, oe-kbuild-all
Hi Dan,
In this particular case syzbot just forwarded a user's patch testing
request to the LKML. I think there's not much value in kernel test
robot analyzing such emails.
--
Aleksandr
On Wed, Jan 3, 2024 at 3:12 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> Hi syzbot,
>
> kernel test robot noticed the following build warnings:
>
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/syzbot/usbhid-fix-array-index-out-of-bounds-in-usbhid_parse-UBSAN-warning/20231225-153341
> base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
> patch link: https://lore.kernel.org/r/0000000000009ae37b060d32c643%40google.com
> patch subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
> config: x86_64-randconfig-161-20231225 (https://download.01.org/0day-ci/archive/20231226/202312260900.gRDPofL9-lkp@intel.com/config)
> compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> | Closes: https://lore.kernel.org/r/202312260900.gRDPofL9-lkp@intel.com/
>
> smatch warnings:
> drivers/hid/usbhid/hid-core.c:1026 usbhid_parse() warn: curly braces intended?
> drivers/hid/usbhid/hid-core.c:1029 usbhid_parse() warn: inconsistent indenting
>
> vim +1026 drivers/hid/usbhid/hid-core.c
>
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
> 2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
> c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
> d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
> 6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
> 6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
> 6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
> c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
> c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
> 58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)
>
> This for loop needs curly braces now.
>
> d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1024 if (n >= ARRAY_SIZE(hdesc->desc))
> d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1025 break;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
> 58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
> 52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/5e68be46-caab-40f4-8e0f-543566fd7c28%40moroto.mountain.
^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
2024-01-03 14:12 ` Dan Carpenter
@ 2024-03-05 18:55 ` Kees Cook
1 sibling, 0 replies; 30+ messages in thread
From: Kees Cook @ 2024-03-05 18:55 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires, Attreyee Mukherjee
Cc: linux-kernel, syzkaller-bugs, syzbot, linux-usb, linux-hardening
Hi,
What's happened to getting a new version of this patch? This flaw is
still reachable in -next from what I can see?
Thanks,
-Kees
On Sat, Dec 23, 2023 at 11:59:51AM -0800, syzbot wrote:
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
>
> ***
>
> Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
> Author: tintinm2017@gmail.com
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
> Requesting help from the maintainers to understand what is really going wrong in the code.
>
> Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.
>
> Signed-off-by: Attreyee Mukherjee <tintinm2017@gmail.com>
> ---
> drivers/hid/usbhid/hid-core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> index a90ed2ceae84..582ddbef448f 100644
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
> (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
>
> for (n = 0; n < num_descriptors; n++)
> + if (n >= ARRAY_SIZE(hdesc->desc))
> + break;
> if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
> rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
>
> --
> 2.34.1
>
--
Kees Cook
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [input?] WARNING in bcm5974_start_traffic/usb_submit_urb (2)
@ 2024-04-15 1:54 syzbot
2024-04-15 10:18 ` [syzbot] test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2024-04-15 1:54 UTC (permalink / raw)
To: dmitry.torokhov, linux-input, linux-kernel, rydberg, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: fec50db7033e Linux 6.9-rc3
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14439bd3180000
kernel config: https://syzkaller.appspot.com/x/.config?x=560f5db1d0b3f6d0
dashboard link: https://syzkaller.appspot.com/bug?extid=b064b5599f18f7ebb1e1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c2c5bd180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13cbbf5b180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ab4d6cae2eca/disk-fec50db7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b67542cc5860/vmlinux-fec50db7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3eeebb470b79/Image-fec50db7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b064b5599f18f7ebb1e1@syzkaller.appspotmail.com
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 6237 at drivers/usb/core/urb.c:504 usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 0 PID: 6237 Comm: udevd Not tainted 6.9.0-rc3-syzkaller-gfec50db7033e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
lr : usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
sp : ffff80009f8b73b0
x29: ffff80009f8b73f0 x28: ffff0000d4fee000 x27: 0000000000000001
x26: ffff80008c6919e8 x25: ffff0000c8bd1fe0 x24: ffff0000c1d45a50
x23: ffff80008c698500 x22: dfff800000000000 x21: 0000000000000002
x20: 0000000000000cc0 x19: ffff0000c1d45a00 x18: 0000000000000008
x17: 0000000000000000 x16: ffff80008ae6d1bc x15: 0000000000000001
x14: 1fffe000367b9a02 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000002 x10: 0000000000ff0100 x9 : b1573c5f9bab7600
x8 : b1573c5f9bab7600 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009f8b6b18 x4 : ffff80008ef65000 x3 : ffff8000805e9200
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
usb_submit_urb+0xa00/0x1434 drivers/usb/core/urb.c:503
bcm5974_start_traffic+0xe0/0x154 drivers/input/mouse/bcm5974.c:799
bcm5974_open+0x98/0x134 drivers/input/mouse/bcm5974.c:839
input_open_device+0x170/0x29c drivers/input/input.c:654
evdev_open_device drivers/input/evdev.c:400 [inline]
evdev_open+0x308/0x4b4 drivers/input/evdev.c:487
chrdev_open+0x3c8/0x4dc fs/char_dev.c:414
do_dentry_open+0x778/0x12b4 fs/open.c:955
vfs_open+0x7c/0x90 fs/open.c:1089
do_open fs/namei.c:3642 [inline]
path_openat+0x1f6c/0x2830 fs/namei.c:3799
do_filp_open+0x1bc/0x3cc fs/namei.c:3826
do_sys_openat2+0x124/0x1b8 fs/open.c:1406
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1432
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 5626
hardirqs last enabled at (5625): [<ffff8000803749b0>] __up_console_sem kernel/printk/printk.c:341 [inline]
hardirqs last enabled at (5625): [<ffff8000803749b0>] __console_unlock kernel/printk/printk.c:2731 [inline]
hardirqs last enabled at (5625): [<ffff8000803749b0>] console_unlock+0x17c/0x3d4 kernel/printk/printk.c:3050
hardirqs last disabled at (5626): [<ffff80008ae68608>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (2362): [<ffff800080031848>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (2360): [<ffff800080031814>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [bluetooth?] WARNING in hci_conn_set_handle
@ 2024-04-14 6:05 syzbot
2024-04-15 9:33 ` [syzbot] test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2024-04-14 6:05 UTC (permalink / raw)
To: johan.hedberg, linux-bluetooth, linux-kernel, luiz.dentz, marcel,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 480e035fc4c7 Merge tag 'drm-next-2024-03-13' of https://gi..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=138825a1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=1e5b814e91787669
dashboard link: https://syzkaller.appspot.com/bug?extid=d6282a21a27259b5f7e7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f3e213180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162d4723180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f73b6ef963d/disk-480e035f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/46c949396aad/vmlinux-480e035f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e3b4d0f5a5f8/bzImage-480e035f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6282a21a27259b5f7e7@syzkaller.appspotmail.com
------------[ cut here ]------------
ida_free called for id=8192 which is not allocated.
WARNING: CPU: 0 PID: 5073 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
Modules linked in:
CPU: 0 PID: 5073 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: hci0 hci_rx_work
RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
Code: 10 42 80 3c 28 00 74 05 e8 8d de 90 f6 48 8b 7c 24 40 4c 89 fe e8 c0 93 17 00 90 48 c7 c7 c0 e6 c6 8c 89 de e8 81 63 f0 f5 90 <0f> 0b 90 90 eb 3d e8 45 8f 2d f6 49 bd 00 00 00 00 00 fc ff df 4d
RSP: 0018:ffffc90003a0f780 EFLAGS: 00010246
RAX: d8e6756074d01200 RBX: 0000000000002000 RCX: ffff888022703c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003a0f880 R08: ffffffff8157cc12 R09: 1ffff92000741e90
R10: dffffc0000000000 R11: fffff52000741e91 R12: ffffc90003a0f7c0
R13: dffffc0000000000 R14: ffff88801fce00a0 R15: 0000000000000246
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78c634e9c3 CR3: 0000000078b22000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
hci_conn_set_handle+0x193/0x270 net/bluetooth/hci_conn.c:1257
hci_le_create_big_complete_evt+0x345/0xae0 net/bluetooth/hci_event.c:6924
hci_event_func net/bluetooth/hci_event.c:7514 [inline]
hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569
hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f0/0x390 kernel/kthread.c:388
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [ntfs3?] WARNING in do_open_execat (2)
@ 2024-04-09 22:42 syzbot
2024-04-15 5:22 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2024-04-09 22:42 UTC (permalink / raw)
To: almaz.alexandrovich, brauner, ebiederm, jack, keescook,
linux-fsdevel, linux-kernel, linux-mm, ntfs3, syzkaller-bugs,
viro
Hello,
syzbot found the following issue on:
HEAD commit: 707081b61156 Merge branch 'for-next/core', remote-tracking..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=106d6d15180000
kernel config: https://syzkaller.appspot.com/x/.config?x=caeac3f3565b057a
dashboard link: https://syzkaller.appspot.com/bug?extid=fe18c63ce101f2b358bb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156040bd180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149d2ead180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6cad68bf7532/disk-707081b6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a27e5400778/vmlinux-707081b6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/67dfc53755d0/Image-707081b6.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e198b7a8a7f2/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fe18c63ce101f2b358bb@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6164 at fs/exec.c:940 do_open_execat+0x2bc/0x3bc
Modules linked in:
CPU: 0 PID: 6164 Comm: syz-executor379 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : do_open_execat+0x2bc/0x3bc
lr : do_open_execat+0x2b8/0x3bc fs/exec.c:939
sp : ffff8000977a7b60
x29: ffff8000977a7bd0 x28: 0000000000000000 x27: ffff0000d609da2c
x26: 00000000ffffff9c x25: dfff800000000000 x24: ffff700012ef4f6c
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
x20: fffffffffffffff3 x19: ffff0000d5ba0000 x18: ffff8000977a7100
x17: 000000000000c791 x16: ffff80008aca6dc0 x15: 0000000000000002
x14: 1ffff00012ef4f34 x13: 0000000000000000 x12: 0000000000000000
x11: ffff700012ef4f36 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000d609da00 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000010
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000008000
Call trace:
do_open_execat+0x2bc/0x3bc
alloc_bprm+0x44/0x934 fs/exec.c:1541
do_execveat_common+0x158/0x814 fs/exec.c:1935
do_execveat fs/exec.c:2069 [inline]
__do_sys_execveat fs/exec.c:2143 [inline]
__se_sys_execveat fs/exec.c:2137 [inline]
__arm64_sys_execveat+0xd0/0xec fs/exec.c:2137
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 24796
hardirqs last enabled at (24795): [<ffff80008ae5ce28>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (24795): [<ffff80008ae5ce28>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (24796): [<ffff80008ad66988>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (24766): [<ffff80008002189c>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last enabled at (24766): [<ffff80008002189c>] __do_softirq+0xac8/0xce4 kernel/softirq.c:582
softirqs last disabled at (24737): [<ffff80008002ab48>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] Test
@ 2023-11-19 12:31 syzbot
0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2023-11-19 12:31 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Test
Author: tintinm2017@gmail.com
#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [kvm?] WARNING in kvm_mmu_notifier_invalidate_range_start (3)
@ 2023-11-17 5:01 syzbot
2023-11-17 10:55 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-11-17 5:01 UTC (permalink / raw)
To: kvm, linux-kernel, pbonzini, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: b57b17e88bf5 Merge tag 'parisc-for-6.7-rc1-2' of git://git..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14460084e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d950a2e2e34359e2
dashboard link: https://syzkaller.appspot.com/bug?extid=c74f40907a9c0479af10
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15785fc4e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1469c9a8e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f611e08f3538/disk-b57b17e8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/035697c78f4a/vmlinux-b57b17e8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fd2581edc0c/bzImage-b57b17e8.xz
Bisection is inconclusive: the first bad commit could be any of:
d61ea1cb0095 userfaultfd: UFFD_FEATURE_WP_ASYNC
52526ca7fdb9 fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1338e5a8e80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c74f40907a9c0479af10@syzkaller.appspotmail.com
kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5071 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 __kvm_handle_hva_range arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 [inline]
WARNING: CPU: 1 PID: 5071 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 kvm_mmu_notifier_invalidate_range_start+0x91b/0xa90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:811
Modules linked in:
CPU: 1 PID: 5071 Comm: syz-executor531 Not tainted 6.6.0-syzkaller-16201-gb57b17e88bf5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__kvm_handle_hva_range arch/x86/kvm/../../../virt/kvm/kvm_main.c:592 [inline]
RIP: 0010:kvm_mmu_notifier_invalidate_range_start+0x91b/0xa90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:811
Code: 1b 8c 7e 00 45 84 e4 0f 85 9f f8 ff ff e8 dd 90 7e 00 0f 0b e9 93 f8 ff ff e8 d1 90 7e 00 0f 0b e9 d9 fd ff ff e8 c5 90 7e 00 <0f> 0b e9 e6 fc ff ff e8 b9 90 7e 00 0f 0b e9 a9 fc ff ff e8 ad 90
RSP: 0018:ffffc90003877ac8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000020ffc000 RCX: ffffffff810a0d7b
RDX: ffff88807e9d1dc0 RSI: ffffffff810a141b RDI: 0000000000000006
RBP: ffffc90003877d60 R08: 0000000000000006 R09: 0000000020ffc000
R10: 0000000020ffc000 R11: ffffffff916014f0 R12: ffffc900015aea30
R13: 0000000000000001 R14: 0000000020ffc000 R15: ffffc900015b7810
FS: 00005555562b2380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd7cef33ae0 CR3: 000000007bde5000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mn_hlist_invalidate_range_start mm/mmu_notifier.c:493 [inline]
__mmu_notifier_invalidate_range_start+0x3b5/0x8e0 mm/mmu_notifier.c:548
mmu_notifier_invalidate_range_start include/linux/mmu_notifier.h:457 [inline]
do_pagemap_scan+0xbd3/0xcc0 fs/proc/task_mmu.c:2422
do_pagemap_cmd+0x5e/0x80 fs/proc/task_mmu.c:2478
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f826e81d5e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc43d7c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc43d7c2e0 RCX: 00007f826e81d5e9
RDX: 0000000020000040 RSI: 00000000c0606610 RDI: 0000000000000005
RBP: 00007f826e890610 R08: 0000000000000000 R09: 68742f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc43d7c518 R14: 0000000000000001 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [kernel?] inconsistent lock state in ptrace_attach
@ 2023-11-16 11:09 syzbot
2023-11-17 13:51 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-11-16 11:09 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: f31817cbcf48 Add linux-next specific files for 20231116
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=112158fb680000
kernel config: https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=cbb25bb9b4d29a773985
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/987488cb251e/disk-f31817cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d4a82d8bd4b/vmlinux-f31817cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc43dee9cb86/bzImage-f31817cb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cbb25bb9b4d29a773985@syzkaller.appspotmail.com
================================
WARNING: inconsistent lock state
6.7.0-rc1-next-20231116-syzkaller #0 Not tainted
--------------------------------
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
syz-executor.1/5657 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: ptrace_set_stopped kernel/ptrace.c:391 [inline]
ffff88807ba4a518 (&sighand->siglock){?.-.}-{2:2}, at: ptrace_attach+0x401/0x650 kernel/ptrace.c:478
{IN-HARDIRQ-W} state was registered at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
__lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
lock_task_sighand include/linux/sched/signal.h:748 [inline]
send_sigqueue+0x1d4/0x840 kernel/signal.c:1996
posix_timer_event kernel/time/posix-timers.c:298 [inline]
posix_timer_fn+0x181/0x3d0 kernel/time/posix-timers.c:324
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1065 [inline]
__sysvec_apic_timer_interrupt+0x10c/0x410 arch/x86/kernel/apic/apic.c:1082
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1076
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
lock_acquire+0x1f2/0x530 kernel/locking/lockdep.c:5721
rcu_lock_acquire include/linux/rcupdate.h:301 [inline]
rcu_read_lock include/linux/rcupdate.h:747 [inline]
batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:408 [inline]
batadv_nc_worker+0x16e/0x10e0 net/batman-adv/network-coding.c:719
process_one_work+0x8a4/0x15f0 kernel/workqueue.c:2636
process_scheduled_works kernel/workqueue.c:2709 [inline]
worker_thread+0x8b6/0x1290 kernel/workqueue.c:2790
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
irq event stamp: 1111
hardirqs last enabled at (1111): [<ffffffff8a84a34e>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (1111): [<ffffffff8a84a34e>] _raw_spin_unlock_irqrestore+0x4e/0x70 kernel/locking/spinlock.c:194
hardirqs last disabled at (1110): [<ffffffff8a84a0fe>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (1110): [<ffffffff8a84a0fe>] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162
softirqs last enabled at (1016): [<ffffffff81310072>] local_bh_enable include/linux/bottom_half.h:33 [inline]
softirqs last enabled at (1016): [<ffffffff81310072>] fpregs_unlock arch/x86/include/asm/fpu/api.h:80 [inline]
softirqs last enabled at (1016): [<ffffffff81310072>] fpu_clone+0x342/0xb60 arch/x86/kernel/fpu/core.c:634
softirqs last disabled at (1014): [<ffffffff81310007>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (1014): [<ffffffff81310007>] fpregs_lock arch/x86/include/asm/fpu/api.h:72 [inline]
softirqs last disabled at (1014): [<ffffffff81310007>] fpu_clone+0x2d7/0xb60 arch/x86/kernel/fpu/core.c:630
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&sighand->siglock);
<Interrupt>
lock(&sighand->siglock);
*** DEADLOCK ***
2 locks held by syz-executor.1/5657:
#0: ffff888022a1e3c8 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: class_mutex_intr_constructor include/linux/mutex.h:225 [inline]
#0: ffff888022a1e3c8 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: ptrace_attach+0x1eb/0x650 kernel/ptrace.c:455
#1: ffffffff8cc0a098 (tasklist_lock){++++}-{2:2}, at: class_write_lock_constructor include/linux/spinlock.h:564 [inline]
#1: ffffffff8cc0a098 (tasklist_lock){++++}-{2:2}, at: ptrace_attach+0x2c3/0x650 kernel/ptrace.c:464
stack backtrace:
CPU: 0 PID: 5657 Comm: syz-executor.1 Not tainted 6.7.0-rc1-next-20231116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_usage_bug kernel/locking/lockdep.c:3970 [inline]
valid_state kernel/locking/lockdep.c:4012 [inline]
mark_lock_irq kernel/locking/lockdep.c:4215 [inline]
mark_lock+0x91a/0xc50 kernel/locking/lockdep.c:4677
mark_usage kernel/locking/lockdep.c:4586 [inline]
__lock_acquire+0x919/0x3b10 kernel/locking/lockdep.c:5090
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ptrace_set_stopped kernel/ptrace.c:391 [inline]
ptrace_attach+0x401/0x650 kernel/ptrace.c:478
__do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f390ac7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f390ba5a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000065
RAX: ffffffffffffffda RBX: 00007f390ad9c1f0 RCX: 00007f390ac7cae9
RDX: 0000000000000000 RSI: 000000000000005c RDI: 0000000000000010
RBP: 00007f390acc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f390ad9c1f0 R15: 00007ffe8ba90308
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] [cgroups?] possible deadlock in cgroup_free
@ 2023-11-16 11:08 syzbot
2023-11-17 10:58 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-11-16 11:08 UTC (permalink / raw)
To: cgroups, hannes, linux-kernel, lizefan.x, syzkaller-bugs, tj
Hello,
syzbot found the following issue on:
HEAD commit: f31817cbcf48 Add linux-next specific files for 20231116
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17d0aca7680000
kernel config: https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=cef555184e66963dabc2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/987488cb251e/disk-f31817cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d4a82d8bd4b/vmlinux-f31817cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc43dee9cb86/bzImage-f31817cb.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cef555184e66963dabc2@syzkaller.appspotmail.com
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
6.7.0-rc1-next-20231116-syzkaller #0 Not tainted
-----------------------------------------------------
syz-executor.3/8188 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
ffff88801f641298 (&sighand->siglock){+.+.}-{2:2}, at: __lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
and this task is already holding:
ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: cgroup_migrate_execute+0xd8/0x1230 kernel/cgroup/cgroup.c:2566
which would create a new lock dependency:
(css_set_lock){..-.}-{2:2} -> (&sighand->siglock){+.+.}-{2:2}
but this new dependency connects a SOFTIRQ-irq-safe lock:
(css_set_lock){..-.}-{2:2}
... which became SOFTIRQ-irq-safe at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
put_css_set kernel/cgroup/cgroup-internal.h:208 [inline]
put_css_set kernel/cgroup/cgroup-internal.h:196 [inline]
cgroup_free+0x7c/0x1d0 kernel/cgroup/cgroup.c:6748
__put_task_struct+0x10b/0x3d0 kernel/fork.c:992
put_task_struct include/linux/sched/task.h:136 [inline]
put_task_struct include/linux/sched/task.h:123 [inline]
delayed_put_task_struct+0x22c/0x2d0 kernel/exit.c:227
rcu_do_batch kernel/rcu/tree.c:2158 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2431
__do_softirq+0x216/0x8d5 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb5/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
lock_acquire+0x1f2/0x530 kernel/locking/lockdep.c:5721
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_put_or_lock+0x18/0x80 lib/lockref.c:147
fast_dput fs/dcache.c:775 [inline]
fast_dput fs/dcache.c:765 [inline]
dput+0x4c4/0xd90 fs/dcache.c:900
shmem_unlink+0x1bc/0x310 mm/shmem.c:3373
shmem_rename2+0x1ff/0x3b0 mm/shmem.c:3451
vfs_rename+0xe20/0x1c30 fs/namei.c:4844
do_renameat2+0xc3c/0xdc0 fs/namei.c:4996
__do_sys_rename fs/namei.c:5042 [inline]
__se_sys_rename fs/namei.c:5040 [inline]
__x64_sys_rename+0x81/0xa0 fs/namei.c:5040
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
to a SOFTIRQ-irq-unsafe lock:
(&sighand->siglock){+.+.}-{2:2}
... which became SOFTIRQ-irq-unsafe at:
...
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ptrace_set_stopped kernel/ptrace.c:391 [inline]
ptrace_attach+0x401/0x650 kernel/ptrace.c:478
__do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
other info that might help us debug this:
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&sighand->siglock);
local_irq_disable();
lock(css_set_lock);
lock(&sighand->siglock);
<Interrupt>
lock(css_set_lock);
*** DEADLOCK ***
8 locks held by syz-executor.3/8188:
#0: ffff88801d0e0d48 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe7/0x170 fs/file.c:1177
#1: ffff888014b44420 (sb_writers#10){.+.+}-{0:0}, at: ksys_write+0x12f/0x250 fs/read_write.c:637
#2: ffff88807ad7f088 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27d/0x500 fs/kernfs/file.c:325
#3: ffffffff8cff8768 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock include/linux/cgroup.h:368 [inline]
#3: ffffffff8cff8768 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock_and_drain_offline+0xad/0x6d0 kernel/cgroup/cgroup.c:3092
#4: ffffffff8ce51f70 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2413 [inline]
#4: ffffffff8ce51f70 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_update_dfl_csses+0x2fb/0x640 kernel/cgroup/cgroup.c:3050
#5: ffffffff8cff8530 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2415 [inline]
#5: ffffffff8cff8530 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2411 [inline]
#5: ffffffff8cff8530 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_update_dfl_csses+0x3d1/0x640 kernel/cgroup/cgroup.c:3050
#6: ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:376 [inline]
#6: ffffffff8cff86b8 (css_set_lock){..-.}-{2:2}, at: cgroup_migrate_execute+0xd8/0x1230 kernel/cgroup/cgroup.c:2566
#7: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:301 [inline]
#7: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]
#7: ffffffff8cfad060 (rcu_read_lock){....}-{1:2}, at: __lock_task_sighand+0x3f/0x340 kernel/signal.c:1405
the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
-> (css_set_lock){..-.}-{2:2} {
IN-SOFTIRQ-W at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
put_css_set kernel/cgroup/cgroup-internal.h:208 [inline]
put_css_set kernel/cgroup/cgroup-internal.h:196 [inline]
cgroup_free+0x7c/0x1d0 kernel/cgroup/cgroup.c:6748
__put_task_struct+0x10b/0x3d0 kernel/fork.c:992
put_task_struct include/linux/sched/task.h:136 [inline]
put_task_struct include/linux/sched/task.h:123 [inline]
delayed_put_task_struct+0x22c/0x2d0 kernel/exit.c:227
rcu_do_batch kernel/rcu/tree.c:2158 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2431
__do_softirq+0x216/0x8d5 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb5/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
lock_acquire+0x1f2/0x530 kernel/locking/lockdep.c:5721
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_put_or_lock+0x18/0x80 lib/lockref.c:147
fast_dput fs/dcache.c:775 [inline]
fast_dput fs/dcache.c:765 [inline]
dput+0x4c4/0xd90 fs/dcache.c:900
shmem_unlink+0x1bc/0x310 mm/shmem.c:3373
shmem_rename2+0x1ff/0x3b0 mm/shmem.c:3451
vfs_rename+0xe20/0x1c30 fs/namei.c:4844
do_renameat2+0xc3c/0xdc0 fs/namei.c:4996
__do_sys_rename fs/namei.c:5042 [inline]
__se_sys_rename fs/namei.c:5040 [inline]
__x64_sys_rename+0x81/0xa0 fs/namei.c:5040
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
cgroup_setup_root+0x62c/0xa00 kernel/cgroup/cgroup.c:2138
cgroup_init+0x23f/0x1100 kernel/cgroup/cgroup.c:6120
start_kernel+0x385/0x480 init/main.c:1063
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
secondary_startup_64_no_verify+0x166/0x16b
}
... key at: [<ffffffff8cff86b8>] css_set_lock+0x18/0x60
the dependencies between the lock to be acquired
and SOFTIRQ-irq-unsafe lock:
-> (&sighand->siglock){+.+.}-{2:2} {
HARDIRQ-ON-W at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ptrace_set_stopped kernel/ptrace.c:391 [inline]
ptrace_attach+0x401/0x650 kernel/ptrace.c:478
__do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
SOFTIRQ-ON-W at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:530 [inline]
ptrace_set_stopped kernel/ptrace.c:391 [inline]
ptrace_attach+0x401/0x650 kernel/ptrace.c:478
__do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
calculate_sigpending+0x44/0xa0 kernel/signal.c:197
ret_from_fork+0x23/0x80 arch/x86/kernel/process.c:143
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
}
... key at: [<ffffffff90b49f80>] __key.341+0x0/0x40
... acquired at:
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
__lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
lock_task_sighand include/linux/sched/signal.h:748 [inline]
cgroup_freeze_task+0x80/0x190 kernel/cgroup/freezer.c:160
cgroup_freezer_migrate_task+0x1b7/0x3a0 kernel/cgroup/freezer.c:257
cgroup_migrate_execute+0x2d3/0x1230 kernel/cgroup/cgroup.c:2580
cgroup_update_dfl_csses+0x51b/0x640 kernel/cgroup/cgroup.c:3068
cgroup_apply_control kernel/cgroup/cgroup.c:3308 [inline]
cgroup_subtree_control_write+0xb94/0xed0 kernel/cgroup/cgroup.c:3453
cgroup_file_write+0x209/0x7c0 kernel/cgroup/cgroup.c:4092
kernfs_fop_write_iter+0x33f/0x500 fs/kernfs/file.c:334
call_write_iter include/linux/fs.h:2021 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x64d/0xdf0 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
stack backtrace:
CPU: 1 PID: 8188 Comm: syz-executor.3 Not tainted 6.7.0-rc1-next-20231116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_bad_irq_dependency kernel/locking/lockdep.c:2626 [inline]
check_irq_usage+0xe18/0x1470 kernel/locking/lockdep.c:2865
check_prev_add kernel/locking/lockdep.c:3138 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x247c/0x3b10 kernel/locking/lockdep.c:5136
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
__lock_task_sighand+0xc2/0x340 kernel/signal.c:1422
lock_task_sighand include/linux/sched/signal.h:748 [inline]
cgroup_freeze_task+0x80/0x190 kernel/cgroup/freezer.c:160
cgroup_freezer_migrate_task+0x1b7/0x3a0 kernel/cgroup/freezer.c:257
cgroup_migrate_execute+0x2d3/0x1230 kernel/cgroup/cgroup.c:2580
cgroup_update_dfl_csses+0x51b/0x640 kernel/cgroup/cgroup.c:3068
cgroup_apply_control kernel/cgroup/cgroup.c:3308 [inline]
cgroup_subtree_control_write+0xb94/0xed0 kernel/cgroup/cgroup.c:3453
cgroup_file_write+0x209/0x7c0 kernel/cgroup/cgroup.c:4092
kernfs_fop_write_iter+0x33f/0x500 fs/kernfs/file.c:334
call_write_iter include/linux/fs.h:2021 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x64d/0xdf0 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f83f387cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f83f466d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f83f399bf80 RCX: 00007f83f387cae9
RDX: 0000000000000006 RSI: 0000000020000100 RDI: 0000000000000004
RBP: 00007f83f38c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f83f399bf80 R15: 00007ffdda059fd8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] [wireless?] [net?] WARNING in ieee80211_rfkill_poll
@ 2023-11-08 12:38 syzbot
2023-11-15 6:33 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-11-08 12:38 UTC (permalink / raw)
To: davem, edumazet, johannes, kuba, linux-kernel, linux-usb,
linux-wireless, netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 90b0c2b2edd1 Merge tag 'pinctrl-v6.7-1' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1437f47b680000
kernel config: https://syzkaller.appspot.com/x/.config?x=b0220f5f3436eb1a
dashboard link: https://syzkaller.appspot.com/bug?extid=7e59a5bfc7a897247e18
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c670c0e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1310d47b680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/38f32e2d2d96/disk-90b0c2b2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ec454d0d1d26/vmlinux-90b0c2b2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/110137c447a9/bzImage-90b0c2b2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7e59a5bfc7a897247e18@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 1 PID: 732 at net/mac80211/driver-ops.h:688 drv_rfkill_poll net/mac80211/driver-ops.h:688 [inline]
WARNING: CPU: 1 PID: 732 at net/mac80211/driver-ops.h:688 ieee80211_rfkill_poll+0x134/0x170 net/mac80211/cfg.c:3100
Modules linked in:
CPU: 1 PID: 732 Comm: kworker/1:2 Not tainted 6.6.0-syzkaller-14142-g90b0c2b2edd1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Workqueue: events_power_efficient rfkill_poll
RIP: 0010:drv_rfkill_poll net/mac80211/driver-ops.h:688 [inline]
RIP: 0010:ieee80211_rfkill_poll+0x134/0x170 net/mac80211/cfg.c:3100
Code: 60 07 00 00 be ff ff ff ff 48 8d 78 68 e8 44 f4 38 00 31 ff 89 c5 89 c6 e8 89 59 39 fb 85 ed 0f 85 44 ff ff ff e8 0c 5e 39 fb <0f> 0b e9 38 ff ff ff e8 00 5e 39 fb 0f 0b 48 c7 c7 f8 16 34 89 e8
RSP: 0018:ffffc90001cafc90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888100ff0700 RCX: ffffffff8614b267
RDX: ffff888107368000 RSI: ffffffff8614b274 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffffffff15c0565 R12: ffff888100ff0700
R13: 0000000000000001 R14: ffffc90001cafd80 R15: ffff8881f673ad40
FS: 0000000000000000(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6477ad0e40 CR3: 00000001122fe000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rdev_rfkill_poll net/wireless/rdev-ops.h:636 [inline]
cfg80211_rfkill_poll+0xc9/0x240 net/wireless/core.c:224
rfkill_poll+0x8d/0x110 net/rfkill/core.c:1037
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready
@ 2023-11-03 23:11 syzbot
2023-11-13 11:16 ` [syzbot] test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-11-03 23:11 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, davem, edumazet, jakub, john.fastabend,
kuba, linux-kernel, netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 55c900477f5b net: fill in MODULE_DESCRIPTION()s under driv..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12586b51680000
kernel config: https://syzkaller.appspot.com/x/.config?x=429fa76d04cf393c
dashboard link: https://syzkaller.appspot.com/bug?extid=fd7b34375c1c8ce29c93
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154a6ac7680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c2f876eca348/disk-55c90047.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fae06633f86c/vmlinux-55c90047.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9bdbf63cb857/bzImage-55c90047.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fd7b34375c1c8ce29c93@syzkaller.appspotmail.com
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 637d5067 P4D 637d5067 PUD 631c2067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6103 Comm: syz-executor.1 Not tainted 6.6.0-rc7-syzkaller-02075-g55c900477f5b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000314f868 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888028b0b000 RCX: 0000000000000000
RDX: 1ffff1100f3c305c RSI: ffffffff8848f069 RDI: ffff888028b0b000
RBP: 0000000000000004 R08: 0000000000000007 R09: 0000000000000000
R10: ffff888079e18000 R11: 0000000000000000 R12: ffff888079e18000
R13: 0000000000000000 R14: ffff888028b0b000 R15: ffff888028b0b000
FS: 00007fc30c5666c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000025154000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sk_psock_verdict_data_ready net/core/skmsg.c:1228 [inline]
sk_psock_verdict_data_ready+0x207/0x3d0 net/core/skmsg.c:1208
unix_dgram_sendmsg+0x11b3/0x1ca0 net/unix/af_unix.c:2116
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
____sys_sendmsg+0x2ac/0x940 net/socket.c:2558
___sys_sendmsg+0x135/0x1d0 net/socket.c:2612
__sys_sendmmsg+0x1a1/0x450 net/socket.c:2698
__do_sys_sendmmsg net/socket.c:2727 [inline]
__se_sys_sendmmsg net/socket.c:2724 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2724
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc30b87cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc30c5660c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fc30b99bf80 RCX: 00007fc30b87cae9
RDX: 0000000000000002 RSI: 0000000020001680 RDI: 0000000000000003
RBP: 00007fc30b8c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc30b99bf80 R15: 00007ffc0cccf7e8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000314f868 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888028b0b000 RCX: 0000000000000000
RDX: 1ffff1100f3c305c RSI: ffffffff8848f069 RDI: ffff888028b0b000
RBP: 0000000000000004 R08: 0000000000000007 R09: 0000000000000000
R10: ffff888079e18000 R11: 0000000000000000 R12: ffff888079e18000
R13: 0000000000000000 R14: ffff888028b0b000 R15: ffff888028b0b000
FS: 00007fc30c5666c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000025154000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_msg_recvmsg
@ 2023-10-26 18:32 syzbot
2023-11-06 13:35 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-10-26 18:32 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, davem, edumazet, jakub, john.fastabend,
kuba, linux-kernel, netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 7cf4bea77ab6 Merge tag 'for-6.6-rc6-tag' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b76415680000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4436b383d761e86
dashboard link: https://syzkaller.appspot.com/bug?extid=84f695756ed0c4bb3aba
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1780cabd680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157c04fe680000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-7cf4bea7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8097f65801fe/vmlinux-7cf4bea7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1824f0c42bd6/Image-7cf4bea7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+84f695756ed0c4bb3aba@syzkaller.appspotmail.com
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000097c38006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
Access size = 8 byte(s)
SSE = 0, SRT = 3
SF = 1, AR = 0
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046851000
[0000000000000000] pgd=0800000047e00003, p4d=0800000047e00003, pud=080000004684b003, pmd=0000000000000000
Internal error: Oops: 0000000097c38006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3098 Comm: syz-executor448 Not tainted 6.6.0-rc6-syzkaller-00045-g7cf4bea77ab6 #0
Hardware name: linux,dummy-virt (DT)
pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : page_kasan_tag include/linux/mm.h:1801 [inline]
pc : lowmem_page_address include/linux/mm.h:2172 [inline]
pc : kmap_local_page include/linux/highmem-internal.h:185 [inline]
pc : copy_page_to_iter+0xb0/0x150 lib/iov_iter.c:479
lr : sk_msg_recvmsg+0xf8/0x37c net/core/skmsg.c:437
sp : ffff800082b43940
x29: ffff800082b43940 x28: 0000000000000000 x27: fdff00000526c000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000040000000000 x21: ffff000000000000
x20: 0000000000001000 x19: ffff800082b43d50 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdf150998
x14: 000000000000012a x13: 000000000000012a x12: 0000000000000002
x11: 0000000000000001 x10: b5bbc95fda8a2138 x9 : 9908e50d67e0cf7a
x8 : f6ff000004f48f88 x7 : 0000000000000000 x6 : f9ff000004e6ed40
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff800082b43d50
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
arch_static_branch_jump arch/arm64/include/asm/jump_label.h:38 [inline]
kasan_enabled include/linux/kasan-enabled.h:13 [inline]
page_kasan_tag include/linux/mm.h:1800 [inline]
lowmem_page_address include/linux/mm.h:2172 [inline]
kmap_local_page include/linux/highmem-internal.h:185 [inline]
copy_page_to_iter+0xb0/0x150 lib/iov_iter.c:479
sk_msg_recvmsg+0xf8/0x37c net/core/skmsg.c:437
unix_bpf_recvmsg net/unix/unix_bpf.c:73 [inline]
unix_bpf_recvmsg+0x13c/0x4f0 net/unix/unix_bpf.c:50
unix_dgram_recvmsg+0x30/0x4c net/unix/af_unix.c:2457
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg net/socket.c:1066 [inline]
sock_recvmsg net/socket.c:1062 [inline]
____sys_recvmsg+0x1d0/0x268 net/socket.c:2777
___sys_recvmsg+0x90/0xe8 net/socket.c:2819
do_recvmmsg+0xc8/0x2f4 net/socket.c:2913
__sys_recvmmsg net/socket.c:2992 [inline]
__do_sys_recvmmsg net/socket.c:3015 [inline]
__se_sys_recvmmsg net/socket.c:3008 [inline]
__arm64_sys_recvmmsg+0xd0/0xec net/socket.c:3008
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595
Code: 8b160320 d346fc00 8b0032a0 d503201f (f9400323)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 8b160320 add x0, x25, x22
4: d346fc00 lsr x0, x0, #6
8: 8b0032a0 add x0, x21, x0, lsl #12
c: d503201f nop
* 10: f9400323 ldr x3, [x25] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [ntfs3?] WARNING in attr_data_get_block (3)
@ 2023-10-05 19:47 syzbot
2023-11-19 11:27 ` [syzbot] test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-10-05 19:47 UTC (permalink / raw)
To: almaz.alexandrovich, clang-built-linux, linux-fsdevel,
linux-kernel, nathan, ndesaulniers, ntfs3, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: e402b08634b3 Merge tag 'soc-fixes-6.6' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111e0d01680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=a9850b21d99643eadbb8
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12b684e6680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ede4d6680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/41cd2d7ae4a2/disk-e402b086.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/06c5c0caa862/vmlinux-e402b086.xz
kernel image: https://storage.googleapis.com/syzbot-assets/483b777ed71c/bzImage-e402b086.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/f17ff5020b6d/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/6aff89451d15/mount_2.gz
The issue was bisected to:
commit 6e5be40d32fb1907285277c02e74493ed43d77fe
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date: Fri Aug 13 14:21:30 2021 +0000
fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15f20a7c680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=17f20a7c680000
console output: https://syzkaller.appspot.com/x/log.txt?x=13f20a7c680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a9850b21d99643eadbb8@syzkaller.appspotmail.com
Fixes: 6e5be40d32fb ("fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile")
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5033 at fs/ntfs3/attrib.c:1059 attr_data_get_block+0x1926/0x2da0
Modules linked in:
CPU: 1 PID: 5033 Comm: syz-executor106 Not tainted 6.6.0-rc3-syzkaller-00214-ge402b08634b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:attr_data_get_block+0x1926/0x2da0 fs/ntfs3/attrib.c:1059
Code: 80 e1 07 80 c1 03 38 c1 0f 8c 48 ff ff ff 48 8d bc 24 e0 01 00 00 e8 19 74 18 ff 48 8b 54 24 58 e9 31 ff ff ff e8 ba 01 be fe <0f> 0b bb ea ff ff ff e9 11 fa ff ff e8 a9 01 be fe e9 0f f9 ff ff
RSP: 0018:ffffc9000406f6a0 EFLAGS: 00010293
RAX: ffffffff82d008b6 RBX: 00000000ffffffff RCX: ffff888025380000
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 00000000ffffffff
RBP: ffffc9000406f908 R08: ffffffff82d0038f R09: 1ffffffff20df689
R10: dffffc0000000000 R11: fffffbfff20df68a R12: 1ffff9200080def4
R13: 000000000000001c R14: ffff888076620140 R15: dffffc0000000000
FS: 00007f36f9b9c6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f36f9b9cd58 CR3: 0000000026956000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ntfs_fallocate+0xc6d/0x1100 fs/ntfs3/file.c:610
vfs_fallocate+0x551/0x6b0 fs/open.c:324
do_vfs_ioctl+0x22da/0x2b40 fs/ioctl.c:850
__do_sys_ioctl fs/ioctl.c:869 [inline]
__se_sys_ioctl+0x81/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f37091ff5a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f36f9b9c218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000003f RCX: 00007f37091ff5a9
RDX: 0000000020000780 RSI: 0000000040305828 RDI: 0000000000000004
RBP: 00007f37092aa6d8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f37092aa6d0
R13: 00007f3709277a14 R14: 726665646f747561 R15: 61635f6563617073
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] [bluetooth?] possible deadlock in hci_dev_do_close
@ 2023-09-25 5:15 syzbot
2023-11-15 5:18 ` [syzbot] test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-09-25 5:15 UTC (permalink / raw)
To: arkadiusz.bokowy, johan.hedberg, linux-bluetooth, linux-kernel,
luiz.dentz, luiz.von.dentz, marcel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 940fcc189c51 Add linux-next specific files for 20230921
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=127d4f64680000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f140ae6e669ac24
dashboard link: https://syzkaller.appspot.com/bug?extid=4e3a76c5c505a3f49083
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1081124a680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10cfe14a680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b8921b235c24/disk-940fcc18.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c80a9f6bcdd4/vmlinux-940fcc18.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ed10a4df6950/bzImage-940fcc18.xz
The issue was bisected to:
commit 091e25d6b54992d1d702ae91cbac139d4c243251
Author: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
Date: Wed Sep 20 15:30:07 2023 +0000
Bluetooth: vhci: Fix race when opening vhci device
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1326e53c680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10a6e53c680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1726e53c680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4e3a76c5c505a3f49083@syzkaller.appspotmail.com
Fixes: 091e25d6b549 ("Bluetooth: vhci: Fix race when opening vhci device")
======================================================
WARNING: possible circular locking dependency detected
6.6.0-rc2-next-20230921-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor126/5053 is trying to acquire lock:
ffff88807df1cdc0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10 kernel/workqueue.c:3403
but task is already holding lock:
ffff88807df1d0b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:552
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&hdev->req_lock){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:552
hci_rfkill_set_block+0x1b9/0x200 net/bluetooth/hci_core.c:956
rfkill_set_block+0x200/0x550 net/rfkill/core.c:346
rfkill_fop_write+0x2d4/0x570 net/rfkill/core.c:1306
vfs_write+0x2a4/0xe40 fs/read_write.c:582
ksys_write+0x1f0/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #2 (rfkill_global_mutex){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
rfkill_register+0x3a/0xb30 net/rfkill/core.c:1075
hci_register_dev+0x43a/0xd40 net/bluetooth/hci_core.c:2656
__vhci_create_device+0x393/0x800 drivers/bluetooth/hci_vhci.c:437
vhci_create_device drivers/bluetooth/hci_vhci.c:478 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:535 [inline]
vhci_write+0x2c7/0x470 drivers/bluetooth/hci_vhci.c:615
call_write_iter include/linux/fs.h:1957 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #1 (&data->open_mutex){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
vhci_send_frame+0x67/0xa0 drivers/bluetooth/hci_vhci.c:78
hci_send_frame+0x220/0x470 net/bluetooth/hci_core.c:3039
hci_sched_acl_pkt net/bluetooth/hci_core.c:3651 [inline]
hci_sched_acl net/bluetooth/hci_core.c:3736 [inline]
hci_tx_work+0x1456/0x1e40 net/bluetooth/hci_core.c:3835
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
-> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
__flush_work+0x103/0xa10 kernel/workqueue.c:3403
hci_dev_close_sync+0x22d/0x1160 net/bluetooth/hci_sync.c:4982
hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:554
hci_rfkill_set_block+0x1b9/0x200 net/bluetooth/hci_core.c:956
rfkill_set_block+0x200/0x550 net/rfkill/core.c:346
rfkill_fop_write+0x2d4/0x570 net/rfkill/core.c:1306
vfs_write+0x2a4/0xe40 fs/read_write.c:582
ksys_write+0x1f0/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that might help us debug this:
Chain exists of:
(work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&hdev->req_lock);
lock(rfkill_global_mutex);
lock(&hdev->req_lock);
lock((work_completion)(&hdev->tx_work));
*** DEADLOCK ***
2 locks held by syz-executor126/5053:
#0: ffffffff8ea842a8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570 net/rfkill/core.c:1298
#1: ffff88807df1d0b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:552
stack backtrace:
CPU: 1 PID: 5053 Comm: syz-executor126 Not tainted 6.6.0-rc2-next-20230921-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
check_noncircular+0x311/0x3f0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
__flush_work+0x103/0xa10 kernel/workqueue.c:3403
hci_dev_close_sync+0x22d/0x1160 net/bluetooth/hci_sync.c:4982
hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:554
hci_rfkill_set_block+0x1b9/0x200 net/bluetooth/hci_core.c:956
rfkill_set_block+0x200/0x550 net/rfkill/core.c:346
rfkill_fop_write+0x2d4/0x570 net/rfkill/core.c:1306
vfs_write+0x2a4/0xe40 fs/read_write.c:582
ksys_write+0x1f0/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8297388479
Code: 48 83 c4 28 c3 e8 e7 18 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc9ef0d068 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f82973df043 RCX: 00007f8297388479
RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007ffc9ef0d0b0 R08: 000000ff00ffa650 R09: 000000ff00ffa650
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc9ef0d098
R13: 00007f829740c5b0 R14: 0000000000000000 R15: 0000000000000001
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] [mm?] [hfs?] KASAN: slab-out-of-bounds Read in generic_perform_write
@ 2023-09-24 7:49 syzbot
2023-11-17 14:24 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-09-24 7:49 UTC (permalink / raw)
To: akpm, hughd, linux-fsdevel, linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 2cf0f7156238 Merge tag 'nfs-for-6.6-2' of git://git.linux-..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=153cd286680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e4ca82a1bedd37e4
dashboard link: https://syzkaller.appspot.com/bug?extid=4a2376bc62e59406c414
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e88918680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10aea78c680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eac482f1f6bc/disk-2cf0f715.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7a69dad9f1ff/vmlinux-2cf0f715.xz
kernel image: https://storage.googleapis.com/syzbot-assets/16676b650375/bzImage-2cf0f715.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c040f8fc7107/mount_0.gz
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10e0a282680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12e0a282680000
console output: https://syzkaller.appspot.com/x/log.txt?x=14e0a282680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4a2376bc62e59406c414@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_from_iter lib/iov_iter.c:380 [inline]
BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0x908/0x12f0 lib/iov_iter.c:590
Read of size 1024 at addr ffff888020b4ec00 by task kworker/u4:7/1273
CPU: 0 PID: 1273 Comm: kworker/u4:7 Not tainted 6.6.0-rc2-syzkaller-00018-g2cf0f7156238 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: loop0 loop_rootcg_workfn
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
memcpy_from_iter lib/iov_iter.c:380 [inline]
copy_page_from_iter_atomic+0x908/0x12f0 lib/iov_iter.c:590
generic_perform_write+0x392/0x630 mm/filemap.c:3950
shmem_file_write_iter+0xfc/0x120 mm/shmem.c:2865
do_iter_write+0x84f/0xde0 fs/read_write.c:860
lo_write_bvec drivers/block/loop.c:249 [inline]
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1915 [inline]
loop_process_work+0x14c3/0x22a0 drivers/block/loop.c:1950
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
worker_thread+0xa5f/0xff0 kernel/workqueue.c:2784
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
Allocated by task 5038:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1023 [inline]
__kmalloc+0xb9/0x230 mm/slab_common.c:1036
kmalloc include/linux/slab.h:603 [inline]
hfsplus_read_wrapper+0x545/0x1330 fs/hfsplus/wrapper.c:178
hfsplus_fill_super+0x38e/0x1c90 fs/hfsplus/super.c:413
mount_bdev+0x237/0x300 fs/super.c:1629
legacy_get_tree+0xef/0x190 fs/fs_context.c:638
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888020b4ec00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
allocated 512-byte region [ffff888020b4ec00, ffff888020b4ee00)
The buggy address belongs to the physical page:
page:ffffea000082d300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20b4c
head:ffffea000082d300 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012841c80 ffffea000085e900 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 12443144717, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_page_interleave+0x22/0x1d0 mm/mempolicy.c:2131
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
dev_pm_qos_constraints_allocate+0x8f/0x400 drivers/base/power/qos.c:204
__dev_pm_qos_add_request+0x121/0x4a0 drivers/base/power/qos.c:344
dev_pm_qos_add_request+0x3a/0x60 drivers/base/power/qos.c:394
usb_hub_create_port_device+0x4c6/0xc40 drivers/usb/core/port.c:727
hub_configure drivers/usb/core/hub.c:1685 [inline]
hub_probe+0x2469/0x3570 drivers/usb/core/hub.c:1922
usb_probe_interface+0x5c4/0xb00 drivers/usb/core/driver.c:396
really_probe+0x294/0xc30 drivers/base/dd.c:658
page_owner free stack trace missing
Memory state around the buggy address:
ffff888020b4ed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888020b4ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888020b4ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888020b4ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888020b4ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] [dri?] WARNING in drm_gem_object_handle_put_unlocked
@ 2023-09-16 1:22 syzbot
2023-11-15 6:33 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-09-16 1:22 UTC (permalink / raw)
To: airlied, christian.koenig, daniel, dri-devel, linaro-mm-sig,
linux-kernel, linux-media, maarten.lankhorst, mripard,
sumit.semwal, syzkaller-bugs, tzimmermann
Hello,
syzbot found the following issue on:
HEAD commit: 0bb80ecc33a8 Linux 6.6-rc1
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1002530c680000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4894cf58531f
dashboard link: https://syzkaller.appspot.com/bug?extid=ef3256a360c02207a4cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a79ca0680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16900402680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eeb0cac260c7/disk-0bb80ecc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3c360110254/vmlinux-0bb80ecc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/22b81065ba5f/bzImage-0bb80ecc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef3256a360c02207a4cb@syzkaller.appspotmail.com
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fda971e917c
R13: 00007fda97153210 R14: 0023647261632f69 R15: 6972642f7665642f
</TASK>
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5043 at drivers/gpu/drm/drm_gem.c:225 drm_gem_object_handle_put_unlocked+0x299/0x390 drivers/gpu/drm/drm_gem.c:225
Modules linked in:
CPU: 1 PID: 5043 Comm: syz-executor141 Not tainted 6.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:drm_gem_object_handle_put_unlocked+0x299/0x390 drivers/gpu/drm/drm_gem.c:225
Code: ea 03 0f b6 04 02 84 c0 74 0c 3c 03 7f 08 4c 89 f7 e8 2b 06 2a fd c7 83 20 01 00 00 00 00 00 00 e9 98 fe ff ff e8 57 44 d4 fc <0f> 0b 5b 5d 41 5c 41 5d 41 5e e9 48 44 d4 fc e8 43 44 d4 fc 48 8d
RSP: 0018:ffffc90003d5fbb8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888027b61000 RCX: 0000000000000000
RDX: ffff888014fcbb80 RSI: ffffffff84b38a29 RDI: 0000000000000005
RBP: ffff888027b61004 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88801d140000
R13: ffff888027b61008 R14: 0000000000000000 R15: ffff888027b61018
FS: 00007fda971536c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda971fe794 CR3: 0000000072975000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_gem_handle_create_tail+0x32f/0x540 drivers/gpu/drm/drm_gem.c:407
drm_gem_shmem_create_with_handle drivers/gpu/drm/drm_gem_shmem_helper.c:417 [inline]
drm_gem_shmem_dumb_create+0x21a/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:505
drm_mode_create_dumb drivers/gpu/drm/drm_dumb_buffers.c:96 [inline]
drm_mode_create_dumb_ioctl+0x268/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x280/0x4c0 drivers/gpu/drm/drm_ioctl.c:789
drm_ioctl+0x5cb/0xbf0 drivers/gpu/drm/drm_ioctl.c:892
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fda971954e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fda971531f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fda9721c3e8 RCX: 00007fda971954e9
RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007fda9721c3e0 R08: 00007fda97152f96 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fda971e917c
R13: 00007fda97153210 R14: 0023647261632f69 R15: 6972642f7665642f
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [ext4?] WARNING in ext4_discard_allocated_blocks
@ 2023-09-11 13:35 syzbot
2023-11-17 14:17 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-09-11 13:35 UTC (permalink / raw)
To: adilger.kernel, linux-ext4, linux-fsdevel, linux-kernel,
syzkaller-bugs, tytso
Hello,
syzbot found the following issue on:
HEAD commit: 7ba2090ca64e Merge tag 'ceph-for-6.6-rc1' of https://githu..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12c57f2fa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ed626705db308b2d
dashboard link: https://syzkaller.appspot.com/bug?extid=628e71e1cb809306030f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=111acb20680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=112d9f34680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7abbf7618c3a/disk-7ba2090c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/694adc723518/vmlinux-7ba2090c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c5d9addc4e4/bzImage-7ba2090c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a4604150b51d/mount_0.gz
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13e3dba8680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1013dba8680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17e3dba8680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+628e71e1cb809306030f@syzkaller.appspotmail.com
ext4: mb_load_buddy failed (-117)
WARNING: CPU: 0 PID: 5538 at fs/ext4/mballoc.c:4620 ext4_discard_allocated_blocks+0x5d4/0x750 fs/ext4/mballoc.c:4619
Modules linked in:
CPU: 0 PID: 5538 Comm: syz-executor264 Not tainted 6.5.0-syzkaller-12107-g7ba2090ca64e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:ext4_discard_allocated_blocks+0x5d4/0x750 fs/ext4/mballoc.c:4619
Code: 00 0f 85 9a 01 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 eb 99 48 ff 48 c7 c7 00 42 1d 8b 44 89 fe e8 8c 14 0f ff <0f> 0b 49 bf 00 00 00 00 00 fc ff df eb 98 e8 c9 99 48 ff e9 19 fe
RSP: 0018:ffffc90005006cc0 EFLAGS: 00010246
RAX: da27be545f79de00 RBX: 0000000000000001 RCX: ffff888026741dc0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90005006dd0 R08: ffffffff81541672 R09: 1ffff1101730516a
R10: dffffc0000000000 R11: ffffed101730516b R12: ffff888076b7a124
R13: 1ffff92000a00da0 R14: ffff888076b7a0d8 R15: 00000000ffffff8b
FS: 00007f095582f6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020100000 CR3: 000000001c40b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_mb_new_blocks+0x148f/0x4b30 fs/ext4/mballoc.c:6244
ext4_ext_map_blocks+0x1e13/0x7150 fs/ext4/extents.c:4285
ext4_map_blocks+0xa2f/0x1cb0 fs/ext4/inode.c:621
_ext4_get_block+0x238/0x6a0 fs/ext4/inode.c:763
ext4_block_write_begin+0x53d/0x1550 fs/ext4/inode.c:1043
ext4_write_begin+0x619/0x10b0
ext4_da_write_begin+0x300/0xa40 fs/ext4/inode.c:2865
generic_perform_write+0x31b/0x630 mm/filemap.c:3942
ext4_buffered_write_iter+0xc6/0x350 fs/ext4/file.c:299
ext4_file_write_iter+0x1d3/0x1ad0 fs/ext4/file.c:717
call_write_iter include/linux/fs.h:1985 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x782/0xaf0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0955872bd9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f095582f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f09558fc6c8 RCX: 00007f0955872bd9
RDX: 000000000000a000 RSI: 0000000020000780 RDI: 0000000000000005
RBP: 00007f09558fc6c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f09558c8a38
R13: 0000000000000000 R14: 6f6f6c2f7665642f R15: 0032656c69662f2e
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [ntfs3?] WARNING in do_symlinkat (2)
@ 2023-08-19 10:47 syzbot
2023-11-28 17:38 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-08-19 10:47 UTC (permalink / raw)
To: almaz.alexandrovich, brauner, linux-fsdevel, linux-kernel, ntfs3,
syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: d4ddefee5160 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1684c769a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c37cc0e4fcc5f8d
dashboard link: https://syzkaller.appspot.com/bug?extid=d123d9a1df4f9a897854
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1610933da80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d81e5fa80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/faa4473182fa/disk-d4ddefee.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f12b676582f4/vmlinux-d4ddefee.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e8c9cea34485/bzImage-d4ddefee.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/027d8c9977f5/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d123d9a1df4f9a897854@syzkaller.appspotmail.com
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff8880715bea70, owner = 0x0, curr 0xffff88802212bb80, list empty
WARNING: CPU: 1 PID: 5387 at kernel/locking/rwsem.c:1370 __up_write kernel/locking/rwsem.c:1369 [inline]
WARNING: CPU: 1 PID: 5387 at kernel/locking/rwsem.c:1370 up_write+0x4f4/0x580 kernel/locking/rwsem.c:1626
Modules linked in:
CPU: 1 PID: 5387 Comm: syz-executor310 Not tainted 6.5.0-rc6-syzkaller-00200-gd4ddefee5160 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:__up_write kernel/locking/rwsem.c:1369 [inline]
RIP: 0010:up_write+0x4f4/0x580 kernel/locking/rwsem.c:1626
Code: 48 c7 c7 20 8c 0a 8b 48 c7 c6 60 8e 0a 8b 48 8b 54 24 28 48 8b 4c 24 18 4d 89 e0 4c 8b 4c 24 30 53 e8 30 59 e8 ff 48 83 c4 08 <0f> 0b e9 75 fd ff ff 48 c7 c1 88 ab 98 8e 80 e1 07 80 c1 03 38 c1
RSP: 0018:ffffc900042afd40 EFLAGS: 00010292
RAX: 083997afe1a51c00 RBX: ffffffff8b0a8d00 RCX: ffff88802212bb80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900042afe10 R08: ffffffff8152d442 R09: 1ffff92000855f20
R10: dffffc0000000000 R11: fffff52000855f21 R12: 0000000000000000
R13: ffff8880715bea70 R14: 1ffff92000855fb0 R15: dffffc0000000000
FS: 00007f472f84f6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4737a71000 CR3: 000000002634e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
inode_unlock include/linux/fs.h:776 [inline]
done_path_create fs/namei.c:3937 [inline]
do_symlinkat+0x25e/0x610 fs/namei.c:4505
__do_sys_symlink fs/namei.c:4524 [inline]
__se_sys_symlink fs/namei.c:4522 [inline]
__x64_sys_symlink+0x7e/0x90 fs/namei.c:4522
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4737ab3d89
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f472f84f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f4737b5b6d8 RCX: 00007f4737ab3d89
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000020000540
RBP: 00007f4737b5b6d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4737b27954
R13: 00007f4737b27850 R14: 0031656c69662f2e R15: 0030656c69662f2e
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread
* [syzbot] [bpf?] [reiserfs?] WARNING: locking bug in corrupted (2)
@ 2023-07-11 1:53 syzbot
2023-11-17 14:27 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2023-07-11 1:53 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, davem, haoluo, hawk, jack,
john.fastabend, jolsa, kpsingh, kuba, linux-fsdevel,
linux-kernel, luto, martin.lau, netdev, peterz, reiserfs-devel,
sdf, song, syzkaller-bugs, tglx, yhs, yukuai3
Hello,
syzbot found the following issue on:
HEAD commit: c17414a273b8 Merge tag 'sh-for-v6.5-tag1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13cc4baca80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ad417033279f15a
dashboard link: https://syzkaller.appspot.com/bug?extid=3779764ddb7a3e19437f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12bbd544a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd50b0a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ea495e93586c/disk-c17414a2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdb03e817e47/vmlinux-c17414a2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/20ba23616f1f/bzImage-c17414a2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/98d086ce1a87/mount_0.gz
The issue was bisected to:
commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78
Author: Yu Kuai <yukuai3@huawei.com>
Date: Fri Jul 2 04:07:43 2021 +0000
reiserfs: add check for root_inode in reiserfs_fill_super
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=143b663ca80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=163b663ca80000
console output: https://syzkaller.appspot.com/x/log.txt?x=123b663ca80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3779764ddb7a3e19437f@syzkaller.appspotmail.com
Fixes: 2acf15b94d5b ("reiserfs: add check for root_inode in reiserfs_fill_super")
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)
WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:5045 __lock_acquire+0x164b/0x5e20 kernel/locking/lockdep.c:5045
Modules linked in:
CPU: 0 PID: 0 Comm: Not tainted 6.4.0-syzkaller-12069-gc17414a273b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:__lock_acquire+0x164b/0x5e20 kernel/locking/lockdep.c:5045
Code: d2 0f 85 be 47 00 00 44 8b 3d 0d b3 44 0d 45 85 ff 0f 85 40 f8 ff ff 48 c7 c6 40 9f 6c 8a 48 c7 c7 e0 6e 6c 8a e8 b5 46 e6 ff <0f> 0b e9 29 f8 ff ff 48 8d 7d f8 48 b8 00 00 00 00 00 fc ff df 48
RSP: 0018:ffffc90000007ca8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 1ffff92000000fc7 RCX: 0000000000000000
RDX: ffff8880779d5940 RSI: ffffffff814c34f7 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880779d5940
R13: ffff8880b982b898 R14: 0000000000000000 R15: 0000000000000000
FS: 00005555573b8300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde3197000 CR3: 00000000173e2000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 arch_local_irq_enable arch/x86/include/asm/irqflags.h:78 [inline]
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 arch_local_irq_restore arch/x86/include/asm/irqflags.h:135 [inline]
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 rcu_read_unlock_special kernel/rcu/tree_plugin.h:678 [inline]
WARNING: CPU: 0 PID: 0 at kernel/rcu/tree_plugin.h:431 __rcu_read_unlock+0x24b/0x570 kernel/rcu/tree_plugin.h:426
Modules linked in:
CPU: 0 PID: 0 Comm: Not tainted 6.4.0-syzkaller-12069-gc17414a273b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:__rcu_read_unlock+0x24b/0x570 kernel/rcu/tree_plugin.h:431
Code: 00 e8 49 4f df ff 4d 85 f6 74 05 e8 cf c3 1c 00 9c 58 f6 c4 02 0f 85 78 02 00 00 4d 85 f6 0f 84 83 fe ff ff fb e9 7d fe ff ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 e8 25 50 69 00 e9 2a fe ff ff e8
RSP: 0018:ffffc900000079d8 EFLAGS: 00010096
RAX: 00000000ffff8880 RBX: ffff8880779d5940 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8192bb90 RDI: ffff8880779d5d7c
RBP: ffff8880779d5940 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880779d5940
R13: ffffc90000007bf8 R14: 0000000000000000 R15: ffffc90000007a98
FS: 00005555573b8300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde3197000 CR3: 00000000173e2000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
rcu_read_unlock include/linux/rcupdate.h:781 [inline]
is_bpf_text_address+0x85/0x1b0 kernel/bpf/core.c:721
kernel_text_address kernel/extable.c:125 [inline]
kernel_text_address+0x3d/0x80 kernel/extable.c:94
__kernel_text_address+0xd/0x30 kernel/extable.c:79
show_trace_log_lvl+0x1c7/0x390 arch/x86/kernel/dumpstack.c:259
__warn+0xe6/0x390 kernel/panic.c:671
__report_bug lib/bug.c:199 [inline]
report_bug+0x2da/0x500 lib/bug.c:219
handle_bug+0x3c/0x70 arch/x86/kernel/traps.c:324
exc_invalid_op+0x18/0x50 arch/x86/kernel/traps.c:345
asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:568
RIP: 0010:__lock_acquire+0x164b/0x5e20 kernel/locking/lockdep.c:5045
Code: d2 0f 85 be 47 00 00 44 8b 3d 0d b3 44 0d 45 85 ff 0f 85 40 f8 ff ff 48 c7 c6 40 9f 6c 8a 48 c7 c7 e0 6e 6c 8a e8 b5 46 e6 ff <0f> 0b e9 29 f8 ff ff 48 8d 7d f8 48 b8 00 00 00 00 00 fc ff df 48
RSP: 0018:ffffc90000007ca8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 1ffff92000000fc7 RCX: 0000000000000000
RDX: ffff8880779d5940 RSI: ffffffff814c34f7 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880779d5940
R13: ffff8880b982b898 R14: 0000000000000000 R15: 0000000000000000
lock_acquire kernel/locking/lockdep.c:5761 [inline]
lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5726
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
hrtimer_interrupt+0x107/0x7b0 kernel/time/hrtimer.c:1795
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1098 [inline]
__sysvec_apic_timer_interrupt+0x14a/0x430 arch/x86/kernel/apic/apic.c:1115
sysvec_apic_timer_interrupt+0x92/0xc0 arch/x86/kernel/apic/apic.c:1109
</IRQ>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] UBSAN: array-index-out-of-bounds in diWrite
@ 2022-10-21 4:45 syzbot
2023-11-02 15:02 ` [syzbot] test syzbot
` (3 more replies)
0 siblings, 4 replies; 30+ messages in thread
From: syzbot @ 2022-10-21 4:45 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 493ffd6605b2 Merge tag 'ucount-rlimits-cleanups-for-v5.19'..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1512cd9a880000
kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
dashboard link: https://syzkaller.appspot.com/bug?extid=c1056fdfe414463fdb33
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f431d2880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1208894a880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f1ff6481e26f/disk-493ffd66.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/101bd3c7ae47/vmlinux-493ffd66.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/720c16671db9/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c1056fdfe414463fdb33@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:749:4
index 255 is out of range for type 'struct dtslot [128]'
CPU: 1 PID: 3606 Comm: syz-executor322 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283
diWrite+0x1311/0x1f80 fs/jfs/jfs_imap.c:749
txCommit+0xa2e/0x6d40 fs/jfs/jfs_txnmgr.c:1250
jfs_mkdir+0x911/0xb00 fs/jfs/namei.c:290
vfs_mkdir+0x3b3/0x590 fs/namei.c:4013
do_mkdirat+0x279/0x550 fs/namei.c:4038
__do_sys_mkdirat fs/namei.c:4053 [inline]
__se_sys_mkdirat fs/namei.c:4051 [inline]
__x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1a977dfe49
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8f230c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1a977dfe49
RDX: 00000000000001ff RSI: 00000000200000c0 RDI: ffffffffffffff9c
RBP: 00007f1a9779f610 R08: 0000000000000000 R09: 0000000000000000
R10: 00005555566302c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000fc R15: 0000000000000000
</TASK>
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 30+ messages in thread* [syzbot] general protection fault in l2cap_chan_timeout (3)
@ 2022-02-10 18:27 syzbot
2023-11-06 13:01 ` [syzbot] Test syzbot
0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2022-02-10 18:27 UTC (permalink / raw)
To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
luiz.dentz, marcel, netdev, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f4bc5bbb5fef Merge tag 'nfsd-5.17-2' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172ce872700000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e0a6a3dbf057cf
dashboard link: https://syzkaller.appspot.com/bug?extid=f0908ddc8b64b86e81f2
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1392aa3c700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d514a4700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f0908ddc8b64b86e81f2@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000005a: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000002d0-0x00000000000002d7]
CPU: 1 PID: 5789 Comm: kworker/1:2 Not tainted 5.17.0-rc3-syzkaller-00043-gf4bc5bbb5fef #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:__mutex_lock_common+0x110/0x2490 kernel/locking/mutex.c:579
Code: 38 84 c0 0f 85 26 1c 00 00 83 3d 3a c6 aa 06 00 48 8b 5c 24 08 4c 8d ac 24 c0 00 00 00 75 21 48 8d 7b 60 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 34 7e bc f7 48 39 5b 60 0f 85 b1 17 00 00
RSP: 0018:ffffc9000a4efaa0 EFLAGS: 00010206
RAX: 000000000000005a RBX: 0000000000000270 RCX: ffffffff90bf9803
RDX: dffffc0000000000 RSI: ffff888077be5700 RDI: 00000000000002d0
RBP: ffffc9000a4efc08 R08: dffffc0000000000 R09: ffffc9000a4efb60
R10: fffff5200149df71 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc9000a4efb60 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 0000000018ada000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__mutex_lock kernel/locking/mutex.c:733 [inline]
mutex_lock_nested+0x1a/0x20 kernel/locking/mutex.c:785
l2cap_chan_timeout+0x53/0x280 net/bluetooth/l2cap_core.c:422
process_one_work+0x850/0x1130 kernel/workqueue.c:2307
worker_thread+0xab1/0x1300 kernel/workqueue.c:2454
kthread+0x2a3/0x2d0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__mutex_lock_common+0x110/0x2490 kernel/locking/mutex.c:579
Code: 38 84 c0 0f 85 26 1c 00 00 83 3d 3a c6 aa 06 00 48 8b 5c 24 08 4c 8d ac 24 c0 00 00 00 75 21 48 8d 7b 60 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 34 7e bc f7 48 39 5b 60 0f 85 b1 17 00 00
RSP: 0018:ffffc9000a4efaa0 EFLAGS: 00010206
RAX: 000000000000005a RBX: 0000000000000270 RCX: ffffffff90bf9803
RDX: dffffc0000000000 RSI: ffff888077be5700 RDI: 00000000000002d0
RBP: ffffc9000a4efc08 R08: dffffc0000000000 R09: ffffc9000a4efb60
R10: fffff5200149df71 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc9000a4efb60 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd341ae06d CR3: 0000000018ada000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 38 84 c0 0f 85 26 1c cmp %al,0x1c26850f(%rax,%rax,8)
7: 00 00 add %al,(%rax)
9: 83 3d 3a c6 aa 06 00 cmpl $0x0,0x6aac63a(%rip) # 0x6aac64a
10: 48 8b 5c 24 08 mov 0x8(%rsp),%rbx
15: 4c 8d ac 24 c0 00 00 lea 0xc0(%rsp),%r13
1c: 00
1d: 75 21 jne 0x40
1f: 48 8d 7b 60 lea 0x60(%rbx),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
2f: 74 05 je 0x36
31: e8 34 7e bc f7 callq 0xf7bc7e6a
36: 48 39 5b 60 cmp %rbx,0x60(%rbx)
3a: 0f 85 b1 17 00 00 jne 0x17f1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 30+ messages in thread
end of thread, other threads:[~2024-04-15 10:18 UTC | newest]
Thread overview: 30+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
2023-11-17 14:23 ` [syzbot] Test syzbot
2023-11-21 19:19 ` [syzbot] [PATCH] Tried to correct syzbot
2023-11-22 8:08 ` kernel test robot
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
2024-01-03 14:12 ` Dan Carpenter
2024-01-03 14:29 ` Aleksandr Nogikh
2024-03-05 18:55 ` [syzbot] " Kees Cook
-- strict thread matches above, loose matches on Subject: below --
2024-04-15 1:54 [syzbot] [input?] WARNING in bcm5974_start_traffic/usb_submit_urb (2) syzbot
2024-04-15 10:18 ` [syzbot] test syzbot
2024-04-14 6:05 [syzbot] [bluetooth?] WARNING in hci_conn_set_handle syzbot
2024-04-15 9:33 ` [syzbot] test syzbot
2024-04-09 22:42 [syzbot] [ntfs3?] WARNING in do_open_execat (2) syzbot
2024-04-15 5:22 ` [syzbot] Test syzbot
2023-11-19 12:31 syzbot
2023-11-17 5:01 [syzbot] [kvm?] WARNING in kvm_mmu_notifier_invalidate_range_start (3) syzbot
2023-11-17 10:55 ` [syzbot] Test syzbot
2023-11-16 11:09 [syzbot] [kernel?] inconsistent lock state in ptrace_attach syzbot
2023-11-17 13:51 ` [syzbot] Test syzbot
2023-11-16 11:08 [syzbot] [cgroups?] possible deadlock in cgroup_free syzbot
2023-11-17 10:58 ` [syzbot] Test syzbot
2023-11-08 12:38 [syzbot] [wireless?] [net?] WARNING in ieee80211_rfkill_poll syzbot
2023-11-15 6:33 ` [syzbot] Test syzbot
2023-11-03 23:11 [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready syzbot
2023-11-13 11:16 ` [syzbot] test syzbot
2023-10-26 18:32 [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_msg_recvmsg syzbot
2023-11-06 13:35 ` [syzbot] Test syzbot
2023-10-05 19:47 [syzbot] [ntfs3?] WARNING in attr_data_get_block (3) syzbot
2023-11-19 11:27 ` [syzbot] test syzbot
2023-09-25 5:15 [syzbot] [bluetooth?] possible deadlock in hci_dev_do_close syzbot
2023-11-15 5:18 ` [syzbot] test syzbot
2023-09-24 7:49 [syzbot] [mm?] [hfs?] KASAN: slab-out-of-bounds Read in generic_perform_write syzbot
2023-11-17 14:24 ` [syzbot] Test syzbot
2023-09-16 1:22 [syzbot] [dri?] WARNING in drm_gem_object_handle_put_unlocked syzbot
2023-11-15 6:33 ` [syzbot] Test syzbot
2023-09-11 13:35 [syzbot] [ext4?] WARNING in ext4_discard_allocated_blocks syzbot
2023-11-17 14:17 ` [syzbot] Test syzbot
2023-08-19 10:47 [syzbot] [ntfs3?] WARNING in do_symlinkat (2) syzbot
2023-11-28 17:38 ` [syzbot] Test syzbot
2023-07-11 1:53 [syzbot] [bpf?] [reiserfs?] WARNING: locking bug in corrupted (2) syzbot
2023-11-17 14:27 ` [syzbot] Test syzbot
2022-10-21 4:45 [syzbot] UBSAN: array-index-out-of-bounds in diWrite syzbot
2023-11-02 15:02 ` [syzbot] test syzbot
2023-11-03 3:12 ` syzbot
2023-11-03 7:18 ` syzbot
2023-11-03 7:29 ` syzbot
2022-02-10 18:27 [syzbot] general protection fault in l2cap_chan_timeout (3) syzbot
2023-11-06 13:01 ` [syzbot] Test syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).