linux-kernel.vger.kernel.org archive mirror
* Re: general protection fault in usb_find_alt_setting
       [not found] ` <1722725855.15417291.1537693865632.JavaMail.zimbra@redhat.com>
@ 2018-09-23 16:27   ` Dmitry Vyukov
  2018-09-23 21:15     ` Vladis Dronov
  0 siblings, 1 reply; 4+ messages in thread
From: Dmitry Vyukov @ 2018-09-23 16:27 UTC (permalink / raw)
  To: Vladis Dronov
  Cc: syzbot, syzkaller-bugs, Greg Kroah-Hartman, Johan Hovold,
	kai.heng.feng, LKML, USB list

On Sun, Sep 23, 2018 at 11:11 AM, Vladis Dronov <vdronov@redhat.com> wrote:
> #syz fix: USB: handle NULL config in usb_find_alt_setting()
> #syz dup: general protection fault in usb_find_alt_setting (2)

Same here.
The syzbot process is designed in such a way that it will not open a second
version of the bug (2) for the same bug. syzbot waits until the fixing
commit reaches all tested trees and only then closes a bug. If the
crash is spotted again _after_ that, then syzbot creates a second
version of the bug (2). But at that point it has to be a different bug
requiring a different fix.
So this should not be a dup, and should not be fixed with the same commit
as the first version.


* Re: general protection fault in usb_find_alt_setting
  2018-09-23 16:27   ` general protection fault in usb_find_alt_setting Dmitry Vyukov
@ 2018-09-23 21:15     ` Vladis Dronov
  2018-09-24 13:15       ` Dmitry Vyukov
  0 siblings, 1 reply; 4+ messages in thread
From: Vladis Dronov @ 2018-09-23 21:15 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, syzkaller-bugs, Greg Kroah-Hartman, Johan Hovold,
	kai heng feng, LKML, USB list

Hello, Dmitry,

Thank you for the reply. I probably do not properly understand how
syzkaller works then. Can you please have a look at my reasoning?

The bug:

https://syzkaller.appspot.com/bug?id=4b88ff5aa6aa88f9283a45cc62f16e55b0722131
(Reported-by: syzbot+c99ecc8a2c68eb7e06cf2f652e60d63d6fbe2f31@syzkaller.appspotmail.com,
"[upstream] general protection fault in usb_find_alt_setting")

was not fixed. It was closed as invalid, so, AFAIU, all the work on it has stopped.

So syzbot did not wait until the fixing commit reached all tested trees, and the
crash was not spotted again _after_ that.

Then I look at the bug:

https://syzkaller.appspot.com/bug?id=a0ec6260a1d37288a4508250fe30a5604ceec666
(Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com,
"[upstream] general protection fault in usb_find_alt_setting (2)")

And I see that the crash happens at the same place _and_ in the same code:

(bug id=a0ec6260a1d3)
RIP: 0010:usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231
Code: ... fd 48 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 86 02 00 00
(bug id=4b88ff5aa6aa)
Code: ... fd 48 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a1 02 00 
RIP: usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231 RSP: ffff88005893f610

This makes me sure these are the same bug (dup), which is fixed by the same
commit "USB: handle NULL config in usb_find_alt_setting()".

As I'm kind of a perfectionist, I would like to mark (bug id=4b88ff5aa6aa) as
fixed by this commit and not closed as invalid.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer



* Re: general protection fault in usb_find_alt_setting
  2018-09-23 21:15     ` Vladis Dronov
@ 2018-09-24 13:15       ` Dmitry Vyukov
  0 siblings, 0 replies; 4+ messages in thread
From: Dmitry Vyukov @ 2018-09-24 13:15 UTC (permalink / raw)
  To: Vladis Dronov
  Cc: syzbot, syzkaller-bugs, Greg Kroah-Hartman, Johan Hovold,
	kai heng feng, LKML, USB list

On Sun, Sep 23, 2018 at 11:15 PM, Vladis Dronov <vdronov@redhat.com> wrote:
> Hello, Dmitry,
>
> Thank you for the reply. I probably do not properly understand how
> syzkaller works then. Can you please have a look at my reasoning?
>
> The bug:
>
> https://syzkaller.appspot.com/bug?id=4b88ff5aa6aa88f9283a45cc62f16e55b0722131
> (Reported-by: syzbot+c99ecc8a2c68eb7e06cf2f652e60d63d6fbe2f31@syzkaller.appspotmail.com,
> "[upstream] general protection fault in usb_find_alt_setting")
>
> was not fixed. It was closed as invalid, so, AFAIU, all the work on it has stopped.
>
> So syzbot did not wait until the fixing commit reached all tested trees, and the
> crash was not spotted again _after_ that.
>
> Then I look at the bug:
>
> https://syzkaller.appspot.com/bug?id=a0ec6260a1d37288a4508250fe30a5604ceec666
> (Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com,
> "[upstream] general protection fault in usb_find_alt_setting (2)")
>
> And I see that the crash happens at the same place _and_ in the same code:
>
> (bug id=a0ec6260a1d3)
> RIP: 0010:usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231
> Code: ... fd 48 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 86 02 00 00
> (bug id=4b88ff5aa6aa)
> Code: ... fd 48 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a1 02 00
> RIP: usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231 RSP: ffff88005893f610
>
> This makes me sure these are the same bug (dup), which is fixed by the same
> commit "USB: handle NULL config in usb_find_alt_setting()".
>
> As I'm kind of a perfectionist, I would like to mark (bug id=4b88ff5aa6aa) as
> fixed by this commit and not closed as invalid.


My bad: I did not check status of the first version of the bug:
https://syzkaller.appspot.com/bug?id=4b88ff5aa6aa88f9283a45cc62f16e55b0722131

The thing is that "fixed" and "invalid" are considered terminal states
for a bug. syzbot ignores all commands for them. This was done to
avoid races between re-opening an old bug and syzbot creating a new
version of the same bug at the same time, and also to simplify the overall
process: bugs move monotonically to terminal states. So at the
moment it's unfortunately not possible to go back and say that this
was a dup rather than invalid, like one would do in a real bug
tracker.
As a rule of thumb: things still on the dashboard need some action; things
that are no longer on the dashboard do not need any attention.

The reason for closing the first one was noted here:
https://groups.google.com/d/msg/syzkaller-bugs/Iqf80RqXK14/SSYd1aAtAQAJ
Taking into account the huge number of bugs, it can make more sense to
clean up the dashboard of old, most likely irrelevant bugs to
increase the chances of fixing other bugs. In this case it was a wrong
decision, probably part of a sweeping clean-up. But syzbot created a
new bug for this since it started happening again, so in the end
everything worked as intended.

I understand this all can look somewhat confusing initially. The
system was built as an attempt to chew through hundreds of bugs per month with
limited human resources.

But we need perfectionists for lots of the open bugs on the dashboard!
https://syzkaller.appspot.com#upstream




* Re: general protection fault in usb_find_alt_setting
       [not found] <94eb2c05b4ba7e98d2055dc57696@google.com>
@ 2018-05-11 17:39 ` Dmitry Vyukov
  0 siblings, 0 replies; 4+ messages in thread
From: Dmitry Vyukov @ 2018-05-11 17:39 UTC (permalink / raw)
  To: syzbot
  Cc: Arnd Bergmann, Greg Kroah-Hartman, Johan Hovold, LKML, USB list,
	mathias.nyman, peter.chen, sriram.dash, syzkaller-bugs

On Sun, Nov 12, 2017 at 10:06 AM, syzbot
<bot+c99ecc8a2c68eb7e06cf2f652e60d63d6fbe2f31@syzkaller.appspotmail.com>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> d9e0e63d9a6f88440eb201e1491fcf730272c706
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> Unfortunately, I don't have any reproducer for this bug yet.


This crash happened 779 times, but the first was 188d ago and the last 175d ago.
Let's consider this fixed by something.

#syz invalid

> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 3 PID: 23503 Comm: syz-executor5 Not tainted 4.14.0-rc8-next-20171110+ #12
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88007c5e0580 task.stack: ffff88006c3b8000
> RIP: 0010:usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231
> RSP: 0018:ffff88006c3bf610 EFLAGS: 00010247
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83bf4473
> RDX: 0000000000000000 RSI: ffffc90002773000 RDI: 0000000000000004
> RBP: ffff88006c3bf650 R08: ffffed000d877ee2 R09: ffffed000d877ee2
> R10: 0000000000000003 R11: ffffed000d877ee1 R12: ffff88007c668000
> R13: 00000000000000fd R14: 00000000000007fd R15: 0000000000000000
> FS:  00007f10e9fc8700(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020278000 CR3: 000000006e8fe000 CR4: 00000000000006e0
> DR0: 0000000020000008 DR1: 0000000020000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
> Call Trace:
>  check_ctrlrecip+0xf3/0x290 drivers/usb/core/devio.c:831
>  proc_control+0x13f/0xe30 drivers/usb/core/devio.c:1078
>  usbdev_do_ioctl+0x2097/0x3670 drivers/usb/core/devio.c:2396
> SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0
> sclass=netlink_xfrm_socket pig=23496 comm=syz-executor0
>  usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2553
>  vfs_ioctl fs/ioctl.c:46 [inline]
>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>  SYSC_ioctl fs/ioctl.c:701 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x447c99
> RSP: 002b:00007f10e9fc7bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f10e9fc86cc RCX: 0000000000447c99
> RDX: 000000002003dffa RSI: 00000000c0185500 RDI: 0000000000000014
> RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 00000000000048d8 R14: 00000000006e8978 R15: 00007f10e9fc8700
> Code: 89 d5 53 48 89 fb 48 83 ec 18 48 89 7d c8 89 75 d0 e8 2d 3c b0 fd 48
> 8d 7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a1 02 00
> SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
> sclass=netlink_route_socket pig=23514 comm=syz-executor7
> RIP: usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231 RSP:
> ffff88006c3bf610
> ---[ end trace 53f2c0803d4e1797 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@googlegroups.com.
> Please credit me with: Reported-by: syzbot <syzkaller@googlegroups.com>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/94eb2c05b4ba7e98d2055dc57696%40google.com.
> For more options, visit https://groups.google.com/d/optout.
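The two Code: lines Vladis compares earlier in the thread and the KASAN note in this report ("GPF could be caused by NULL-ptr deref or user memory access") point at the same instruction sequence: lea 0x4(%rbx),%rdi with RBX=0, then the CONFIG_KASAN_INLINE shadow lookup through RAX=0xdffffc0000000000 (mov %rdi,%rdx; shr $3,%rdx; movzbl (%rdx,%rax,1),%eax). The bytes up to and including the faulting <0f> b6 04 02 are identical in both reports; only the trailing jne displacement differs, which is what two different builds of the same function look like. The following C is an added example, not code from the thread or from the kernel tree. It models in user space why that shadow lookup faults as a general protection fault rather than a page fault, and what a "handle NULL config" check in the lookup changes. The struct layout (bNumInterfaces at offset 4) and the two lookup helpers are assumptions standing in for the real descriptor and for usb_find_alt_setting(); the sample configuration is constructed.

```c
/*
 * Added example, not code from the thread or from the kernel tree. It models
 * two things visible in the syzbot report: why a NULL config produces a
 * *general protection fault* under CONFIG_KASAN_INLINE, and what a
 * "handle NULL config" check in the lookup changes.
 *
 * Assumptions (labelled as such): struct cfg_desc mirrors only the first
 * bytes of a USB configuration descriptor, so bNumInterfaces sits at offset
 * 4, matching "lea 0x4(%rbx),%rdi" with RBX=0 in the dump; the two lookup
 * functions are simplified stand-ins for usb_find_alt_setting(), not its body.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct cfg_desc {
    uint8_t  bLength;          /* offset 0 */
    uint8_t  bDescriptorType;  /* offset 1 */
    uint16_t wTotalLength;     /* offset 2 */
    uint8_t  bNumInterfaces;   /* offset 4: the field read at usb.c:231 */
} __attribute__((packed));

struct host_config {
    struct cfg_desc desc;
    uint8_t iface_num[8];      /* stand-in for the per-interface bInterfaceNumber */
};

/*
 * x86-64 KASAN shadow mapping: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * The offset is the immediate in the Code: bytes "48 b8 00 00 00 00 00 fc ff df"
 * and the value of RAX in the register dump.
 */
#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL

uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> 3) + KASAN_SHADOW_OFFSET;
}

/* 48-bit canonical form: bits 63..47 all equal. A load from a non-canonical
 * address raises #GP (general protection fault), not #PF (page fault). */
bool is_canonical_48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/*
 * KASAN_INLINE checks the shadow byte *before* the real load, so the first
 * faulting access for config == NULL is the shadow of address 4, which is
 * non-canonical. That is why the report says "general protection fault" and
 * KASAN prints "GPF could be caused by NULL-ptr deref or user memory access".
 */
bool null_config_faults_as_gpf(void)
{
    uint64_t access = offsetof(struct host_config, desc) +
                      offsetof(struct cfg_desc, bNumInterfaces);   /* == 4 */
    return !is_canonical_48(kasan_shadow_addr(access));
}

/* Pre-fix shape: dereferences config unconditionally. The ioctl path in the
 * trace (usbdev_do_ioctl -> proc_control -> check_ctrlrecip) can hand it a
 * NULL config for an unconfigured device. Do not call with NULL. */
int find_iface_index_unchecked(const struct host_config *config, unsigned iface)
{
    for (unsigned i = 0; i < config->desc.bNumInterfaces &&
                         i < sizeof(config->iface_num); i++)
        if (config->iface_num[i] == iface)
            return (int)i;
    return -1;
}

/* Post-fix shape: a NULL config simply has no interfaces. */
int find_iface_index_checked(const struct host_config *config, unsigned iface)
{
    if (!config)
        return -1;
    return find_iface_index_unchecked(config, iface);
}

/* Constructed sample: a two-interface configuration (interfaces 0 and 3). */
struct host_config sample_config(void)
{
    struct host_config c = { .desc = { 9, 2, 32, 2 }, .iface_num = { 0, 3 } };
    return c;
}

int main(void)
{
    struct host_config c = sample_config();
    uint64_t shadow = kasan_shadow_addr(4);
    printf("shadow of address 4: 0x%llx, canonical: %d\n",
           (unsigned long long)shadow, is_canonical_48(shadow));
    printf("NULL config -> %d, interface 3 -> index %d\n",
           find_iface_index_checked(NULL, 3), find_iface_index_checked(&c, 3));
    return 0;
}
```

In user space the same unchecked read of config->desc.bNumInterfaces with config == NULL would be a SIGSEGV at address 4; in the instrumented kernel the shadow byte at 0xdffffc0000000000 is loaded first, and that non-canonical address is what turns the NULL dereference into the #GP in the report.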

