[syzbot] [kernel?] general protection fault in nfc_register_device
12 views
Skip to first unread message
syzbot
Aug 28, 2023, 5:53:39āÆAM8/28/23
to andriy.s...@linux.intel.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 626932085009 Add linux-next specific files for 20230825
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11f70287a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a8c992a790e5073
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127e0db7a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12fceccba80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/46ec18b3c2fb/disk-62693208.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b4ea0cb78498/vmlinux-62693208.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fb3938c7272/bzImage-62693208.xz
The issue was bisected to:
commit d21fdd07cea418c0d98c8a15fc95b8b8970801e7
Author: Andy Shevchenko <andriy.s...@linux.intel.com>
Date: Thu Aug 17 09:12:21 2023 +0000
driver core: Return proper error code when dev_set_name() fails
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10abc1e0680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12abc1e0680000
console output: https://syzkaller.appspot.com/x/log.txt?x=14abc1e0680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdfb03...@syzkaller.appspotmail.com
Fixes: d21fdd07cea4 ("driver core: Return proper error code when dev_set_name() fails")
RBP: 0000000000000002 R08: 00007ffdb1dc9296 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc950c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5056 Comm: syz-executor350 Not tainted 6.5.0-rc7-next-20230825-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a3f630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a3f6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a3f6c0
R13: 0000000000000cc0 R14: ffff88801e01d180 R15: 0000000000000001
FS: 0000555555c8e380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe716281c00 CR3: 00000000730bb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
kobject_add_varg lib/kobject.c:366 [inline]
kobject_add+0x12a/0x240 lib/kobject.c:424
device_add+0x290/0x1ac0 drivers/base/core.c:3560
nfc_register_device+0x41/0x3c0 net/nfc/core.c:1118
nci_register_device+0x7f4/0xb80 net/nfc/nci/core.c:1257
virtual_ncidev_open+0x147/0x220 drivers/nfc/virtual_ncidev.c:148
misc_open+0x3da/0x4c0 drivers/char/misc.c:165
chrdev_open+0x277/0x700 fs/char_dev.c:414
do_dentry_open+0x88b/0x1730 fs/open.c:929
do_open fs/namei.c:3639 [inline]
path_openat+0x19af/0x29c0 fs/namei.c:3796
do_filp_open+0x1de/0x430 fs/namei.c:3823
do_sys_openat2+0x176/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe71624ecf9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb1dc94f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffdb1dc9510 RCX: 00007fe71624ecf9
RDX: 0000000000000002 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 00007ffdb1dc9296 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc950c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a3f630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a3f6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a3f6c0
R13: 0000000000000cc0 R14: ffff88801e01d180 R15: 0000000000000001
FS: 0000555555c8e380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe716281c00 CR3: 00000000730bb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: ad lods %ds:(%rsi),%eax
1: ac lods %ds:(%rsi),%al
2: f7 48 8b 74 24 08 48 testl $0x48082474,-0x75(%rax)
9: 8b 14 24 mov (%rsp),%edx
c: eb 89 jmp 0xffffff97
e: 90 nop
f: f3 0f 1e fa endbr64
13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1a: fc ff df
1d: 48 89 fa mov %rdi,%rdx
20: 55 push %rbp
21: 48 c1 ea 03 shr $0x3,%rdx
25: 53 push %rbx
26: 48 83 ec 10 sub $0x10,%rsp
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 48 89 fa mov %rdi,%rdx
31: 83 e2 07 and $0x7,%edx
34: 38 d0 cmp %dl,%al
36: 7f 04 jg 0x3c
38: 84 c0 test %al,%al
3a: 75 51 jne 0x8d
3c: 0f b6 07 movzbl (%rdi),%eax
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 626932085009 Add linux-next specific files for 20230825
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11f70287a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a8c992a790e5073
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127e0db7a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12fceccba80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/46ec18b3c2fb/disk-62693208.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b4ea0cb78498/vmlinux-62693208.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fb3938c7272/bzImage-62693208.xz
The issue was bisected to:
commit d21fdd07cea418c0d98c8a15fc95b8b8970801e7
Author: Andy Shevchenko <andriy.s...@linux.intel.com>
Date: Thu Aug 17 09:12:21 2023 +0000
driver core: Return proper error code when dev_set_name() fails
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10abc1e0680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12abc1e0680000
console output: https://syzkaller.appspot.com/x/log.txt?x=14abc1e0680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdfb03...@syzkaller.appspotmail.com
Fixes: d21fdd07cea4 ("driver core: Return proper error code when dev_set_name() fails")
RBP: 0000000000000002 R08: 00007ffdb1dc9296 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc950c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5056 Comm: syz-executor350 Not tainted 6.5.0-rc7-next-20230825-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a3f630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a3f6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a3f6c0
R13: 0000000000000cc0 R14: ffff88801e01d180 R15: 0000000000000001
FS: 0000555555c8e380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe716281c00 CR3: 00000000730bb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
kobject_add_varg lib/kobject.c:366 [inline]
kobject_add+0x12a/0x240 lib/kobject.c:424
device_add+0x290/0x1ac0 drivers/base/core.c:3560
nfc_register_device+0x41/0x3c0 net/nfc/core.c:1118
nci_register_device+0x7f4/0xb80 net/nfc/nci/core.c:1257
virtual_ncidev_open+0x147/0x220 drivers/nfc/virtual_ncidev.c:148
misc_open+0x3da/0x4c0 drivers/char/misc.c:165
chrdev_open+0x277/0x700 fs/char_dev.c:414
do_dentry_open+0x88b/0x1730 fs/open.c:929
do_open fs/namei.c:3639 [inline]
path_openat+0x19af/0x29c0 fs/namei.c:3796
do_filp_open+0x1de/0x430 fs/namei.c:3823
do_sys_openat2+0x176/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe71624ecf9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb1dc94f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffdb1dc9510 RCX: 00007fe71624ecf9
RDX: 0000000000000002 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 00007ffdb1dc9296 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc950c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a3f630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a3f6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a3f6c0
R13: 0000000000000cc0 R14: ffff88801e01d180 R15: 0000000000000001
FS: 0000555555c8e380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe716281c00 CR3: 00000000730bb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: ad lods %ds:(%rsi),%eax
1: ac lods %ds:(%rsi),%al
2: f7 48 8b 74 24 08 48 testl $0x48082474,-0x75(%rax)
9: 8b 14 24 mov (%rsp),%edx
c: eb 89 jmp 0xffffff97
e: 90 nop
f: f3 0f 1e fa endbr64
13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1a: fc ff df
1d: 48 89 fa mov %rdi,%rdx
20: 55 push %rbp
21: 48 c1 ea 03 shr $0x3,%rdx
25: 53 push %rbx
26: 48 83 ec 10 sub $0x10,%rsp
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 48 89 fa mov %rdi,%rdx
31: 83 e2 07 and $0x7,%edx
34: 38 d0 cmp %dl,%al
36: 7f 04 jg 0x3c
38: 84 c0 test %al,%al
3a: 75 51 jne 0x8d
3c: 0f b6 07 movzbl (%rdi),%eax
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Aug 28, 2023, 6:59:25āÆAM8/28/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 28 Aug 2023 02:53:37 -0700
Check error before going ahead.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 626932085009
--- x/drivers/base/core.c
+++ y/drivers/base/core.c
@@ -3530,6 +3530,8 @@ int device_add(struct device *dev)
if (dev->init_name) {
error = dev_set_name(dev, "%s", dev->init_name);
dev->init_name = NULL;
+ if (error)
+ goto name_error;
}
if (dev_name(dev))
--
> HEAD commit: 626932085009 Add linux-next specific files for 20230825
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12fceccba80000
> git tree: linux-next
Check error before going ahead.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 626932085009
--- x/drivers/base/core.c
+++ y/drivers/base/core.c
@@ -3530,6 +3530,8 @@ int device_add(struct device *dev)
if (dev->init_name) {
error = dev_set_name(dev, "%s", dev->init_name);
dev->init_name = NULL;
+ if (error)
+ goto name_error;
}
if (dev_name(dev))
--
syzbot
Aug 28, 2023, 7:35:35āÆAM8/28/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in nfc_register_device
RBP: 00007fad795a4120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fad7899bf80 R15: 00007fffcac52128
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004def6c0
R13: 0000000000000cc0 R14: ffff8881413d4a00 R15: 0000000000000001
FS: 00007fad795a46c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad795a40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fad7899bf80 RCX: 00007fad7887cae9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fad7899bf80 R15: 00007fffcac52128
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004def6c0
R13: 0000000000000cc0 R14: ffff8881413d4a00 R15: 0000000000000001
FS: 00007fad795a46c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
Tested on:
commit: 62693208 Add linux-next specific files for 20230825
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac67b7a80000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in nfc_register_device
RBP: 00007fad795a4120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fad7899bf80 R15: 00007fffcac52128
</TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5480 Comm: syz-executor.0 Not tainted 6.5.0-rc7-next-20230825-syzkaller-dirty #0
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90004def630 EFLAGS: 00010286
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90004def6c0 R08: 0000000000000001 R09: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004def6c0
R13: 0000000000000cc0 R14: ffff8881413d4a00 R15: 0000000000000001
FS: 00007fad795a46c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fad795a3ff8 CR3: 00000000294b2000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
kobject_add_varg lib/kobject.c:366 [inline]
kobject_add+0x12a/0x240 lib/kobject.c:424
device_add+0x2a1/0x1aa0 drivers/base/core.c:3562
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
kobject_add_varg lib/kobject.c:366 [inline]
kobject_add+0x12a/0x240 lib/kobject.c:424
nfc_register_device+0x41/0x3c0 net/nfc/core.c:1118
nci_register_device+0x7f4/0xb80 net/nfc/nci/core.c:1257
virtual_ncidev_open+0x147/0x220 drivers/nfc/virtual_ncidev.c:148
misc_open+0x3da/0x4c0 drivers/char/misc.c:165
chrdev_open+0x277/0x700 fs/char_dev.c:414
do_dentry_open+0x88b/0x1730 fs/open.c:929
do_open fs/namei.c:3639 [inline]
path_openat+0x19af/0x29c0 fs/namei.c:3796
do_filp_open+0x1de/0x430 fs/namei.c:3823
do_sys_openat2+0x176/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fad7887cae9
nci_register_device+0x7f4/0xb80 net/nfc/nci/core.c:1257
virtual_ncidev_open+0x147/0x220 drivers/nfc/virtual_ncidev.c:148
misc_open+0x3da/0x4c0 drivers/char/misc.c:165
chrdev_open+0x277/0x700 fs/char_dev.c:414
do_dentry_open+0x88b/0x1730 fs/open.c:929
do_open fs/namei.c:3639 [inline]
path_openat+0x19af/0x29c0 fs/namei.c:3796
do_filp_open+0x1de/0x430 fs/namei.c:3823
do_sys_openat2+0x176/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad795a40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fad7899bf80 RCX: 00007fad7887cae9
RDX: 0000000000000002 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00007fad795a4120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fad7899bf80 R15: 00007fffcac52128
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90004def630 EFLAGS: 00010286
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90004def6c0 R08: 0000000000000001 R09: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004def6c0
R13: 0000000000000cc0 R14: ffff8881413d4a00 R15: 0000000000000001
FS: 00007fad795a46c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff66020268 CR3: 00000000294b2000 CR4: 00000000003506f0
commit: 62693208 Add linux-next specific files for 20230825
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac67b7a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a8c992a790e5073
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1254f9eba80000
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Andy Shevchenko
Aug 28, 2023, 7:36:42āÆAM8/28/23
to syzbot, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
On Mon, Aug 28, 2023 at 02:53:37AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
Thanks! Will work on it ASAP.
> Hello,
>
> syzbot found the following issue on:
--
With Best Regards,
Andy Shevchenko
Hillf Danton
Aug 28, 2023, 8:36:07āÆAM8/28/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 28 Aug 2023 02:53:37 -0700
> HEAD commit: 626932085009 Add linux-next specific files for 20230825
> git tree: linux-next
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12fceccba80000
Check error before going ahead.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Check error before going ahead.
--- x/drivers/base/core.c
+++ y/drivers/base/core.c
@@ -3539,6 +3539,11 @@ int device_add(struct device *dev)
error = dev_set_name(dev, "%s%u", dev->bus->dev_name, dev->id);
if (error)
goto name_error;
+ dev->init_name = NULL;
+ if (!dev_name(dev)) {
+ error = -ENOMEM;
+ goto name_error;
+ }
pr_debug("device: '%s': %s\n", dev_name(dev), __func__);
--
Andy Shevchenko
Aug 28, 2023, 8:42:39āÆAM8/28/23
to syzbot, hda...@sina.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
On Mon, Aug 28, 2023 at 02:35:22PM +0300, Andy Shevchenko wrote:
> On Mon, Aug 28, 2023 at 02:53:37AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
>
> Thanks! Will work on it ASAP.
So, can somebody from syzbot explain me what this is?
> On Mon, Aug 28, 2023 at 02:53:37AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
>
> Thanks! Will work on it ASAP.
My readings as follows:
1) syzbot inserts fault injection into
dev_set_name(&dev->dev, "nfc%d", dev->idx);
2) that becomes a NULL in the corresponding kobj->name, correct?
3) which leads to the device_add() to exercise the paths that check for name
being NULL, i.e.
if (dev->init_name) {
error = dev_set_name(dev, "%s", dev->init_name);
dev->init_name = NULL;
}
error = 0;
/* subsystems can specify simple device enumeration */
else if (dev->bus && dev->bus->dev_name)
error = dev_set_name(dev, "%s%u", dev->bus->dev_name, dev->id);
if (error)
goto name_error;
so, either we have init_name or bus->name defined, but this seems not
if (error)
goto name_error;
the case; anyway in both cases the dev_set_name() may fail in strchr()
if and only if the fmt is NULL, which is not, as above calls have it
hard coded literals.
What's going on here?
(The error check for dev_set_name() in nfc_allocate_device() probably fixes
this, but it must not affect the code execution, right?)
P.S.
Of course the test patch from hdanton@ doesn't fix it, the error is checked in
the code later on.
syzbot
Aug 28, 2023, 9:10:42āÆAM8/28/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bdfb03...@syzkaller.appspotmail.com
Tested on:
commit: 2ee82481 Add linux-next specific files for 20230828
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1329b6ffa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bdfb03...@syzkaller.appspotmail.com
Tested on:
commit: 2ee82481 Add linux-next specific files for 20230828
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1329b6ffa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1384729fa80000
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Andy Shevchenko
Aug 28, 2023, 10:44:02āÆAM8/28/23
to syzbot, hda...@sina.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
The value of "error" has been rewritten to 0 and dev_name() the new code
doesn't trigger the bail out.
I'll send the patch soon.
Edward AD
Aug 28, 2023, 9:18:55āÆPM8/28/23
to syzbot+bdfb03...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward Adam Davis <ead...@sina.com>
please test kobject->name null
diff --git a/lib/kobject.c b/lib/kobject.c
index 59dbcbdb1c91..29d7738ba590 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -269,6 +269,9 @@ int kobject_set_name_vargs(struct kobject *kobj, const char *fmt,
if (kobj->name && !fmt)
return 0;
+ if (!kobj->name && !fmt)
+ return -EINVAL;
+
s = kvasprintf_const(GFP_KERNEL, fmt, vargs);
if (!s)
return -ENOMEM;
please test kobject->name null
diff --git a/lib/kobject.c b/lib/kobject.c
index 59dbcbdb1c91..29d7738ba590 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -269,6 +269,9 @@ int kobject_set_name_vargs(struct kobject *kobj, const char *fmt,
if (kobj->name && !fmt)
return 0;
+ if (!kobj->name && !fmt)
+ return -EINVAL;
+
s = kvasprintf_const(GFP_KERNEL, fmt, vargs);
if (!s)
return -ENOMEM;
syzbot
Aug 28, 2023, 9:57:41āÆPM8/28/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bdfb03...@syzkaller.appspotmail.com
Tested on:
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bdfb03...@syzkaller.appspotmail.com
Tested on:
commit: 62693208 Add linux-next specific files for 20230825
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13cd1e50680000
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8a8c992a790e5073
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14bfe6cba80000
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Reply all
Reply to author
Forward
0 new messages