general protection fault in go7007_usb_probe


syzbot

Apr 21, 2020, 7:36:15 PM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

usb 3-1: string descriptor 0 read error: -71
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 4298 Comm: kworker/0:5 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:go7007_usb_probe+0x4ba/0x1d49 drivers/media/usb/go7007/go7007-usb.c:1145
Code: c1 ee 03 80 3c 0e 00 0f 85 59 16 00 00 4c 8b a2 e8 05 00 00 48 b9 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fe 48 c1 ee 03 <0f> b6 0c 0e 48 89 fe 83 e6 07 40 38 f1 7f 08 84 c9 0f 85 11 16 00
RSP: 0018:ffff8881c70bf190 EFLAGS: 00010246
RAX: ffff8881d0024400 RBX: ffff8881cf5a1000 RCX: dffffc0000000000
RDX: ffff8881d40ae000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff8881caadc000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: 0000000000000000
R13: ffff8881d40ae0a0 R14: ffff8881c7f44c00 R15: ffffffff86786240
FS: 0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561ee1bd5160 CR3: 00000001ac56c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
really_probe+0x290/0xac0 drivers/base/dd.c:527
driver_probe_device+0x223/0x350 drivers/base/dd.c:701
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:808
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x21a/0x390 drivers/base/dd.c:874
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1367/0x1c20 drivers/base/core.c:2533
usb_set_configuration+0xed4/0x1850 drivers/usb/core/message.c:2025
usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
really_probe+0x290/0xac0 drivers/base/dd.c:527
driver_probe_device+0x223/0x350 drivers/base/dd.c:701
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:808
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x21a/0x390 drivers/base/dd.c:874
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1367/0x1c20 drivers/base/core.c:2533
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
hub_port_connect drivers/usb/core/hub.c:5195 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
port_event drivers/usb/core/hub.c:5481 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
process_one_work+0x965/0x1630 kernel/workqueue.c:2268
worker_thread+0x96/0xe20 kernel/workqueue.c:2414
kthread+0x326/0x430 kernel/kthread.c:268
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 14ebf3362a06b993 ]---
RIP: 0010:go7007_usb_probe+0x4ba/0x1d49 drivers/media/usb/go7007/go7007-usb.c:1145
Code: c1 ee 03 80 3c 0e 00 0f 85 59 16 00 00 4c 8b a2 e8 05 00 00 48 b9 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fe 48 c1 ee 03 <0f> b6 0c 0e 48 89 fe 83 e6 07 40 38 f1 7f 08 84 c9 0f 85 11 16 00
RSP: 0018:ffff8881c70bf190 EFLAGS: 00010246
RAX: ffff8881d0024400 RBX: ffff8881cf5a1000 RCX: dffffc0000000000
RDX: ffff8881d40ae000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff8881caadc000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: 0000000000000000
R13: ffff8881d40ae0a0 R14: ffff8881c7f44c00 R15: ffffffff86786240
FS: 0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561ee1bd5160 CR3: 0000000007024000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Apr 21, 2020, 7:45:19 PM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

usb 1-1: New USB device found, idVendor=0eb1, idProduct=7007, bcdDevice= 2.08
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
usb 1-1: string descriptor 0 read error: -71
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:go7007_usb_probe+0x4ba/0x1d49 drivers/media/usb/go7007/go7007-usb.c:1145
Code: c1 ee 03 80 3c 0e 00 0f 85 59 16 00 00 4c 8b a2 e8 05 00 00 48 b9 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fe 48 c1 ee 03 <0f> b6 0c 0e 48 89 fe 83 e6 07 40 38 f1 7f 08 84 c9 0f 85 11 16 00
RSP: 0018:ffff8881da21f190 EFLAGS: 00010246
RAX: ffff8881cd522800 RBX: ffff8881cd9de000 RCX: dffffc0000000000
RDX: ffff8881cd9dd000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff8881cd5ac000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: 0000000000000000
R13: ffff8881cd9dd0a0 R14: ffff8881cf81c800 R15: ffffffff86786240
FS: 0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c401d2c160 CR3: 0000000007024000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---[ end trace 822665be1be4fef9 ]---
RIP: 0010:go7007_usb_probe+0x4ba/0x1d49 drivers/media/usb/go7007/go7007-usb.c:1145
Code: c1 ee 03 80 3c 0e 00 0f 85 59 16 00 00 4c 8b a2 e8 05 00 00 48 b9 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fe 48 c1 ee 03 <0f> b6 0c 0e 48 89 fe 83 e6 07 40 38 f1 7f 08 84 c9 0f 85 11 16 00
RSP: 0018:ffff8881da21f190 EFLAGS: 00010246
RAX: ffff8881cd522800 RBX: ffff8881cd9de000 RCX: dffffc0000000000
RDX: ffff8881cd9dd000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff8881cd5ac000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: 0000000000000000
R13: ffff8881cd9dd0a0 R14: ffff8881cf81c800 R15: ffffffff86786240
FS: 0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c401d2c160 CR3: 0000000007024000 CR4: 00000000001406f0

Hillf Danton

Apr 21, 2020, 10:17:38 PM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, Takashi Iwai, syzkall...@googlegroups.com

Tue, 21 Apr 2020 16:45:17 -0700
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com
>
> usb 1-1: New USB device found, idVendor=0eb1, idProduct=7007, bcdDevice= 2.08
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> usb 1-1: config 0 descriptor??
> usb 1-1: string descriptor 0 read error: -71
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.7.0-rc1-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:go7007_usb_probe+0x4ba/0x1d49 drivers/media/usb/go7007/go7007-usb.c:1145
> Code: c1 ee 03 80 3c 0e 00 0f 85 59 16 00 00 4c 8b a2 e8 05 00 00 48 b9 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fe 48 c1 ee 03 <0f> b6 0c 0e 48 89 fe 83 e6 07 40 38 f1 7f 08 84 c9 0f 85 11 16 00
> RSP: 0018:ffff8881da21f190 EFLAGS: 00010246
> RAX: ffff8881cd522800 RBX: ffff8881cd9de000 RCX: dffffc0000000000
> RDX: ffff8881cd9dd000 RSI: 0000000000000000 RDI: 0000000000000003
> RBP: ffff8881cd5ac000 R08: 0000000000000001 R09: fffffbfff1268ad6
> R10: ffffffff893456af R11: fffffbfff1268ad5 R12: 0000000000000000
> R13: ffff8881cd9dd0a0 R14: ffff8881cf81c800 R15: ffffffff86786240
> FS: 0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055c401d2c160 CR3: 0000000007024000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
On top of a3ea410cac41 ("media: go7007: Fix URB type for interrupt handling"),
check the endpoint before examining its type, although it may be another option to
bail out and fail the device probe without a valid ep.

--- a/drivers/media/usb/go7007/go7007-usb.c
+++ b/drivers/media/usb/go7007/go7007-usb.c
@@ -1142,7 +1142,7 @@ static int go7007_usb_probe(struct usb_i
goto allocfail;

ep = usb->usbdev->ep_in[4];
- if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
+ if (ep && usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
usb_rcvbulkpipe(usb->usbdev, 4),
usb->intr_urb->transfer_buffer, 2*sizeof(u16),
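Review bot: the `ep &&` guard at `+ if (ep && usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)` only avoids the dereference; when ep_in[4] is NULL the condition is simply false and probe carries on past this if with a device that has no usable endpoint 4, which is the "fail at a later stage" outcome rather than a refused probe. Test ep on its own first and leave the function, e.g. `if (!ep) goto allocfail;` ahead of the type test, reusing the `goto allocfail;` error path visible at the top of the hunk if its cleanup matches what has been allocated at this point; otherwise return an error after freeing what this function owns.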

Oliver Neukum

Apr 22, 2020, 6:32:34 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com, ti...@suse.com
On Tuesday, 21.04.2020, 16:45 -0700, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12da0b58100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1146eb17e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=159d136fe00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

Hi,

this looks to be technically caused by

commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e
Author: Takashi Iwai <ti...@suse.de>
Date: Thu Feb 6 16:45:27 2020 +0100

media: go7007: Fix URB type for interrupt handling

It introduces this check:

+ ep = usb->usbdev->ep_in[4];
+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)

However, there is no guarantee ep_in[4] exists, if a malicious device
were involved. But, I do not want to just add a check for NULL. That
would just paper over the bug and the driver would fail at a later
stage.

How many endpoints do these devices need to have to operate?

Regards
Oliver

Takashi Iwai

Apr 22, 2020, 6:51:16 AM
to Oliver Neukum, syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com, ti...@suse.com
Yes, the patch assumed the existence of ep 4; as you can see in the
later code, the driver blindly uses the fixed endpoint for the urb.
So we'll hit a problem anyway.

> How many endpoints do these devices need to have to operate?

Not sure about that, but the NULL-check of ep there should be right.
If ep_in[4] is NULL, the probe should fail before going to the next
USB_ENDPOINT_XFER_BULK check.


thanks,

Takashi
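
The point Oliver and Takashi make above is that usb_device->ep_in[] and ep_out[] are built by the USB core from descriptors the device itself supplies, so any slot can be NULL and a driver that indexes a fixed slot must check it before touching ep->desc. The following is an added example written for this page, not code from the thread, the go7007 driver or the USB core: a user-space C model that parses a constructed configuration-descriptor blob into ep_in/ep_out tables the way the core does, then runs the probe-time check the thread asks for (fail when IN endpoint 4 is absent, and only then look at the transfer type). The struct and function names (usb_dev_model, parse_endpoints, probe_check_ep4, probe_sample) and the three sample descriptor blobs are assumptions made up for the example; the descriptor layout and the bmAttributes/bEndpointAddress masks follow the USB 2.0 spec.

```c
/*
 * Added example, not kernel code: model of endpoint-table construction and
 * the probe check go7007_usb_probe needs. Names below are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USB_DT_ENDPOINT            0x05
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_NUMBER_MASK   0x0f
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

struct ep_desc {
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;
    int      present;          /* stands in for a non-NULL ep_in[n] pointer */
};

struct usb_dev_model {
    struct ep_desc ep_in[16];
    struct ep_desc ep_out[16];
};

/* Walk a raw descriptor blob and fill the ep tables, rejecting malformed input. */
static int parse_endpoints(const uint8_t *buf, size_t len, struct usb_dev_model *dev)
{
    size_t off = 0;
    memset(dev, 0, sizeof(*dev));
    while (off + 2 <= len) {
        uint8_t bLength = buf[off];
        uint8_t bType   = buf[off + 1];
        if (bLength < 2 || off + bLength > len)
            return -1;                       /* truncated or zero-length descriptor */
        if (bType == USB_DT_ENDPOINT && bLength >= 7) {
            uint8_t addr = buf[off + 2];
            unsigned num = addr & USB_ENDPOINT_NUMBER_MASK;
            struct ep_desc *slot = (addr & USB_DIR_IN) ? &dev->ep_in[num]
                                                       : &dev->ep_out[num];
            if (slot->present)
                return -1;                   /* duplicate endpoint number */
            slot->bEndpointAddress = addr;
            slot->bmAttributes     = buf[off + 3];
            slot->wMaxPacketSize   = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            slot->present          = 1;
        }
        off += bLength;
    }
    return 0;
}

enum probe_result { PROBE_OK_BULK = 1, PROBE_OK_INT = 2,
                    PROBE_ENODEV = -19, PROBE_EINVAL = -22 };

/* The check the thread argues for: existence first, transfer type second. */
static int probe_check_ep4(const struct usb_dev_model *dev)
{
    const struct ep_desc *ep = &dev->ep_in[4];
    if (!ep->present)
        return PROBE_ENODEV;                 /* bail before reading ep->desc */
    switch (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
    case USB_ENDPOINT_XFER_BULK: return PROBE_OK_BULK;
    case USB_ENDPOINT_XFER_INT:  return PROBE_OK_INT;
    default:                     return PROBE_EINVAL;
    }
}

/* Constructed sample blobs (not captured from real hardware). */
static const uint8_t good_config[] = {
    0x07, USB_DT_ENDPOINT, 0x84, 0x03, 0x08, 0x00, 0x01,  /* IN ep 4, interrupt */
    0x07, USB_DT_ENDPOINT, 0x02, 0x02, 0x00, 0x02, 0x00,  /* OUT ep 2, bulk */
};
static const uint8_t fuzzed_config[] = {
    0x07, USB_DT_ENDPOINT, 0x01, 0x02, 0x40, 0x00, 0x00,  /* OUT ep 1 only; no IN ep 4 */
};
static const uint8_t truncated_config[] = {
    0x07, USB_DT_ENDPOINT, 0x84,                          /* bLength says 7, 3 bytes given */
};

int probe_sample(const uint8_t *cfg, size_t len)
{
    struct usb_dev_model dev;
    if (parse_endpoints(cfg, len, &dev) < 0)
        return PROBE_EINVAL;
    return probe_check_ep4(&dev);
}
```

The fuzzed_config case is the shape of the syzbot device: nothing the driver expects at ep_in[4], so the existence check returns an error and the transfer-type test is never reached. In the real driver the equivalent is testing `usb->usbdev->ep_in[4]` for NULL and failing probe before `usb_endpoint_type(&ep->desc)`, as Takashi suggests.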

Oliver Neukum

Apr 22, 2020, 8:00:03 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
On Tuesday, 21.04.2020, 16:36 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git e9010320
0001-go7007-add-sanity-checking.patch

syzbot

Apr 22, 2020, 8:32:05 AM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, one...@suse.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
general protection fault in go7007_usb_probe

usb 2-1: string descriptor 0 read error: -71
general protection fault, probably for non-canonical address 0xdffffc00000000bd: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000005e8-0x00000000000005ef]
CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:go7007_usb_probe+0x1e0/0x1dc5 drivers/media/usb/go7007/go7007-usb.c:1125
Code: 03 80 3c 02 00 0f 85 df 18 00 00 4d 8b ae 98 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d bd e8 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ac 18 00 00 4d 8b ad e8 05 00 00 4d 85 ed 0f 84
RSP: 0018:ffff8881d8aff190 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8881d8caf000 RCX: 1ffffffff126c284
RDX: 00000000000000bd RSI: ffffffff8454389a RDI: 00000000000005e8
RBP: ffff8881d7270000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: ffffffff86785360
R13: 0000000000000000 R14: ffff8881cf6dc400 R15: ffff8881d9741000
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a840964160 CR3: 00000001d2972000 CR4: 00000000001406e0
Modules linked in:
---[ end trace 67047f68f48827d5 ]---
RIP: 0010:go7007_usb_probe+0x1e0/0x1dc5 drivers/media/usb/go7007/go7007-usb.c:1125
Code: 03 80 3c 02 00 0f 85 df 18 00 00 4d 8b ae 98 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d bd e8 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ac 18 00 00 4d 8b ad e8 05 00 00 4d 85 ed 0f 84
RSP: 0018:ffff8881d8aff190 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8881d8caf000 RCX: 1ffffffff126c284
RDX: 00000000000000bd RSI: ffffffff8454389a RDI: 00000000000005e8
RBP: ffff8881d7270000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: ffffffff86785360
R13: 0000000000000000 R14: ffff8881cf6dc400 R15: ffff8881d9741000
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a840964160 CR3: 00000001d2972000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11ef7dbfe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1155b758100000

Oliver Neukum

Apr 23, 2020, 7:01:46 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
On Tuesday, 21.04.2020, 16:36 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

0001-go7007-add-sanity-checking.patch

syzbot

Apr 23, 2020, 7:20:06 AM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, one...@suse.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cabfa4...@syzkaller.appspotmail.com

Tested on:

commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=108a4ecfe00000

Note: testing is done by a robot and is best-effort only.

Oliver Neukum

Apr 23, 2020, 8:46:53 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
On Tuesday, 21.04.2020, 16:36 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

0001-go7007-add-sanity-checking-and-insanity-checking.patch

syzbot

Apr 23, 2020, 9:05:08 AM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, one...@suse.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cabfa4...@syzkaller.appspotmail.com

Tested on:

commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1396d5bfe00000

Oliver Neukum

Apr 23, 2020, 9:48:38 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
On Tuesday, 21.04.2020, 16:36 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

0001-go7007-add-only-insanity-checking.patch

syzbot

Apr 23, 2020, 9:59:04 AM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, one...@suse.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
general protection fault in go7007_usb_probe

usb 3-1: string descriptor 0 read error: -71
general protection fault, probably for non-canonical address 0xdffffc00000000bd: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000005e8-0x00000000000005ef]
CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:go7007_usb_probe+0x1ff/0x1de4 drivers/media/usb/go7007/go7007-usb.c:1130
Code: 03 80 3c 02 00 0f 85 00 19 00 00 4d 8b ae 98 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d bd e8 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cd 18 00 00 4d 8b ad e8 05 00 00 4d 85 ed 0f 84
RSP: 0018:ffff8881da317190 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8881d5768000 RCX: 1ffffffff126c1fa
RDX: 00000000000000bd RSI: ffffffff845438b9 RDI: 00000000000005e8
RBP: ffff8881cbc94000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: ffffffff867853e0
R13: 0000000000000000 R14: ffff8881cbd02400 R15: ffff8881c7f23000
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056141ffa7578 CR3: 00000001ccc54000 CR4: 00000000001406e0
---[ end trace 3c58732c46bcaa36 ]---
RIP: 0010:go7007_usb_probe+0x1ff/0x1de4 drivers/media/usb/go7007/go7007-usb.c:1130
Code: 03 80 3c 02 00 0f 85 00 19 00 00 4d 8b ae 98 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d bd e8 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cd 18 00 00 4d 8b ad e8 05 00 00 4d 85 ed 0f 84
RSP: 0018:ffff8881da317190 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8881d5768000 RCX: 1ffffffff126c1fa
RDX: 00000000000000bd RSI: ffffffff845438b9 RDI: 00000000000005e8
RBP: ffff8881cbc94000 R08: 0000000000000001 R09: fffffbfff1268ad6
R10: ffffffff893456af R11: fffffbfff1268ad5 R12: ffffffff867853e0
R13: 0000000000000000 R14: ffff8881cbd02400 R15: ffff8881c7f23000
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056141ffa7578 CR3: 00000001ccc54000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=158aba87e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d0bfd7e00000

Oliver Neukum

Apr 30, 2020, 9:10:16 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
On Tuesday, 21.04.2020, 16:36 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

0001-go7007-add-only-insanity-checking.patch

syzbot

Apr 30, 2020, 9:29:04 AM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, one...@suse.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cabfa4...@syzkaller.appspotmail.com

Tested on:

commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=163fcf90100000

Oliver Neukum

May 4, 2020, 10:08:41 AM
to syzbot, andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
On Tuesday, 21.04.2020, 16:36 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1263a930100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
> dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cabfa4...@syzkaller.appspotmail.com

0001-go7007-add-sanity-checking-for-endpoints.patch

syzbot

May 4, 2020, 10:27:05 AM
to andre...@google.com, hverkui...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, one...@suse.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cabfa4...@syzkaller.appspotmail.com

Tested on:

commit: e9010320 usb: cdns3: gadget: make a bunch of functions sta..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bd14feb44652cfaf
dashboard link: https://syzkaller.appspot.com/bug?extid=cabfa4b5b05ff6be4ef0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=17327ea8100000