[syzbot] [kernel?] general protection fault in tty_register_device_attr


syzbot

Sep 1, 2023, 11:06:01 PM
to andriy.s...@linux.intel.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2ee82481c392 Add linux-next specific files for 20230828
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13da2cc0680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=85792f3143e6271d2c97
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10124470680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a38ecba80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/30801702ce78/disk-2ee82481.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8d9b67709145/vmlinux-2ee82481.xz
kernel image: https://storage.googleapis.com/syzbot-assets/47f8ef9bffd0/bzImage-2ee82481.xz

The issue was bisected to:

commit d21fdd07cea418c0d98c8a15fc95b8b8970801e7
Author: Andy Shevchenko <andriy.s...@linux.intel.com>
Date: Thu Aug 17 09:12:21 2023 +0000

driver core: Return proper error code when dev_set_name() fails

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f0e057a80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1008e057a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f0e057a80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+85792f...@syzkaller.appspotmail.com
Fixes: d21fdd07cea4 ("driver core: Return proper error code when dev_set_name() fails")

Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff38fc4838 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fac9a3aed89
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000004
RBP: 0000000000000001 R08: 00007fff38fc45d7 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000246 R12: 00007fff38fc4928
R13: 00007fac9a3f5032 R14: 00007fff38fc4980 R15: 0000000000000003
</TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5046 Comm: syz-executor362 Not tainted 6.5.0-next-20230828-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: a3 ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a1f800 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a1f890 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a1f890
R13: 0000000000000cc0 R14: ffff888014a96000 R15: 0000000000000001
FS: 0000555556b43480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005584fe812978 CR3: 00000000729c5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
kobject_add_varg lib/kobject.c:366 [inline]
kobject_add+0x12a/0x240 lib/kobject.c:424
device_add+0x290/0x1ac0 drivers/base/core.c:3560
tty_register_device_attr+0x38f/0x7b0 drivers/tty/tty_io.c:3248
gsm_register_devices drivers/tty/n_gsm.c:654 [inline]
gsm_activate_mux+0x157/0x2d0 drivers/tty/n_gsm.c:3138
gsm_config drivers/tty/n_gsm.c:3383 [inline]
gsmld_ioctl+0x8cc/0x1550 drivers/tty/n_gsm.c:3786
tty_ioctl+0x706/0x1580 drivers/tty/tty_io.c:2785
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fac9a3aed89
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff38fc4838 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fac9a3aed89
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000004
RBP: 0000000000000001 R08: 00007fff38fc45d7 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000246 R12: 00007fff38fc4928
R13: 00007fac9a3f5032 R14: 00007fff38fc4980 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: a3 ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a1f800 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a1f890 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a1f890
R13: 0000000000000cc0 R14: ffff888014a96000 R15: 0000000000000001
FS: 0000555556b43480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005584fe812978 CR3: 00000000729c5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
* 2a: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 c7 c1 b8 ff ff ff mov $0xffffffffffffffb8,%rcx
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

Sep 2, 2023, 1:13:24 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 01 Sep 2023 20:05:59 -0700
> HEAD commit: 2ee82481c392 Add linux-next specific files for 20230828
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a38ecba80000

Bail out in case of error.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2ee82481c392

--- x/drivers/base/core.c
+++ y/drivers/base/core.c
@@ -3537,6 +3537,8 @@ int device_add(struct device *dev)
/* subsystems can specify simple device enumeration */
else if (dev->bus && dev->bus->dev_name)
error = dev_set_name(dev, "%s%u", dev->bus->dev_name, dev->id);
+ else
+ error = -EINVAL;
if (error)
goto name_error;
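Review bot: the added `else` branch is needed because, when neither `dev_name(dev)` is set nor `dev->bus->dev_name` exists, nothing on this path assigns `error` before the `if (error)` test, so the fall-through reaches kobject_add() with a NULL name; the report's call chain (device_add -> kobject_add -> kobject_set_name_vargs -> kvasprintf_const -> strchr) is exactly that fall-through. When this test patch becomes a real submission it should say so in the commit message and carry the `Reported-by:` and `Fixes:` tags the syzbot report asked for.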

--

syzbot

Sep 2, 2023, 1:51:35 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+85792f...@syzkaller.appspotmail.com

Tested on:

commit: 2ee82481 Add linux-next specific files for 20230828
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=159eb870680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=85792f3143e6271d2c97
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f39898680000

Note: testing is done by a robot and is best-effort only.

Edward AD

Sep 3, 2023, 2:21:31 AM
to syzbot+85792f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test kobject->name null
diff --git a/lib/kobject.c b/lib/kobject.c
index 59dbcbdb1c91..29d7738ba590 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -269,6 +269,9 @@ int kobject_set_name_vargs(struct kobject *kobj, const char *fmt,
if (kobj->name && !fmt)
return 0;

+ if (!kobj->name && !fmt)
+ return -EINVAL;
+
s = kvasprintf_const(GFP_KERNEL, fmt, vargs);
if (!s)
return -ENOMEM;
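Review bot: the new condition reduces to `if (!fmt) return -EINVAL;`, because the check just above it already returns 0 for every `!fmt` case in which `kobj->name` is set; writing it that way makes plain that this guards a NULL format string, not a NULL kobj. It also only turns the crash into an -EINVAL from kobject_add(), while the report's call chain shows device_add() handing kobject_add() a device that has no name at all, so the missing name should be rejected in the caller and this check is at most a secondary safety net, not the fix.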

syzbot

Sep 3, 2023, 3:00:44 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+85792f...@syzkaller.appspotmail.com

Tested on:

commit: 2ee82481 Add linux-next specific files for 20230828
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16fe378fa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=85792f3143e6271d2c97
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1760c648680000

Edward AD

Sep 3, 2023, 8:42:38 AM
to syzbot+85792f...@syzkaller.appspotmail.com, andriy.s...@linux.intel.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
If kobj and fmt are both NULL, it will cause an exception in kvasprintf_const,
then when this situation occurs, -EINVAL is directly returned.

Signed-off-by: Edward AD <ead...@sina.com>
---
lib/kobject.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/lib/kobject.c b/lib/kobject.c
index 59dbcbdb1c91..29d7738ba590 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -269,6 +269,9 @@ int kobject_set_name_vargs(struct kobject *kobj, const char *fmt,
if (kobj->name && !fmt)
return 0;

+ if (!kobj->name && !fmt)
+ return -EINVAL;
+
s = kvasprintf_const(GFP_KERNEL, fmt, vargs);
if (!s)
return -ENOMEM;
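Review bot: the commit message does not match the hunk: it talks about `kobj` and `fmt` both being NULL, but the check is on `kobj->name`, and a NULL `kobj` would already have faulted on the `kobj->name` read in the line above the insertion. The description should also state the real effect seen in the report, a null-pointer dereference in strchr() reached through kvasprintf_const(), instead of "an exception", and the submission is missing the `Reported-by:` and `Fixes:` tags the syzbot report asked for.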
--
2.25.1

Greg KH

Sep 3, 2023, 9:37:53 AM
to Edward AD, syzbot+85792f...@syzkaller.appspotmail.com, andriy.s...@linux.intel.com, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
On Sun, Sep 03, 2023 at 08:42:31PM +0800, Edward AD wrote:
> If kobj and fmt are both NULL, it will cause an exception in kvasprintf_const,
> then when this situation occurs, -EINVAL is directly returned.

How can this happen? Are there any in-kernel users that cause this to
occur?

If so, which ones, why not fix that?

And your description isn't quite correct here, you are not checking for
kobj, but rather kobj->name.

thanks,

greg k-h

Thomas Weißschuh

Sep 4, 2023, 4:15:41 AM
to syzbot, andriy.s...@linux.intel.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
On 2023-09-01 20:05:59-0700, syzbot wrote:
> [..]
> [..]

#syz dup: general protection fault in netdev_register_kobject

With patch from Andy:

https://lore.kernel.org/all/20230828145824.389528...@linux.intel.com/

Andy Shevchenko

Sep 4, 2023, 5:45:06 AM
to Greg KH, Edward AD, syzbot+85792f...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
On Sun, Sep 03, 2023 at 02:54:53PM +0200, Greg KH wrote:
> On Sun, Sep 03, 2023 at 08:42:31PM +0800, Edward AD wrote:
> > If kobj and fmt are both NULL, it will cause an exception in kvasprintf_const,
> > then when this situation occurs, -EINVAL is directly returned.
>
> How can this happen? Are there any in-kernel users that cause this to
> occur?

Theoretically anything which uses

dev_set_name(dev, dev_name(dev));

is affected, but practically it happens only when _previous_ dev_set_name()
fails, which _only_ may happen due to fault injection.

> If so, which ones, why not fix that?

In any case the real fix is here:
https://lore.kernel.org/all/20230828145824.389528...@linux.intel.com/

> And your description isn't quite correct here, you are not checking for
> kobj, but rather kobj->name.

--
With Best Regards,
Andy Shevchenko
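To make the control flow discussed in this thread concrete, here is an added user-space model (not kernel code and not from any of the posts above) of the device_add() naming step: after a failed and unchecked dev_set_name(), the branch chain as left by the bisected commit returns success with a NULL name, while the extra else branch from Hillf's test patch returns -EINVAL. The struct fields, function names, the fault flag and the unchecked caller are assumptions of the model.

```c
/* Added example, not kernel code: a user-space model of the device_add() naming step
 * as left by the bisected commit, beside the guarded form.  Names are assumptions. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct model_dev {
    char *name;               /* stands in for dev->kobj.name */
    const char *bus_dev_name; /* stands in for dev->bus->dev_name, NULL if none */
};

static int inject_alloc_fault; /* stands in for fault injection in kvasprintf() */

/* Stands in for dev_set_name(): copies the name, -ENOMEM under fault injection. */
static int model_dev_set_name(struct model_dev *dev, const char *name)
{
    size_t len = strlen(name) + 1;
    if (inject_alloc_fault)
        return -ENOMEM;
    free(dev->name);
    dev->name = malloc(len);
    if (!dev->name)
        return -ENOMEM;
    memcpy(dev->name, name, len);
    return 0;
}

/* Naming step of device_add(): with neither a name nor a bus dev_name the unguarded chain
 * assigns nothing, so error stays 0 and a NULL name escapes to kobject_add(): the report's strchr(NULL). */
static int model_name_step(struct model_dev *dev, int guarded)
{
    int error = 0; /* an earlier call in device_add() succeeded */
    if (dev->name)
        error = 0;
    else if (dev->bus_dev_name)
        error = model_dev_set_name(dev, dev->bus_dev_name);
    else if (guarded)
        error = -EINVAL;
    return error;
}

/* Caller modelled on the trace: dev_set_name() result unchecked (model assumption), then the naming step. */
static int model_register(struct model_dev *dev, const char *name, int fault, int guarded)
{
    inject_alloc_fault = fault;
    model_dev_set_name(dev, name);
    inject_alloc_fault = 0;
    return model_name_step(dev, guarded);
}
```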

