[syzbot] [input?] [usb?] KMSAN: uninit-value in asus_report_fixup

syzbot

May 24, 2024, 4:00:32 PM
to benjamin....@redhat.com, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 70ec81c2e2b4 Merge tag 'linux_kselftest-next-6.10-rc1-fixe..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1477c6dc980000
kernel config: https://syzkaller.appspot.com/x/.config?x=48a63c58ee55467e
dashboard link: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1609f92a980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b85ca4980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6f3592f38ad8/disk-70ec81c2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5987dcdede63/vmlinux-70ec81c2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f31717c1621a/bzImage-70ec81c2.xz

The issue was bisected to:

commit 59d2f5b7392e988a391e6924e177c1a68d50223d
Author: Luke D. Jones <lu...@ljones.dev>
Date: Tue Apr 16 09:03:59 2024 +0000

HID: asus: fix more n-key report descriptors if n-key quirked

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=154fd644980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=174fd644980000
console output: https://syzkaller.appspot.com/x/log.txt?x=134fd644980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07762f...@syzkaller.appspotmail.com
Fixes: 59d2f5b7392e ("HID: asus: fix more n-key report descriptors if n-key quirked")

usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: slab-out-of-bounds in asus_report_fixup+0x857/0xed0 drivers/hid/hid-asus.c:1210
Read of size 1 at addr ffff88802472ad45 by task kworker/0:1/9

CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.9.0-syzkaller-10219-g70ec81c2e2b4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
asus_report_fixup+0x857/0xed0 drivers/hid/hid-asus.c:1210
hid_open_report+0x1ba/0x14a0 drivers/hid/hid-core.c:1235
hid_parse include/linux/hid.h:1118 [inline]
asus_probe+0x82e/0xc90 drivers/hid/hid-asus.c:1065
__hid_device_probe drivers/hid/hid-core.c:2633 [inline]
hid_device_probe+0x26e/0x4f0 drivers/hid/hid-core.c:2670
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
__device_attach+0x333/0x520 drivers/base/dd.c:1028
bus_probe_device+0x189/0x260 drivers/base/bus.c:532
device_add+0x8ff/0xca0 drivers/base/core.c:3720
hid_add_device+0x3b6/0x520 drivers/hid/hid-core.c:2816
usbhid_probe+0xb38/0xea0 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
__device_attach+0x333/0x520 drivers/base/dd.c:1028
bus_probe_device+0x189/0x260 drivers/base/bus.c:532
device_add+0x8ff/0xca0 drivers/base/core.c:3720
usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:294
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
__device_attach+0x333/0x520 drivers/base/dd.c:1028
bus_probe_device+0x189/0x260 drivers/base/bus.c:532
device_add+0x8ff/0xca0 drivers/base/core.c:3720
usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2652
hub_port_connect drivers/usb/core/hub.c:5522 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5662 [inline]
port_event drivers/usb/core/hub.c:5822 [inline]
hub_event+0x2d6a/0x5150 drivers/usb/core/hub.c:5904
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 9:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:4121 [inline]
kmalloc_node_track_caller_noprof+0x22a/0x450 mm/slub.c:4141
kmemdup_noprof+0x2a/0x60 mm/util.c:131
hid_open_report+0x156/0x14a0 drivers/hid/hid-core.c:1230
hid_parse include/linux/hid.h:1118 [inline]
asus_probe+0x82e/0xc90 drivers/hid/hid-asus.c:1065
__hid_device_probe drivers/hid/hid-core.c:2633 [inline]
hid_device_probe+0x26e/0x4f0 drivers/hid/hid-core.c:2670
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
__device_attach+0x333/0x520 drivers/base/dd.c:1028
bus_probe_device+0x189/0x260 drivers/base/bus.c:532
device_add+0x8ff/0xca0 drivers/base/core.c:3720
hid_add_device+0x3b6/0x520 drivers/hid/hid-core.c:2816
usbhid_probe+0xb38/0xea0 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
__device_attach+0x333/0x520 drivers/base/dd.c:1028
bus_probe_device+0x189/0x260 drivers/base/bus.c:532
device_add+0x8ff/0xca0 drivers/base/core.c:3720
usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:294
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
__device_attach+0x333/0x520 drivers/base/dd.c:1028
bus_probe_device+0x189/0x260 drivers/base/bus.c:532
device_add+0x8ff/0xca0 drivers/base/core.c:3720
usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2652
hub_port_connect drivers/usb/core/hub.c:5522 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5662 [inline]
port_event drivers/usb/core/hub.c:5822 [inline]
hub_event+0x2d6a/0x5150 drivers/usb/core/hub.c:5904
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88802472ad40
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
allocated 5-byte region [ffff88802472ad40, ffff88802472ad45)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2472a
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000000 ffff888015041500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 12879192655, free_ts 12811137824
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
prep_new_page mm/page_alloc.c:1476 [inline]
get_page_from_freelist+0x2e2d/0x2ee0 mm/page_alloc.c:3402
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4660
__alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2264
allocate_slab+0x5a/0x2e0 mm/slub.c:2427
new_slab mm/slub.c:2480 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3666
__slab_alloc+0x58/0xa0 mm/slub.c:3756
__slab_alloc_node mm/slub.c:3809 [inline]
slab_alloc_node mm/slub.c:3988 [inline]
kmalloc_trace_noprof+0x1d5/0x2c0 mm/slub.c:4147
kmalloc_noprof include/linux/slab.h:660 [inline]
usb_control_msg+0xbb/0x4c0 drivers/usb/core/message.c:144
hub_power_on+0x1de/0x460
hub_activate+0x3cd/0x1c70 drivers/usb/core/hub.c:1135
hub_configure drivers/usb/core/hub.c:1742 [inline]
hub_probe+0x274f/0x3640 drivers/usb/core/hub.c:1965
usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
really_probe+0x2b8/0xad0 drivers/base/dd.c:656
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
driver_probe_device+0x50/0x430 drivers/base/dd.c:828
page last free pid 785 tgid 785 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1088 [inline]
free_unref_page+0xd22/0xea0 mm/page_alloc.c:2565
vfree+0x186/0x2e0 mm/vmalloc.c:3346
delayed_vfree_work+0x56/0x80 mm/vmalloc.c:3267
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
ffff88802472ac00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff88802472ac80: 06 fc fc fc 06 fc fc fc fa fc fc fc fa fc fc fc
>ffff88802472ad00: fa fc fc fc fa fc fc fc 05 fc fc fc 05 fc fc fc
^
ffff88802472ad80: fa fc fc fc fa fc fc fc 06 fc fc fc 06 fc fc fc
ffff88802472ae00: 07 fc fc fc 06 fc fc fc fa fc fc fc 00 fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 28, 2024, 1:46:05 AM
to andrewj...@gmail.com, benjamin....@redhat.com, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-kern...@lists.linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, sk...@linuxfoundation.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 113.792885][ C0] =====================================================
[ 113.800595][ C0] BUG: KMSAN: uninit-value in receive_buf+0x25e3/0x5fd0
[ 113.807866][ C0] receive_buf+0x25e3/0x5fd0
[ 113.812660][ C0] virtnet_poll+0xd1c/0x23c0
[ 113.817511][ C0] __napi_poll+0xe7/0x980
[ 113.822060][ C0] net_rx_action+0x82a/0x1850
[ 113.827121][ C0] handle_softirqs+0x1ce/0x800
[ 113.832171][ C0] __irq_exit_rcu+0x68/0x120
[ 113.837029][ C0] irq_exit_rcu+0x12/0x20
[ 113.841544][ C0] common_interrupt+0x94/0xa0
[ 113.846507][ C0] asm_common_interrupt+0x2b/0x40
[ 113.851825][ C0] kmsan_internal_set_shadow_origin+0x76/0xe0
[ 113.858320][ C0] kmsan_internal_unpoison_memory+0x14/0x20
[ 113.864659][ C0] kmsan_unpoison_memory+0x28/0x40
[ 113.869970][ C0] prep_new_page+0x115/0x540
[ 113.874876][ C0] get_page_from_freelist+0x1578/0x15f0
[ 113.880730][ C0] __alloc_pages_noprof+0x8a7/0xe70
[ 113.886250][ C0] alloc_pages_mpol_noprof+0x299/0x990
[ 113.892181][ C0] vma_alloc_folio_noprof+0x412/0x750
[ 113.898206][ C0] handle_mm_fault+0x907c/0xe610
[ 113.903457][ C0] exc_page_fault+0x41b/0x700
[ 113.908439][ C0] asm_exc_page_fault+0x2b/0x30
[ 113.913577][ C0]
[ 113.916067][ C0] Uninit was created at:
OK[ 113.920879][ C0] __alloc_pages_noprof+0x9d6/0xe70

[ 113.926417][ C0] alloc_pages_mpol_noprof+0x299/0x990
[ 113.932200][ C0] alloc_pages_noprof+0x1bf/0x1e0
[ 113.937655][ C0] skb_page_frag_refill+0x2bf/0x7c0
[ 113.943288][ C0] virtnet_rq_alloc+0x43/0xbb0
[ 113.948380][ C0] try_fill_recv+0x3f0/0x2f50
[ 113.953224][ C0] virtnet_open+0x1cc/0xb00
[ 113.958077][ C0] __dev_open+0x546/0x6f0
[ 113.962708][ C0] __dev_change_flags+0x309/0x9a0
[ 113.968302][ C0] dev_change_flags+0x8e/0x1d0
[ 113.973240][ C0] devinet_ioctl+0x13ec/0x22c0
[ 113.978437][ C0] inet_ioctl+0x4bd/0x6d0
[ 113.983181][ C0] sock_do_ioctl+0xb7/0x540
[ 113.987928][ C0] sock_ioctl+0x727/0xd70
[ 113.992433][ C0] __se_sys_ioctl+0x261/0x450
[ 113.997393][ C0] __x64_sys_ioctl+0x96/0xe0
[ 114.002313][ C0] x64_sys_call+0x18c0/0x3b90
[ 114.007248][ C0] do_syscall_64+0xcd/0x1e0
[ 114.011927][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 114.018164][ C0]
[ 114.020697][ C0] CPU: 0 PID: 4786 Comm: rm Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5-dirty #0
[ 114.031264][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 114.041826][ C0] =====================================================
[ 114.049359][ C0] Disabling lock debugging due to kernel taint
[ 114.055708][ C0] Kernel panic - not syncing: kmsan.panic set ...
[ 114.062795][ C0] CPU: 0 PID: 4786 Comm: rm Tainted: G B 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5-dirty #0
[ 114.075000][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 114.085286][ C0] Call Trace:
[ 114.088865][ C0] <IRQ>
[ 114.091913][ C0] dump_stack_lvl+0x216/0x2d0
[ 114.096785][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.102924][ C0] dump_stack+0x1e/0x30
[ 114.107269][ C0] panic+0x4e2/0xcd0
[ 114.111426][ C0] ? kmsan_get_metadata+0x111/0x1d0
[ 114.116837][ C0] kmsan_report+0x2d5/0x2e0
[ 114.121549][ C0] ? kmsan_alloc_page+0x182/0x220
[ 114.126772][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.132180][ C0] ? __msan_warning+0x95/0x120
[ 114.137205][ C0] ? receive_buf+0x25e3/0x5fd0
[ 114.142074][ C0] ? virtnet_poll+0xd1c/0x23c0
[ 114.147049][ C0] ? __napi_poll+0xe7/0x980
[ 114.151760][ C0] ? net_rx_action+0x82a/0x1850
[ 114.156910][ C0] ? handle_softirqs+0x1ce/0x800
[ 114.161958][ C0] ? __irq_exit_rcu+0x68/0x120
[ 114.166911][ C0] ? irq_exit_rcu+0x12/0x20
[ 114.171601][ C0] ? common_interrupt+0x94/0xa0
[ 114.176565][ C0] ? asm_common_interrupt+0x2b/0x40
[ 114.181863][ C0] ? kmsan_internal_set_shadow_origin+0x76/0xe0
[ 114.188207][ C0] ? kmsan_internal_unpoison_memory+0x14/0x20
[ 114.194391][ C0] ? kmsan_unpoison_memory+0x28/0x40
[ 114.199793][ C0] ? prep_new_page+0x115/0x540
[ 114.204666][ C0] ? get_page_from_freelist+0x1578/0x15f0
[ 114.210579][ C0] ? __alloc_pages_noprof+0x8a7/0xe70
[ 114.216060][ C0] ? alloc_pages_mpol_noprof+0x299/0x990
[ 114.221983][ C0] ? vma_alloc_folio_noprof+0x412/0x750
[ 114.227836][ C0] ? handle_mm_fault+0x907c/0xe610
[ 114.233178][ C0] ? exc_page_fault+0x41b/0x700


[ 114.238164][ C0] ? asm_exc_page_fault+0x2b/0x30
[ 114.243578][ C0] ? kmsan_internal_memmove_metadata+0x17b/0x230
syzkaller[ 114.250182][ C0] ? kmsan_get_metadata+0x146/0x1d0

[ 114.256633][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.262332][ C0] ? page_to_skb+0xdae/0x1620
[ 114.267233][ C0] __msan_warning+0x95/0x120
[ 114.272275][ C0] receive_buf+0x25e3/0x5fd0
[ 114.277094][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.282402][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.288519][ C0] virtnet_poll+0xd1c/0x23c0
[ 114.293235][ C0] ? __pfx_virtnet_poll+0x10/0x10
[ 114.298573][ C0] __napi_poll+0xe7/0x980
[ 114.303042][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.308529][ C0] net_rx_action+0x82a/0x1850
[ 114.313443][ C0] ? sched_clock_cpu+0x55/0x870
[ 114.318434][ C0] ? __pfx_net_rx_action+0x10/0x10
[ 114.323766][ C0] handle_softirqs+0x1ce/0x800
[ 114.328788][ C0] __irq_exit_rcu+0x68/0x120
[ 114.333488][ C0] irq_exit_rcu+0x12/0x20
[ 114.337976][ C0] common_interrupt+0x94/0xa0
[ 114.343068][ C0] </IRQ>
[ 114.346080][ C0] <TASK>
[ 114.349188][ C0] asm_common_interrupt+0x2b/0x40
[ 114.354554][ C0] RIP: 0010:kmsan_internal_set_shadow_origin+0x76/0xe0
[ 114.361736][ C0] Code: f0 83 e0 03 49 83 e6 fc 49 8d 5c 07 03 4c 89 f7 be 01 00 00 00 e8 3a 35 00 00 48 83 fb 04 72 1a 48 c1 eb 02 31 c9 44 89 2c 88 <ff> c1 48 63 c9 48 39 cb 77 f2 eb 04 84 db 75 0f 5b 41 5c 41 5d 41
[ 114.382246][ C0] RSP: 0000:ffff88812094b8b0 EFLAGS: 00000216
[ 114.388520][ C0] RAX: ffff8881212ed000 RBX: 0000000000000400 RCX: 000000000000019b
[ 114.396599][ C0] RDX: 00000001216ed000 RSI: ffff88813fff9240 RDI: ffff8881216ed000
[ 114.404856][ C0] RBP: ffff88812094b8d8 R08: ffffea000000000f R09: 0000000000000000
[ 114.413096][ C0] R10: ffff888120eed000 R11: 0000000000000004 R12: 0000000000000000
[ 114.421164][ C0] R13: 0000000000000000 R14: ffff8881216ed000 R15: 0000000000001000
[ 114.429361][ C0] kmsan_internal_unpoison_memory+0x14/0x20
[ 114.435481][ C0] kmsan_unpoison_memory+0x28/0x40
[ 114.441106][ C0] prep_new_page+0x115/0x540
[ 114.445833][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.451866][ C0] get_page_from_freelist+0x1578/0x15f0
[ 114.457804][ C0] __alloc_pages_noprof+0x8a7/0xe70
[ 114.463144][ C0] alloc_pages_mpol_noprof+0x299/0x990
[ 114.469050][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.474479][ C0] vma_alloc_folio_noprof+0x412/0x750
[ 114.480070][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.485509][ C0] handle_mm_fault+0x907c/0xe610
[ 114.491145][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.496501][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.501877][ C0] exc_page_fault+0x41b/0x700
[ 114.506694][ C0] asm_exc_page_fault+0x2b/0x30
[ 114.511959][ C0] RIP: 0033:0x7fbc8aec8b9d
[ 114.517011][ C0] Code: 8b 90 c8 01 00 00 48 81 e2 00 ff ff ff 7e 14 48 89 d1 48 89 15 94 e6 10 00 48 d1 f9 48 89 0d 92 e6 10 00 48 8b 90 d0 01 00 00 <48> 89 15 24 58 11 00 48 8b 90 d8 01 00 00 48 89 15 66 e6 10 00 48
[ 114.536844][ C0] RSP: 002b:00007fffd2152068 EFLAGS: 00010206
[ 114.543432][ C0] RAX: 00007fbc8b0dfa80 RBX: 00007fbc8ae35000 RCX: 0000000000dc0000
[ 114.551697][ C0] RDX: 00000000014a0000 RSI: 00007fbc8ae53540 RDI: 0000000000000000
[ 114.559908][ C0] RBP: 00007fffd2152170 R08: 00007fffd2150000 R09: 00007fbc8b0e0ab0
[ 114.568160][ C0] R10: 00007fbc8ae39ab8 R11: 0000000000000025 R12: 00007fbc8b0a95c0
[ 114.576260][ C0] R13: 00007fbc8b0d4eda R14: 00007fbc8afd68c8 R15: 00007fbc8ae39ab8
[ 114.584358][ C0] </TASK>
[ 114.587837][ C0] Kernel Offset: disabled
[ 114.592358][ C0] Rebooting in 86400 seconds..


syzkaller build log:

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15a9822c980000


Tested on:

commit: 2bfcfd58 Merge tag 'pmdomain-v6.10-rc1' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=54d66e52f38a45d8
dashboard link: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1425c62c980000

Andrew Ballance

May 28, 2024, 2:53:47 AM
to syzbot+07762f...@syzkaller.appspotmail.com, benjamin....@redhat.com, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, sk...@linuxfoundation.org, Andrew Ballance
#syz test

There may be a read out of the bounds of rdesc.
This adds bounds checks.

Signed-off-by: Andrew Ballance <andrewj...@gmail.com>
---
drivers/hid/hid-asus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 02de2bf4f790..37e6d25593c2 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
}

/* match many more n-key devices */
- if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
- for (int i = 0; i < *rsize + 1; i++) {
+ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
+ for (int i = 0; i < *rsize - 15; i++) {
/* offset to the count from 0x5a report part always 14 */
if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
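Review bot: the bound change is correct: with `i < *rsize - 15` the furthest read, `rdesc[i + 15]`, is `rdesc[*rsize - 1]`, and the `*rsize > 15` guard keeps the unsigned subtraction from wrapping, whereas the old `i < *rsize + 1` let `rdesc[i]` itself run one byte past the end, which is exactly the "Read of size 1 ... 0 bytes to the right of allocated 5-byte region" in the KASAN report. Two smaller points: `&` and `&&` are mixed in one expression, so wrapping `(drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD)` in parentheses avoids a precedence warning and reads more clearly, and the commit message should carry the `Reported-by:` and `Fixes: 59d2f5b7392e ("HID: asus: fix more n-key report descriptors if n-key quirked")` tags that the report asks for.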
--
2.45.1

Edward Adam Davis

May 28, 2024, 8:29:04 AM
to syzbot+07762f...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Please test uv asus_report_fixup

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 70ec81c2e2b4

diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 02de2bf4f790..1a92392967fc 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1204,8 +1204,9 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
}

/* match many more n-key devices */
- if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
- for (int i = 0; i < *rsize + 1; i++) {
+ printk("rdesc: %c.%c.%c.%c.%c, %s\n", rdesc[0], rdesc[1], rdesc[2], rdesc[3], rdesc[4], __func__);
+ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
+ for (int i = 0; i < *rsize - 14; i++) {
/* offset to the count from 0x5a report part always 14 */
if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
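Review bot: the new loop bound `i < *rsize - 14` still leaves an off-by-one: on the last iteration i = *rsize - 15, so the match reads `rdesc[i + 15]`, which is `rdesc[*rsize]`, one byte past the end of the buffer, and the out-of-bounds read KASAN flagged can still occur whenever the first three pattern bytes match near the end; `i < *rsize - 15` is needed for `rdesc[i + 15]` to stay at or below `rdesc[*rsize - 1]`. The added `printk` is also a problem in its own right: it dereferences `rdesc[0]` through `rdesc[4]` before any length check, so on a descriptor shorter than five bytes it is itself an over-read; it prints raw descriptor bytes with `%c` and has no `KERN_` level, so it reads as debug output that should be dropped before anything is merged.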
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..9f0e09f667b1 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1029,7 +1029,7 @@ static int usbhid_parse(struct hid_device *hid)
return -EINVAL;
}

- rdesc = kmalloc(rsize, GFP_KERNEL);
+ rdesc = kzalloc(rsize, GFP_KERNEL);
if (!rdesc)
return -ENOMEM;
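Review bot: switching `kmalloc` to `kzalloc` here does not address the reported bug. The KASAN report is a slab-out-of-bounds read, not a use of uninitialised memory, and its allocation trace shows the overrun buffer is the copy made by `kmemdup` in `hid_open_report` (hid-core.c:1230), not this `rdesc`; zero-filling this allocation leaves the out-of-bounds index in `asus_report_fixup` unchanged and only adds a memset to every parse.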

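To make the three loop bounds discussed in this thread concrete, the following is an added harness, not code from the thread or from hid-asus.c: it replays the driver's 0x85 0x5a ... 0x95 0x05 pattern match over constructed descriptors through an instrumented byte accessor and records the highest index each bound touches, so the over-read shows up as data rather than as a crash. The descriptor bytes, enum names and function names are ours.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Instrumented view of a HID report descriptor: every read goes through
 * rd_byte(), which records the highest index requested and refuses to
 * dereference anything at or past 'size' (returning 0), so the harness has
 * no undefined behaviour itself yet shows exactly which bound over-reads.
 */
struct rdesc_view {
	const uint8_t *data;
	unsigned int size;
	unsigned int max_index;	/* highest index the scan asked for */
	bool oob;		/* true if any index >= size was asked for */
	int match;		/* index where the pattern matched, or -1 */
};

static uint8_t rd_byte(struct rdesc_view *v, unsigned int idx)
{
	if (idx > v->max_index)
		v->max_index = idx;
	if (idx >= v->size) {
		v->oob = true;
		return 0;
	}
	return v->data[idx];
}

/* The three loop bounds seen in the thread (enum names are ours). */
enum scan_bound {
	BOUND_ORIGINAL,		/* i < *rsize + 1  : the code KASAN caught  */
	BOUND_MINUS_14,		/* i < *rsize - 14 : second proposed patch  */
	BOUND_MINUS_15,		/* i < *rsize - 15 : first proposed patch   */
};

/* Both patched variants keep the '*rsize > 15' guard against wrapping. */
static unsigned int scan_limit(enum scan_bound b, unsigned int rsize)
{
	if (b == BOUND_ORIGINAL)
		return rsize + 1;
	if (rsize <= 15)
		return 0;
	return b == BOUND_MINUS_14 ? rsize - 14 : rsize - 15;
}

/*
 * Mirrors the driver's match: report id item 0x85 0x5a, and 14 bytes later a
 * report count item 0x95 0x05.  Fills in v->match, v->max_index and v->oob.
 */
static struct rdesc_view run_scan(const uint8_t *data, unsigned int size,
				  enum scan_bound b)
{
	struct rdesc_view v = { data, size, 0, false, -1 };
	unsigned int limit = scan_limit(b, size);

	for (unsigned int i = 0; i < limit; i++) {
		if (rd_byte(&v, i) == 0x85 && rd_byte(&v, i + 1) == 0x5a &&
		    rd_byte(&v, i + 14) == 0x95 && rd_byte(&v, i + 15) == 0x05) {
			v.match = (int)i;
			break;
		}
	}
	return v;
}

/*
 * Constructed inputs (not from the report): a 5-byte descriptor, the size
 * KASAN shows being overrun; a 16-byte one whose pattern begins one byte too
 * late to be complete; a 20-byte one with a complete match at offset 2.
 */
static const uint8_t short_desc[5] = { 0x05, 0x01, 0x09, 0x06, 0xa1 };
static const uint8_t truncated_desc[16] = { [1] = 0x85, [2] = 0x5a, [15] = 0x95 };
static const uint8_t full_desc[20] = {
	[0] = 0x05, [1] = 0x01, [2] = 0x85, [3] = 0x5a, [16] = 0x95, [17] = 0x05,
};

int main(void)
{
	static const char *const bound_name[] = { "rsize+1", "rsize-14", "rsize-15" };
	const struct { const char *name; const uint8_t *d; unsigned int n; } in[] = {
		{ "short", short_desc, sizeof short_desc },
		{ "truncated", truncated_desc, sizeof truncated_desc },
		{ "full", full_desc, sizeof full_desc },
	};

	for (unsigned int k = 0; k < sizeof in / sizeof in[0]; k++)
		for (int b = BOUND_ORIGINAL; b <= BOUND_MINUS_15; b++) {
			struct rdesc_view v = run_scan(in[k].d, in[k].n, (enum scan_bound)b);

			printf("%-9s rsize=%2u bound=%-8s match=%2d max_index=%2u %s\n",
			       in[k].name, in[k].n, bound_name[b], v.match,
			       v.max_index, v.oob ? "OUT OF BOUNDS" : "ok");
		}
	return 0;
}
```

On the 5-byte input the original bound asks for index 5, the same offset the KASAN report places "0 bytes to the right" of the allocation; the `rsize - 14` bound still asks for index 16 on the 16-byte input, while `rsize - 15` never leaves the buffer and still finds the complete pattern in the 20-byte input.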

syzbot

May 28, 2024, 12:05:07 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 113.705664][ C0] =====================================================
[ 113.713710][ C0] BUG: KMSAN: uninit-value in receive_buf+0x25e3/0x5fd0
[ 113.721249][ C0] receive_buf+0x25e3/0x5fd0
[ 113.726871][ C0] virtnet_poll+0xd1c/0x23c0
[ 113.732720][ C0] __napi_poll+0xe7/0x980
[ 113.737602][ C0] net_rx_action+0x82a/0x1850
[ 113.742969][ C0] handle_softirqs+0x1d8/0x810
[ 113.748254][ C0] __irq_exit_rcu+0x68/0x120
[ 113.753244][ C0] irq_exit_rcu+0x12/0x20
[ 113.758091][ C0] common_interrupt+0x94/0xa0
[ 113.763187][ C0] asm_common_interrupt+0x2b/0x40
[ 113.769022][ C0] __msan_get_context_state+0x2b/0x40
[ 113.774745][ C0] filter_irq_stacks+0x20/0x1a0
[ 113.780317][ C0] stack_depot_save_flags+0x2c/0x6e0
[ 113.786314][ C0] stack_depot_save+0x12/0x20
[ 113.791479][ C0] __msan_poison_alloca+0x106/0x1b0
[ 113.797810][ C0] rtnl_fill_link_ifmap+0x3d/0x2d0
[ 113.803235][ C0] rtnl_fill_ifinfo+0x2842/0x2d00
[ 113.808831][ C0] rtnl_dump_ifinfo+0x985/0x2040
[ 113.814347][ C0] netlink_dump+0xaa0/0x15b0
[ 113.819296][ C0] netlink_recvmsg+0xc5f/0x1610
[ 113.824980][ C0] sock_recvmsg+0x2c4/0x340
[ 113.830086][ C0] ____sys_recvmsg+0x18a/0x620
[ 113.835352][ C0] ___sys_recvmsg+0x223/0x840
[ 113.840392][ C0] __x64_sys_recvmsg+0x304/0x4a0
[ 113.845552][ C0] x64_sys_call+0x38ff/0x3b50
[ 113.850557][ C0] do_syscall_64+0xcf/0x1e0
[ 113.855339][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 113.861603][ C0]
[ 113.864026][ C0] Uninit was created at:
[ 113.868730][ C0] __alloc_pages_noprof+0x9d6/0xe70
[ 113.874561][ C0] alloc_pages_mpol_noprof+0x299/0x990
[ 113.880362][ C0] alloc_pages_noprof+0x1bf/0x1e0
[ 113.885777][ C0] skb_page_frag_refill+0x2bf/0x7c0
[ 113.891268][ C0] virtnet_rq_alloc+0x43/0xbb0
[ 113.896445][ C0] try_fill_recv+0x3f0/0x2f50
[ 113.901560][ C0] virtnet_open+0x1cc/0xb00
[ 113.906402][ C0] __dev_open+0x546/0x6f0
[ 113.911394][ C0] __dev_change_flags+0x309/0x9a0
[ 113.916674][ C0] dev_change_flags+0x8e/0x1d0
[ 113.921709][ C0] devinet_ioctl+0x13ec/0x22c0
[ 113.926856][ C0] inet_ioctl+0x4bd/0x6d0
[ 113.931354][ C0] sock_do_ioctl+0xb7/0x540
[ 113.936741][ C0] sock_ioctl+0x727/0xd70
[ 113.941310][ C0] __se_sys_ioctl+0x261/0x450
[ 113.946355][ C0] __x64_sys_ioctl+0x96/0xe0
[ 113.951792][ C0] x64_sys_call+0x1883/0x3b50
[ 113.957744][ C0] do_syscall_64+0xcf/0x1e0
[ 113.962489][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 113.968805][ C0]
[ 113.971339][ C0] CPU: 0 PID: 4701 Comm: dhcpcd Not tainted 6.9.0-syzkaller-10219-g70ec81c2e2b4-dirty #0
[ 113.982140][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 113.993753][ C0] =====================================================
[ 114.001533][ C0] Disabling lock debugging due to kernel taint
[ 114.009462][ C0] Kernel panic - not syncing: kmsan.panic set ...
[ 114.016998][ C0] CPU: 0 PID: 4701 Comm: dhcpcd Tainted: G B 6.9.0-syzkaller-10219-g70ec81c2e2b4-dirty #0
[ 114.029845][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 114.041448][ C0] Call Trace:
[ 114.045419][ C0] <IRQ>
[ 114.048629][ C0] dump_stack_lvl+0x216/0x2d0
[ 114.053807][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.060387][ C0] dump_stack+0x1e/0x30
[ 114.065183][ C0] panic+0x4e2/0xcd0
[ 114.069306][ C0] ? kmsan_get_metadata+0xb1/0x1d0
[ 114.074868][ C0] kmsan_report+0x2d5/0x2e0
[ 114.079600][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.085029][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.090574][ C0] ? __msan_warning+0x95/0x120
[ 114.095997][ C0] ? receive_buf+0x25e3/0x5fd0
[ 114.101178][ C0] ? virtnet_poll+0xd1c/0x23c0
[ 114.106946][ C0] ? __napi_poll+0xe7/0x980
[ 114.111703][ C0] ? net_rx_action+0x82a/0x1850
[ 114.117078][ C0] ? handle_softirqs+0x1d8/0x810
[ 114.122327][ C0] ? __irq_exit_rcu+0x68/0x120
[ 114.127651][ C0] ? irq_exit_rcu+0x12/0x20
[ 114.132722][ C0] ? common_interrupt+0x94/0xa0
[ 114.137888][ C0] ? asm_common_interrupt+0x2b/0x40
[ 114.143487][ C0] ? __msan_get_context_state+0x2b/0x40
[ 114.149332][ C0] ? filter_irq_stacks+0x20/0x1a0
[ 114.154699][ C0] ? stack_depot_save_flags+0x2c/0x6e0
[ 114.160497][ C0] ? stack_depot_save+0x12/0x20
[ 114.165739][ C0] ? __msan_poison_alloca+0x106/0x1b0
[ 114.171348][ C0] ? rtnl_fill_link_ifmap+0x3d/0x2d0
[ 114.177051][ C0] ? rtnl_fill_ifinfo+0x2842/0x2d00
[ 114.183163][ C0] ? rtnl_dump_ifinfo+0x985/0x2040
[ 114.188658][ C0] ? netlink_dump+0xaa0/0x15b0
[ 114.193597][ C0] ? netlink_recvmsg+0xc5f/0x1610
[ 114.198816][ C0] ? sock_recvmsg+0x2c4/0x340
[ 114.203960][ C0] ? ____sys_recvmsg+0x18a/0x620
[ 114.209989][ C0] ? ___sys_recvmsg+0x223/0x840
[ 114.215687][ C0] ? __x64_sys_recvmsg+0x304/0x4a0
[ 114.221034][ C0] ? x64_sys_call+0x38ff/0x3b50
[ 114.226249][ C0] ? do_syscall_64+0xcf/0x1e0
[ 114.231207][ C0] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 114.237587][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.243236][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.248644][ C0] ? page_to_skb+0xdae/0x1620
[ 114.253659][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.259661][ C0] __msan_warning+0x95/0x120
[ 114.264815][ C0] receive_buf+0x25e3/0x5fd0
[ 114.269784][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.275965][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.282750][ C0] virtnet_poll+0xd1c/0x23c0
[ 114.287998][ C0] ? __pfx_virtnet_poll+0x10/0x10
[ 114.293342][ C0] __napi_poll+0xe7/0x980
[ 114.298091][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.303971][ C0] net_rx_action+0x82a/0x1850
[ 114.309134][ C0] ? sched_clock_cpu+0x55/0x870
[ 114.314233][ C0] ? __pfx_net_rx_action+0x10/0x10
[ 114.319884][ C0] handle_softirqs+0x1d8/0x810
[ 114.324898][ C0] __irq_exit_rcu+0x68/0x120
[ 114.329699][ C0] irq_exit_rcu+0x12/0x20
[ 114.334253][ C0] common_interrupt+0x94/0xa0
[ 114.339240][ C0] </IRQ>
[ 114.342278][ C0] <TASK>
[ 114.345577][ C0] asm_common_interrupt+0x2b/0x40
[ 114.350950][ C0] RIP: 0010:__msan_get_context_state+0x2b/0x40
[ 114.357416][ C0] Code: 0f 1e fa 55 48 89 e5 65 8b 05 49 7b c4 7d a9 00 01 ff 00 74 15 65 48 8b 05 92 76 bb 7d 48 8d 80 c0 1b 0a 00 5d c3 cc cc cc cc <65> 48 8b 04 25 80 5e 0a 00 48 05 40 0b 00 00 5d c3 cc cc cc cc 90
[ 114.377420][ C0] RSP: 0018:ffff88811906b260 EFLAGS: 00000246
[ 114.383681][ C0] RAX: 0000000080000000 RBX: ffff88811906b350 RCX: 0000000000000001
[ 114.391913][ C0] RDX: 0000000000000020 RSI: 0000000000000004 RDI: ffff88811906b350
[ 114.400132][ C0] RBP: ffff88811906b260 R08: ffffffff8c92e59b R09: 0000000000000000
[ 114.408277][ C0] R10: ffff888115b33798 R11: ffffffff8da96b10 R12: ffff88811906b3b0
[ 114.416421][ C0] R13: 0000000000000000 R14: 0000000000000004 R15: 0000000000000246
[ 114.424568][ C0] ? __pfx_inet6_fill_link_af+0x10/0x10
[ 114.430580][ C0] ? rtnl_fill_ifinfo+0x27fb/0x2d00
[ 114.435997][ C0] filter_irq_stacks+0x20/0x1a0
[ 114.441101][ C0] ? kmsan_internal_set_shadow_origin+0x66/0xe0
[ 114.447597][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.453118][ C0] stack_depot_save_flags+0x2c/0x6e0
[ 114.458683][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.464102][ C0] stack_depot_save+0x12/0x20
[ 114.469036][ C0] __msan_poison_alloca+0x106/0x1b0
[ 114.474462][ C0] ? rtnl_fill_link_ifmap+0x3d/0x2d0
[ 114.480083][ C0] ? rtnl_fill_ifinfo+0x2842/0x2d00
[ 114.485584][ C0] rtnl_fill_link_ifmap+0x3d/0x2d0
[ 114.490942][ C0] rtnl_fill_ifinfo+0x2842/0x2d00
[ 114.496196][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.501884][ C0] rtnl_dump_ifinfo+0x985/0x2040
[ 114.507588][ C0] ? __x64_sys_recvmsg+0x304/0x4a0
[ 114.513055][ C0] ? should_fail_ex+0x4a/0x800
[ 114.518157][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.523666][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.530413][ C0] ? __pfx_rtnl_dump_ifinfo+0x10/0x10
[ 114.536490][ C0] ? __pfx_rtnl_dump_ifinfo+0x10/0x10
[ 114.542236][ C0] netlink_dump+0xaa0/0x15b0
[ 114.547420][ C0] netlink_recvmsg+0xc5f/0x1610
[ 114.553997][ C0] ? __pfx_netlink_recvmsg+0x10/0x10
[ 114.560431][ C0] ? __pfx_netlink_recvmsg+0x10/0x10
[ 114.566090][ C0] sock_recvmsg+0x2c4/0x340
[ 114.570832][ C0] ____sys_recvmsg+0x18a/0x620
[ 114.576080][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.582080][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.587555][ C0] ___sys_recvmsg+0x223/0x840
[ 114.592520][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.598101][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.604154][ C0] ? kmsan_get_metadata+0x146/0x1d0
[ 114.610172][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[ 114.616296][ C0] __x64_sys_recvmsg+0x304/0x4a0
[ 114.622011][ C0] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
Starting sshd: [ 114.628177][ C0] x64_sys_call+0x38ff/0x3b50
[ 114.634356][ C0] do_syscall_64+0xcf/0x1e0
[ 114.639066][ C0] ? clear_bhb_loop+0x25/0x80
[ 114.644087][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 114.650283][ C0] RIP: 0033:0x7f0e1c10791e
[ 114.654855][ C0] Code: ff 89 ef 48 89 04 24 e8 4f 57 f9 ff 48 8b 04 24 48 83 c4 30 5d c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 21 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 70 48 8b 15 db c4 0c 00 f7 d8 64 89 02 48 83
[ 114.675121][ C0] RSP: 002b:00007ffc9d177108 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[ 114.684538][ C0] RAX: ffffffffffffffda RBX: 00007ffc9d178230 RCX: 00007f0e1c10791e
[ 114.692957][ C0] RDX: 0000000000000000 RSI: 00007ffc9d178150 RDI: 0000000000000005
[ 114.701110][ C0] RBP: 00007ffc9d1781c0 R08: 0000000000000000 R09: 0000000000000400
[ 114.709257][ C0] R10: 0000000000000101 R11: 0000000000000246 R12: 0000000000000f00
[ 114.717904][ C0] R13: 00007ffc9d178134 R14: 00007ffc9d178150 R15: 00007ffc9d178140
[ 114.726053][ C0] </TASK>
[ 114.729581][ C0] Kernel Offset: disabled
[ 114.733979][ C0] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2172495115=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at c0f1611a3
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0f1611a36d66bb0bb8e2f294b97fb685bfc5f9c -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240517-125934'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0f1611a36d66bb0bb8e2f294b97fb685bfc5f9c -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240517-125934'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0f1611a36d66bb0bb8e2f294b97fb685bfc5f9c\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=168f1592980000


Tested on:

commit: 70ec81c2 Merge tag 'linux_kselftest-next-6.10-rc1-fixe..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d66c5ffb962c9d5b
dashboard link: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10d50ad2980000

Harshit Mogalapalli

May 30, 2024, 10:47:18 AM
to Edward Adam Davis, syzbot+07762f...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Dan Carpenter
Hi Edward,

On 28/05/24 17:58, Edward Adam Davis wrote:
> please test uv asus_report_fixup
>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 70ec81c2e2b4
>

I have tested the below patch:
and it prints something like this: No KMSAN failure.

[ 1200.138915][ T760] rdesc: g.�.�.�.I, asus_report_fixup

I don't see a boot failure like syzbot did (and that looks unrelated to
this bug that is being worked on (hid related)).
Thanks,
Harshit
>
>

Dan Carpenter

May 31, 2024, 4:53:38 AM
to Harshit Mogalapalli, Edward Adam Davis, syzbot+07762f...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Dan Carpenter
On Thu, May 30, 2024 at 08:16:59PM +0530, Harshit Mogalapalli wrote:
> > diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> > index a90ed2ceae84..9f0e09f667b1 100644
> > --- a/drivers/hid/usbhid/hid-core.c
> > +++ b/drivers/hid/usbhid/hid-core.c
> > @@ -1029,7 +1029,7 @@ static int usbhid_parse(struct hid_device *hid)
> > return -EINVAL;
> > }
> > - rdesc = kmalloc(rsize, GFP_KERNEL);
> > + rdesc = kzalloc(rsize, GFP_KERNEL);

This kzalloc() is unnecessary because hid_get_class_descriptor() has
a memset() built in:

memset(buf, 0, size);

I'm not a huge fan of how if hid_get_class_descriptor() runs out of
retries, we return the number of bytes in a partial read. Then the
caller pretends it was a success instead of using the result. But
that's a different issue.

regards,
dan carpenter

Dan Carpenter

May 31, 2024, 4:59:46 AM
to Andrew Ballance, syzbot+07762f...@syzkaller.appspotmail.com, benjamin....@redhat.com, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, sk...@linuxfoundation.org
On Tue, May 28, 2024 at 12:05:39AM -0500, Andrew Ballance wrote:
> #syz test
>
> there may be a read out of the bounds of rdesc.
> this adds bounds checks
>
> Signed-off-by: Andrew Ballance <andrewj...@gmail.com>
> ---
> drivers/hid/hid-asus.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 02de2bf4f790..37e6d25593c2 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
> }
>
> /* match many more n-key devices */
> - if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
> - for (int i = 0; i < *rsize + 1; i++) {
> + if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
> + for (int i = 0; i < *rsize - 15; i++) {

Yep. This looks correct. Please resend with a complete commit message
and a fixes tag etc.

> /* offset to the count from 0x5a report part always 14 */
> if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
> rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {

regards,
dan carpenter

Andrew Ballance

Jun 2, 2024, 4:51:51 AM
to dan.ca...@linaro.org, andrewj...@gmail.com, benjamin....@redhat.com, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-kern...@lists.linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, sk...@linuxfoundation.org, syzbot+07762f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
syzbot reported a potential read out of bounds in asus_report_fixup.

this patch adds checks so that a read out of bounds will not occur

Signed-off-by: Andrew Ballance <andrewj...@gmail.com>
Reported-by: syzbot+07762f...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
Fixes: 59d2f5b73921 ("HID: asus: fix more n-key report descriptors if n-key quirked")
---
drivers/hid/hid-asus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 02de2bf4f790..37e6d25593c2 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
}

/* match many more n-key devices */
- if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
- for (int i = 0; i < *rsize + 1; i++) {
+ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
+ for (int i = 0; i < *rsize - 15; i++) {
/* offset to the count from 0x5a report part always 14 */
if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
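Review bot: the bounds change is correct, but the constant deserves a comment: the furthest byte the match reads is `rdesc[i + 15]`, so the loop must stop at `*rsize - 15`, and the `*rsize > 15` guard is what keeps that subtraction from wrapping when *rsize is unsigned. A one-line comment tying the 15 to the `i + 15` read, or a named constant used in both places, stops the two from drifting apart in a later edit. Style: give the bit test its own parentheses, `(drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) && *rsize > 15`, so the precedence is explicit.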
--
2.45.1
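The difference between the original loop bound and the one in Andrew's patch, shown as an added example that is not part of the patch or of hid-asus.c: a small instrumented scanner (all names hypothetical) routes every descriptor read through a checked accessor, so reads past the buffer are counted rather than performed, and both loop bounds are run over constructed sample descriptors.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Instrumented view of a HID report descriptor. Every byte read goes
 * through rd(), which records an attempted read past the end instead of
 * dereferencing it: a tiny stand-in for what KASAN/KMSAN flagged in the
 * real driver. All names here are hypothetical, not hid-asus.c's own.
 */
struct rdesc_view {
	const uint8_t *buf;
	unsigned int size;
	unsigned int oob_reads;	/* attempted reads at index >= size */
};

static uint8_t rd(struct rdesc_view *v, unsigned int idx)
{
	if (idx >= v->size) {
		v->oob_reads++;
		return 0;	/* never touch memory past the buffer */
	}
	return v->buf[idx];
}

/*
 * Look for the n-key pattern the driver matches: a Report ID item for
 * report 0x5a (0x85 0x5a) followed 14 bytes later by a Report Count item
 * (0x95) whose value is 0x05. The furthest byte read per iteration is
 * rdesc[i + 15].
 *
 * guarded == 0 reproduces the original bound (i < size + 1);
 * guarded != 0 uses the fixed one (size > 15 required, i < size - 15).
 * Returns the index of the Report Count value byte, or -1 if not found.
 */
static int find_nkey_count(struct rdesc_view *v, int guarded)
{
	unsigned int limit;

	if (guarded) {
		if (v->size <= 15)	/* too short to hold the 16-byte pattern */
			return -1;
		limit = v->size - 15;
	} else {
		limit = v->size + 1;	/* the original, unbounded loop */
	}

	for (unsigned int i = 0; i < limit; i++) {
		if (rd(v, i) == 0x85 && rd(v, i + 1) == 0x5a &&
		    rd(v, i + 14) == 0x95 && rd(v, i + 15) == 0x05)
			return (int)(i + 15);
	}
	return -1;
}

/* Scan a raw buffer and report how many reads would have gone past it. */
static int scan_bytes(const uint8_t *buf, unsigned int size, int guarded,
		      unsigned int *oob_reads)
{
	struct rdesc_view v = { buf, size, 0 };
	int idx = find_nkey_count(&v, guarded);

	*oob_reads = v.oob_reads;
	return idx;
}

/* Constructed sample descriptors (not captured from real hardware). */

/* Well-formed: Report ID 0x5a at offset 6, Report Count 5 at offset 20. */
static const uint8_t good_desc[] = {
	0x05, 0x01, 0x09, 0x06, 0xa1, 0x01, 0x85, 0x5a,
	0x05, 0x07, 0x19, 0xe0, 0x29, 0xe7, 0x15, 0x00,
	0x25, 0x01, 0x75, 0x01, 0x95, 0x05, 0x81, 0x02,
	0x95, 0x01, 0x75, 0x08, 0x81, 0x01, 0xc0,
};

/* Truncated: the descriptor ends right after the Report ID item. */
static const uint8_t tail_desc[] = {
	0x05, 0x01, 0x09, 0x06, 0xa1, 0x01, 0x85, 0x5a,
};

/* Exactly 16 bytes with the pattern at offset 0: the smallest size the
 * fixed guard still scans. */
static const uint8_t edge_desc[] = {
	0x85, 0x5a, 0x05, 0x07, 0x19, 0xe0, 0x29, 0xe7,
	0x15, 0x00, 0x25, 0x01, 0x75, 0x01, 0x95, 0x05,
};

int main(void)
{
	const struct { const char *name; const uint8_t *buf; unsigned int size; } cases[] = {
		{ "good", good_desc, sizeof good_desc },
		{ "tail", tail_desc, sizeof tail_desc },
		{ "edge", edge_desc, sizeof edge_desc },
	};

	for (unsigned int c = 0; c < 3; c++) {
		for (int guarded = 0; guarded <= 1; guarded++) {
			unsigned int oob;
			int idx = scan_bytes(cases[c].buf, cases[c].size, guarded, &oob);

			printf("%-4s %-8s idx=%3d oob_reads=%u\n", cases[c].name,
			       guarded ? "fixed" : "original", idx, oob);
		}
	}
	return 0;
}
```

On the well-formed descriptor both bounds find the count byte at offset 21 with no out-of-range access, which is why the bug stays invisible on real keyboards. On the truncated descriptor the original bound attempts two reads past the end (the `i + 14` read once the 0x85 0x5a pair is seen, and the `i == size` iteration itself), while the fixed bound rejects the short descriptor before scanning; the 16-byte case shows the guard's lower limit still scans a pattern that fills the whole buffer.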

Greg KH

Jun 2, 2024, 6:57:36 AM
to Andrew Ballance, dan.ca...@linaro.org, benjamin....@redhat.com, ben...@kernel.org, ji...@kernel.org, jko...@suse.com, linux...@vger.kernel.org, linux-kern...@lists.linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, sk...@linuxfoundation.org, syzbot+07762f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Hi,

This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/process/submitting-patches.rst for what
needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Benjamin Tissoires

Jun 9, 2024, 7:52:40 PM
to dan.ca...@linaro.org, Andrew Ballance, linux...@vger.kernel.org, linux-kern...@lists.linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, lu...@ljones.dev, sk...@linuxfoundation.org, syzbot+07762f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Benjamin Tissoires, Jiri Kosina
On Sun, 02 Jun 2024 03:50:23 -0500, Andrew Ballance wrote:
> syzbot reported a potential read out of bounds in asus_report_fixup.
>
> this patch adds checks so that a read out of bounds will not occur
>
>

Applied to hid/hid.git (for-6.10/upstream-fixes), thanks!

[1/1] hid: asus: asus_report_fixup: fix potential read out of bounds
https://git.kernel.org/hid/hid/c/cfacaaf33cd7

Cheers,
--
Benjamin Tissoires <ben...@kernel.org>
