INFO: trying to register non-static key in uhid_char_release


syzbot

Mar 6, 2020, 10:05:13 PM
to benjamin....@redhat.com, dh.he...@googlemail.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: fb279f4e Merge branch 'i2c/for-current-fixed' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bc5181e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b13b05f0e61d957
dashboard link: https://syzkaller.appspot.com/bug?extid=8357fbef0d7bb602de45
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8357fb...@syzkaller.appspotmail.com

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 9870 Comm: syz-executor.1 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
register_lock_class+0x6f4/0xec0 kernel/locking/lockdep.c:443
__lock_acquire+0x116/0x1bc0 kernel/locking/lockdep.c:3836
lock_acquire+0x154/0x250 kernel/locking/lockdep.c:4484
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x9e/0xc0 kernel/locking/spinlock.c:159
__wake_up_common_lock kernel/sched/wait.c:122 [inline]
__wake_up+0xb8/0x150 kernel/sched/wait.c:142
uhid_dev_destroy drivers/hid/uhid.c:563 [inline]
uhid_char_release+0x99/0x600 drivers/hid/uhid.c:642
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48a/0x5c0 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd2649c0a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416041
RDX: 0000001b2f820000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00000000a5a41883 R09: 00000000a5a41887
R10: 00007ffd2649c180 R11: 0000000000000293 R12: 000000000076bf20
R13: 00000000007715a0 R14: 000000000003bd20 R15: 000000000076bf2c
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 9870 Comm: syz-executor.1 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__wake_up_common+0x297/0x4d0 kernel/sched/wait.c:86
Code: fb 01 00 00 45 31 f6 eb 13 66 2e 0f 1f 84 00 00 00 00 00 4d 39 fc 0f 84 e3 01 00 00 4c 89 fb 49 8d 6f e8 4c 89 f8 48 c1 e8 03 <80> 3c 10 00 74 12 48 89 df e8 eb 48 59 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc900049a7d20 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888048e513c8
RBP: ffffffffffffffe8 R08: 0000000000000000 R09: ffffc900049a7d88
R10: fffff52000934fa4 R11: 0000000000000000 R12: ffff888048e51400
R13: 1ffff92000934fb1 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000ed3940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f822000 CR3: 0000000098f9a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__wake_up_common_lock kernel/sched/wait.c:123 [inline]
__wake_up+0xd4/0x150 kernel/sched/wait.c:142
uhid_dev_destroy drivers/hid/uhid.c:563 [inline]
uhid_char_release+0x99/0x600 drivers/hid/uhid.c:642
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48a/0x5c0 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd2649c0a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416041
RDX: 0000001b2f820000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00000000a5a41883 R09: 00000000a5a41887
R10: 00007ffd2649c180 R11: 0000000000000293 R12: 000000000076bf20
R13: 00000000007715a0 R14: 000000000003bd20 R15: 000000000076bf2c
Modules linked in:
---[ end trace bb22508a82bfb9e5 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Hillf Danton

Mar 7, 2020, 11:06:01 PM
to syzbot, benjamin....@redhat.com, dh.he...@googlemail.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Fri, 06 Mar 2020 19:05:11 -0800
Only for gpf.

--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -636,9 +636,13 @@ static int uhid_char_open(struct inode *

static int uhid_char_release(struct inode *inode, struct file *file)
{
- struct uhid_device *uhid = file->private_data;
+ struct uhid_device *uhid;
unsigned int i;

+ uhid = xchg(&file->private_data, NULL);
+ if (!uhid)
+ return 0; /* race is benign */
+
uhid_dev_destroy(uhid);

for (i = 0; i < UHID_BUFSIZE; ++i)
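Review bot: the NULL guard added in front of uhid_dev_destroy() cannot fire on the reported path and leaves the actual fault untouched. ->release() runs once per struct file from __fput() (the trace shows exactly that: __fput -> uhid_char_release), so xchg(&file->private_data, NULL) always hands back the live pointer and the `if (!uhid) return 0;` branch is dead code; a second release of the same file is not what the report shows. Both crash signatures point elsewhere: lockdep's "trying to register non-static key" on the spinlock taken inside __wake_up(), and KASAN's null-ptr-deref in __wake_up_common() with RBX = 0 and RBP = 0xffffffffffffffe8 (a list walk starting from a NULL head), are consistent with a wait_queue_head in the uhid device that was never initialised by the time uhid_dev_destroy() wakes it, not with a private_data that someone else cleared. The comment `/* race is benign */` also asserts a race the patch does not identify; if a concurrent destroyer is suspected, name the racing path in the description and serialise on the device's mutex rather than skip the cleanup.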

Eric Biggers

Mar 8, 2020, 1:08:17 AM
to Hillf Danton, syzbot, benjamin....@redhat.com, dh.he...@googlemail.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
That looks wrong. The normal semantics for files (and uhid looks no different)
is that file->private_data is valid as long as they're open, and then
->release() frees it. ->release() should never see NULL private_data.

Hillf Danton

Mar 8, 2020, 6:38:29 AM
to Eric Biggers, syzbot, benjamin....@redhat.com, dh.he...@googlemail.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Sat, 7 Mar 2020 22:08:14 -0800 Eric Biggers wrote:
> On Sun, Mar 08, 2020 at 12:05:35PM +0800, Hillf Danton wrote:
> >
Hi Eric

> That looks wrong.

Quite likely.

> The normal semantics for files (and uhid looks no different)
> is that file->private_data is valid as long as they're open, and then
> ->release() frees it. ->release() should never see NULL private_data.

Correct.

In this particular case, the gpf is fixed by only releasing the file once, on
the assumption that once released the private_data is no longer valid
as it is freed, without any idea of how much the gpf contributed to the report.

Hillf

syzbot

Mar 9, 2020, 11:26:11 AM
to benjamin....@redhat.com, dh.he...@googlemail.com, ebig...@kernel.org, hda...@sina.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 2c523b34 Linux 5.6-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150bce55e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=8357fbef0d7bb602de45
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b439c3e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16dc6fb5e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8357fb...@syzkaller.appspotmail.com

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 10346 Comm: syz-executor364 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
register_lock_class+0x6f4/0xec0 kernel/locking/lockdep.c:443
__lock_acquire+0x116/0x1bc0 kernel/locking/lockdep.c:3836
lock_acquire+0x154/0x250 kernel/locking/lockdep.c:4484
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x9e/0xc0 kernel/locking/spinlock.c:159
__wake_up_common_lock kernel/sched/wait.c:122 [inline]
__wake_up+0xb8/0x150 kernel/sched/wait.c:142
uhid_dev_destroy drivers/hid/uhid.c:563 [inline]
uhid_char_release+0x99/0x600 drivers/hid/uhid.c:642
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403d8
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffd67f7d928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004403d8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004c0d90 R08: 00000000000000e7 R09: ffffffffffffffd4
R10: 0000000000402570 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d3180 R14: 0000000000000000 R15: 0000000000000000
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 10346 Comm: syz-executor364 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__wake_up_common+0x297/0x4d0 kernel/sched/wait.c:86
Code: fb 01 00 00 45 31 f6 eb 13 66 2e 0f 1f 84 00 00 00 00 00 4d 39 fc 0f 84 e3 01 00 00 4c 89 fb 49 8d 6f e8 4c 89 f8 48 c1 e8 03 <80> 3c 10 00 74 12 48 89 df e8 eb 4e 59 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90001687c10 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888091fe13c8
RBP: ffffffffffffffe8 R08: 0000000000000000 R09: ffffc90001687c78
R10: fffff520002d0f82 R11: 0000000000000000 R12: ffff888091fe1400
R13: 1ffff920002d0f8f R14: 0000000000000000 R15: 0000000000000000
FS: 00000000023ec940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000088 CR3: 0000000096b74000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__wake_up_common_lock kernel/sched/wait.c:123 [inline]
__wake_up+0xd4/0x150 kernel/sched/wait.c:142
uhid_dev_destroy drivers/hid/uhid.c:563 [inline]
uhid_char_release+0x99/0x600 drivers/hid/uhid.c:642
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403d8
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffd67f7d928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004403d8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004c0d90 R08: 00000000000000e7 R09: ffffffffffffffd4
R10: 0000000000402570 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d3180 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 6b49c4c2b7708f14 ]---

syzbot

Mar 9, 2020, 8:57:03 PM
to benjamin....@redhat.com, dh.he...@googlemail.com, ebig...@kernel.org, hda...@sina.com, ji...@kernel.org, jkor...@cisco.com, jko...@suse.cz, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has bisected this bug to:

commit 84a4062632462c4320704fcdf8e99e89e94c0aba
Author: Johan Korsnes <jkor...@cisco.com>
Date: Fri Jan 17 12:08:36 2020 +0000

HID: core: increase HID report buffer size to 8KiB

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=113098b1e00000
start commit: 2c523b34 Linux 5.6-rc5
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=133098b1e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=153098b1e00000
Reported-by: syzbot+8357fb...@syzkaller.appspotmail.com
Fixes: 84a406263246 ("HID: core: increase HID report buffer size to 8KiB")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Mar 9, 2020, 11:18:20 PM
to syzbot, benjamin....@redhat.com, dh.he...@googlemail.com, ebig...@kernel.org, hda...@sina.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Mon, 09 Mar 2020 08:26:10 -0700
> syzbot has found a reproducer for the following crash on:
> [...]


--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -639,7 +639,9 @@ static int uhid_char_release(struct inod
struct uhid_device *uhid = file->private_data;
unsigned int i;

- uhid_dev_destroy(uhid);
+ /* back off if anyone is taking care of uhid */
+ if (uhid_dev_destroy(uhid))
+ return 0;

for (i = 0; i < UHID_BUFSIZE; ++i)
kfree(uhid->outq[i]);
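Review bot: returning early whenever uhid_dev_destroy() reports non-zero skips the `kfree(uhid->outq[i])` loop shown right below it and whatever cleanup follows in uhid_char_release(), so every non-zero return now leaks the output queue, and nothing in the hunk says what non-zero means. As David Rheinsberg points out later in this thread, the value is a non-significant error code kept only so the ioctl path can report something to user-space; it does not signal that another context owns the device, so the comment "back off if anyone is taking care of uhid" describes a condition the call does not actually detect. If the intent is to let a concurrent destroyer finish first, the release path should take the device's devlock mutex and wait, as the follow-up reply itself concludes, rather than abandon its cleanup, and the comment should name the path it is racing with.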

Hillf Danton

Mar 21, 2020, 10:44:45 PM
to David Rheinsberg, syzbot, Benjamin Tissoires, ebig...@kernel.org, Jiri Kosina, open list:HID CORE LAYER, linux-kernel, syzkall...@googlegroups.com

On Sat, 21 Mar 2020 20:17:27 +0100 David Rheinsberg wrote:
> That looks not correct.

You are right.

> `uhid_dev_destroy()` returns a non-significant
> error code. This is only done to make sure the ioctl that call it can
> return a suitable code to user-space.
>
That code was used in the diff above for detecting the race between
destroyer and releaser. What was missed is the part where the releaser
should wait for its peer by taking the devlock mutex instead of finishing
its work with nothing else done.

> What is this trying to fix?

Nothing so far, as the releaser has no pal to play the game with on the ground.

Hillf

syzbot

Oct 7, 2020, 1:01:09 PM
to benjamin....@gmail.com, benjamin....@redhat.com, brooke...@gmail.com, david.rh...@gmail.com, dh.he...@googlemail.com, ebig...@kernel.org, hda...@sina.com, ji...@kernel.org, jkor...@cisco.com, jko...@suse.cz, linux...@vger.kernel.org, linux-...@vger.kernel.org, m...@kernel.org, syzkall...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit bce1305c0ece3dc549663605e567655dd701752c
Author: Marc Zyngier <m...@kernel.org>
Date: Sat Aug 29 11:26:01 2020 +0000

HID: core: Correctly handle ReportSize being zero

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12d19370500000
start commit: 1127b219 Merge tag 'fallthrough-fixes-5.9-rc3' of git://gi..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=891ca5711a9f1650
dashboard link: https://syzkaller.appspot.com/bug?extid=8357fbef0d7bb602de45
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102c472e900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13081056900000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: HID: core: Correctly handle ReportSize being zero

Dmitry Vyukov

Nov 11, 2020, 8:21:14 AM
to syzbot, open list:HID CORE LAYER, LKML, syzkaller-bugs