[syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse


syzbot
Oct 16, 2023, 1:01:20 PM
to benjamin....@redhat.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ad7f1baed071 Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1056d5c5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1081f1e5680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c7bc4d680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3074ad3ff92/disk-ad7f1bae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b298a1e285/vmlinux-ad7f1bae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1ad5cd9c2a48/bzImage-ad7f1bae.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c52569...@syzkaller.appspotmail.com

usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc5-syzkaller-00227-gad7f1baed071 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
hub_port_connect drivers/usb/core/hub.c:5440 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
================================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

ead...@sina.com
Oct 17, 2023, 12:09:20 AM
to syzbot+c52569...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <ead...@sina.com>

please test UBSAN: array-index-out-of-bounds in usbhid_parse

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 257dd73e37bf..6d098d308707 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1020,6 +1020,9 @@ static int usbhid_parse(struct hid_device *hid)
num_descriptors = min_t(int, hdesc->bNumDescriptors,
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));

+ printk("%d, %d, %d,%d,%s\n", num_descriptors, offset, hdesc->bNumDescriptors,hdesc->bLength, __func__);
+ if (num_descriptors > 1)
+ num_descriptors = 1;
for (n = 0; n < num_descriptors; n++)
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
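Review bot: The `printk()` and the hard-coded `if (num_descriptors > 1) num_descriptors = 1;` are debugging aids rather than a fix: the clamp ties the loop bound to the literal 1 instead of `ARRAY_SIZE(hdesc->desc)`, so it silently drops any HID_DT_REPORT entry a device places after its first class descriptor, and the `printk()` carries no `KERN_*` level and would fire on every probe. Fine for a `#syz test` run; for submission express the bound through the array size and drop the trace.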

syzbot
Oct 17, 2023, 1:46:29 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c52569...@syzkaller.appspotmail.com

Tested on:

commit: ad7f1bae Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1691f175680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17087c4d680000

Note: testing is done by a robot and is best-effort only.

ead...@sina.com
Oct 17, 2023, 4:41:21 AM
to syzbot+c52569...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <ead...@sina.com>

please test UBSAN: array-index-out-of-bounds in usbhid_parse

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 257dd73e37bf..ad0a9ff9ecde 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1020,6 +1020,9 @@ static int usbhid_parse(struct hid_device *hid)
num_descriptors = min_t(int, hdesc->bNumDescriptors,
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));

+ printk("%s, %d, %d, %d, %d,%d,%s\n", interface->extra, interface->extralen, num_descriptors, offset, hdesc->bNumDescriptors,hdesc->bLength, __func__);
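Review bot: `%s` applied to `interface->extra` treats the device-supplied extra-descriptor bytes as a NUL-terminated string; they are binary data of length `interface->extralen`, so the format can read past the buffer and prints nothing readable. Use `%*ph` bounded by `extralen` to dump them. The hunk is also truncated: the `@@ -1020,6 +1020,9 @@` header announces three added lines but only this `printk()` is present.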

syzbot
Oct 17, 2023, 5:07:30 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c52569...@syzkaller.appspotmail.com

Tested on:

commit: ad7f1bae Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17f33119680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11a047de680000

ead...@sina.com
Oct 17, 2023, 5:28:30 AM
to syzbot+c52569...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index 2a938cf47ccd..d49a4943f8a3 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -960,11 +960,13 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,

if (header->bDescriptorType == type && header->bLength >= minsize) {
*ptr = header;
+ printk("%p, %s\n", header, __func__);
return 0;
}

buffer += header->bLength;
size -= header->bLength;
+ printk("%p, %d, %s\n", header, header->bLength, __func__);
}
return -1;
}
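Review bot: Both `printk()`s print `header` with `%p`, which the kernel hashes by default, so the two lines cannot be correlated with each other or with a real address; printing the running offset of `header` from the start of `buffer` together with `header->bLength` and `header->bDescriptorType` would actually show how the walk arrives at (or skips) the HID descriptor. The calls also have no `KERN_*` level; `dev_dbg()` is the usual form if any of this were to stay.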

syzbot
Oct 17, 2023, 5:52:28 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c52569...@syzkaller.appspotmail.com

Tested on:

commit: ad7f1bae Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=147b4c75680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13f18275680000

ead...@sina.com
Oct 17, 2023, 5:55:40 AM
to syzbot+c52569...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <ead...@sina.com>

please test UBSAN: array-index-out-of-bounds in usbhid_parse

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 257dd73e37bf..ad0a9ff9ecde 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1020,6 +1020,9 @@ static int usbhid_parse(struct hid_device *hid)
num_descriptors = min_t(int, hdesc->bNumDescriptors,
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));

+ printk("%s, %d, %d, %d, %d,%d,%s\n", interface->extra, interface->extralen, num_descriptors, offset, hdesc->bNumDescriptors,hdesc->bLength, __func__);
+ if (num_descriptors > 1)
+ num_descriptors = 1;
for (n = 0; n < num_descriptors; n++)
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
index 2a938cf47ccd..1d266992170c 100644
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -960,11 +960,13 @@ int __usb_get_extra_descriptor(char *buffer, unsigned size,

if (header->bDescriptorType == type && header->bLength >= minsize) {
*ptr = header;
+ printk("r: %p, %d, %s\n", header, header->bLength, __func__);
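Review bot: This second hunk is cut off after its first added line: the `@@ -960,11 +960,13 @@` header promises thirteen lines of new-side context, but the closing brace, the `buffer +=` / `size -=` lines and the second insertion are missing, so the patch as pasted here is incomplete and would not apply from the mail body. Please repost the full diff (or reply to the syzbot result that carries the patch link).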

syzbot
Oct 17, 2023, 6:38:27 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c52569...@syzkaller.appspotmail.com

Tested on:

commit: ad7f1bae Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=133be691680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12baadc5680000

Hillf Danton
Oct 17, 2023, 6:45:59 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 16 Oct 2023 10:01:18 -0700
> HEAD commit: ad7f1baed071 Merge tag 'acpi-6.6-rc6' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c7bc4d680000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/hid/usbhid/hid-core.c
+++ y/drivers/hid/usbhid/hid-core.c
@@ -1002,9 +1002,7 @@ static int usbhid_parse(struct hid_devic
quirks |= HID_QUIRK_NOGET;
}

- if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
- (!interface->desc.bNumEndpoints ||
- usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
+ if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc)) {
dbg_hid("class descriptor not present\n");
return -ENODEV;
}
--
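Review bot: Dropping the fallback lookup in `interface->endpoint[0]` changes which devices are accepted rather than fixing the indexing: a device that places its HID descriptor after the endpoint descriptor instead of after the interface descriptor now fails with `-ENODEV` at this hunk, while the `desc[n]` access at line 1024 that UBSAN flagged is untouched. If the reproducer stops triggering with this change it is because its descriptor is refused before the loop, not because the bound is fixed; the count still needs to be limited to `ARRAY_SIZE(hdesc->desc)` or `bNumDescriptors` validated against `bLength`, and a behaviour change like this one needs a commit message explaining why the endpoint fallback is no longer wanted.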

syzbot
Oct 17, 2023, 7:17:37 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c52569...@syzkaller.appspotmail.com

Tested on:

commit: 213f8915 Merge tag 'probes-fixes-v6.6-rc6' of git://gi..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=11583ee5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c2b0838e2a16cba
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17da2e19680000

syzbot
Nov 17, 2023, 9:23:13 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Test
Author: tinti...@gmail.com

syzbot
Dec 23, 2023, 2:59:52 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
Requesting help from the maintainers to understand what is really going wrong in the code.

Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.

Signed-off-by: Attreyee Mukherjee <tinti...@gmail.com>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));

for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
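Review bot: Without braces the `for` now has only `if (n >= ARRAY_SIZE(hdesc->desc)) break;` as its body, and the `if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)` that follows is no longer inside the loop: it runs once, after the loop, with `n` equal to the value the loop exited on. For `num_descriptors == 2` that is `n == 1` (the `break`), and for the normal `num_descriptors == 1` case it is also `n == 1` (the loop condition failing), so `desc[1]` is read either way: the out-of-bounds access from the report is unchanged, and well-formed single-entry devices would have `rsize` taken from whatever follows `desc[0]` instead of from the report entry. Wrap the loop body in braces, or better, clamp `num_descriptors` to `ARRAY_SIZE(hdesc->desc)` before the loop instead of testing inside it.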

--
2.34.1
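The count computation Attreyee's message questions, as an added userspace example that is not code from the kernel or from anyone on this thread: it mirrors how usbhid_parse() derives num_descriptors from bLength and bNumDescriptors, shows with a constructed two-entry descriptor that the result can exceed the single desc[1] slot the struct has room for, and puts beside it a hardened parser that validates bLength against bNumDescriptors (the idea behind the struct_size() check later in the thread) and walks the entries by byte offset so no fixed array is indexed at all. The struct layout, descriptor type codes and sample bytes are reconstructed here and labelled as such; HID_MAX_DESCRIPTOR_SIZE is assumed to be 4096 as in the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of the USB HID class descriptor, mirroring struct hid_descriptor
 * in include/linux/hid.h; the fixed desc[1] is what the UBSAN report indexes past. */
#define HID_DT_HID               0x21
#define HID_DT_REPORT            0x22
#define HID_DT_PHYSICAL          0x23
#define HID_MAX_DESCRIPTOR_SIZE  4096   /* assumed: the limit usbhid_parse() applies to rsize */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct hid_class_descriptor {
    uint8_t  bDescriptorType;
    uint16_t wDescriptorLength;          /* little-endian on the wire */
} __attribute__((packed));

struct hid_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t bcdHID;
    uint8_t  bCountryCode;
    uint8_t  bNumDescriptors;
    struct hid_class_descriptor desc[1];
} __attribute__((packed));

/* Constructed sample descriptors (not captured from any device). */
/* One 63-byte report entry: the common, well-formed case. */
static const uint8_t SAMPLE_ONE_ENTRY[] = {
    9, HID_DT_HID, 0x11, 0x01, 0x00, 1, HID_DT_REPORT, 0x3f, 0x00 };
/* Two entries (a physical descriptor, then a 64-byte report): bLength=12 is
 * consistent with bNumDescriptors=2, so the kernel-style count becomes 2. */
static const uint8_t SAMPLE_TWO_ENTRIES[] = {
    12, HID_DT_HID, 0x11, 0x01, 0x00, 2,
    HID_DT_PHYSICAL, 0x05, 0x00, HID_DT_REPORT, 0x40, 0x00 };
/* bNumDescriptors=2 but bLength=9 leaves room for only one entry. */
static const uint8_t SAMPLE_COUNT_MISMATCH[] = {
    9, HID_DT_HID, 0x11, 0x01, 0x00, 2, HID_DT_REPORT, 0x3f, 0x00 };

/* Slots in the fixed desc[] array: 1, the bound UBSAN enforced. */
size_t fixed_desc_slots(void)
{
    return ARRAY_SIZE(((struct hid_descriptor *)0)->desc);   /* unevaluated, sizeof only */
}

/* Model of the count usbhid_parse() computes: min(bNumDescriptors, entries
 * that fit in bLength). Returns -1 where the kernel's "too short" check fires. */
int kernel_style_num_descriptors(const uint8_t *buf, size_t len)
{
    struct hid_descriptor h;
    size_t offset = offsetof(struct hid_descriptor, desc);
    int fit;

    if (len < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));          /* header plus the first (only) array slot */
    if (h.bLength < sizeof(h))
        return -1;
    fit = (h.bLength - (int)offset) / (int)sizeof(struct hid_class_descriptor);
    return h.bNumDescriptors < fit ? h.bNumDescriptors : fit;
}

/* Hardened version: checks bLength against bNumDescriptors and walks the
 * entries by byte offset, so no fixed-size array is ever indexed. Stores the
 * report descriptor length on success, returns -1 on any inconsistency. */
int hid_report_desc_length(const uint8_t *buf, size_t len, unsigned int *rsize)
{
    const size_t hdr = offsetof(struct hid_descriptor, desc);   /* 6 bytes */
    const size_t ent = sizeof(struct hid_class_descriptor);      /* 3 bytes */
    unsigned int found = 0;

    if (len < hdr + ent || buf[1] != HID_DT_HID || buf[0] > len)
        return -1;                       /* too short, wrong type, or bLength overruns the buffer */
    if (buf[5] == 0 || buf[0] < hdr + ent * buf[5])
        return -1;                       /* bNumDescriptors does not fit inside bLength */
    for (unsigned int n = 0; n < buf[5]; n++) {
        const uint8_t *e = buf + hdr + ent * n;
        if (e[0] == HID_DT_REPORT)       /* last report entry wins, as in usbhid_parse() */
            found = e[1] | ((unsigned int)e[2] << 8);
    }
    if (!found || found > HID_MAX_DESCRIPTOR_SIZE)
        return -1;
    *rsize = found;
    return 0;
}

/* Convenience wrapper: the report length, or 0 when the descriptor is rejected. */
unsigned int report_len_or_zero(const uint8_t *buf, size_t len)
{
    unsigned int r = 0;
    return hid_report_desc_length(buf, len, &r) == 0 ? r : 0;
}

int main(void)
{
    int n = kernel_style_num_descriptors(SAMPLE_TWO_ENTRIES, sizeof(SAMPLE_TWO_ENTRIES));
    printf("kernel-style count=%d, fixed slots=%zu -> %s\n", n, fixed_desc_slots(),
           n > (int)fixed_desc_slots() ? "desc[n] would overrun" : "in bounds");
    printf("hardened parse of two-entry sample: report length %u\n",
           report_len_or_zero(SAMPLE_TWO_ENTRIES, sizeof(SAMPLE_TWO_ENTRIES)));
    printf("count/length mismatch rejected: %d\n",
           hid_report_desc_length(SAMPLE_COUNT_MISMATCH, sizeof(SAMPLE_COUNT_MISMATCH), (unsigned int[]){0}));
    return 0;
}
```

The first function reproduces the arithmetic the thread is arguing about: bLength and bNumDescriptors are both device-controlled, and when they agree with each other the kernel-style count is simply whatever the device asked for, which is why a consistent two-entry descriptor reaches desc[1]. The hardened variant treats the descriptor as a byte string whose length field has been checked, which is how the struct_size()-based check and a flexible desc[] behave once combined.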

Dan Carpenter
Jan 3, 2024, 9:12:55 AM
to oe-k...@lists.linux.dev, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, l...@intel.com, oe-kbu...@lists.linux.dev
Hi syzbot,

kernel test robot noticed the following build warnings:

https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/syzbot/usbhid-fix-array-index-out-of-bounds-in-usbhid_parse-UBSAN-warning/20231225-153341
base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
patch link: https://lore.kernel.org/r/0000000000009ae37b060d32c643%40google.com
patch subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
config: x86_64-randconfig-161-20231225 (https://download.01.org/0day-ci/archive/20231226/202312260900...@intel.com/config)
compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <l...@intel.com>
| Reported-by: Dan Carpenter <dan.ca...@linaro.org>
| Closes: https://lore.kernel.org/r/202312260900...@intel.com/

smatch warnings:
drivers/hid/usbhid/hid-core.c:1026 usbhid_parse() warn: curly braces intended?
drivers/hid/usbhid/hid-core.c:1029 usbhid_parse() warn: inconsistent indenting

vim +1026 drivers/hid/usbhid/hid-core.c

c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)

This for loop needs curly braces now.

d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1024 if (n >= ARRAY_SIZE(hdesc->desc))
d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1025 break;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Aleksandr Nogikh
Jan 3, 2024, 9:29:55 AM
to Dan Carpenter, oe-k...@lists.linux.dev, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, l...@intel.com, oe-kbu...@lists.linux.dev
Hi Dan,

In this particular case syzbot just forwarded a user's patch testing
request to the LKML. I think there's not much value in kernel test
robot analyzing such emails.

--
Aleksandr

Kees Cook
Mar 5, 2024, 1:55:31 PM
to Jiri Kosina, Benjamin Tissoires, Attreyee Mukherjee, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot, linu...@vger.kernel.org, linux-h...@vger.kernel.org
Hi,

What's happened to getting a new version of this patch? This flaw is
still reachable in -next from what I can see?

Thanks,

-Kees
--
Kees Cook

Nikita Zhandarovich
May 23, 2024, 10:17:22 AM
to syzbot+c52569...@syzkaller.appspotmail.com, Nikita Zhandarovich, syzkall...@googlegroups.com, linux-...@vger.kernel.org
---
drivers/hid/usbhid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..f38a4bd3a20e 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1020,6 +1020,9 @@ static int usbhid_parse(struct hid_device *hid)
num_descriptors = min_t(int, hdesc->bNumDescriptors,
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));

+ if (num_descriptors > ARRAY_SIZE(hdesc->desc))
+ num_descriptors = ARRAY_SIZE(hdesc->desc);
+
for (n = 0; n < num_descriptors; n++)
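Review bot: The clamp compares the `int num_descriptors` with `ARRAY_SIZE(hdesc->desc)`, a `size_t`, so `-Wsign-compare` builds will warn; `num_descriptors` is non-negative here because of the earlier `bLength` check, but folding the bound into the existing `min_t(int, ...)` expression avoids both the warning and a second clamp. Functionally this silently ignores every class descriptor beyond the first, so a device whose HID_DT_REPORT entry is not `desc[0]` is refused by the `!rsize` check below rather than parsed; that is a reasonable consequence of `desc[1]` in the struct, but it deserves a comment and a line in the commit message. The hunk is also truncated here: the header announces the loop body as context but the diff stops at the `for` line.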

syzbot
May 23, 2024, 9:56:05 PM
to linux-...@vger.kernel.org, n.zhand...@fintech.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c52569...@syzkaller.appspotmail.com

Tested on:

commit: b4d88a60 Merge tag 'block-6.10-20240523' of git://git...
console output: https://syzkaller.appspot.com/x/log.txt?x=117100d8980000
kernel config: https://syzkaller.appspot.com/x/.config?x=34e05c35ec964e75
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1293b80c980000

Nikita Zhandarovich
Jan 30, 2025, 5:20:20 AM
to syzbot, Nikita Zhandarovich, syzkall...@googlegroups.com, linux-...@vger.kernel.org
Test to see that changes made to hid_descriptor are fine.
drivers/hid/usbhid/hid-core.c | 2 +-
drivers/usb/gadget/function/f_fs.c | 3 ++-
drivers/usb/gadget/function/f_hid.c | 22 ++++++++++++++--------
include/linux/hid.h | 2 +-
4 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a6eb6fe6130d..eb4807785d6d 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1010,7 +1010,7 @@ static int usbhid_parse(struct hid_device *hid)
return -ENODEV;
}

- if (hdesc->bLength < sizeof(struct hid_descriptor)) {
+ if (hdesc->bLength < struct_size(hdesc, desc, hdesc->bNumDescriptors)) {
dbg_hid("hid descriptor is too short\n");
return -EINVAL;
}
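Review bot: `struct_size(hdesc, desc, hdesc->bNumDescriptors)` validates `bLength` against the advertised count, which is the right check, and it makes the `min_t()` on `num_descriptors` a few lines below redundant: once this passes, the number of entries that fit is at least `bNumDescriptors`, so consider removing the `min_t()` in the same patch so the two expressions cannot drift apart. With a flexible `desc[]`, `bNumDescriptors == 0` now passes this check with a six-byte descriptor and is only caught later by the `!rsize` test; an explicit rejection here would make the contract clearer.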
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 2dea9e42a0f8..a4b6d7cbf56d 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2550,7 +2550,8 @@ static int __must_check ffs_do_single_desc(char *data, unsigned len,
case USB_TYPE_CLASS | 0x01:
if (*current_class == USB_INTERFACE_CLASS_HID) {
pr_vdebug("hid descriptor\n");
- if (length != sizeof(struct hid_descriptor))
+ if (length < sizeof(struct hid_descriptor) +
+ sizeof(struct hid_class_descriptor))
goto inv_length;
break;
} else if (*current_class == USB_INTERFACE_CLASS_CCID) {
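Review bot: Relaxing `length != sizeof(struct hid_descriptor)` to `length < sizeof(struct hid_descriptor) + sizeof(struct hid_class_descriptor)` keeps the previous minimum of nine bytes (the header plus one class descriptor, since `sizeof(struct hid_descriptor)` no longer includes a `desc` slot once `desc[]` is flexible) but now admits any longer blob without checking it against the `bNumDescriptors` byte in `data`. A `length < struct_size(...)` check using that count would mirror the usbhid side and reject inconsistent gadget-supplied descriptors at the same point.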
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 740311c4fa24..ec8c2e2d6812 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -139,13 +139,17 @@ static struct usb_interface_descriptor hidg_interface_desc = {
};

static struct hid_descriptor hidg_desc = {
- .bLength = sizeof hidg_desc,
+ .bLength = struct_size(&hidg_desc, desc, 1),
.bDescriptorType = HID_DT_HID,
.bcdHID = cpu_to_le16(0x0101),
.bCountryCode = 0x00,
.bNumDescriptors = 0x1,
- /*.desc[0].bDescriptorType = DYNAMIC */
- /*.desc[0].wDescriptorLenght = DYNAMIC */
+ .desc = {
+ {
+ .bDescriptorType = 0, /* DYNAMIC */
+ .wDescriptorLength = 0, /* DYNAMIC */
+ }
+ }
};
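Review bot: `.bLength = struct_size(&hidg_desc, desc, 1)` and `.bNumDescriptors = 0x1` encode the same entry count twice; a single named constant used in both keeps them in step. Initialising the flexible `desc[]` member in a file-scope initialiser relies on the GCC/clang extension for static initialisation of flexible array members, which is worth a one-line comment. The replaced lines also carried the note that both fields are filled at runtime (with a `wDescriptorLenght` typo); the new `/* DYNAMIC */` comments keep that information and fix the spelling, which is good.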

/* Super-Speed Support */
@@ -936,16 +940,18 @@ static int hidg_setup(struct usb_function *f,
switch (value >> 8) {
case HID_DT_HID:
{
- struct hid_descriptor hidg_desc_copy = hidg_desc;
+ DEFINE_FLEX(struct hid_descriptor, hidg_desc_copy,
+ desc, bNumDescriptors, 1);
+ *hidg_desc_copy = hidg_desc;

VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n");
- hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT;
- hidg_desc_copy.desc[0].wDescriptorLength =
+ hidg_desc_copy->desc[0].bDescriptorType = HID_DT_REPORT;
+ hidg_desc_copy->desc[0].wDescriptorLength =
cpu_to_le16(hidg->report_desc_length);

length = min_t(unsigned short, length,
- hidg_desc_copy.bLength);
- memcpy(req->buf, &hidg_desc_copy, length);
+ hidg_desc_copy->bLength);
+ memcpy(req->buf, hidg_desc_copy, length);
goto respond;
break;
}
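Review bot: `*hidg_desc_copy = hidg_desc;` copies `sizeof(struct hid_descriptor)` bytes, which with a flexible `desc[]` is only the six-byte header, and it overwrites the `bNumDescriptors` that `DEFINE_FLEX()` just set (with the same value, 1). The result is correct because `desc[0]` is filled in explicitly afterwards, but a comment saying the header-only copy is intentional would save the next reader from checking. The pre-existing unreachable `break;` after `goto respond;` could be removed while this block is being touched.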
diff --git a/include/linux/hid.h b/include/linux/hid.h
index cdc0dc13c87f..85a58ae2c4a0 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -739,7 +739,7 @@ struct hid_descriptor {
__u8 bCountryCode;
__u8 bNumDescriptors;

- struct hid_class_descriptor desc[1];
+ struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
} __attribute__ ((packed));

#define HID_DEVICE(b, g, ven, prod) \
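Review bot: Turning `desc[1]` into `desc[] __counted_by(bNumDescriptors)` changes `sizeof(struct hid_descriptor)` from 9 to 6 everywhere, so every remaining use of that `sizeof` in the tree must be audited, not only the usbhid and f_fs sites this series touches; the commit message should say so. `__counted_by` also requires `bNumDescriptors` to be written before `desc` is indexed in any code that builds a descriptor in memory, which `DEFINE_FLEX()` handles in f_hid.c but other constructors may not. A `static_assert(offsetof(struct hid_descriptor, desc) == 6)` next to the struct would pin the wire layout against future edits.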

syzbot
Jan 30, 2025, 9:14:06 AM
to linux-...@vger.kernel.org, n.zhand...@fintech.ru, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 61.124748][ T29] audit: type=1400 audit(1738246367.103:107): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp" dev="sda1" ino=1933 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 61.149125][ T29] audit: type=1400 audit(1738246367.103:108): avc: denied { mount } for pid=5824 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 61.172056][ T29] audit: type=1400 audit(1738246367.103:109): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 61.199012][ T29] audit: type=1400 audit(1738246367.103:110): avc: denied { mount } for pid=5824 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 61.220940][ T29] audit: type=1400 audit(1738246367.113:111): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 61.226696][ T5824] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linu...@kvack.org if you depend on this functionality.
[ 61.248122][ T29] audit: type=1400 audit(1738246367.113:112): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4910 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 61.407846][ T5829] ==================================================================
[ 61.415938][ T5829] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 61.423696][ T5829] Write of size 8 at addr ffff888033ad8c08 by task syz-executor/5829
[ 61.431852][ T5829]
[ 61.434171][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: syz-executor Not tainted 6.13.0-syzkaller-09485-g72deda0abee6-dirty #0
[ 61.434185][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 61.434196][ T5829] Call Trace:
[ 61.434201][ T5829] <TASK>
[ 61.434206][ T5829] dump_stack_lvl+0x116/0x1f0
[ 61.434227][ T5829] print_report+0xc3/0x620
[ 61.434239][ T5829] ? __virt_addr_valid+0x5e/0x590
[ 61.434250][ T5829] ? __phys_addr+0xc6/0x150
[ 61.434261][ T5829] kasan_report+0xd9/0x110
[ 61.434271][ T5829] ? binder_add_device+0xa4/0xb0
[ 61.434284][ T5829] ? binder_add_device+0xa4/0xb0
[ 61.434296][ T5829] binder_add_device+0xa4/0xb0
[ 61.434308][ T5829] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 61.434325][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 61.434341][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 61.434360][ T5829] ? shrinker_register+0x1a8/0x260
[ 61.434375][ T5829] ? sget_fc+0x808/0xc20
[ 61.434390][ T5829] ? __pfx_set_anon_super_fc+0x10/0x10
[ 61.434405][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 61.434418][ T5829] get_tree_nodev+0xda/0x190
[ 61.434433][ T5829] vfs_get_tree+0x8b/0x340
[ 61.434446][ T5829] path_mount+0x14e6/0x1f10
[ 61.434458][ T5829] ? kmem_cache_free+0x2e2/0x4d0
[ 61.434468][ T5829] ? __pfx_path_mount+0x10/0x10
[ 61.434479][ T5829] ? putname+0x13c/0x180
[ 61.434491][ T5829] __x64_sys_mount+0x28f/0x310
[ 61.434502][ T5829] ? __pfx___x64_sys_mount+0x10/0x10
[ 61.434514][ T5829] do_syscall_64+0xcd/0x250
[ 61.434528][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.434543][ T5829] RIP: 0033:0x7f92ed5816ba
[ 61.434553][ T5829] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 61.434566][ T5829] RSP: 002b:00007f92ed86ff68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 61.434577][ T5829] RAX: ffffffffffffffda RBX: 00007f92ed5f3d49 RCX: 00007f92ed5816ba
[ 61.434584][ T5829] RDX: 00007f92ed5ff2fa RSI: 00007f92ed5f3d49 RDI: 00007f92ed5ff2fa
[ 61.434591][ T5829] RBP: 00007f92ed5f3f58 R08: 0000000000000000 R09: 0000000000000100
[ 61.434597][ T5829] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92ed5de068
[ 61.434603][ T5829] R13: 00007f92ed5de048 R14: 0000000000000009 R15: 0000000000000000
[ 61.434612][ T5829] </TASK>
[ 61.434616][ T5829]
[ 61.662253][ T5829] Allocated by task 5824:
[ 61.666566][ T5829] kasan_save_stack+0x33/0x60
[ 61.671232][ T5829] kasan_save_track+0x14/0x30
[ 61.675901][ T5829] __kasan_kmalloc+0xaa/0xb0
[ 61.680489][ T5829] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 61.687072][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 61.692351][ T5829] get_tree_nodev+0xda/0x190
[ 61.697019][ T5829] vfs_get_tree+0x8b/0x340
[ 61.701427][ T5829] path_mount+0x14e6/0x1f10
[ 61.705952][ T5829] __x64_sys_mount+0x28f/0x310
[ 61.710702][ T5829] do_syscall_64+0xcd/0x250
[ 61.715192][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.721074][ T5829]
[ 61.723377][ T5829] Freed by task 5824:
[ 61.727338][ T5829] kasan_save_stack+0x33/0x60
[ 61.732087][ T5829] kasan_save_track+0x14/0x30
[ 61.736952][ T5829] kasan_save_free_info+0x3b/0x60
[ 61.741970][ T5829] __kasan_slab_free+0x51/0x70
[ 61.746718][ T5829] kfree+0x2c4/0x4d0
[ 61.750815][ T5829] binderfs_evict_inode+0x1e0/0x250
[ 61.756001][ T5829] evict+0x409/0x960
[ 61.759886][ T5829] iput+0x52a/0x890
[ 61.763678][ T5829] dentry_unlink_inode+0x29c/0x480
[ 61.768789][ T5829] __dentry_kill+0x1d0/0x600
[ 61.773365][ T5829] shrink_dentry_list+0x140/0x5d0
[ 61.778385][ T5829] shrink_dcache_parent+0xe2/0x530
[ 61.783483][ T5829] shrink_dcache_for_umount+0xa1/0x3e0
[ 61.788936][ T5829] generic_shutdown_super+0x6c/0x390
[ 61.794210][ T5829] kill_litter_super+0x70/0xa0
[ 61.798990][ T5829] binderfs_kill_super+0x3b/0xa0
[ 61.804029][ T5829] deactivate_locked_super+0xbe/0x1a0
[ 61.809396][ T5829] deactivate_super+0xde/0x100
[ 61.814448][ T5829] cleanup_mnt+0x222/0x450
[ 61.818866][ T5829] task_work_run+0x14e/0x250
[ 61.823450][ T5829] do_exit+0xad8/0x2d70
[ 61.827590][ T5829] do_group_exit+0xd3/0x2a0
[ 61.832085][ T5829] get_signal+0x24ed/0x26c0
[ 61.836576][ T5829] arch_do_signal_or_restart+0x90/0x7e0
[ 61.842192][ T5829] syscall_exit_to_user_mode+0x150/0x2a0
[ 61.847808][ T5829] do_syscall_64+0xda/0x250
[ 61.852298][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.858209][ T5829]
[ 61.860544][ T5829] The buggy address belongs to the object at ffff888033ad8c00
[ 61.860544][ T5829] which belongs to the cache kmalloc-512 of size 512
[ 61.874601][ T5829] The buggy address is located 8 bytes inside of
[ 61.874601][ T5829] freed 512-byte region [ffff888033ad8c00, ffff888033ad8e00)
[ 61.888229][ T5829]
[ 61.890535][ T5829] The buggy address belongs to the physical page:
[ 61.896943][ T5829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33ad8
[ 61.905689][ T5829] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 61.914167][ T5829] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 61.921715][ T5829] page_type: f5(slab)
[ 61.925679][ T5829] raw: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 61.934259][ T5829] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 61.942830][ T5829] head: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 61.951499][ T5829] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 61.960156][ T5829] head: 00fff00000000002 ffffea0000ceb601 ffffffffffffffff 0000000000000000
[ 61.968812][ T5829] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 61.977484][ T5829] page dumped because: kasan: bad access detected
[ 61.983891][ T5829] page_owner tracks the page as allocated
[ 61.989672][ T5829] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (udevd), ts 20443550863, free_ts 19532985486
[ 62.010416][ T5829] post_alloc_hook+0x181/0x1b0
[ 62.015177][ T5829] get_page_from_freelist+0xfce/0x2f80
[ 62.020624][ T5829] __alloc_frozen_pages_noprof+0x221/0x2470
[ 62.026501][ T5829] alloc_pages_mpol+0x1fc/0x540
[ 62.031336][ T5829] new_slab+0x23d/0x330
[ 62.035480][ T5829] ___slab_alloc+0xc5d/0x1720
[ 62.040177][ T5829] __slab_alloc.constprop.0+0x56/0xb0
[ 62.045542][ T5829] __kmalloc_cache_noprof+0xfa/0x410
[ 62.050830][ T5829] kernfs_fop_open+0x28b/0xdb0
[ 62.055588][ T5829] do_dentry_open+0x735/0x1c40
[ 62.060366][ T5829] vfs_open+0x82/0x3f0
[ 62.064419][ T5829] path_openat+0x1e88/0x2d80
[ 62.068988][ T5829] do_filp_open+0x20c/0x470
[ 62.073484][ T5829] do_sys_openat2+0x17a/0x1e0
[ 62.078160][ T5829] __x64_sys_openat+0x175/0x210
[ 62.082997][ T5829] do_syscall_64+0xcd/0x250
[ 62.087498][ T5829] page last free pid 5205 tgid 5205 stack trace:
[ 62.093813][ T5829] free_frozen_pages+0x6db/0xfb0
[ 62.098734][ T5829] rcu_core+0x79d/0x14d0
[ 62.102960][ T5829] handle_softirqs+0x213/0x8f0
[ 62.107713][ T5829] __irq_exit_rcu+0x109/0x170
[ 62.112387][ T5829] irq_exit_rcu+0x9/0x30
[ 62.116624][ T5829] sysvec_apic_timer_interrupt+0xa4/0xc0
[ 62.122243][ T5829] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 62.128212][ T5829]
[ 62.130521][ T5829] Memory state around the buggy address:
[ 62.136131][ T5829] ffff888033ad8b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.144174][ T5829] ffff888033ad8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.152216][ T5829] >ffff888033ad8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.160266][ T5829] ^
[ 62.164578][ T5829] ffff888033ad8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.172621][ T5829] ffff888033ad8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.180658][ T5829] ==================================================================
[ 62.199606][ T5829] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 62.206872][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: syz-executor Not tainted 6.13.0-syzkaller-09485-g72deda0abee6-dirty #0
[ 62.217884][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 62.227922][ T5829] Call Trace:
[ 62.231187][ T5829] <TASK>
[ 62.234103][ T5829] dump_stack_lvl+0x3d/0x1f0
[ 62.238731][ T5829] panic+0x71d/0x800
[ 62.242615][ T5829] ? __pfx_panic+0x10/0x10
[ 62.247018][ T5829] ? irqentry_exit+0x3b/0x90
[ 62.251593][ T5829] ? lockdep_hardirqs_on+0x7c/0x110
[ 62.256789][ T5829] ? preempt_schedule_thunk+0x1a/0x30
[ 62.262169][ T5829] ? preempt_schedule_common+0x44/0xc0
[ 62.267619][ T5829] ? check_panic_on_warn+0x1f/0xb0
[ 62.272717][ T5829] check_panic_on_warn+0xab/0xb0
[ 62.277728][ T5829] end_report+0x117/0x180
[ 62.282070][ T5829] kasan_report+0xe9/0x110
[ 62.286521][ T5829] ? binder_add_device+0xa4/0xb0
[ 62.291449][ T5829] ? binder_add_device+0xa4/0xb0
[ 62.296389][ T5829] binder_add_device+0xa4/0xb0
[ 62.301141][ T5829] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 62.307722][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 62.313001][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 62.318631][ T5829] ? shrinker_register+0x1a8/0x260
[ 62.323733][ T5829] ? sget_fc+0x808/0xc20
[ 62.327964][ T5829] ? __pfx_set_anon_super_fc+0x10/0x10
[ 62.333409][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 62.339029][ T5829] get_tree_nodev+0xda/0x190
[ 62.343610][ T5829] vfs_get_tree+0x8b/0x340
[ 62.348123][ T5829] path_mount+0x14e6/0x1f10
[ 62.352612][ T5829] ? kmem_cache_free+0x2e2/0x4d0
[ 62.357536][ T5829] ? __pfx_path_mount+0x10/0x10
[ 62.362372][ T5829] ? putname+0x13c/0x180
[ 62.366603][ T5829] __x64_sys_mount+0x28f/0x310
[ 62.371360][ T5829] ? __pfx___x64_sys_mount+0x10/0x10
[ 62.376630][ T5829] do_syscall_64+0xcd/0x250
[ 62.381121][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 62.387019][ T5829] RIP: 0033:0x7f92ed5816ba
[ 62.391443][ T5829] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 62.411242][ T5829] RSP: 002b:00007f92ed86ff68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 62.419651][ T5829] RAX: ffffffffffffffda RBX: 00007f92ed5f3d49 RCX: 00007f92ed5816ba
[ 62.427605][ T5829] RDX: 00007f92ed5ff2fa RSI: 00007f92ed5f3d49 RDI: 00007f92ed5ff2fa
[ 62.435561][ T5829] RBP: 00007f92ed5f3f58 R08: 0000000000000000 R09: 0000000000000100
[ 62.443515][ T5829] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92ed5de068
[ 62.451492][ T5829] R13: 00007f92ed5de048 R14: 0000000000000009 R15: 0000000000000000
[ 62.459483][ T5829] </TASK>
[ 62.462725][ T5829] Kernel Offset: disabled
[ 62.467031][ T5829] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)

git status (err=<nil>)
HEAD detached at b50eb251af
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241203-163055'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd\"
/usr/bin/ld: /tmp/ccVS4jTw.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10b9a324580000


Tested on:

commit: 72deda0a Merge tag 'soundwire-6.14-rc1' of git://git.k..
kernel config: https://syzkaller.appspot.com/x/.config?x=d1d4677fc8e45064
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10fa0b64580000

Nikita Zhandarovich

Jan 31, 2025, 2:14:07 AMJan 31
to syzbot, Nikita Zhandarovich, syzkall...@googlegroups.com, linux-...@vger.kernel.org
Test if upstream is broken.

syzbot

Jan 31, 2025, 2:39:05 AMJan 31
to linux-...@vger.kernel.org, n.zhand...@fintech.ru, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 63.252248][ T29] audit: type=1400 audit(1738309108.737:112): avc: denied { mounton } for pid=5825 comm="syz-executor" path="/root/syzkaller.4uglaD/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4883 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 63.279716][ T29] audit: type=1400 audit(1738309108.737:113): avc: denied { unmount } for pid=5825 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 63.299322][ T29] audit: type=1400 audit(1738309108.757:114): avc: denied { mounton } for pid=5825 comm="syz-executor" path="/dev/binderfs" dev="devtmpfs" ino=2723 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 63.322245][ T29] audit: type=1400 audit(1738309108.757:115): avc: denied { mount } for pid=5825 comm="syz-executor" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 63.345302][ T29] audit: type=1400 audit(1738309108.757:116): avc: denied { mounton } for pid=5825 comm="syz-executor" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 63.349349][ T5825] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linu...@kvack.org if you depend on this functionality.
[ 63.601832][ T5830] ==================================================================
[ 63.609917][ T5830] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 63.617631][ T5830] Write of size 8 at addr ffff888033fc6c08 by task syz-executor/5830
[ 63.625684][ T5830]
[ 63.628098][ T5830] CPU: 0 UID: 0 PID: 5830 Comm: syz-executor Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[ 63.628112][ T5830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 63.628121][ T5830] Call Trace:
[ 63.628126][ T5830] <TASK>
[ 63.628134][ T5830] dump_stack_lvl+0x116/0x1f0
[ 63.628154][ T5830] print_report+0xc3/0x620
[ 63.628166][ T5830] ? __virt_addr_valid+0x5e/0x590
[ 63.628178][ T5830] ? __phys_addr+0xc6/0x150
[ 63.628188][ T5830] kasan_report+0xd9/0x110
[ 63.628198][ T5830] ? binder_add_device+0xa4/0xb0
[ 63.628212][ T5830] ? binder_add_device+0xa4/0xb0
[ 63.628226][ T5830] binder_add_device+0xa4/0xb0
[ 63.628238][ T5830] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 63.628255][ T5830] binderfs_fill_super+0x8d6/0x1360
[ 63.628271][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 63.628290][ T5830] ? shrinker_register+0x1a8/0x260
[ 63.628305][ T5830] ? sget_fc+0x808/0xc20
[ 63.628320][ T5830] ? __pfx_set_anon_super_fc+0x10/0x10
[ 63.628335][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 63.628349][ T5830] get_tree_nodev+0xda/0x190
[ 63.628364][ T5830] vfs_get_tree+0x8b/0x340
[ 63.628377][ T5830] path_mount+0x14e6/0x1f10
[ 63.628389][ T5830] ? kmem_cache_free+0x2e2/0x4d0
[ 63.628399][ T5830] ? __pfx_path_mount+0x10/0x10
[ 63.628410][ T5830] ? putname+0x13c/0x180
[ 63.628423][ T5830] __x64_sys_mount+0x28f/0x310
[ 63.628434][ T5830] ? __pfx___x64_sys_mount+0x10/0x10
[ 63.628446][ T5830] do_syscall_64+0xcd/0x250
[ 63.628461][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 63.628476][ T5830] RIP: 0033:0x7f5c0fd816ba
[ 63.628486][ T5830] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 63.628499][ T5830] RSP: 002b:00007ffc2db5bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 63.628510][ T5830] RAX: ffffffffffffffda RBX: 00007f5c0fdf3d49 RCX: 00007f5c0fd816ba
[ 63.628517][ T5830] RDX: 00007f5c0fdff2fa RSI: 00007f5c0fdf3d49 RDI: 00007f5c0fdff2fa
[ 63.628524][ T5830] RBP: 00007f5c0fdf3f58 R08: 0000000000000000 R09: 00000000000001ff
[ 63.628531][ T5830] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c0fdde068
[ 63.628537][ T5830] R13: 00007f5c0fdde048 R14: 0000000000000009 R15: 0000000000000000
[ 63.628546][ T5830] </TASK>
[ 63.628550][ T5830]
[ 63.855639][ T5830] Allocated by task 5825:
[ 63.859939][ T5830] kasan_save_stack+0x33/0x60
[ 63.864593][ T5830] kasan_save_track+0x14/0x30
[ 63.869241][ T5830] __kasan_kmalloc+0xaa/0xb0
[ 63.873802][ T5830] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 63.880372][ T5830] binderfs_fill_super+0x8d6/0x1360
[ 63.885551][ T5830] get_tree_nodev+0xda/0x190
[ 63.890132][ T5830] vfs_get_tree+0x8b/0x340
[ 63.894529][ T5830] path_mount+0x14e6/0x1f10
[ 63.899013][ T5830] __x64_sys_mount+0x28f/0x310
[ 63.903753][ T5830] do_syscall_64+0xcd/0x250
[ 63.908236][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 63.914106][ T5830]
[ 63.916406][ T5830] Freed by task 5825:
[ 63.920358][ T5830] kasan_save_stack+0x33/0x60
[ 63.925013][ T5830] kasan_save_track+0x14/0x30
[ 63.929663][ T5830] kasan_save_free_info+0x3b/0x60
[ 63.934667][ T5830] __kasan_slab_free+0x51/0x70
[ 63.939409][ T5830] kfree+0x2c4/0x4d0
[ 63.943291][ T5830] binderfs_evict_inode+0x1e0/0x250
[ 63.948494][ T5830] evict+0x409/0x960
[ 63.952454][ T5830] iput+0x52a/0x890
[ 63.956240][ T5830] dentry_unlink_inode+0x29c/0x480
[ 63.961341][ T5830] __dentry_kill+0x1d0/0x600
[ 63.965923][ T5830] shrink_dentry_list+0x140/0x5d0
[ 63.970955][ T5830] shrink_dcache_parent+0xe2/0x530
[ 63.976049][ T5830] shrink_dcache_for_umount+0xa1/0x3e0
[ 63.981488][ T5830] generic_shutdown_super+0x6c/0x390
[ 63.986757][ T5830] kill_litter_super+0x70/0xa0
[ 63.991514][ T5830] binderfs_kill_super+0x3b/0xa0
[ 63.996437][ T5830] deactivate_locked_super+0xbe/0x1a0
[ 64.001818][ T5830] deactivate_super+0xde/0x100
[ 64.006607][ T5830] cleanup_mnt+0x222/0x450
[ 64.011006][ T5830] task_work_run+0x14e/0x250
[ 64.015574][ T5830] do_exit+0xad8/0x2d70
[ 64.019705][ T5830] do_group_exit+0xd3/0x2a0
[ 64.024189][ T5830] get_signal+0x24ed/0x26c0
[ 64.028671][ T5830] arch_do_signal_or_restart+0x90/0x7e0
[ 64.034189][ T5830] syscall_exit_to_user_mode+0x150/0x2a0
[ 64.039798][ T5830] do_syscall_64+0xda/0x250
[ 64.044368][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.050240][ T5830]
[ 64.052537][ T5830] The buggy address belongs to the object at ffff888033fc6c00
[ 64.052537][ T5830] which belongs to the cache kmalloc-512 of size 512
[ 64.066582][ T5830] The buggy address is located 8 bytes inside of
[ 64.066582][ T5830] freed 512-byte region [ffff888033fc6c00, ffff888033fc6e00)
[ 64.080181][ T5830]
[ 64.082483][ T5830] The buggy address belongs to the physical page:
[ 64.088873][ T5830] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33fc4
[ 64.097612][ T5830] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 64.106608][ T5830] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 64.114131][ T5830] page_type: f5(slab)
[ 64.118088][ T5830] raw: 00fff00000000040 ffff88801b041c80 ffffea0000d64600 dead000000000002
[ 64.126660][ T5830] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 64.135218][ T5830] head: 00fff00000000040 ffff88801b041c80 ffffea0000d64600 dead000000000002
[ 64.143878][ T5830] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 64.152610][ T5830] head: 00fff00000000002 ffffea0000cff101 ffffffffffffffff 0000000000000000
[ 64.161253][ T5830] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 64.169911][ T5830] page dumped because: kasan: bad access detected
[ 64.176303][ T5830] page_owner tracks the page as allocated
[ 64.182001][ T5830] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (udevd), ts 19812150758, free_ts 19804332293
[ 64.202759][ T5830] post_alloc_hook+0x181/0x1b0
[ 64.207510][ T5830] get_page_from_freelist+0xfce/0x2f80
[ 64.212945][ T5830] __alloc_frozen_pages_noprof+0x221/0x2470
[ 64.218837][ T5830] alloc_pages_mpol+0x1fc/0x540
[ 64.223678][ T5830] new_slab+0x23d/0x330
[ 64.227813][ T5830] ___slab_alloc+0xc5d/0x1720
[ 64.232469][ T5830] __slab_alloc.constprop.0+0x56/0xb0
[ 64.237817][ T5830] __kmalloc_cache_noprof+0xfa/0x410
[ 64.243092][ T5830] kernfs_fop_open+0x28b/0xdb0
[ 64.247841][ T5830] do_dentry_open+0x735/0x1c40
[ 64.252589][ T5830] vfs_open+0x82/0x3f0
[ 64.256632][ T5830] path_openat+0x1e88/0x2d80
[ 64.261192][ T5830] do_filp_open+0x20c/0x470
[ 64.265666][ T5830] do_sys_openat2+0x17a/0x1e0
[ 64.270318][ T5830] __x64_sys_openat+0x175/0x210
[ 64.275142][ T5830] do_syscall_64+0xcd/0x250
[ 64.279635][ T5830] page last free pid 5198 tgid 5198 stack trace:
[ 64.285933][ T5830] free_frozen_pages+0x6db/0xfb0
[ 64.290843][ T5830] qlist_free_all+0x4e/0x120
[ 64.295415][ T5830] kasan_quarantine_reduce+0x195/0x1e0
[ 64.300872][ T5830] __kasan_slab_alloc+0x69/0x90
[ 64.305697][ T5830] __kmalloc_node_noprof+0x1d0/0x510
[ 64.310962][ T5830] __kvmalloc_node_noprof+0xad/0x1a0
[ 64.316225][ T5830] seq_read_iter+0x82a/0x12b0
[ 64.320886][ T5830] kernfs_fop_read_iter+0x414/0x580
[ 64.326074][ T5830] vfs_read+0x886/0xbf0
[ 64.330216][ T5830] ksys_read+0x12b/0x250
[ 64.334453][ T5830] do_syscall_64+0xcd/0x250
[ 64.338943][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.344831][ T5830]
[ 64.347142][ T5830] Memory state around the buggy address:
[ 64.352755][ T5830] ffff888033fc6b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.360791][ T5830] ffff888033fc6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.368826][ T5830] >ffff888033fc6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.376859][ T5830] ^
[ 64.381176][ T5830] ffff888033fc6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.389211][ T5830] ffff888033fc6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.397245][ T5830] ==================================================================
[ 64.407234][ T5830] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 64.414448][ T5830] CPU: 0 UID: 0 PID: 5830 Comm: syz-executor Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[ 64.424947][ T5830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 64.434979][ T5830] Call Trace:
[ 64.438234][ T5830] <TASK>
[ 64.441141][ T5830] dump_stack_lvl+0x3d/0x1f0
[ 64.445803][ T5830] panic+0x71d/0x800
[ 64.449679][ T5830] ? __pfx_panic+0x10/0x10
[ 64.454073][ T5830] ? irqentry_exit+0x3b/0x90
[ 64.458641][ T5830] ? lockdep_hardirqs_on+0x7c/0x110
[ 64.463817][ T5830] ? preempt_schedule_thunk+0x1a/0x30
[ 64.469166][ T5830] ? preempt_schedule_common+0x44/0xc0
[ 64.474602][ T5830] ? check_panic_on_warn+0x1f/0xb0
[ 64.479709][ T5830] check_panic_on_warn+0xab/0xb0
[ 64.484639][ T5830] end_report+0x117/0x180
[ 64.488943][ T5830] kasan_report+0xe9/0x110
[ 64.493336][ T5830] ? binder_add_device+0xa4/0xb0
[ 64.498264][ T5830] ? binder_add_device+0xa4/0xb0
[ 64.503177][ T5830] binder_add_device+0xa4/0xb0
[ 64.507917][ T5830] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 64.514492][ T5830] binderfs_fill_super+0x8d6/0x1360
[ 64.519674][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.525314][ T5830] ? shrinker_register+0x1a8/0x260
[ 64.530418][ T5830] ? sget_fc+0x808/0xc20
[ 64.534643][ T5830] ? __pfx_set_anon_super_fc+0x10/0x10
[ 64.540095][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.545718][ T5830] get_tree_nodev+0xda/0x190
[ 64.550288][ T5830] vfs_get_tree+0x8b/0x340
[ 64.554683][ T5830] path_mount+0x14e6/0x1f10
[ 64.559166][ T5830] ? kmem_cache_free+0x2e2/0x4d0
[ 64.564081][ T5830] ? __pfx_path_mount+0x10/0x10
[ 64.568905][ T5830] ? putname+0x13c/0x180
[ 64.573125][ T5830] __x64_sys_mount+0x28f/0x310
[ 64.577872][ T5830] ? __pfx___x64_sys_mount+0x10/0x10
[ 64.583142][ T5830] do_syscall_64+0xcd/0x250
[ 64.587624][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.593497][ T5830] RIP: 0033:0x7f5c0fd816ba
[ 64.597888][ T5830] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 64.617482][ T5830] RSP: 002b:00007ffc2db5bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 64.625976][ T5830] RAX: ffffffffffffffda RBX: 00007f5c0fdf3d49 RCX: 00007f5c0fd816ba
[ 64.633954][ T5830] RDX: 00007f5c0fdff2fa RSI: 00007f5c0fdf3d49 RDI: 00007f5c0fdff2fa
[ 64.641918][ T5830] RBP: 00007f5c0fdf3f58 R08: 0000000000000000 R09: 00000000000001ff
[ 64.649864][ T5830] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c0fdde068
[ 64.657812][ T5830] R13: 00007f5c0fdde048 R14: 0000000000000009 R15: 0000000000000000
[ 64.665767][ T5830] </TASK>
[ 64.668899][ T5830] Kernel Offset: disabled
[ 64.673206][ T5830] Rebooting in 86400 seconds..

git status (err=<nil>)
HEAD detached at b50eb251af
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241203-163055'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd\"
/usr/bin/ld: /tmp/ccVVKqYN.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14b5e5f8580000


Tested on:

commit: 69e858e0 Merge tag 'uml-for-linus-6.14-rc1' of git://g..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=d1d4677fc8e45064
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.