general protection fault in cdev_del
39 views
Skip to first unread message
syzbot
May 28, 2019, 6:48:06āÆAM5/28/19
to andre...@google.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot found the following crash on:
HEAD commit: 69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=178e4526a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c309d28e15db39c5
dashboard link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dc5d54a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cae526a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+67b2bd...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 2486 Comm: kworker/1:2 Not tainted 5.2.0-rc1+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
RSP: 0018:ffff8881d18e7218 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff8881d249a100 RCX: ffffffff820d879e
RDX: 000000000000000c RSI: ffffffff8167705d RDI: 0000000000000064
RBP: 0000000000000000 R08: ffff8881d18d1800 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8881d25c9100 R14: 0000000000000000 R15: ffff8881cc2a8070
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f35af318000 CR3: 00000001cc182000 CR4: 00000000001406e0
Call Trace:
tty_unregister_device drivers/tty/tty_io.c:3192 [inline]
tty_unregister_device+0x10d/0x1a0 drivers/tty/tty_io.c:3187
hso_serial_tty_unregister drivers/net/usb/hso.c:2245 [inline]
hso_create_bulk_serial_device drivers/net/usb/hso.c:2682 [inline]
hso_probe.cold+0xc8/0x120 drivers/net/usb/hso.c:2948
usb_probe_interface+0x30b/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x287/0x660 drivers/base/dd.c:509
driver_probe_device+0x104/0x210 drivers/base/dd.c:670
__device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:843
bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
device_add+0xae6/0x1700 drivers/base/core.c:2111
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0xa2/0x100 drivers/usb/core/driver.c:266
really_probe+0x287/0x660 drivers/base/dd.c:509
driver_probe_device+0x104/0x210 drivers/base/dd.c:670
__device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:843
bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
device_add+0xae6/0x1700 drivers/base/core.c:2111
usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
hub_port_connect drivers/usb/core/hub.c:5089 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
port_event drivers/usb/core/hub.c:5350 [inline]
hub_event+0x1adc/0x35a0 drivers/usb/core/hub.c:5432
process_one_work+0x90a/0x1580 kernel/workqueue.c:2268
worker_thread+0x96/0xe20 kernel/workqueue.c:2414
kthread+0x30e/0x420 kernel/kthread.c:254
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 3b56fa5a205cba42 ]---
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
RSP: 0018:ffff8881d18e7218 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff8881d249a100 RCX: ffffffff820d879e
RDX: 000000000000000c RSI: ffffffff8167705d RDI: 0000000000000064
RBP: 0000000000000000 R08: ffff8881d18d1800 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8881d25c9100 R14: 0000000000000000 R15: ffff8881cc2a8070
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f35af318000 CR3: 00000001cc182000 CR4: 00000000001406e0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=178e4526a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c309d28e15db39c5
dashboard link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dc5d54a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cae526a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+67b2bd...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 2486 Comm: kworker/1:2 Not tainted 5.2.0-rc1+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
RSP: 0018:ffff8881d18e7218 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff8881d249a100 RCX: ffffffff820d879e
RDX: 000000000000000c RSI: ffffffff8167705d RDI: 0000000000000064
RBP: 0000000000000000 R08: ffff8881d18d1800 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8881d25c9100 R14: 0000000000000000 R15: ffff8881cc2a8070
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f35af318000 CR3: 00000001cc182000 CR4: 00000000001406e0
Call Trace:
tty_unregister_device drivers/tty/tty_io.c:3192 [inline]
tty_unregister_device+0x10d/0x1a0 drivers/tty/tty_io.c:3187
hso_serial_tty_unregister drivers/net/usb/hso.c:2245 [inline]
hso_create_bulk_serial_device drivers/net/usb/hso.c:2682 [inline]
hso_probe.cold+0xc8/0x120 drivers/net/usb/hso.c:2948
usb_probe_interface+0x30b/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x287/0x660 drivers/base/dd.c:509
driver_probe_device+0x104/0x210 drivers/base/dd.c:670
__device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:843
bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
device_add+0xae6/0x1700 drivers/base/core.c:2111
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0xa2/0x100 drivers/usb/core/driver.c:266
really_probe+0x287/0x660 drivers/base/dd.c:509
driver_probe_device+0x104/0x210 drivers/base/dd.c:670
__device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:843
bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
device_add+0xae6/0x1700 drivers/base/core.c:2111
usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
hub_port_connect drivers/usb/core/hub.c:5089 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
port_event drivers/usb/core/hub.c:5350 [inline]
hub_event+0x1adc/0x35a0 drivers/usb/core/hub.c:5432
process_one_work+0x90a/0x1580 kernel/workqueue.c:2268
worker_thread+0x96/0xe20 kernel/workqueue.c:2414
kthread+0x30e/0x420 kernel/kthread.c:254
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 3b56fa5a205cba42 ]---
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
RSP: 0018:ffff8881d18e7218 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff8881d249a100 RCX: ffffffff820d879e
RDX: 000000000000000c RSI: ffffffff8167705d RDI: 0000000000000064
RBP: 0000000000000000 R08: ffff8881d18d1800 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8881d25c9100 R14: 0000000000000000 R15: ffff8881cc2a8070
FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f35af318000 CR3: 00000001cc182000 CR4: 00000000001406e0
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Andrey Konovalov
Aug 13, 2019, 9:03:20āÆAM8/13/19
to syzbot, linux-...@vger.kernel.org, LKML, USB list, syzkaller-bugs, Alexander Viro, Oliver Neukum
#syz test: https://github.com/google/kasan.git 69bbe8c7
[1] https://groups.google.com/forum/#!msg/syzkaller-bugs/5qVDUDTxXYQ/OlN_ZX6LBwAJ
syzbot
Aug 13, 2019, 9:16:01āÆAM8/13/19
to andre...@google.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, one...@suse.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in hso_free_interface
==================================================================
BUG: KASAN: use-after-free in hso_free_interface+0x3f2/0x4f0
drivers/net/usb/hso.c:3108
Read of size 8 at addr ffff8881d112d998 by task kworker/0:1/12
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc1+ #1
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x67/0x231 mm/kasan/report.c:188
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
kasan_report+0xe/0x20 mm/kasan/common.c:614
hso_free_interface+0x3f2/0x4f0 drivers/net/usb/hso.c:3108
hso_probe+0x362/0x1a50 drivers/net/usb/hso.c:2963
Allocated by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
kmalloc include/linux/slab.h:547 [inline]
kzalloc include/linux/slab.h:742 [inline]
hso_create_device+0x43/0x390 drivers/net/usb/hso.c:2336
hso_create_bulk_serial_device drivers/net/usb/hso.c:2617 [inline]
hso_probe+0xbb0/0x1a50 drivers/net/usb/hso.c:2948
Freed by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
slab_free_hook mm/slub.c:1421 [inline]
slab_free_freelist_hook mm/slub.c:1448 [inline]
slab_free mm/slub.c:2994 [inline]
kfree+0xd7/0x290 mm/slub.c:3949
hso_create_bulk_serial_device drivers/net/usb/hso.c:2687 [inline]
hso_probe+0x13c6/0x1a50 drivers/net/usb/hso.c:2948
The buggy address belongs to the object at ffff8881d112d900
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 152 bytes inside of
512-byte region [ffff8881d112d900, ffff8881d112db00)
The buggy address belongs to the page:
page:ffffea0007444b00 refcount:1 mapcount:0 mapping:ffff8881dac02c00
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 ffffea000744ea80 0000000400000004 ffff8881dac02c00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d112d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881d112d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881d112d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d112da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d112da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14e6156a600000
kernel config: https://syzkaller.appspot.com/x/.config?x=c309d28e15db39c5
syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in hso_free_interface
==================================================================
BUG: KASAN: use-after-free in hso_free_interface+0x3f2/0x4f0
drivers/net/usb/hso.c:3108
Read of size 8 at addr ffff8881d112d998 by task kworker/0:1/12
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x67/0x231 mm/kasan/report.c:188
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
kasan_report+0xe/0x20 mm/kasan/common.c:614
hso_free_interface+0x3f2/0x4f0 drivers/net/usb/hso.c:3108
hso_probe+0x362/0x1a50 drivers/net/usb/hso.c:2963
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
kmalloc include/linux/slab.h:547 [inline]
kzalloc include/linux/slab.h:742 [inline]
hso_create_device+0x43/0x390 drivers/net/usb/hso.c:2336
hso_create_bulk_serial_device drivers/net/usb/hso.c:2617 [inline]
hso_probe+0xbb0/0x1a50 drivers/net/usb/hso.c:2948
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
slab_free_hook mm/slub.c:1421 [inline]
slab_free_freelist_hook mm/slub.c:1448 [inline]
slab_free mm/slub.c:2994 [inline]
kfree+0xd7/0x290 mm/slub.c:3949
hso_create_bulk_serial_device drivers/net/usb/hso.c:2687 [inline]
hso_probe+0x13c6/0x1a50 drivers/net/usb/hso.c:2948
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 152 bytes inside of
512-byte region [ffff8881d112d900, ffff8881d112db00)
The buggy address belongs to the page:
page:ffffea0007444b00 refcount:1 mapcount:0 mapping:ffff8881dac02c00
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 ffffea000744ea80 0000000400000004 ffff8881dac02c00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d112d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881d112d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881d112d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d112da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d112da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=c309d28e15db39c5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1715ad4a600000
Andrey Konovalov
Aug 13, 2019, 9:19:11āÆAM8/13/19
to syzbot, Oliver Neukum, linux-...@vger.kernel.org, LKML, USB list, syzkaller-bugs, Alexander Viro
device_del" one, but the fix from that thread doesn't work here.
Reply all
Reply to author
Forward
0 new messages