WARNING in hso_free_net_device


syzbot

Sep 3, 2019, 8:08:11 AM
to alexios...@intel.com, andre...@google.com, benq...@gmail.com, da...@davemloft.net, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mathia...@nebelwelt.net, net...@vger.kernel.org, rfon...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzbot found the following crash on:

HEAD commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=15f17e61600000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10ffdd12600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15a738fe600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+44d53c...@syzkaller.appspotmail.com

usb 1-1: config 0 has no interface number 0
usb 1-1: New USB device found, idVendor=0af0, idProduct=d257, bcdDevice=4e.87
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
hso 1-1:0.15: Can't find BULK IN endpoint
------------[ cut here ]------------
WARNING: CPU: 1 PID: 83 at net/core/dev.c:8167 rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rollback_registered_many.cold+0x41/0x1bc net/core/dev.c:8167
Code: ff e8 c7 26 90 fc 48 c7 c7 40 ec 63 86 e8 24 c8 7a fc 0f 0b e9 93 be ff ff e8 af 26 90 fc 48 c7 c7 40 ec 63 86 e8 0c c8 7a fc <0f> 0b 4c 89 e7 e8 f9 12 34 fd 31 ff 41 89 c4 89 c6 e8 bd 27 90 fc
RSP: 0018:ffff8881d934f088 EFLAGS: 00010282
RAX: 0000000000000024 RBX: ffff8881d2ad4400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288cfd RDI: ffffed103b269e03
RBP: ffff8881d934f1b8 R08: 0000000000000024 R09: fffffbfff11ad794
R10: fffffbfff11ad793 R11: ffffffff88d6bc9f R12: ffff8881d2ad4470
R13: ffff8881d934f148 R14: dffffc0000000000 R15: 0000000000000000
rollback_registered+0xf2/0x1c0 net/core/dev.c:8243
unregister_netdevice_queue net/core/dev.c:9290 [inline]
unregister_netdevice_queue+0x1d7/0x2b0 net/core/dev.c:9283
unregister_netdevice include/linux/netdevice.h:2631 [inline]
unregister_netdev+0x18/0x20 net/core/dev.c:9331
hso_free_net_device+0xff/0x300 drivers/net/usb/hso.c:2366
hso_create_net_device+0x76d/0x9c0 drivers/net/usb/hso.c:2554
hso_probe+0x28d/0x1a46 drivers/net/usb/hso.c:2931
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Hui Peng

Sep 4, 2019, 4:27:52 PM
to syzbot+44d53c...@syzkaller.appspotmail.com, alexios...@intel.com, andre...@google.com, da...@davemloft.net, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mathia...@nebelwelt.net, net...@vger.kernel.org, rfon...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de
Hi, all:

I looked at the bug a little.

The issue is that in the error handling code, hso_free_net_device unregisters
the net_device (hso_net->net) by calling unregister_netdev. In the error
handling code path, hso_net->net has not been registered yet.

I think there are two ways to solve the issue:

1. fix it in drivers/net/usb/hso.c to avoid unregistering the
net_device when it is still not registered

2. fix it in unregister_netdev. We can add a field in net_device to
record whether it is registered, and make unregister_netdev return if
the net_device is not registered yet.

What do you guys think?
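
Option 1 from the message above, sketched as a user-space C model of the failing probe path. This is an added example, not the attached patch and not kernel code; `model_netdev`, `reg_state` and every function name are hypothetical stand-ins for the driver and netdev core.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* User-space model only: every name here is a hypothetical stand-in. */
enum reg_state { REG_UNINITIALIZED, REG_REGISTERED, REG_UNREGISTERED };
struct model_netdev { enum reg_state state; };
static int warnings; /* number of modeled WARNING hits */
static void model_register(struct model_netdev *dev) { dev->state = REG_REGISTERED; }

static void model_unregister(struct model_netdev *dev)
{
    if (dev->state != REG_REGISTERED) { /* unregistering a never-registered device */
        warnings++;
        return;
    }
    dev->state = REG_UNREGISTERED;
}

/* Before: teardown unregisters unconditionally, even on an early probe failure. */
static void free_dev_unconditional(struct model_netdev *dev)
{
    model_unregister(dev);
    free(dev);
}

/* After (option 1): the driver unregisters only what it actually registered. */
static void free_dev_checked(struct model_netdev *dev)
{
    if (dev->state == REG_REGISTERED)
        model_unregister(dev);
    free(dev);
}

/* Run a probe that fails before or after registration; return warnings raised. */
static int probe_then_fail(bool fail_early, void (*teardown)(struct model_netdev *))
{
    struct model_netdev *dev = calloc(1, sizeof(*dev)); /* zeroed: REG_UNINITIALIZED */
    if (!dev) return -1;
    warnings = 0;
    if (!fail_early)
        model_register(dev);
    teardown(dev); /* shared error path, reached from both failure points */
    return warnings;
}

int main(void)
{
    printf("early failure, before: %d warning(s)\n", probe_then_fail(true, free_dev_unconditional));
    printf("early failure, after:  %d warning(s)\n", probe_then_fail(true, free_dev_checked));
    return 0;
}
```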

Stephen Hemminger

Sep 4, 2019, 6:41:43 PM
to Hui Peng, syzbot+44d53c...@syzkaller.appspotmail.com, alexios...@intel.com, andre...@google.com, da...@davemloft.net, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mathia...@nebelwelt.net, net...@vger.kernel.org, rfon...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de
On Wed, 4 Sep 2019 16:27:50 -0400
Hui Peng <benq...@gmail.com> wrote:

> Hi, all:
>
> I looked at the bug a little.
>
> The issue is that in the error handling code, hso_free_net_device unregisters
> the net_device (hso_net->net) by calling unregister_netdev. In the error
> handling code path, hso_net->net has not been registered yet.
>
> I think there are two ways to solve the issue:
>
> 1. fix it in drivers/net/usb/hso.c to avoid unregistering the
> net_device when it is still not registered
>
> 2. fix it in unregister_netdev. We can add a field in net_device to
> record whether it is registered, and make unregister_netdev return if
> the net_device is not registered yet.
>
> What do you guys think?

#1

Hui Peng

Sep 4, 2019, 10:20:31 PM
to Stephen Hemminger, syzbot+44d53c...@syzkaller.appspotmail.com, alexios...@intel.com, andre...@google.com, da...@davemloft.net, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mathia...@nebelwelt.net, net...@vger.kernel.org, rfon...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de
Can you guys have a look at the attached patch?
0001-Fix-a-wrong-unregistering-bug-in-hso_free_net_device.patch
pEpkey.asc

Andrey Konovalov

Sep 5, 2019, 7:24:34 AM
to Hui Peng, Stephen Hemminger, syzbot+44d53c...@syzkaller.appspotmail.com, alexios...@intel.com, David S. Miller, Greg Kroah-Hartman, LKML, USB list, Mathias Payer, netdev, rfon...@redhat.com, syzkaller-bugs, Thomas Gleixner, Oliver Neukum
On Thu, Sep 5, 2019 at 4:20 AM Hui Peng <benq...@gmail.com> wrote:
>
> Can you guys have a look at the attached patch?

Let's try it:

#syz test: https://github.com/google/kasan.git eea39f24

FYI: there are two more reports coming from this driver, which might
(or might not) have the same root cause. One of them has a suggested
fix by Oliver.

https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
0001-Fix-a-wrong-unregistering-bug-in-hso_free_net_device.patch

syzbot

Sep 5, 2019, 7:47:01 AM
to alexios...@intel.com, andre...@google.com, benq...@gmail.com, da...@davemloft.net, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, mathia...@nebelwelt.net, net...@vger.kernel.org, one...@suse.com, rfon...@redhat.com, ste...@networkplumber.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+44d53c...@syzkaller.appspotmail.com

Tested on:

commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=44d53c7255bb1aea22d2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1188fcc6600000

Note: testing is done by a robot and is best-effort only.

Hui Peng

Sep 5, 2019, 10:05:56 PM
to Andrey Konovalov, Stephen Hemminger, syzbot+44d53c...@syzkaller.appspotmail.com, alexios...@intel.com, David S. Miller, Greg Kroah-Hartman, LKML, USB list, Mathias Payer, netdev, rfon...@redhat.com, syzkaller-bugs, Thomas Gleixner, Oliver Neukum


On 9/5/2019 7:24 AM, Andrey Konovalov wrote:
> On Thu, Sep 5, 2019 at 4:20 AM Hui Peng <benq...@gmail.com> wrote:
>>
>> Can you guys have a look at the attached patch?
>
> Let's try it:
>
> #syz test: https://github.com/google/kasan.git eea39f24
>
> FYI: there are two more reports coming from this driver, which might
> (or might not) have the same root cause. One of them has a suggested
> fix by Oliver.
>
> https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
> https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
>

I think they are different, though similar.
This one results from unregistering a network device.
These 2 result from unregistering a tty device.

Oliver Neukum

Sep 9, 2019, 5:47:32 AM
to Hui Peng, Andrey Konovalov, David S. Miller, syzkaller-bugs, alexios...@intel.com, Thomas Gleixner, Greg Kroah-Hartman, Mathias Payer, Stephen Hemminger, rfon...@redhat.com, syzbot+44d53c...@syzkaller.appspotmail.com, LKML, USB list, netdev
On Thursday, 05.09.2019, at 22:05 -0400, Hui Peng wrote:
>
> On 9/5/2019 7:24 AM, Andrey Konovalov wrote:
> > On Thu, Sep 5, 2019 at 4:20 AM Hui Peng <benq...@gmail.com> wrote:
> > >
> > > Can you guys have a look at the attached patch?
> >
> > Let's try it:
> >
> > #syz test: https://github.com/google/kasan.git eea39f24
> >
> > FYI: there are two more reports coming from this driver, which might
> > (or might not) have the same root cause. One of them has a suggested
> > fix by Oliver.
> >
> > https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
> > https://syzkaller.appspot.com/bug?extid=93f2f45b19519b289613
> >
>
> I think they are different, though similar.
> This one results from unregistering a network device.
> These 2 result from unregistering a tty device.

Hi,

looks like it. That may indeed be the issue.
Please try to have syzbot test your patch and we will
know more.

Regards
Oliver
