[syzbot] WARNING in driver_unregister
18 views
Skip to first unread message
syzbot
May 27, 2022, 5:25:20 AM5/27/22
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 97fa5887cf28 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=170ebdc3f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1124ad81f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d6004df00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+02b163...@syzkaller.appspotmail.com
kobject_add_internal failed for raw-gadget with -EEXIST, don't try to register things with the same name in the same directory.
UDC core: USB Raw Gadget: driver registration failed: -17
misc raw-gadget: fail, usb_gadget_register_driver returned -17
------------[ cut here ]------------
Unexpected driver unregister!
WARNING: CPU: 0 PID: 1308 at drivers/base/driver.c:194 driver_unregister drivers/base/driver.c:194 [inline]
WARNING: CPU: 0 PID: 1308 at drivers/base/driver.c:194 driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Modules linked in:
CPU: 0 PID: 1308 Comm: syz-executor314 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:driver_unregister drivers/base/driver.c:194 [inline]
RIP: 0010:driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Code: 68 4c 89 e7 e8 65 b9 db fe 48 89 ef e8 fd a0 ff ff 5d 41 5c e9 75 fa 78 fe e8 70 fa 78 fe 48 c7 c7 80 7a 81 86 e8 12 96 ee 02 <0f> 0b 5d 41 5c e9 5a fa 78 fe e8 75 93 ad fe eb 96 e8 6e 93 ad fe
RSP: 0018:ffffc90001087a78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88811d184050 RCX: 0000000000000000
RDX: ffff88810902d580 RSI: ffffffff812bdce8 RDI: fffff52000210f41
RBP: ffff88811d184098 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff812b86be R11: 0000000000000000 R12: 0000000000000000
R13: ffff88811d184008 R14: ffff88811d05b1a8 R15: ffff8881008456a0
FS: 0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fea994ab2d0 CR3: 0000000007825000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_gadget_unregister_driver+0x48/0x70 drivers/usb/gadget/udc/core.c:1590
raw_release+0x18a/0x290 drivers/usb/gadget/legacy/raw_gadget.c:401
__fput+0x277/0x9d0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:37 [inline]
do_exit+0xaff/0x2980 kernel/exit.c:795
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
get_signal+0x22df/0x24c0 kernel/signal.c:2864
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x156/0x200 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fea99520a57
Code: Unable to access opcode bytes at RIP 0x7fea99520a2d.
RSP: 002b:00007fea994aa258 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffef RBX: 00007fea994ab2d0 RCX: 00007fea99520a57
RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000ffff R09: 000000000000000b
R10: 00007fea994aa300 R11: 0000000000000246 R12: 00007fea995a55e0
R13: 00007fea994aa2a0 R14: 00007fea994ac400 R15: 0000000000000003
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 97fa5887cf28 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=170ebdc3f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1124ad81f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d6004df00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+02b163...@syzkaller.appspotmail.com
kobject_add_internal failed for raw-gadget with -EEXIST, don't try to register things with the same name in the same directory.
UDC core: USB Raw Gadget: driver registration failed: -17
misc raw-gadget: fail, usb_gadget_register_driver returned -17
------------[ cut here ]------------
Unexpected driver unregister!
WARNING: CPU: 0 PID: 1308 at drivers/base/driver.c:194 driver_unregister drivers/base/driver.c:194 [inline]
WARNING: CPU: 0 PID: 1308 at drivers/base/driver.c:194 driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Modules linked in:
CPU: 0 PID: 1308 Comm: syz-executor314 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:driver_unregister drivers/base/driver.c:194 [inline]
RIP: 0010:driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Code: 68 4c 89 e7 e8 65 b9 db fe 48 89 ef e8 fd a0 ff ff 5d 41 5c e9 75 fa 78 fe e8 70 fa 78 fe 48 c7 c7 80 7a 81 86 e8 12 96 ee 02 <0f> 0b 5d 41 5c e9 5a fa 78 fe e8 75 93 ad fe eb 96 e8 6e 93 ad fe
RSP: 0018:ffffc90001087a78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88811d184050 RCX: 0000000000000000
RDX: ffff88810902d580 RSI: ffffffff812bdce8 RDI: fffff52000210f41
RBP: ffff88811d184098 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff812b86be R11: 0000000000000000 R12: 0000000000000000
R13: ffff88811d184008 R14: ffff88811d05b1a8 R15: ffff8881008456a0
FS: 0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fea994ab2d0 CR3: 0000000007825000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_gadget_unregister_driver+0x48/0x70 drivers/usb/gadget/udc/core.c:1590
raw_release+0x18a/0x290 drivers/usb/gadget/legacy/raw_gadget.c:401
__fput+0x277/0x9d0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:37 [inline]
do_exit+0xaff/0x2980 kernel/exit.c:795
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
get_signal+0x22df/0x24c0 kernel/signal.c:2864
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x156/0x200 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fea99520a57
Code: Unable to access opcode bytes at RIP 0x7fea99520a2d.
RSP: 002b:00007fea994aa258 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffef RBX: 00007fea994ab2d0 RCX: 00007fea99520a57
RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000ffff R09: 000000000000000b
R10: 00007fea994aa300 R11: 0000000000000246 R12: 00007fea995a55e0
R13: 00007fea994aa2a0 R14: 00007fea994ac400 R15: 0000000000000003
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
May 27, 2022, 3:29:09 PM5/27/22
to andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in sysfs_create_file_ns
really_probe: driver_sysfs_add(gadget.0) failed
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
Modules linked in:
CPU: 0 PID: 2361 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
Code: e9 03 80 3c 01 00 75 7f 8b 4c 24 38 4d 89 e9 48 89 ee 48 8b 7b 30 44 8b 44 24 48 e8 e9 fa ff ff 41 89 c5 eb 0d e8 cf 7c 9d ff <0f> 0b 41 bd ea ff ff ff e8 c2 7c 9d ff 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc900028ffca0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88810efd6600 RCX: 0000000000000000
RDX: ffff888117a68000 RSI: ffffffff81a6f891 RDI: ffff88810efd6600
RBP: ffffffff88041fc0 R08: 0000000000000000 R09: ffff88810095ba13
R10: ffffed102012b742 R11: 0000000000000001 R12: 1ffff9200051ff95
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88810efd6630
FS: 00007f830048d700(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
driver_create_file+0x48/0x70 drivers/base/driver.c:107
bus_add_driver+0x309/0x630 drivers/base/bus.c:624
driver_register+0x220/0x3a0 drivers/base/driver.c:171
usb_gadget_register_driver_owner+0xfb/0x1e0 drivers/usb/gadget/udc/core.c:1558
raw_ioctl_run drivers/usb/gadget/legacy/raw_gadget.c:513 [inline]
raw_ioctl+0x1883/0x2730 drivers/usb/gadget/legacy/raw_gadget.c:1220
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f83005590e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f830048d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f830066c100 RCX: 00007f83005590e9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc1dbfbf0f R14: 00007f830048d300 R15: 0000000000022000
</TASK>
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
console output: https://syzkaller.appspot.com/x/log.txt?x=154282bdf00000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in sysfs_create_file_ns
really_probe: driver_sysfs_add(gadget.0) failed
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
Modules linked in:
CPU: 0 PID: 2361 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
Code: e9 03 80 3c 01 00 75 7f 8b 4c 24 38 4d 89 e9 48 89 ee 48 8b 7b 30 44 8b 44 24 48 e8 e9 fa ff ff 41 89 c5 eb 0d e8 cf 7c 9d ff <0f> 0b 41 bd ea ff ff ff e8 c2 7c 9d ff 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc900028ffca0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88810efd6600 RCX: 0000000000000000
RDX: ffff888117a68000 RSI: ffffffff81a6f891 RDI: ffff88810efd6600
RBP: ffffffff88041fc0 R08: 0000000000000000 R09: ffff88810095ba13
R10: ffffed102012b742 R11: 0000000000000001 R12: 1ffff9200051ff95
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88810efd6630
FS: 00007f830048d700(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f830048d718 CR3: 000000010cb4c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sysfs_create_file include/linux/sysfs.h:607 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
driver_create_file+0x48/0x70 drivers/base/driver.c:107
bus_add_driver+0x309/0x630 drivers/base/bus.c:624
driver_register+0x220/0x3a0 drivers/base/driver.c:171
usb_gadget_register_driver_owner+0xfb/0x1e0 drivers/usb/gadget/udc/core.c:1558
raw_ioctl_run drivers/usb/gadget/legacy/raw_gadget.c:513 [inline]
raw_ioctl+0x1883/0x2730 drivers/usb/gadget/legacy/raw_gadget.c:1220
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f83005590e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f830048d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f830066c100 RCX: 00007f83005590e9
RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000003
RBP: 00007f83005b308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc1dbfbf0f R14: 00007f830048d300 R15: 0000000000022000
</TASK>
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
console output: https://syzkaller.appspot.com/x/log.txt?x=154282bdf00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17eec23df00000
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Alan Stern
May 27, 2022, 5:36:53 PM5/27/22
to syzbot, andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, May 27, 2022 at 12:29:08PM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in sysfs_create_file_ns
>
> really_probe: driver_sysfs_add(gadget.0) failed
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> Modules linked in:
> CPU: 0 PID: 2361 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> Code: e9 03 80 3c 01 00 75 7f 8b 4c 24 38 4d 89 e9 48 89 ee 48 8b 7b 30 44 8b 44 24 48 e8 e9 fa ff ff 41 89 c5 eb 0d e8 cf 7c 9d ff <0f> 0b 41 bd ea ff ff ff e8 c2 7c 9d ff 48 b8 00 00 00 00 00 fc ff
> RSP: 0018:ffffc900028ffca0 EFLAGS: 00010293
Here's some extra detail, taken from the console log:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in sysfs_create_file_ns
>
> really_probe: driver_sysfs_add(gadget.0) failed
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> Modules linked in:
> CPU: 0 PID: 2361 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> Code: e9 03 80 3c 01 00 75 7f 8b 4c 24 38 4d 89 e9 48 89 ee 48 8b 7b 30 44 8b 44 24 48 e8 e9 fa ff ff 41 89 c5 eb 0d e8 cf 7c 9d ff <0f> 0b 41 bd ea ff ff ff e8 c2 7c 9d ff 48 b8 00 00 00 00 00 fc ff
> RSP: 0018:ffffc900028ffca0 EFLAGS: 00010293
[ 98.336685][ T2361] really_probe: driver_sysfs_add(gadget.0) failed
[ 98.336836][ T2360] sysfs: cannot create duplicate filename '/bus/gadget/drivers/dummy_udc'
[ 98.343498][ T2361] ------------[ cut here ]------------
[ 98.352154][ T2360] CPU: 1 PID: 2360 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
[ 98.357802][ T2361] WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0
Simultaneous splats from two different threads trying to add drivers with
the same name suggests there might be a concurrency bug in the sysfs
filesystem. This sort of thing should be an error but it shouldn't bring
the kernel to its knees.
Greg, do you know anyone who could take a look at this? I don't know much
about sysfs.
Alan Stern
Hillf Danton
May 27, 2022, 10:31:09 PM5/27/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 27 May 2022 02:25:19 -0700
Add a device state to prevent registering device more than once.
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 97fa5887cf28
--- x/drivers/usb/gadget/legacy/raw_gadget.c
+++ y/drivers/usb/gadget/legacy/raw_gadget.c
@@ -145,6 +145,7 @@ enum dev_state {
STATE_DEV_INVALID = 0,
STATE_DEV_OPENED,
STATE_DEV_INITIALIZED,
+ STATE_DEV_REGISTERING,
STATE_DEV_RUNNING,
STATE_DEV_CLOSED,
STATE_DEV_FAILED
@@ -508,6 +509,7 @@ static int raw_ioctl_run(struct raw_dev
ret = -EINVAL;
goto out_unlock;
}
+ dev->state = STATE_DEV_REGISTERING;
spin_unlock_irqrestore(&dev->lock, flags);
ret = usb_gadget_register_driver(&dev->driver);
--
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 97fa5887cf28
--- x/drivers/usb/gadget/legacy/raw_gadget.c
+++ y/drivers/usb/gadget/legacy/raw_gadget.c
@@ -145,6 +145,7 @@ enum dev_state {
STATE_DEV_INVALID = 0,
STATE_DEV_OPENED,
STATE_DEV_INITIALIZED,
+ STATE_DEV_REGISTERING,
STATE_DEV_RUNNING,
STATE_DEV_CLOSED,
STATE_DEV_FAILED
@@ -508,6 +509,7 @@ static int raw_ioctl_run(struct raw_dev
ret = -EINVAL;
goto out_unlock;
}
+ dev->state = STATE_DEV_REGISTERING;
spin_unlock_irqrestore(&dev->lock, flags);
ret = usb_gadget_register_driver(&dev->driver);
--
syzbot
May 27, 2022, 10:53:08 PM5/27/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+02b163...@syzkaller.appspotmail.com
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+02b163...@syzkaller.appspotmail.com
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13564f6bf00000
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: testing is done by a robot and is best-effort only.
Greg KH
May 28, 2022, 8:08:51 AM5/28/22
to Alan Stern, syzbot, andre...@gmail.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, May 27, 2022 at 05:36:51PM -0400, Alan Stern wrote:
> On Fri, May 27, 2022 at 12:29:08PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in sysfs_create_file_ns
> >
> > really_probe: driver_sysfs_add(gadget.0) failed
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> > Modules linked in:
> > CPU: 0 PID: 2361 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> > Code: e9 03 80 3c 01 00 75 7f 8b 4c 24 38 4d 89 e9 48 89 ee 48 8b 7b 30 44 8b 44 24 48 e8 e9 fa ff ff 41 89 c5 eb 0d e8 cf 7c 9d ff <0f> 0b 41 bd ea ff ff ff e8 c2 7c 9d ff 48 b8 00 00 00 00 00 fc ff
> > RSP: 0018:ffffc900028ffca0 EFLAGS: 00010293
>
> Here's some extra detail, taken from the console log:
>
> [ 98.336685][ T2361] really_probe: driver_sysfs_add(gadget.0) failed
> [ 98.336836][ T2360] sysfs: cannot create duplicate filename '/bus/gadget/drivers/dummy_udc'
> [ 98.343498][ T2361] ------------[ cut here ]------------
> [ 98.352154][ T2360] CPU: 1 PID: 2360 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> [ 98.357802][ T2361] WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0
>
> Simultaneous splats from two different threads trying to add drivers with
> the same name suggests there might be a concurrency bug in the sysfs
> filesystem. This sort of thing should be an error but it shouldn't bring
> the kernel to its knees.
It's not bringing anything down, it's just giving you a big fat warning
> On Fri, May 27, 2022 at 12:29:08PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in sysfs_create_file_ns
> >
> > really_probe: driver_sysfs_add(gadget.0) failed
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> > Modules linked in:
> > CPU: 0 PID: 2361 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:sysfs_create_file_ns+0x131/0x1c0 fs/sysfs/file.c:351
> > Code: e9 03 80 3c 01 00 75 7f 8b 4c 24 38 4d 89 e9 48 89 ee 48 8b 7b 30 44 8b 44 24 48 e8 e9 fa ff ff 41 89 c5 eb 0d e8 cf 7c 9d ff <0f> 0b 41 bd ea ff ff ff e8 c2 7c 9d ff 48 b8 00 00 00 00 00 fc ff
> > RSP: 0018:ffffc900028ffca0 EFLAGS: 00010293
>
> Here's some extra detail, taken from the console log:
>
> [ 98.336685][ T2361] really_probe: driver_sysfs_add(gadget.0) failed
> [ 98.336836][ T2360] sysfs: cannot create duplicate filename '/bus/gadget/drivers/dummy_udc'
> [ 98.343498][ T2361] ------------[ cut here ]------------
> [ 98.352154][ T2360] CPU: 1 PID: 2360 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> [ 98.357802][ T2361] WARNING: CPU: 0 PID: 2361 at fs/sysfs/file.c:351 sysfs_create_file_ns+0x131/0x1c0
>
> Simultaneous splats from two different threads trying to add drivers with
> the same name suggests there might be a concurrency bug in the sysfs
> filesystem. This sort of thing should be an error but it shouldn't bring
> the kernel to its knees.
that the developer did something wrong and it should be fixed. The
kernel should keep working just fine after this.
> Greg, do you know anyone who could take a look at this? I don't know much
> about sysfs.
name multiple times" thing, so that subsystem needs to be fixed to make
this always a unique name.
thanks,
greg k-h
Alan Stern
May 28, 2022, 10:45:25 AM5/28/22
to Greg KH, syzbot, andre...@gmail.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Alan Stern
Index: usb-devel/drivers/usb/gadget/legacy/raw_gadget.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/legacy/raw_gadget.c
+++ usb-devel/drivers/usb/gadget/legacy/raw_gadget.c
@@ -11,6 +11,7 @@
#include <linux/ctype.h>
#include <linux/debugfs.h>
#include <linux/delay.h>
+#include <linux/idr.h>
#include <linux/kref.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
@@ -36,6 +37,9 @@ MODULE_LICENSE("GPL");
/*----------------------------------------------------------------------*/
+static DEFINE_IDA(driver_id_numbers);
+#define DRIVER_DRIVER_NAME_LENGTH_MAX 32
+
#define RAW_EVENT_QUEUE_SIZE 16
struct raw_event_queue {
@@ -160,6 +164,9 @@ struct raw_dev {
/* Reference to misc device: */
struct device *dev;
+ /* Make driver names unique */
+ int driver_id_number;
+
/* Protected by lock: */
enum dev_state state;
bool gadget_registered;
@@ -198,6 +205,8 @@ static void dev_free(struct kref *kref)
kfree(dev->udc_name);
kfree(dev->driver.udc_name);
+ kfree(dev->driver.driver.name);
+ ida_free(&driver_id_numbers, dev->driver_id_number);
if (dev->req) {
if (dev->ep0_urb_queued)
usb_ep_dequeue(dev->gadget->ep0, dev->req);
@@ -421,6 +430,7 @@ static int raw_ioctl_init(struct raw_dev
struct usb_raw_init arg;
char *udc_driver_name;
char *udc_device_name;
+ char *driver_driver_name;
unsigned long flags;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
@@ -439,36 +449,44 @@ static int raw_ioctl_init(struct raw_dev
return -EINVAL;
}
+ ret = ida_alloc(&driver_id_numbers, GFP_KERNEL);
+ if (ret < 0)
+ return ret;
+ dev->driver_id_number = ret;
+
+ driver_driver_name = kmalloc(DRIVER_DRIVER_NAME_LENGTH_MAX, GFP_KERNEL);
+ if (!driver_driver_name) {
+ ret = -ENOMEM;
+ goto out_free_driver_id_number;
+ }
+ snprintf(driver_driver_name, DRIVER_DRIVER_NAME_LENGTH_MAX,
+ DRIVER_NAME ".%d", dev->driver_id_number);
+
udc_driver_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
- if (!udc_driver_name)
- return -ENOMEM;
+ if (!udc_driver_name) {
+ ret = -ENOMEM;
+ goto out_free_driver_driver_name;
+ }
ret = strscpy(udc_driver_name, &arg.driver_name[0],
UDC_NAME_LENGTH_MAX);
- if (ret < 0) {
- kfree(udc_driver_name);
- return ret;
- }
+ if (ret < 0)
+ goto out_free_udc_driver_name;
ret = 0;
udc_device_name = kmalloc(UDC_NAME_LENGTH_MAX, GFP_KERNEL);
if (!udc_device_name) {
- kfree(udc_driver_name);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto out_free_udc_driver_name;
}
ret = strscpy(udc_device_name, &arg.device_name[0],
UDC_NAME_LENGTH_MAX);
- if (ret < 0) {
- kfree(udc_driver_name);
- kfree(udc_device_name);
- return ret;
- }
+ if (ret < 0)
+ goto out_free_udc_device_name;
ret = 0;
spin_lock_irqsave(&dev->lock, flags);
if (dev->state != STATE_DEV_OPENED) {
dev_dbg(dev->dev, "fail, device is not opened\n");
- kfree(udc_driver_name);
- kfree(udc_device_name);
ret = -EINVAL;
goto out_unlock;
}
@@ -483,14 +501,24 @@ static int raw_ioctl_init(struct raw_dev
goto out_unlock;
}
dev->driver.suspend = gadget_suspend;
dev->driver.resume = gadget_resume;
dev->driver.reset = gadget_reset;
- dev->driver.driver.name = DRIVER_NAME;
+ dev->driver.driver.name = driver_driver_name;
dev->driver.udc_name = udc_device_name;
dev->driver.match_existing_only = 1;
dev->state = STATE_DEV_INITIALIZED;
+ spin_unlock_irqrestore(&dev->lock, flags);
+ return ret;
out_unlock:
spin_unlock_irqrestore(&dev->lock, flags);
+out_free_udc_device_name:
+ kfree(udc_device_name);
+out_free_udc_driver_name:
+ kfree(udc_driver_name);
+out_free_driver_driver_name:
+ kfree(driver_driver_name);
+out_free_driver_id_number:
+ ida_free(&driver_id_numbers, dev->driver_id_number);
return ret;
}
syzbot
May 28, 2022, 11:02:16 AM5/28/22
to andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
KASAN: null-ptr-deref Read in ida_free
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: null-ptr-deref in ida_free+0x1b6/0x2e0 lib/idr.c:510
Read of size 8 at addr 0000000000000000 by task syz-fuzzer/1284
CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_report mm/kasan/report.c:432 [inline]
kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
ida_free+0x1b6/0x2e0 lib/idr.c:510
dev_free+0xdb/0x6e0 drivers/usb/gadget/legacy/raw_gadget.c:209
kref_put include/linux/kref.h:65 [inline]
raw_release+0x219/0x290 drivers/usb/gadget/legacy/raw_gadget.c:421
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x1f7/0x200 kernel/entry/common.c:201
Code: e8 aa 4b fc ff eb 88 cc cc cc cc cc cc cc cc e8 bb 8f fc ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c0002fb5f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 000000c00001e000 RCX: 000000000049dfbb
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 000000c0002fb630 R08: 0000000000000001 R09: 000000c0002fb650
R10: 000000c0002fb5dc R11: 0000000000000206 R12: 000000c0002fb5e8
R13: 0000000000203000 R14: 000000c0000001a0 R15: 00007f1aab9f437e
</TASK>
==================================================================
Warning: Permanently added '10.128.1.74' (ECDSA) to the list of known hosts.
2022/05/28 15:01:17 fuzzer started
2022/05/28 15:01:17 connecting to host at 10.128.0.163:44569
2022/05/28 15:01:17 checking machine...
2022/05/28 15:01:17 checking revisions...
syzkaller login: [ 28.730807][ T1284] ==================================================================
[ 28.732309][ T1284] BUG: KASAN: null-ptr-deref in ida_free+0x1b6/0x2e0
[ 28.733500][ T1284] Read of size 8 at addr 0000000000000000 by task syz-fuzzer/1284
[ 28.734813][ T1284]
[ 28.735363][ T1284] CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
[ 28.737366][ T1284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.738920][ T1284] Call Trace:
[ 28.739425][ T1284] <TASK>
[ 28.739871][ T1284] dump_stack_lvl+0xcd/0x134
[ 28.740555][ T1284] kasan_report.cold+0x61/0x1c6
[ 28.741239][ T1284] ? ida_free+0x1b6/0x2e0
[ 28.741875][ T1284] kasan_check_range+0x13d/0x180
[ 28.742577][ T1284] ida_free+0x1b6/0x2e0
[ 28.743209][ T1284] ? ida_destroy+0x3b0/0x3b0
[ 28.743995][ T1284] ? rcu_read_lock_sched_held+0x3a/0x70
[ 28.744853][ T1284] ? kfree+0x36b/0x4f0
[ 28.745531][ T1284] dev_free+0xdb/0x6e0
[ 28.746110][ T1284] ? _raw_spin_unlock_irqrestore+0x38/0x70
[ 28.747069][ T1284] raw_release+0x219/0x290
[ 28.747719][ T1284] __fput+0x277/0x9d0
[ 28.748344][ T1284] ? gadget_unbind+0xd0/0xd0
[ 28.749014][ T1284] task_work_run+0xdd/0x1a0
[ 28.749693][ T1284] exit_to_user_mode_prepare+0x1f7/0x200
[ 28.750523][ T1284] syscall_exit_to_user_mode+0x19/0x60
[ 28.751641][ T1284] do_syscall_64+0x42/0xb0
[ 28.756063][ T1284] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 28.761951][ T1284] RIP: 0033:0x49dfbb
[ 28.765827][ T1284] Code: e8 aa 4b fc ff eb 88 cc cc cc cc cc cc cc cc e8 bb 8f fc ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 28.785433][ T1284] RSP: 002b:000000c0002fb5f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
[ 28.793837][ T1284] RAX: 0000000000000000 RBX: 000000c00001e000 RCX: 000000000049dfbb
[ 28.801799][ T1284] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 28.809765][ T1284] RBP: 000000c0002fb630 R08: 0000000000000001 R09: 000000c0002fb650
[ 28.817720][ T1284] R10: 000000c0002fb5dc R11: 0000000000000206 R12: 000000c0002fb5e8
[ 28.825672][ T1284] R13: 0000000000203000 R14: 000000c0000001a0 R15: 00007f1aab9f437e
[ 28.833636][ T1284] </TASK>
[ 28.836678][ T1284] ==================================================================
[ 28.844826][ T1284] Kernel panic - not syncing: panic_on_warn set ...
[ 28.851483][ T1284] CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
[ 28.862730][ T1284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.872864][ T1284] Call Trace:
[ 28.876128][ T1284] <TASK>
[ 28.879041][ T1284] dump_stack_lvl+0xcd/0x134
[ 28.883617][ T1284] panic+0x2d7/0x636
[ 28.887498][ T1284] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 28.893461][ T1284] ? ida_free+0x1b6/0x2e0
[ 28.897951][ T1284] end_report.part.0+0x3f/0x7c
[ 28.902699][ T1284] kasan_report.cold+0x93/0x1c6
[ 28.907540][ T1284] ? ida_free+0x1b6/0x2e0
[ 28.911848][ T1284] kasan_check_range+0x13d/0x180
[ 28.916765][ T1284] ida_free+0x1b6/0x2e0
[ 28.921001][ T1284] ? ida_destroy+0x3b0/0x3b0
[ 28.925850][ T1284] ? rcu_read_lock_sched_held+0x3a/0x70
[ 28.931386][ T1284] ? kfree+0x36b/0x4f0
[ 28.935444][ T1284] dev_free+0xdb/0x6e0
[ 28.939501][ T1284] ? _raw_spin_unlock_irqrestore+0x38/0x70
[ 28.946270][ T1284] raw_release+0x219/0x290
[ 28.951563][ T1284] __fput+0x277/0x9d0
[ 28.955538][ T1284] ? gadget_unbind+0xd0/0xd0
[ 28.960121][ T1284] task_work_run+0xdd/0x1a0
[ 28.964752][ T1284] exit_to_user_mode_prepare+0x1f7/0x200
[ 28.970391][ T1284] syscall_exit_to_user_mode+0x19/0x60
[ 28.975939][ T1284] do_syscall_64+0x42/0xb0
[ 28.980357][ T1284] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 28.986259][ T1284] RIP: 0033:0x49dfbb
[ 28.990166][ T1284] Code: e8 aa 4b fc ff eb 88 cc cc cc cc cc cc cc cc e8 bb 8f fc ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 29.009849][ T1284] RSP: 002b:000000c0002fb5f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
[ 29.018247][ T1284] RAX: 0000000000000000 RBX: 000000c00001e000 RCX: 000000000049dfbb
[ 29.026199][ T1284] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 29.034157][ T1284] RBP: 000000c0002fb630 R08: 0000000000000001 R09: 000000c0002fb650
[ 29.042160][ T1284] R10: 000000c0002fb5dc R11: 0000000000000206 R12: 000000c0002fb5e8
[ 29.050128][ T1284] R13: 0000000000203000 R14: 000000c0000001a0 R15: 00007f1aab9f437e
[ 29.058093][ T1284] </TASK>
[ 29.061162][ T1284] Kernel Offset: disabled
[ 29.065471][ T1284] Rebooting in 86400 seconds..
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10cc0d03f00000
syzbot tried to test the proposed patch but the build/boot failed:
KASAN: null-ptr-deref Read in ida_free
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: null-ptr-deref in ida_free+0x1b6/0x2e0 lib/idr.c:510
Read of size 8 at addr 0000000000000000 by task syz-fuzzer/1284
CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_report mm/kasan/report.c:432 [inline]
kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
ida_free+0x1b6/0x2e0 lib/idr.c:510
dev_free+0xdb/0x6e0 drivers/usb/gadget/legacy/raw_gadget.c:209
kref_put include/linux/kref.h:65 [inline]
raw_release+0x219/0x290 drivers/usb/gadget/legacy/raw_gadget.c:421
__fput+0x277/0x9d0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x1f7/0x200 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x49dfbb
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: e8 aa 4b fc ff eb 88 cc cc cc cc cc cc cc cc e8 bb 8f fc ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c0002fb5f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 000000c00001e000 RCX: 000000000049dfbb
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 000000c0002fb630 R08: 0000000000000001 R09: 000000c0002fb650
R10: 000000c0002fb5dc R11: 0000000000000206 R12: 000000c0002fb5e8
R13: 0000000000203000 R14: 000000c0000001a0 R15: 00007f1aab9f437e
</TASK>
==================================================================
Warning: Permanently added '10.128.1.74' (ECDSA) to the list of known hosts.
2022/05/28 15:01:17 fuzzer started
2022/05/28 15:01:17 connecting to host at 10.128.0.163:44569
2022/05/28 15:01:17 checking machine...
2022/05/28 15:01:17 checking revisions...
syzkaller login: [ 28.730807][ T1284] ==================================================================
[ 28.732309][ T1284] BUG: KASAN: null-ptr-deref in ida_free+0x1b6/0x2e0
[ 28.733500][ T1284] Read of size 8 at addr 0000000000000000 by task syz-fuzzer/1284
[ 28.734813][ T1284]
[ 28.735363][ T1284] CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
[ 28.737366][ T1284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.738920][ T1284] Call Trace:
[ 28.739425][ T1284] <TASK>
[ 28.739871][ T1284] dump_stack_lvl+0xcd/0x134
[ 28.740555][ T1284] kasan_report.cold+0x61/0x1c6
[ 28.741239][ T1284] ? ida_free+0x1b6/0x2e0
[ 28.741875][ T1284] kasan_check_range+0x13d/0x180
[ 28.742577][ T1284] ida_free+0x1b6/0x2e0
[ 28.743209][ T1284] ? ida_destroy+0x3b0/0x3b0
[ 28.743995][ T1284] ? rcu_read_lock_sched_held+0x3a/0x70
[ 28.744853][ T1284] ? kfree+0x36b/0x4f0
[ 28.745531][ T1284] dev_free+0xdb/0x6e0
[ 28.746110][ T1284] ? _raw_spin_unlock_irqrestore+0x38/0x70
[ 28.747069][ T1284] raw_release+0x219/0x290
[ 28.747719][ T1284] __fput+0x277/0x9d0
[ 28.748344][ T1284] ? gadget_unbind+0xd0/0xd0
[ 28.749014][ T1284] task_work_run+0xdd/0x1a0
[ 28.749693][ T1284] exit_to_user_mode_prepare+0x1f7/0x200
[ 28.750523][ T1284] syscall_exit_to_user_mode+0x19/0x60
[ 28.751641][ T1284] do_syscall_64+0x42/0xb0
[ 28.756063][ T1284] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 28.761951][ T1284] RIP: 0033:0x49dfbb
[ 28.765827][ T1284] Code: e8 aa 4b fc ff eb 88 cc cc cc cc cc cc cc cc e8 bb 8f fc ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 28.785433][ T1284] RSP: 002b:000000c0002fb5f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
[ 28.793837][ T1284] RAX: 0000000000000000 RBX: 000000c00001e000 RCX: 000000000049dfbb
[ 28.801799][ T1284] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 28.809765][ T1284] RBP: 000000c0002fb630 R08: 0000000000000001 R09: 000000c0002fb650
[ 28.817720][ T1284] R10: 000000c0002fb5dc R11: 0000000000000206 R12: 000000c0002fb5e8
[ 28.825672][ T1284] R13: 0000000000203000 R14: 000000c0000001a0 R15: 00007f1aab9f437e
[ 28.833636][ T1284] </TASK>
[ 28.836678][ T1284] ==================================================================
[ 28.844826][ T1284] Kernel panic - not syncing: panic_on_warn set ...
[ 28.851483][ T1284] CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
[ 28.862730][ T1284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.872864][ T1284] Call Trace:
[ 28.876128][ T1284] <TASK>
[ 28.879041][ T1284] dump_stack_lvl+0xcd/0x134
[ 28.883617][ T1284] panic+0x2d7/0x636
[ 28.887498][ T1284] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 28.893461][ T1284] ? ida_free+0x1b6/0x2e0
[ 28.897951][ T1284] end_report.part.0+0x3f/0x7c
[ 28.902699][ T1284] kasan_report.cold+0x93/0x1c6
[ 28.907540][ T1284] ? ida_free+0x1b6/0x2e0
[ 28.911848][ T1284] kasan_check_range+0x13d/0x180
[ 28.916765][ T1284] ida_free+0x1b6/0x2e0
[ 28.921001][ T1284] ? ida_destroy+0x3b0/0x3b0
[ 28.925850][ T1284] ? rcu_read_lock_sched_held+0x3a/0x70
[ 28.931386][ T1284] ? kfree+0x36b/0x4f0
[ 28.935444][ T1284] dev_free+0xdb/0x6e0
[ 28.939501][ T1284] ? _raw_spin_unlock_irqrestore+0x38/0x70
[ 28.946270][ T1284] raw_release+0x219/0x290
[ 28.951563][ T1284] __fput+0x277/0x9d0
[ 28.955538][ T1284] ? gadget_unbind+0xd0/0xd0
[ 28.960121][ T1284] task_work_run+0xdd/0x1a0
[ 28.964752][ T1284] exit_to_user_mode_prepare+0x1f7/0x200
[ 28.970391][ T1284] syscall_exit_to_user_mode+0x19/0x60
[ 28.975939][ T1284] do_syscall_64+0x42/0xb0
[ 28.980357][ T1284] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 28.986259][ T1284] RIP: 0033:0x49dfbb
[ 28.990166][ T1284] Code: e8 aa 4b fc ff eb 88 cc cc cc cc cc cc cc cc e8 bb 8f fc ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 29.009849][ T1284] RSP: 002b:000000c0002fb5f0 EFLAGS: 00000206 ORIG_RAX: 0000000000000003
[ 29.018247][ T1284] RAX: 0000000000000000 RBX: 000000c00001e000 RCX: 000000000049dfbb
[ 29.026199][ T1284] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
[ 29.034157][ T1284] RBP: 000000c0002fb630 R08: 0000000000000001 R09: 000000c0002fb650
[ 29.042160][ T1284] R10: 000000c0002fb5dc R11: 0000000000000206 R12: 000000c0002fb5e8
[ 29.050128][ T1284] R13: 0000000000203000 R14: 000000c0000001a0 R15: 00007f1aab9f437e
[ 29.058093][ T1284] </TASK>
[ 29.061162][ T1284] Kernel Offset: disabled
[ 29.065471][ T1284] Rebooting in 86400 seconds..
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Alan Stern
May 28, 2022, 12:26:42 PM5/28/22
to syzbot, andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, May 28, 2022 at 08:02:13AM -0700, syzbot wrote:
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> KASAN: null-ptr-deref Read in ida_free
>
> ==================================================================
> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
> BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
> BUG: KASAN: null-ptr-deref in ida_free+0x1b6/0x2e0 lib/idr.c:510
> Read of size 8 at addr 0000000000000000 by task syz-fuzzer/1284
>
> CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> print_report mm/kasan/report.c:432 [inline]
> kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
> check_region_inline mm/kasan/generic.c:183 [inline]
> kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
> instrument_atomic_read include/linux/instrumented.h:71 [inline]
> test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
> ida_free+0x1b6/0x2e0 lib/idr.c:510
Oops. I shouldn't try to deallocate an ID number that was never allocated
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> KASAN: null-ptr-deref Read in ida_free
>
> ==================================================================
> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
> BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
> BUG: KASAN: null-ptr-deref in ida_free+0x1b6/0x2e0 lib/idr.c:510
> Read of size 8 at addr 0000000000000000 by task syz-fuzzer/1284
>
> CPU: 1 PID: 1284 Comm: syz-fuzzer Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> print_report mm/kasan/report.c:432 [inline]
> kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
> check_region_inline mm/kasan/generic.c:183 [inline]
> kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
> instrument_atomic_read include/linux/instrumented.h:71 [inline]
> test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
> ida_free+0x1b6/0x2e0 lib/idr.c:510
in the first place.
spin_lock_init(&dev->lock);
init_completion(&dev->ep0_done);
raw_event_queue_init(&dev->queue);
+ dev->driver_id_number = -1;
return dev;
}
@@ -198,6 +206,9 @@ static void dev_free(struct kref *kref)
+ if (dev->driver_id_number >= 0)
+ ida_free(&driver_id_numbers, dev->driver_id_number);
if (dev->req) {
if (dev->ep0_urb_queued)
usb_ep_dequeue(dev->gadget->ep0, dev->req);
@@ -421,6 +432,7 @@ static int raw_ioctl_init(struct raw_dev
if (dev->req) {
if (dev->ep0_urb_queued)
usb_ep_dequeue(dev->gadget->ep0, dev->req);
struct usb_raw_init arg;
char *udc_driver_name;
char *udc_device_name;
+ char *driver_driver_name;
unsigned long flags;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
@@ -439,36 +451,44 @@ static int raw_ioctl_init(struct raw_dev
char *udc_driver_name;
char *udc_device_name;
+ char *driver_driver_name;
unsigned long flags;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
syzbot
May 28, 2022, 1:02:13 PM5/28/22
to andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in driver_unregister
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
------------[ cut here ]------------
Unexpected driver unregister!
WARNING: CPU: 0 PID: 2335 at drivers/base/driver.c:194 driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Modules linked in:
CPU: 0 PID: 2335 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller-00157-g97fa5887cf28-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:driver_unregister drivers/base/driver.c:194 [inline]
RIP: 0010:driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Code: 68 4c 89 e7 e8 65 b9 db fe 48 89 ef e8 fd a0 ff ff 5d 41 5c e9 75 fa 78 fe e8 70 fa 78 fe 48 c7 c7 80 7a 81 86 e8 12 96 ee 02 <0f> 0b 5d 41 5c e9 5a fa 78 fe e8 75 93 ad fe eb 96 e8 6e 93 ad fe
RSP: 0018:ffffc9000267fa78 EFLAGS: 00010282
RIP: 0010:driver_unregister+0x8c/0xb0 drivers/base/driver.c:191
Code: 68 4c 89 e7 e8 65 b9 db fe 48 89 ef e8 fd a0 ff ff 5d 41 5c e9 75 fa 78 fe e8 70 fa 78 fe 48 c7 c7 80 7a 81 86 e8 12 96 ee 02 <0f> 0b 5d 41 5c e9 5a fa 78 fe e8 75 93 ad fe eb 96 e8 6e 93 ad fe
RAX: 0000000000000000 RBX: ffff888118006050 RCX: 0000000000000000
RDX: ffff888114fe8000 RSI: ffffffff812bdce8 RDI: fffff520004cff41
RBP: ffff888118006098 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff812b86be R11: 0000000000000000 R12: 0000000000000000
R13: ffff888118006008 R14: ffff88811785e7a8 R15: ffff888100219ca0
FS: 0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc6f40b3718 CR3: 0000000007825000 CR4: 00000000003506f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_gadget_unregister_driver+0x48/0x70 drivers/usb/gadget/udc/core.c:1590
raw_release+0x18b/0x290 drivers/usb/gadget/legacy/raw_gadget.c:412
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_gadget_unregister_driver+0x48/0x70 drivers/usb/gadget/udc/core.c:1590
__fput+0x277/0x9d0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:37 [inline]
do_exit+0xaff/0x2980 kernel/exit.c:795
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
get_signal+0x22df/0x24c0 kernel/signal.c:2864
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x156/0x200 kernel/entry/common.c:201
do_exit+0xaff/0x2980 kernel/exit.c:795
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
get_signal+0x22df/0x24c0 kernel/signal.c:2864
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc6f417f0e9
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: Unable to access opcode bytes at RIP 0x7fc6f417f0bf.
RSP: 002b:00007fc6f40b3218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fc6f4292108 RCX: 00007fc6f417f0e9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc6f4292108
RBP: 00007fc6f4292100 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6f429210c
R13: 00007ffd64cd846f R14: 00007fc6f40b3300 R15: 0000000000022000
</TASK>
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13e750ddf00000
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Alan Stern
May 28, 2022, 1:23:21 PM5/28/22
to syzbot, andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
spin_unlock_irqrestore(&dev->lock, flags);
if (unregister) {
+ dev_info(dev->dev, "Unregistering driver %d at %px", dev->driver_id_number, dev);
ret = usb_gadget_unregister_driver(&dev->driver);
if (ret != 0)
dev_err(dev->dev,
@@ -421,6 +433,7 @@ static int raw_ioctl_init(struct raw_dev
struct usb_raw_init arg;
char *udc_driver_name;
char *udc_device_name;
+ char *driver_driver_name;
unsigned long flags;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
@@ -439,36 +452,44 @@ static int raw_ioctl_init(struct raw_dev
char *udc_driver_name;
char *udc_device_name;
+ char *driver_driver_name;
unsigned long flags;
if (copy_from_user(&arg, (void __user *)value, sizeof(arg)))
dev->driver.suspend = gadget_suspend;
dev->driver.resume = gadget_resume;
dev->driver.reset = gadget_reset;
- dev->driver.driver.name = DRIVER_NAME;
+ dev->driver.driver.name = driver_driver_name;
dev->driver.udc_name = udc_device_name;
dev->driver.match_existing_only = 1;
dev->state = STATE_DEV_INITIALIZED;
+ spin_unlock_irqrestore(&dev->lock, flags);
+ return ret;
out_unlock:
spin_unlock_irqrestore(&dev->lock, flags);
+out_free_udc_device_name:
+ kfree(udc_device_name);
+out_free_udc_driver_name:
+ kfree(udc_driver_name);
+out_free_driver_driver_name:
+ kfree(driver_driver_name);
+out_free_driver_id_number:
+ ida_free(&driver_id_numbers, dev->driver_id_number);
return ret;
}
@@ -510,6 +541,7 @@ static int raw_ioctl_run(struct raw_dev
dev->driver.resume = gadget_resume;
dev->driver.reset = gadget_reset;
- dev->driver.driver.name = DRIVER_NAME;
+ dev->driver.driver.name = driver_driver_name;
dev->driver.udc_name = udc_device_name;
dev->driver.match_existing_only = 1;
dev->state = STATE_DEV_INITIALIZED;
+ spin_unlock_irqrestore(&dev->lock, flags);
+ return ret;
out_unlock:
spin_unlock_irqrestore(&dev->lock, flags);
+out_free_udc_device_name:
+ kfree(udc_device_name);
+out_free_udc_driver_name:
+ kfree(udc_driver_name);
+out_free_driver_driver_name:
+ kfree(driver_driver_name);
+out_free_driver_id_number:
+ ida_free(&driver_id_numbers, dev->driver_id_number);
return ret;
}
}
spin_unlock_irqrestore(&dev->lock, flags);
+ dev_info(dev->dev, "Registering driver %d at %px", dev->driver_id_number, dev);
ret = usb_gadget_register_driver(&dev->driver);
spin_lock_irqsave(&dev->lock, flags);
syzbot
May 28, 2022, 1:55:24 PM5/28/22
to andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+02b163...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+02b163...@syzkaller.appspotmail.com
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f44625f00000
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Alan Stern
May 28, 2022, 4:22:58 PM5/28/22
to syzbot, andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
In any case, I believe the second problem (unexpected unregistration)
arises because the driver has no protection against multiple threads
calling raw_ioctl_run() concurrently. Fixing that should be a second
patch, but for testing purposes the two are combined below.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 97fa5887cf28
Index: usb-devel/drivers/usb/gadget/legacy/raw_gadget.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/legacy/raw_gadget.c
+++ usb-devel/drivers/usb/gadget/legacy/raw_gadget.c
@@ -11,6 +11,7 @@
#include <linux/ctype.h>
#include <linux/debugfs.h>
#include <linux/delay.h>
+#include <linux/idr.h>
#include <linux/kref.h>
#include <linux/miscdevice.h>
#include <linux/module.h>
@@ -36,6 +37,9 @@ MODULE_LICENSE("GPL");
/*----------------------------------------------------------------------*/
+static DEFINE_IDA(driver_id_numbers);
+#define DRIVER_DRIVER_NAME_LENGTH_MAX 32
+
#define RAW_EVENT_QUEUE_SIZE 16
struct raw_event_queue {
STATE_DEV_INVALID = 0,
STATE_DEV_OPENED,
STATE_DEV_INITIALIZED,
+ STATE_DEV_REGISTERING,
STATE_DEV_RUNNING,
STATE_DEV_CLOSED,
STATE_DEV_FAILED
@@ -160,6 +165,9 @@ struct raw_dev {
STATE_DEV_OPENED,
STATE_DEV_INITIALIZED,
+ STATE_DEV_REGISTERING,
STATE_DEV_RUNNING,
STATE_DEV_CLOSED,
STATE_DEV_FAILED
/* Reference to misc device: */
struct device *dev;
+ /* Make driver names unique */
+ int driver_id_number;
+
/* Protected by lock: */
enum dev_state state;
bool gadget_registered;
@@ -188,6 +196,7 @@ static struct raw_dev *dev_new(void)
struct device *dev;
+ /* Make driver names unique */
+ int driver_id_number;
+
/* Protected by lock: */
enum dev_state state;
bool gadget_registered;
spin_lock_init(&dev->lock);
init_completion(&dev->ep0_done);
raw_event_queue_init(&dev->queue);
+ dev->driver_id_number = -1;
return dev;
}
@@ -198,6 +207,9 @@ static void dev_free(struct kref *kref)
init_completion(&dev->ep0_done);
raw_event_queue_init(&dev->queue);
+ dev->driver_id_number = -1;
return dev;
}
kfree(dev->udc_name);
kfree(dev->driver.udc_name);
+ kfree(dev->driver.driver.name);
+ if (dev->driver_id_number >= 0)
+ ida_free(&driver_id_numbers, dev->driver_id_number);
if (dev->req) {
if (dev->ep0_urb_queued)
usb_ep_dequeue(dev->gadget->ep0, dev->req);
ret = -EINVAL;
goto out_unlock;
}
goto out_unlock;
}
syzbot
May 28, 2022, 4:40:17 PM5/28/22
to andre...@gmail.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+02b163...@syzkaller.appspotmail.com
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=103c91e3f00000
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+02b163...@syzkaller.appspotmail.com
Tested on:
commit: 97fa5887 USB: new quirk for Dell Gen 2 devices
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Hillf Danton
May 28, 2022, 8:56:23 PM5/28/22
to Alan Stern, linux-...@vger.kernel.org, linu...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Hillf Danton
Alan Stern
May 31, 2022, 3:41:47 AM5/31/22
to syzbot, Andrey Konovalov, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, May 27, 2022 at 02:25:19AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 97fa5887cf28 USB: new quirk for Dell Gen 2 devices
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=170ebdc3f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
> dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1124ad81f00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d6004df00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+02b163...@syzkaller.appspotmail.com
There are at least two bugs here. The first is the failure to select a
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 97fa5887cf28 USB: new quirk for Dell Gen 2 devices
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=170ebdc3f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d7b232ec3adf5c8d
> dashboard link: https://syzkaller.appspot.com/bug?extid=02b16343704b3af1667e
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1124ad81f00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d6004df00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+02b163...@syzkaller.appspotmail.com
unique driver name; the raw gadget always uses the name "raw-gadget". As
a result, registrations after the first one fail:
> kobject_add_internal failed for raw-gadget with -EEXIST, don't try to register things with the same name in the same directory.
> UDC core: USB Raw Gadget: driver registration failed: -17
> misc raw-gadget: fail, usb_gadget_register_driver returned -17
the user. That's what the patch below does. However, this has the
drawback that if the user provides a bad name then the registration
attempt will cause a kernel error, because the kernel expects driver names
to be controlled by drivers, not by users. Maybe we should use an
ida-generated suffix: "raw-gadget.N".
The second bug is the unexpected unregistration. The raw-gadget driver is
careful to keep track of whether registration succeeded, and it doesn't
try to unregister itself if registration failed. Nevertheless, that
happened here:
it has something to do with the fact that registration failed for two
separate threads (see the syzbot console log). I can't tell what's going
on.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 97fa5887cf28
Index: usb-devel/drivers/usb/gadget/legacy/raw_gadget.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/legacy/raw_gadget.c
+++ usb-devel/drivers/usb/gadget/legacy/raw_gadget.c
dev->driver.suspend = gadget_suspend;
dev->driver.resume = gadget_resume;
dev->driver.reset = gadget_reset;
- dev->driver.driver.name = DRIVER_NAME;
+ dev->driver.driver.name = udc_driver_name;
dev->driver.resume = gadget_resume;
dev->driver.reset = gadget_reset;
- dev->driver.driver.name = DRIVER_NAME;
Reply all
Reply to author
Forward
0 new messages