[v6.1] UBSAN: shift-out-of-bounds in set_flicker

syzbot

Nov 26, 2023, 1:40:23 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 69e434a1cb21 Linux 6.1.63
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=116eb3c8e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8936a912d77a129d
dashboard link: https://syzkaller.appspot.com/bug?extid=917ee0d4e8624bfe4e70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1747bc94e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8f4c34d49102/disk-69e434a1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/415c50ae270f/vmlinux-69e434a1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/71f602f135dc/Image-69e434a1.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+917ee0...@syzkaller.appspotmail.com

gspca_cpia1: usb_control_msg 03, error -71
================================================================================
UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
shift exponent 245 is too large for 32-bit type 'int'
CPU: 0 PID: 111 Comm: kworker/0:2 Not tainted 6.1.63-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Workqueue: usb_hub_wq hub_event
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x2f4/0x36c lib/ubsan.c:321
set_flicker+0x11d8/0x12c0 drivers/media/usb/gspca/cpia1.c:1031
sd_s_ctrl+0x8ac/0x1714 drivers/media/usb/gspca/cpia1.c:1782
__v4l2_ctrl_handler_setup+0x570/0x674 drivers/media/v4l2-core/v4l2-ctrls-core.c:2218
v4l2_ctrl_handler_setup+0x58/0x94 drivers/media/v4l2-core/v4l2-ctrls-core.c:2235
gspca_set_default_mode drivers/media/usb/gspca/gspca.c:908 [inline]
gspca_dev_probe2+0x814/0x1084 drivers/media/usb/gspca/gspca.c:1541
gspca_dev_probe+0x140/0x210 drivers/media/usb/gspca/gspca.c:1610
sd_probe+0x38/0x48 drivers/media/usb/gspca/benq.c:258
usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
really_probe+0x394/0xacc drivers/base/dd.c:639
__driver_probe_device+0x194/0x3b4 drivers/base/dd.c:785
driver_probe_device+0x78/0x330 drivers/base/dd.c:815
__device_attach_driver+0x2a8/0x4f4 drivers/base/dd.c:943
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:1015
device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3664
usb_set_configuration+0x15c0/0x1b40 drivers/usb/core/message.c:2165
usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
really_probe+0x394/0xacc drivers/base/dd.c:639
__driver_probe_device+0x194/0x3b4 drivers/base/dd.c:785
driver_probe_device+0x78/0x330 drivers/base/dd.c:815
__device_attach_driver+0x2a8/0x4f4 drivers/base/dd.c:943
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:1015
device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3664
usb_new_device+0x904/0x142c drivers/usb/core/hub.c:2583
hub_port_connect drivers/usb/core/hub.c:5434 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5574 [inline]
port_event drivers/usb/core/hub.c:5730 [inline]
hub_event+0x23f4/0x4360 drivers/usb/core/hub.c:5812
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
================================================================================
input: cpia1 as /devices/platform/dummy_hcd.0/usb1/1-1/input/input2
usb 1-1: USB disconnect, device number 19
usb 1-1: new high-speed USB device number 20 using dummy_hcd
usb 1-1: New USB device found, idVendor=0553, idProduct=0002, bcdDevice=b0.11
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
gspca_main: cpia1-2.14.0 probing 0553:0002
cpia1 1-1:0.0: unexpected state after lo power cmd: 01
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 01, error -32
gspca_cpia1: usb_control_msg 01, error -32
gspca_cpia1: usb_control_msg 01, error -32
gspca_cpia1: usb_control_msg 01, error -32
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 03, error -32
cpia1 1-1:0.0: unexpected state after hi power cmd: f5
cpia1: probe of 1-1:0.0 failed with error -5
usb 1-1: USB disconnect, device number 20
usb 1-1: new high-speed USB device number 21 using dummy_hcd
usb 1-1: New USB device found, idVendor=0553, idProduct=0002, bcdDevice=b0.11
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
gspca_main: cpia1-2.14.0 probing 0553:0002
cpia1 1-1:0.0: unexpected state after lo power cmd: 01
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 03, error -32
gspca_cpia1: usb_control_msg 03, error -32
cpia1 1-1:0.0: unexpected systemstate: 01


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup