We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)
This bug happened during enumeration (i.e., set_config) for an acm gadget.
Although tty (instance of tty_struct) held by port->port in
gs_start_io() is null,
this tries to access its field (tty->flags) in tty_wakeup(), thereby
triggering this error.
kernel config:
https://kt0755.github.io/etc/config_v5.6.11
==================================================================
BUG: KASAN: null-ptr-deref in test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
BUG: KASAN: null-ptr-deref in tty_wakeup+0x25/0x110 drivers/tty/tty_io.c:532
Read of size 8 at addr 0000000000000460 by task systemd-udevd/2719
CPU: 2 PID: 2719 Comm: systemd-udevd Not tainted 5.6.11 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
__kasan_report+0x161/0x1b0 mm/kasan/report.c:510
kasan_report+0x12/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
__kasan_check_read+0x11/0x20 mm/kasan/common.c:95
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
tty_wakeup+0x25/0x110 drivers/tty/tty_io.c:532
gs_start_io+0x1b7/0x2a0 drivers/usb/gadget/function/u_serial.c:568
gserial_connect+0x41c/0x590 drivers/usb/gadget/function/u_serial.c:1333
acm_set_alt+0x251/0x5c0 drivers/usb/gadget/function/f_acm.c:456
set_config drivers/usb/gadget/composite.c:838 [inline]
composite_setup+0x4231/0x6f10 drivers/usb/gadget/composite.c:1717
configfs_composite_setup+0x11a/0x170 drivers/usb/gadget/configfs.c:1466
dummy_timer+0xda5/0x33f0 drivers/usb/gadget/udc/dummy_hcd.c:1898
call_timer_fn+0x20e/0x770 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
run_timer_softirq+0x63f/0x13c0 kernel/time/timer.c:1786
__do_softirq+0x262/0xb46 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x161/0x1b0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x137/0x500 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:create_object+0x74c/0xba0 mm/kmemleak.c:607
Code: e9 44 fc ff ff 65 48 8b 04 25 00 0f 02 00 48 8d b8 90 04 00 00
48 ba 00 00 00 00 00 fc ff df 48 89 fe 48 c1 ee 03 0f b6 14 16 <84> d2
74 09 80 fa 03 0f 8e be 01 00 00 49 8d bf 50 01 00 00 8b 90
RSP: 0018:ffff88805ad17560 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff13
RAX: ffff88803b448000 RBX: 0000000000000120 RCX: ffffffff816e25c4
RDX: 0000000000000000 RSI: 1ffff11007689092 RDI: ffff88803b448490
RBP: ffff88805ad175b0 R08: ffffed100c9a128e R09: ffffed100c9a128e
R10: 0000000000000001 R11: ffffed100c9a128d R12: ffff888057bb8160
R13: ffff888064d09420 R14: ffff888064d09534 R15: ffff888064d093e0
kmemleak_alloc+0x21/0x30 mm/kmemleak.c:893
kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
slab_post_alloc_hook mm/slab.h:586 [inline]
slab_alloc_node mm/slub.c:2786 [inline]
slab_alloc mm/slub.c:2794 [inline]
kmem_cache_alloc+0x157/0x2d0 mm/slub.c:2799
__d_alloc+0x2e/0x8b0 fs/dcache.c:1690
d_alloc+0x4d/0x250 fs/dcache.c:1769
d_alloc_parallel+0xfe/0x1910 fs/dcache.c:2521
__lookup_slow+0x195/0x440 fs/namei.c:1742
lookup_slow fs/namei.c:1774 [inline]
walk_component+0x779/0xe30 fs/namei.c:1915
lookup_last fs/namei.c:2391 [inline]
path_lookupat+0x151/0x3e0 fs/namei.c:2436
filename_lookup+0x191/0x3a0 fs/namei.c:2466
user_path_at_empty+0x40/0x50 fs/namei.c:2746
user_path_at include/linux/namei.h:58 [inline]
vfs_statx+0xe9/0x190 fs/stat.c:197
vfs_lstat include/linux/fs.h:3277 [inline]
__do_sys_newlstat+0x87/0xf0 fs/stat.c:364
__se_sys_newlstat fs/stat.c:358 [inline]
__x64_sys_newlstat+0x54/0x80 fs/stat.c:358
do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f473bb9f335
Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00
83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89
RSP: 002b:00007ffc79ada6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
RAX: ffffffffffffffda RBX: 000055d54f102c1a RCX: 00007f473bb9f335
RDX: 00007ffc79ada7b0 RSI: 00007ffc79ada7b0 RDI: 00007ffc79ada700
RBP: 00007ffc79ada880 R08: 000000000000fc00 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000246 R12: 00007ffc79ada890
R13: 00007ffc79ada788 R14: 0000000000000018 R15: 000055d54f846470
==================================================================