Re: general protection fault in cdev_del

From: Andrey Konovalov
Date: Tue Aug 13 2019 - 09:03:21 EST


On Tue, May 28, 2019 at 12:48 PM syzbot
<syzbot+67b2bd0e34f952d0321e@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=178e4526a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c309d28e15db39c5
> dashboard link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dc5d54a00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cae526a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+67b2bd0e34f952d0321e@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN PTI
> CPU: 1 PID: 2486 Comm: kworker/1:2 Not tainted 5.2.0-rc1+ #9
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
> Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
> 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
> 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
> RSP: 0018:ffff8881d18e7218 EFLAGS: 00010207
> RAX: dffffc0000000000 RBX: ffff8881d249a100 RCX: ffffffff820d879e
> RDX: 000000000000000c RSI: ffffffff8167705d RDI: 0000000000000064
> RBP: 0000000000000000 R08: ffff8881d18d1800 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff8881d25c9100 R14: 0000000000000000 R15: ffff8881cc2a8070
> FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f35af318000 CR3: 00000001cc182000 CR4: 00000000001406e0
> Call Trace:
> tty_unregister_device drivers/tty/tty_io.c:3192 [inline]
> tty_unregister_device+0x10d/0x1a0 drivers/tty/tty_io.c:3187
> hso_serial_tty_unregister drivers/net/usb/hso.c:2245 [inline]
> hso_create_bulk_serial_device drivers/net/usb/hso.c:2682 [inline]
> hso_probe.cold+0xc8/0x120 drivers/net/usb/hso.c:2948
> usb_probe_interface+0x30b/0x7a0 drivers/usb/core/driver.c:361
> really_probe+0x287/0x660 drivers/base/dd.c:509
> driver_probe_device+0x104/0x210 drivers/base/dd.c:670
> __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
> bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
> __device_attach+0x217/0x360 drivers/base/dd.c:843
> bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
> device_add+0xae6/0x1700 drivers/base/core.c:2111
> usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
> generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
> usb_probe_device+0xa2/0x100 drivers/usb/core/driver.c:266
> really_probe+0x287/0x660 drivers/base/dd.c:509
> driver_probe_device+0x104/0x210 drivers/base/dd.c:670
> __device_attach_driver+0x1c4/0x230 drivers/base/dd.c:777
> bus_for_each_drv+0x15e/0x1e0 drivers/base/bus.c:454
> __device_attach+0x217/0x360 drivers/base/dd.c:843
> bus_probe_device+0x1e6/0x290 drivers/base/bus.c:514
> device_add+0xae6/0x1700 drivers/base/core.c:2111
> usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
> hub_port_connect drivers/usb/core/hub.c:5089 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
> port_event drivers/usb/core/hub.c:5350 [inline]
> hub_event+0x1adc/0x35a0 drivers/usb/core/hub.c:5432
> process_one_work+0x90a/0x1580 kernel/workqueue.c:2268
> worker_thread+0x96/0xe20 kernel/workqueue.c:2414
> kthread+0x30e/0x420 kernel/kthread.c:254
> ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Modules linked in:
> ---[ end trace 3b56fa5a205cba42 ]---
> RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:592
> Code: cf 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 a5 d5 ff 48 8d
> 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
> 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
> RSP: 0018:ffff8881d18e7218 EFLAGS: 00010207
> RAX: dffffc0000000000 RBX: ffff8881d249a100 RCX: ffffffff820d879e
> RDX: 000000000000000c RSI: ffffffff8167705d RDI: 0000000000000064
> RBP: 0000000000000000 R08: ffff8881d18d1800 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff8881d25c9100 R14: 0000000000000000 R15: ffff8881cc2a8070
> FS: 0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f35af318000 CR3: 00000001cc182000 CR4: 00000000001406e0

Trying Oliver's fix from [1]:

#syz test: https://github.com/google/kasan.git 69bbe8c7

[1] https://groups.google.com/forum/#!msg/syzkaller-bugs/5qVDUDTxXYQ/OlN_ZX6LBwAJ

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

From 6867abc1701f18892d32e8aeaf644901e9bcbf82 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@xxxxxxxx>
Date: Wed, 5 Jun 2019 13:49:21 +0200
Subject: [PATCH] usb: hso: initialize so that we can tear down in the error
case

Initialization must follow the sequence stuff is undone in case
we bail out. Thus the parent pointer must be set earlier.

Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
---
drivers/net/usb/hso.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 6a0ecddff310..4d9100fb9f6e 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2653,6 +2653,9 @@ static struct hso_device *hso_create_bulk_serial_device(
BULK_URB_TX_SIZE))
goto exit;

+ /* and record this serial */
+ set_serial_by_index(serial->minor, serial);
+
serial->in_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK,
USB_DIR_IN);
if (!serial->in_endp) {
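Review bot: moving `set_serial_by_index(serial->minor, serial)` ahead of the endpoint lookups means every `goto exit` that follows (the `if (!serial->in_endp)` branch visible here and the later ones) now reaches the exit teardown with the serial already recorded, which matches the commit message's point that initialization must follow the order in which the exit path undoes it; the reported trace shows exactly that exit path (hso_create_bulk_serial_device -> hso_serial_tty_unregister -> tty_unregister_device -> cdev_del) faulting when run against a device that was never fully set up. Worth confirming in the same change that the exit teardown also clears the table entry again (a `set_serial_by_index(serial->minor, NULL)` or equivalent) after unregistering, so a probe that fails at the endpoint checks does not leave a stale pointer to a freed serial in the index table. Minor style point: the comment `/* and record this serial */` now sits before the endpoint setup rather than at the end of initialization, so it would read better as `/* record this serial early so the exit path can undo it */`.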
@@ -2669,9 +2672,6 @@ static struct hso_device *hso_create_bulk_serial_device(

serial->write_data = hso_std_serial_write_data;

- /* and record this serial */
- set_serial_by_index(serial->minor, serial);
-
/* setup the proc dirs and files if needed */
hso_log_port(hso_dev);

--
2.16.4