Re: general protection fault in __dev_printk

[syzbot <syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com>]

syzbot has found a reproducer for the following crash on:

HEAD commit:    d34f9519 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan/tree/usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10adfe6b200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c73d1bb5aeaeae20
dashboard link: https://syzkaller.appspot.com/bug?extid=2eb9121678bdb36e6d57
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145cb7e3200000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17f8bd2d200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2eb9121678bdb36e6d57@syzkaller.appspotmail.com

yurex 1-1:0.150: yurex_interrupt - unknown status received: -71
usb 1-1: USB disconnect, device number 112
yurex 1-1:0.150: yurex_interrupt - unknown status received: -71
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 5402 Comm: udevd Not tainted 5.1.0-rc5-319617-gd34f951 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:dev_name include/linux/device.h:1087 [inline]
RIP: 0010:__dev_printk+0x3f/0x215 drivers/base/core.c:3208
Code: 89 f5 53 e8 1e 24 1c fc 48 85 ed 0f 84 c9 01 00 00 e8 10 24 1c fc 48  
8d 7d 50 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74  
05 e8 31 39 53 fc 4c 8b 7d 50 4d 85 ff 75 28 e8 e3
RSP: 0018:ffff8880ad107930 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffffed1015a20f2d RCX: 00000000ffffffed
RDX: 0000000000000010 RSI: ffffffff85559bf0 RDI: 0000000000000080
RBP: 0000000000000030 R08: ffff888091578000 R09: ffffed1015a24fc9
R10: ffffed1015a24fc8 R11: ffff8880ad127e47 R12: ffffffff8f031a00
R13: ffff8880ad107988 R14: 0000000000000000 R15: ffff88809b9b1600
FS:  00007fcff04907a0(0000) GS:ffff8880ad100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcff0496000 CR3: 0000000097678000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  <IRQ>
  _dev_err+0xdc/0x10e drivers/base/core.c:3251
  yurex_interrupt.cold+0x12e/0x13d drivers/usb/misc/yurex.c:183
  __usb_hcd_giveback_urb+0x1f4/0x470 drivers/usb/core/hcd.c:1758
  usb_hcd_giveback_urb+0x346/0x400 drivers/usb/core/hcd.c:1823
  dummy_timer+0x100b/0x32c0 drivers/usb/gadget/udc/dummy_hcd.c:1968
  call_timer_fn+0x161/0x5f0 kernel/time/timer.c:1325
  expire_timers kernel/time/timer.c:1362 [inline]
  __run_timers kernel/time/timer.c:1681 [inline]
  __run_timers kernel/time/timer.c:1649 [inline]
  run_timer_softirq+0x58b/0x1400 kernel/time/timer.c:1694
  __do_softirq+0x22a/0x8cd kernel/softirq.c:293
  invoke_softirq kernel/softirq.c:374 [inline]
  irq_exit+0x187/0x1b0 kernel/softirq.c:414
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0xfe/0x4a0 arch/x86/kernel/apic/apic.c:1062
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
  </IRQ>
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:syscall_return_slowpath arch/x86/entry/common.c:250 [inline]
RIP: 0010:do_syscall_64+0x115/0x4f0 arch/x86/entry/common.c:293
Code: 03 00 00 48 89 45 50 e8 99 2c 71 00 48 b8 00 00 00 00 00 fc ff df 65  
48 8b 1c 25 00 ee 01 00 48 89 da 48 c1 ea 03 80 3c 02 00 <0f> 85 6f 03 00  
00 4c 8b 23 9c 58 0f 1f 44 00 00 25 00 02 00 00 31
RSP: 0018:ffff88809fceff28 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffff888091578000 RCX: 1ffff11013f9dff5
RDX: 1ffff110122af000 RSI: ffffffff81009367 RDI: ffff88809fceffa8
RBP: ffff88809fceff58 R08: 0000000000000000 R09: 0000000000000001
R10: ffffed1015a25c27 R11: ffff8880ad12e13b R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcfefb99577
Code: f0 ff ff 77 02 f3 c3 48 8b 15 bd 38 2b 00 f7 d8 64 89 02 83 c8 ff c3  
90 90 90 90 90 90 90 90 90 90 90 90 b8 59 00 00 00 0f 05 <48> 3d 01 f0 ff  
ff 73 01 c3 48 8b 0d 91 38 2b 00 31 d2 48 29 c2 64
RSP: 002b:00007ffe20473c28 EFLAGS: 00000246 ORIG_RAX: 0000000000000059
RAX: ffffffffffffffea RBX: 0000000000626250 RCX: 00007fcfefb99577
RDX: 0000000000000400 RSI: 00007ffe20473c30 RDI: 00007ffe20474110
RBP: 0000000000635fd0 R08: 0000000000635fd0 R09: 75642f6d726f6674
R10: 2e6364755f796d6d R11: 0000000000000246 R12: 00007ffe20474110
R13: 0000000000000400 R14: 0000000000626250 R15: 000000000000000b
Modules linked in:
---[ end trace 9119e43ae4e6c65e ]---
RIP: 0010:dev_name include/linux/device.h:1087 [inline]
RIP: 0010:__dev_printk+0x3f/0x215 drivers/base/core.c:3208
Code: 89 f5 53 e8 1e 24 1c fc 48 85 ed 0f 84 c9 01 00 00 e8 10 24 1c fc 48  
8d 7d 50 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74  
05 e8 31 39 53 fc 4c 8b 7d 50 4d 85 ff 75 28 e8 e3
RSP: 0018:ffff8880ad107930 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffffed1015a20f2d RCX: 00000000ffffffed
RDX: 0000000000000010 RSI: ffffffff85559bf0 RDI: 0000000000000080
RBP: 0000000000000030 R08: ffff888091578000 R09: ffffed1015a24fc9
R10: ffffed1015a24fc8 R11: ffff8880ad127e47 R12: ffffffff8f031a00
R13: ffff8880ad107988 R14: 0000000000000000 R15: ffff88809b9b1600
FS:  00007fcff04907a0(0000) GS:ffff8880ad100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcff0496000 CR3: 0000000097678000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400