From: syzbot <syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com>
To: gregkh@linuxfoundation.org, johan@kernel.org,
kai.heng.feng@canonical.com, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: general protection fault in usb_find_alt_setting (2)
Date: Mon, 03 Sep 2018 10:51:03 -0700
Message-ID: <0000000000005fbf690574fb2f26@google.com>
Hello,
syzbot found the following crash on:
HEAD commit: 58c3f14f86c9 Merge tag 'riscv-for-linus-4.19-rc2' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1046f0ea400000
kernel config: https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
dashboard link: https://syzkaller.appspot.com/bug?extid=19c3aaef85a89d451eac
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=109ed296400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d890ca400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
usb usb1: usbfs: interface 0 claimed by hub while 'syz-executor177' sets
config #0
usb usb1: usbfs: process 4640 (syz-executor177) did not claim interface 0
before use
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 4641 Comm: syz-executor177 Not tainted 4.19.0-rc1+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231
Code: 89 fb 48 83 ec 10 48 89 7d c8 89 55 d4 89 75 d0 e8 bd 0e 0b fd 48 8d
7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 86 02 00 00
RSP: 0018:ffff8801ba7274a8 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8476da79
RDX: 0000000000000000 RSI: ffffffff8471b1c3 RDI: 0000000000000004
RBP: ffff8801ba7274e0 R08: ffff8801bab5c400 R09: ffffed00374e4eb2
R10: ffffed00374e4eb4 R11: ffff8801ba7275a7 R12: 0000000000000000
R13: ffff8801ce48d500 R14: ffff8801bb55f840 R15: 0000000000000000
FS: 0000000001231880(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006cf090 CR3: 00000001baf94000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
check_ctrlrecip+0x1e6/0x320 drivers/usb/core/devio.c:828
proc_control+0x151/0xef0 drivers/usb/core/devio.c:1074
usbdev_do_ioctl+0x1eb4/0x3b30 drivers/usb/core/devio.c:2394
usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2551
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
__do_sys_ioctl fs/ioctl.c:709 [inline]
__se_sys_ioctl fs/ioctl.c:707 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444b19
Code: e8 0c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 db ce fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffffd7d0408 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444b19
RDX: 0000000020000280 RSI: 00000000c0185500 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000004002e0
R10: 000000000000ffff R11: 0000000000000217 R12: 000000000000893f
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace f80beb69e56f2f62 ]---
RIP: 0010:usb_find_alt_setting+0x38/0x310 drivers/usb/core/usb.c:231
Code: 89 fb 48 83 ec 10 48 89 7d c8 89 55 d4 89 75 d0 e8 bd 0e 0b fd 48 8d
7b 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48
89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 86 02 00 00
RSP: 0018:ffff8801ba7274a8 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8476da79
RDX: 0000000000000000 RSI: ffffffff8471b1c3 RDI: 0000000000000004
RBP: ffff8801ba7274e0 R08: ffff8801bab5c400 R09: ffffed00374e4eb2
R10: ffffed00374e4eb4 R11: ffff8801ba7275a7 R12: 0000000000000000
R13: ffff8801ce48d500 R14: ffff8801bb55f840 R15: 0000000000000000
FS: 0000000001231880(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006cf090 CR3: 00000001baf94000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches