* [syzbot] [fs?] WARNING in sysfs_emit_at
From: syzbot @ 2025-09-10 6:21 UTC
To: dakr, gregkh, linux-fsdevel, linux-kernel, rafael, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    c8ed9b5c02a5 Merge tag 'drm-fixes-2025-09-05' of https://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=112eba42580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fecbb496f75d3d61
dashboard link: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ba0962580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15e2a962580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4da8d56aff3a/disk-c8ed9b5c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1366baa37dbc/vmlinux-c8ed9b5c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0674b31d870d/bzImage-c8ed9b5c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com

------------[ cut here ]------------
invalid sysfs_emit_at: buf:ffff88803234000a at:10
WARNING: CPU: 0 PID: 6027 at fs/sysfs/file.c:795 sysfs_emit_at+0xe6/0x1a0 fs/sysfs/file.c:795
Modules linked in:
CPU: 0 UID: 0 PID: 6027 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:sysfs_emit_at+0xe6/0x1a0 fs/sysfs/file.c:795
Code: ff 0f 00 00 4c 89 fe e8 28 e3 5a ff 4d 85 ff 74 68 e8 ae e7 5a ff 90 48 c7 c7 20 66 c3 8b 44 89 e2 48 89 de e8 2b de 19 ff 90 <0f> 0b 90 90 31 db e8 8f e7 5a ff 48 b8 00 00 00 00 00 fc ff df 49
RSP: 0018:ffffc90003d6f860 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803234000a RCX: ffffffff817a02f8
RDX: ffff888032578000 RSI: ffffffff817a0305 RDI: 0000000000000001
RBP: ffffc90003d6f938 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 000000000000000a
R13: 1ffff920007adf0c R14: ffffffff8c742680 R15: 000000000000000a
FS:  000055556eb34500(0000) GS:ffff8881246bd000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000040 CR3: 0000000071308000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 usb_show_dynids+0x17e/0x220 drivers/usb/core/driver.c:126
 drv_attr_show+0x6c/0xa0 drivers/base/bus.c:113
 sysfs_kf_seq_show+0x213/0x3e0 fs/sysfs/file.c:65
 traverse.part.0.constprop.0+0x107/0x640 fs/seq_file.c:111
 traverse fs/seq_file.c:98 [inline]
 seq_read_iter+0x932/0x12c0 fs/seq_file.c:195
 kernfs_fop_read_iter+0x40f/0x5a0 fs/kernfs/file.c:279
 copy_splice_read+0x618/0xc20 fs/splice.c:363
 do_splice_read fs/splice.c:982 [inline]
 do_splice_read+0x282/0x370 fs/splice.c:956
 splice_file_to_pipe+0x109/0x120 fs/splice.c:1292
 do_sendfile+0x400/0xe50 fs/read_write.c:1376
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64 fs/read_write.c:1417 [inline]
 __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f645838ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffedc1827c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f64585c5fa0 RCX: 00007f645838ebe9
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
RBP: 00007f6458411e19 R08: 0000000000000000 R09: 0000000000000000
R10: 000000007ffff000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f64585c5fa0 R14: 00007f64585c5fa0 R15: 0000000000000004
 </TASK>

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
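The condition behind this warning, as a user-space model added here (not code from the thread or from the kernel tree): model_emit_at() mirrors the argument check that rejects a buffer pointer with a non-zero page offset, and show_dynids() runs the caller with and without the pointer advance. The names model_emit_at, show_dynids and MODEL_PAGE_SIZE, the 4 KiB page size and the two sample IDs are assumptions of the example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096   /* assumption: 4 KiB pages */
struct dynid { unsigned vendor, product, iclass; };   /* constructed stand-in */
static const struct dynid ids[] = { {0x1234, 0x5678, 0}, {0x0abc, 0x0def, 0xff} };
static _Alignas(MODEL_PAGE_SIZE) char page[MODEL_PAGE_SIZE];  /* page-aligned, like a sysfs buffer */
int warnings;                  /* times the model check rejected a call */

/* User-space model of the sysfs_emit_at() argument check; not kernel code. */
static int model_emit_at(char *buf, int at, const char *fmt, ...)
{
    va_list ap;
    int len, room = MODEL_PAGE_SIZE - at;

    if (!buf || (uintptr_t)buf % MODEL_PAGE_SIZE || at < 0 || at >= MODEL_PAGE_SIZE) {
        warnings++;            /* the kernel WARNs "invalid sysfs_emit_at" here */
        return 0;
    }
    va_start(ap, fmt);
    len = vsnprintf(buf + at, room, fmt, ap);   /* the offset is applied here, once */
    va_end(ap);
    return len < room ? len : room - 1;         /* bytes stored, like vscnprintf() */
}

/* advance != 0 models the pre-patch caller: pointer moved and offset passed. */
int show_dynids(int advance)
{
    int count = 0;

    warnings = 0;
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        char *dst = advance ? &page[count] : page;
        if (ids[i].iclass)
            count += model_emit_at(dst, count, "%04x %04x %02x\n",
                                   ids[i].vendor, ids[i].product, ids[i].iclass);
        else
            count += model_emit_at(dst, count, "%04x %04x\n",
                                   ids[i].vendor, ids[i].product);
    }
    return count;
}

int main(void)
{
    int n = show_dynids(1);
    printf("pre-patch:  %d bytes, %d warning(s)\n", n, warnings);
    n = show_dynids(0);
    printf("post-patch: %d bytes, %d warning(s)\n%s", n, warnings, page);
    return 0;
}
```

With the pointer advance, the second entry is rejected at offset 10 after the first 10-byte entry, matching "buf:ffff88803234000a at:10" in the report, so a read returns only the first ID. Without it, both entries are emitted (23 bytes) and no check fires.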
* Re: [syzbot] [fs?] WARNING in sysfs_emit_at 2025-09-10 6:21 [syzbot] [fs?] WARNING in sysfs_emit_at syzbot @ 2025-09-10 7:33 ` Edward Adam Davis 2025-09-10 7:58 ` syzbot 2025-09-10 7:58 ` [PATCH] USB: core: remove the move buf action Edward Adam Davis 1 sibling, 1 reply; 8+ messages in thread From: Edward Adam Davis @ 2025-09-10 7:33 UTC (permalink / raw) To: syzbot+b6445765657b5855e869; +Cc: linux-kernel, syzkaller-bugs #syz test diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index c3177034b779..f441958b0ef4 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -119,11 +119,11 @@ ssize_t usb_show_dynids(struct usb_dynids *dynids, char *buf) guard(mutex)(&usb_dynids_lock); list_for_each_entry(dynid, &dynids->list, node) if (dynid->id.bInterfaceClass != 0) - count += sysfs_emit_at(&buf[count], count, "%04x %04x %02x\n", + count += sysfs_emit_at(buf, count, "%04x %04x %02x\n", dynid->id.idVendor, dynid->id.idProduct, dynid->id.bInterfaceClass); else - count += sysfs_emit_at(&buf[count], count, "%04x %04x\n", + count += sysfs_emit_at(buf, count, "%04x %04x\n", dynid->id.idVendor, dynid->id.idProduct); return count; } ^ permalink raw reply related [flat|nested] 8+ messages in thread
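Review bot: the hunk corrects both sysfs_emit_at() calls in usb_show_dynids(), but nothing here shows whether other callers make the same mistake of passing &buf[count] as the buffer together with count as the offset. Before turning this test diff into a formal patch, it is worth searching the tree for sysfs_emit_at() calls whose first argument is an advanced pointer, so that any sibling call site gets the same one-line change in the same series.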
* Re: [syzbot] [fs?] WARNING in sysfs_emit_at
From: syzbot @ 2025-09-10 7:58 UTC
To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
Tested-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com

Tested on:

commit:         9dd1835e Merge tag 'dma-mapping-6.17-2025-09-09' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=160a7562580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0bea6c0b97a2002
dashboard link: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11d5a642580000

Note: testing is done by a robot and is best-effort only.
* [PATCH] USB: core: remove the move buf action 2025-09-10 6:21 [syzbot] [fs?] WARNING in sysfs_emit_at syzbot 2025-09-10 7:33 ` Edward Adam Davis @ 2025-09-10 7:58 ` Edward Adam Davis 2025-09-10 9:00 ` Greg KH 1 sibling, 1 reply; 8+ messages in thread From: Edward Adam Davis @ 2025-09-10 7:58 UTC (permalink / raw) To: syzbot+b6445765657b5855e869 Cc: dakr, gregkh, linux-fsdevel, linux-kernel, rafael, syzkaller-bugs The buffer size of sysfs is fixed at PAGE_SIZE, and the page offset of the buf parameter of sysfs_emit_at() must be 0, there is no need to manually manage the buf pointer offset. Fixes: 711d41ab4a0e ("usb: core: Use sysfs_emit_at() when showing dynamic IDs") Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869 Tested-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- drivers/usb/core/driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index c3177034b779..f441958b0ef4 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -119,11 +119,11 @@ ssize_t usb_show_dynids(struct usb_dynids *dynids, char *buf) guard(mutex)(&usb_dynids_lock); list_for_each_entry(dynid, &dynids->list, node) if (dynid->id.bInterfaceClass != 0) - count += sysfs_emit_at(&buf[count], count, "%04x %04x %02x\n", + count += sysfs_emit_at(buf, count, "%04x %04x %02x\n", dynid->id.idVendor, dynid->id.idProduct, dynid->id.bInterfaceClass); else - count += sysfs_emit_at(&buf[count], count, "%04x %04x\n", + count += sysfs_emit_at(buf, count, "%04x %04x\n", dynid->id.idVendor, dynid->id.idProduct); return count; } -- 2.43.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
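Review bot: the changelog above the hunk says only that there is "no need to manually manage the buf pointer offset", which does not tell a later reader what actually went wrong in the removed lines. They pass &buf[count] and count together, so the buffer pointer stops being page-aligned as soon as count is non-zero, which is what the reported "invalid sysfs_emit_at: buf:ffff88803234000a at:10" shows. Suggest saying that in the commit message, quoting the WARNING line, and wording the subject after the fix (the sysfs_emit_at() buffer argument in usb_show_dynids()) rather than "remove the move buf action".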
* Re: [PATCH] USB: core: remove the move buf action
From: Greg KH @ 2025-09-10 9:00 UTC
To: Edward Adam Davis
Cc: syzbot+b6445765657b5855e869, dakr, linux-fsdevel, linux-kernel, rafael, syzkaller-bugs

On Wed, Sep 10, 2025 at 03:58:47PM +0800, Edward Adam Davis wrote:
> The buffer size of sysfs is fixed at PAGE_SIZE, and the page offset
> of the buf parameter of sysfs_emit_at() must be 0, there is no need
> to manually manage the buf pointer offset.
>
> Fixes: 711d41ab4a0e ("usb: core: Use sysfs_emit_at() when showing dynamic IDs")
> Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869
> Tested-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  drivers/usb/core/driver.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

While this fix looks correct, your cc: list is very odd as this is a
linux-usb bug, not a driver core issue, right?

At the least, cc: the person who wrote the offending change?

thanks,

greg k-h
* Re: [PATCH] USB: core: remove the move buf action
From: Edward Adam Davis @ 2025-09-10 9:57 UTC
To: gregkh
Cc: dakr, eadavis, linux-fsdevel, linux-kernel, rafael, syzbot+b6445765657b5855e869, syzkaller-bugs, hannelotta

On Wed, 10 Sep 2025 11:00:43 +0200, Greg KH wrote:
> > The buffer size of sysfs is fixed at PAGE_SIZE, and the page offset
> > of the buf parameter of sysfs_emit_at() must be 0, there is no need
> > to manually manage the buf pointer offset.
> >
> > Fixes: 711d41ab4a0e ("usb: core: Use sysfs_emit_at() when showing dynamic IDs")
> > Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869
> > Tested-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
> >  drivers/usb/core/driver.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
>
> While this fix looks correct, your cc: list is very odd as this is a
> linux-usb bug, not a driver core issue, right?
>
> At the least, cc: the person who wrote the offending change?
* Re: [PATCH] USB: core: remove the move buf action
From: Danilo Krummrich @ 2025-09-10 10:09 UTC
To: Greg KH
Cc: Edward Adam Davis, syzbot+b6445765657b5855e869, linux-fsdevel, linux-kernel, rafael, syzkaller-bugs

On Wed Sep 10, 2025 at 11:00 AM CEST, Greg KH wrote:
> On Wed, Sep 10, 2025 at 03:58:47PM +0800, Edward Adam Davis wrote:
>> The buffer size of sysfs is fixed at PAGE_SIZE, and the page offset
>> of the buf parameter of sysfs_emit_at() must be 0, there is no need
>> to manually manage the buf pointer offset.
>>
>> Fixes: 711d41ab4a0e ("usb: core: Use sysfs_emit_at() when showing dynamic IDs")
>> Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869
>> Tested-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>> ---
>>  drivers/usb/core/driver.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> While this fix looks correct, your cc: list is very odd as this is a
> linux-usb bug, not a driver core issue, right?

I think Edward derived the Cc: list from the recipients of the syzbot report
in [1]. Not sure how syzbot figures out the relevant recipients to send the
report to though. :)

[1] https://lore.kernel.org/all/68c118e8.a70a0220.3543fc.000e.GAE@google.com/
* Re: [PATCH] USB: core: remove the move buf action
From: Edward Adam Davis @ 2025-09-10 11:00 UTC
To: dakr
Cc: eadavis, gregkh, linux-fsdevel, linux-kernel, rafael, syzbot+b6445765657b5855e869, syzkaller-bugs

On Wed, 10 Sep 2025 12:09:38 +0200, Danilo Krummrich wrote:
>> On Wed, Sep 10, 2025 at 03:58:47PM +0800, Edward Adam Davis wrote:
>>> The buffer size of sysfs is fixed at PAGE_SIZE, and the page offset
>>> of the buf parameter of sysfs_emit_at() must be 0, there is no need
>>> to manually manage the buf pointer offset.
>>>
>>> Fixes: 711d41ab4a0e ("usb: core: Use sysfs_emit_at() when showing dynamic IDs")
>>> Reported-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=b6445765657b5855e869
>>> Tested-by: syzbot+b6445765657b5855e869@syzkaller.appspotmail.com
>>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>>> ---
>>>  drivers/usb/core/driver.c | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> While this fix looks correct, your cc: list is very odd as this is a
>> linux-usb bug, not a driver core issue, right?
>
> I think Edward derived the Cc: list from the recipients of the syzbot report
> in [1].

You understand me.