From: syzbot <syzbot+dd5f8d6456680e55eb0a@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, qasdev00@gmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [input?] KASAN: null-ptr-deref Write in input_ff_create
Date: Wed, 25 Dec 2024 15:51:04 -0800
Message-ID: <676c9a68.050a0220.2f3838.03c4.GAE@google.com>
In-Reply-To: <Z2yV1yo9lKdZ8xiF@qasdev.system>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in input_ff_create_memless
usb 1-1: New USB device found, idVendor=1949, idProduct=85a5, bcdDevice=a3.3a
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 5856 Comm: kworker/0:3 Not tainted 6.13.0-rc3-next-20241220-syzkaller-05236-g8155b4ef3466-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:input_ff_create_memless+0x302/0x630 drivers/input/ff-memless.c:542
Code: f0 41 80 8e c3 00 00 00 01 49 81 c4 e0 00 00 00 4c 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 92 2d 36 fa 49 8b 2c 24 <41> 80 7d 01 00 74 0a bf 08 00 00 00 e8 6d 2e 36 fa 48 89 2c 25 08
RSP: 0018:ffffc900041bebe0 EFLAGS: 00010246
RAX: ffffffff87ef7101 RBX: 1ffff1100c8b911c RCX: ffffffff87ef71e8
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88807a8330c0
RBP: ffff888012798000 R08: ffff88807a8330c7 R09: 1ffff1100f506618
R10: dffffc0000000000 R11: ffffed100f506619 R12: ffff8880645c88e0
R13: dffffc0000000000 R14: ffff88807a833000 R15: ffff88807a8330c0
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055597f0d4950 CR3: 000000002f18a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
xpad_init_ff drivers/input/joystick/xpad.c:1562 [inline]
xpad_init_input+0xcef/0x1440 drivers/input/joystick/xpad.c:1960
xpad_probe+0x1427/0x1b90 drivers/input/joystick/xpad.c:2143
usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:958
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:459
__device_attach+0x333/0x520 drivers/base/dd.c:1030
bus_probe_device+0x189/0x260 drivers/base/bus.c:534
device_add+0x856/0xbf0 drivers/base/core.c:3665
usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:291
really_probe+0x2b9/0xad0 drivers/base/dd.c:658
__driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800
driver_probe_device+0x50/0x430 drivers/base/dd.c:830
__device_attach_driver+0x2d6/0x530 drivers/base/dd.c:958
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:459
__device_attach+0x333/0x520 drivers/base/dd.c:1030
bus_probe_device+0x189/0x260 drivers/base/bus.c:534
device_add+0x856/0xbf0 drivers/base/core.c:3665
usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d6d/0x5150 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:input_ff_create_memless+0x302/0x630 drivers/input/ff-memless.c:542
Code: f0 41 80 8e c3 00 00 00 01 49 81 c4 e0 00 00 00 4c 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 92 2d 36 fa 49 8b 2c 24 <41> 80 7d 01 00 74 0a bf 08 00 00 00 e8 6d 2e 36 fa 48 89 2c 25 08
RSP: 0018:ffffc900041bebe0 EFLAGS: 00010246
RAX: ffffffff87ef7101 RBX: 1ffff1100c8b911c RCX: ffffffff87ef71e8
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88807a8330c0
RBP: ffff888012798000 R08: ffff88807a8330c7 R09: 1ffff1100f506618
R10: dffffc0000000000 R11: ffffed100f506619 R12: ffff8880645c88e0
R13: dffffc0000000000 R14: ffff88807a833000 R15: ffff88807a8330c0
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005648fbc7d2e8 CR3: 000000002f1b6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: f0 41 80 8e c3 00 00 lock orb $0x1,0xc3(%r14)
7: 00 01
9: 49 81 c4 e0 00 00 00 add $0xe0,%r12
10: 4c 89 e3 mov %r12,%rbx
13: 48 c1 eb 03 shr $0x3,%rbx
17: 42 80 3c 2b 00 cmpb $0x0,(%rbx,%r13,1)
1c: 74 08 je 0x26
1e: 4c 89 e7 mov %r12,%rdi
21: e8 92 2d 36 fa call 0xfa362db8
26: 49 8b 2c 24 mov (%r12),%rbp
* 2a: 41 80 7d 01 00 cmpb $0x0,0x1(%r13) <-- trapping instruction
2f: 74 0a je 0x3b
31: bf 08 00 00 00 mov $0x8,%edi
36: e8 6d 2e 36 fa call 0xfa362ea8
3b: 48 rex.W
3c: 89 .byte 0x89
3d: 2c 25 sub $0x25,%al
3f: 08 .byte 0x8
Tested on:
commit: 8155b4ef Add linux-next specific files for 20241220
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17251adf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
dashboard link: https://syzkaller.appspot.com/bug?extid=dd5f8d6456680e55eb0a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=172262f8580000