Re: [syzbot] [usb?] general protection fault in dummy_timer (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+faf3a6cf579fc65591ca@syzkaller.appspotmail.com>
To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	 linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] general protection fault in dummy_timer (2)
Date: Mon, 03 Mar 2025 17:01:26 -0800	[thread overview]
Message-ID: <67c650e6.050a0220.1dee4d.01c8.GAE@google.com> (raw)
In-Reply-To: <6742b399.050a0220.1cc393.0033.GAE@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    811d22141369 usb: dwc3: exynos: add support for exynos7870
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1690e464580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f429368eda610a89
dashboard link: https://syzkaller.appspot.com/bug?extid=faf3a6cf579fc65591ca
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11500697980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c0764bd2a6ef/disk-811d2214.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a8d014106735/vmlinux-811d2214.xz
kernel image: https://storage.googleapis.com/syzbot-assets/80062d83482e/bzImage-811d2214.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+faf3a6cf579fc65591ca@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000060: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000300-0x0000000000000307]
CPU: 0 UID: 0 PID: 7918 Comm: syz-executor Not tainted 6.14.0-rc3-syzkaller-00056-g811d22141369 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:strcmp+0x5b/0xb0 lib/string.c:277
Code: fa 48 c1 e8 03 83 e2 07 42 0f b6 04 28 38 d0 7f 04 84 c0 75 58 0f b6 6b ff 4c 8d 66 01 48 89 f0 48 89 f2 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 2c 41 3a 6c 24 ff 74 ae 19 c0
RSP: 0018:ffffc90000007848 EFLAGS: 00010046
RAX: 0000000000000060 RBX: ffffffff8747ce21 RCX: ffffffff8fb2a5e8
RDX: 0000000000000000 RSI: 0000000000000300 RDI: ffffffff8747ce20
RBP: 0000000000000026 R08: 0000000000000001 R09: dffffc0000000000
R10: ffffffff8fb2a5f8 R11: ffffffff8fb2a5e8 R12: 0000000000000301
R13: dffffc0000000000 R14: 00000000000003b1 R15: ffffffff934e19e0
FS:  000055558b609500(0000) GS:ffff8881f5800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f143e94aea2 CR3: 000000012b09c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 count_matching_names kernel/locking/lockdep.c:877 [inline]
 register_lock_class+0x63b/0x1240 kernel/locking/lockdep.c:1342
 __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103
 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
 complete_with_flags kernel/sched/completion.c:20 [inline]
 complete+0x1d/0x200 kernel/sched/completion.c:47
 transfer drivers/usb/gadget/udc/dummy_hcd.c:1523 [inline]
 dummy_timer+0x1c37/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1978
 __run_hrtimer kernel/time/hrtimer.c:1801 [inline]
 __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1865
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1882
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire.part.0+0x155/0x380 kernel/locking/lockdep.c:5816
Code: b8 ff ff ff ff 65 0f c1 05 90 2f aa 7e 83 f8 01 0f 85 d0 01 00 00 9c 58 f6 c4 02 0f 85 e5 01 00 00 48 85 ed 0f 85 b6 01 00 00 <48> b8 00 00 00 00 00 fc ff df 48 01 c3 48 c7 03 00 00 00 00 48 c7
RSP: 0018:ffffc9000446fc98 EFLAGS: 00000206
RAX: 0000000000000046 RBX: 1ffff9200088df94 RCX: 00000000521e9cf7
RDX: 0000000000000001 RSI: ffffffff87281ac0 RDI: ffffffff8747c1a0
RBP: 0000000000000200 R08: 0000000000000000 R09: fffffbfff1f5cdc0
R10: ffffffff8fae6e07 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88ebe3c0 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 rcu_read_lock_sched include/linux/rcupdate.h:941 [inline]
 fd_install+0xc0/0x750 fs/file.c:639
 do_sys_openat2+0x1a4/0x1e0 fs/open.c:1433
 do_sys_open fs/open.c:1443 [inline]
 __do_sys_openat fs/open.c:1459 [inline]
 __se_sys_openat fs/open.c:1454 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1454
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f143e88ba51
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffc6205c990 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000080001 RCX: 00007f143e88ba51
RDX: 0000000000080001 RSI: 00007f143e90fadc RDI: 00000000ffffff9c
RBP: 00007f143e90fadc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004
R13: 00007ffc6205ca30 R14: 00000000000aeedc R15: 00007ffc6205cfa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strcmp+0x5b/0xb0 lib/string.c:277
Code: fa 48 c1 e8 03 83 e2 07 42 0f b6 04 28 38 d0 7f 04 84 c0 75 58 0f b6 6b ff 4c 8d 66 01 48 89 f0 48 89 f2 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 2c 41 3a 6c 24 ff 74 ae 19 c0
RSP: 0018:ffffc90000007848 EFLAGS: 00010046
RAX: 0000000000000060 RBX: ffffffff8747ce21 RCX: ffffffff8fb2a5e8
RDX: 0000000000000000 RSI: 0000000000000300 RDI: ffffffff8747ce20
RBP: 0000000000000026 R08: 0000000000000001 R09: dffffc0000000000
R10: ffffffff8fb2a5f8 R11: ffffffff8fb2a5e8 R12: 0000000000000301
R13: dffffc0000000000 R14: 00000000000003b1 R15: ffffffff934e19e0
FS:  000055558b609500(0000) GS:ffff8881f5800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f143e94aea2 CR3: 000000012b09c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	fa                   	cli
   1:	48 c1 e8 03          	shr    $0x3,%rax
   5:	83 e2 07             	and    $0x7,%edx
   8:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
   d:	38 d0                	cmp    %dl,%al
   f:	7f 04                	jg     0x15
  11:	84 c0                	test   %al,%al
  13:	75 58                	jne    0x6d
  15:	0f b6 6b ff          	movzbl -0x1(%rbx),%ebp
  19:	4c 8d 66 01          	lea    0x1(%rsi),%r12
  1d:	48 89 f0             	mov    %rsi,%rax
  20:	48 89 f2             	mov    %rsi,%rdx
  23:	48 c1 e8 03          	shr    $0x3,%rax
  27:	83 e2 07             	and    $0x7,%edx
* 2a:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax <-- trapping instruction
  2f:	38 d0                	cmp    %dl,%al
  31:	7f 04                	jg     0x37
  33:	84 c0                	test   %al,%al
  35:	75 2c                	jne    0x63
  37:	41 3a 6c 24 ff       	cmp    -0x1(%r12),%bpl
  3c:	74 ae                	je     0xffffffec
  3e:	19 c0                	sbb    %eax,%eax


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

     prev parent reply	other threads:[~2025-03-04  1:01 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-24  5:03 [syzbot] [usb?] general protection fault in dummy_timer (2) syzbot
2025-03-04  1:01 ` syzbot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=67c650e6.050a0220.1dee4d.01c8.GAE@google.com \
    --to=syzbot+faf3a6cf579fc65591ca@syzkaller.appspotmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.