From: Takashi Iwai <tiwai@suse.de>
To: "Sabri N. Ferreiro" <snferreiro1@gmail.com>
Cc: linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
tiwai@suse.com
Subject: Re: general protection fault in release_urbs
Date: Fri, 30 Sep 2022 11:23:21 +0200
Message-ID: <87bkqx6ws6.wl-tiwai@suse.de>
In-Reply-To: <CAKG+3NRjTey+fFfUEGwuxL-pi_=T4cUskYG9OzpzHytF+tzYng@mail.gmail.com>
On Fri, 30 Sep 2022 04:23:23 +0200,
Sabri N. Ferreiro wrote:
>
> Hi,
>
> When I used fuzz testing to test Linux kernel 6.0.0-rc6, the kernel
> triggered the following error:
> HEAD commit: 521a547ced6477c54b4b0cc206000406c221b4d6
> git tree: upstream
Could you retest with 6.0-rc7 or later?
A commit reverting the change might influence the behavior
significantly.
thanks,
Takashi
> kernel config: https://pastebin.com/raw/hekxU61F
> console log: https://pastebin.com/KVwW9VQs
>
> It seems that the fuzzer failed to extract any C reproducer, but I
> would so appreciate it if you have any idea how to solve this bug.
>
> general protection fault, probably for non-canonical address
> 0xdffffc000000000d: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
> CPU: 1 PID: 29906 Comm: syz-executor.4 Not tainted 6.0.0-rc6+ #3
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:release_urb_ctx sound/usb/endpoint.c:97 [inline]
> RIP: 0010:release_urbs sound/usb/endpoint.c:1046 [inline]
> RIP: 0010:release_urbs+0x254/0x5a0 sound/usb/endpoint.c:1031
> Code: 44 89 fe 48 c1 e0 08 4c 8b 74 03 58 e8 75 b4 53 fa 45 85 ff 0f
> 84 29 ff ff ff e8 07 b3 53 fa 49 8d 7e 68 48 89 f8 48 c1 e8 03 <42> 80
> 3c 20 00 0f 85 32 03 00 00 49 8d 7e 60 49 8b 4e 68 48 89 f8
> RSP: 0018:ffffc9001698f8d0 EFLAGS: 00010212
> RAX: 000000000000000d RBX: ffff88805fc44000 RCX: 0000000000040000
> RDX: ffffc900169d1000 RSI: ffff888018c21d40 RDI: 0000000000000068
> RBP: 0000000000000000 R08: ffffffff87273539 R09: 0000000000000000
> R10: 0000000000000005 R11: ffffed100bf88805 R12: dffffc0000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000120
> FS: 00007febd6e4e700(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055555663ddc8 CR3: 0000000065e07000 CR4: 0000000000350ee0
> Call Trace:
> <TASK>
> snd_usb_endpoint_set_params+0x1aab/0x2550
> snd_mask_min include/sound/pcm_params.h:49 [inline]
> params_format include/sound/pcm_params.h:315 [inline]
> snd_usb_hw_params+0x934/0x1180 sound/usb/pcm.c:503
> snd_pcm_hw_params+0xbad/0x1da0 sound/core/pcm_native.c:767
> snd_pcm_kernel_ioctl+0x164/0x310 sound/core/pcm_native.c:3437
> snd_pcm_oss_change_params_locked+0x1834/0x3860 sound/core/oss/pcm_oss.c:976
> snd_pcm_oss_change_params+0x76/0xd0 sound/core/oss/pcm_oss.c:1116
> snd_pcm_oss_make_ready+0xb7/0x170 sound/core/oss/pcm_oss.c:1175
> snd_pcm_oss_get_ptr sound/core/oss/pcm_oss.c:2208 [inline]
> snd_pcm_oss_ioctl+0x3cd/0x3270 sound/core/oss/pcm_oss.c:2729
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:870 [inline]
> __se_sys_ioctl fs/ioctl.c:856 [inline]
> __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7febd66a80fd
> Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007febd6e4dbf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007febd679c340 RCX: 00007febd66a80fd
> RDX: 00000000200000c0 RSI: 00000000800c5011 RDI: 0000000000000003
> RBP: 00007febd6e4dc50 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000005f
> R13: 00007ffc28c4cf7f R14: 00007ffc28c4d120 R15: 00007febd6e4dd80
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:release_urb_ctx sound/usb/endpoint.c:97 [inline]
> RIP: 0010:release_urbs sound/usb/endpoint.c:1046 [inline]
> RIP: 0010:release_urbs+0x254/0x5a0 sound/usb/endpoint.c:1031
> Code: 44 89 fe 48 c1 e0 08 4c 8b 74 03 58 e8 75 b4 53 fa 45 85 ff 0f
> 84 29 ff ff ff e8 07 b3 53 fa 49 8d 7e 68 48 89 f8 48 c1 e8 03 <42> 80
> 3c 20 00 0f 85 32 03 00 00 49 8d 7e 60 49 8b 4e 68 48 89 f8
> RSP: 0018:ffffc9001698f8d0 EFLAGS: 00010212
> RAX: 000000000000000d RBX: ffff88805fc44000 RCX: 0000000000040000
> RDX: ffffc900169d1000 RSI: ffff888018c21d40 RDI: 0000000000000068
> RBP: 0000000000000000 R08: ffffffff87273539 R09: 0000000000000000
> R10: 0000000000000005 R11: ffffed100bf88805 R12: dffffc0000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000120
> FS: 00007febd6e4e700(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b31424000 CR3: 0000000065e07000 CR4: 0000000000350ee0
> ----------------
> Code disassembly (best guess):
> 0: 44 89 fe mov %r15d,%esi
> 3: 48 c1 e0 08 shl $0x8,%rax
> 7: 4c 8b 74 03 58 mov 0x58(%rbx,%rax,1),%r14
> c: e8 75 b4 53 fa callq 0xfa53b486
> 11: 45 85 ff test %r15d,%r15d
> 14: 0f 84 29 ff ff ff je 0xffffff43
> 1a: e8 07 b3 53 fa callq 0xfa53b326
> 1f: 49 8d 7e 68 lea 0x68(%r14),%rdi
> 23: 48 89 f8 mov %rdi,%rax
> 26: 48 c1 e8 03 shr $0x3,%rax
> * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
> 2f: 0f 85 32 03 00 00 jne 0x367
> 35: 49 8d 7e 60 lea 0x60(%r14),%rdi
> 39: 49 8b 4e 68 mov 0x68(%r14),%rcx
> 3d: 48 89 f8 mov %rdi,%rax
>
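Decoding the fault address in the report above, as an added example (not code from the thread or from the kernel tree): KASAN validates an access by reading the shadow byte at `(addr >> 3) + KASAN_SHADOW_OFFSET`, which is the `shr $0x3,%rax; cmpb $0x0,(%rax,%r12,1)` at the trapping instruction, with R12 holding the offset. Inverting that arithmetic maps 0xdffffc000000000d back to the checked range [0x68-0x6f], and since R14 is 0 the access is to a field at offset 0x68 of a NULL pointer. It assumes the x86_64 layout (shadow offset as in R12, 8-byte granules, 48-bit canonical addresses, 4 KiB pages).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* x86_64 KASAN layout assumed here: the shadow offset is the value seen in R12
 * of the report (the x86_64 default); one shadow byte covers an 8-byte granule. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE            (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL

struct kasan_decoded {
    bool     shadow_hit; /* fault address was a shadow byte lookup */
    uint64_t mem_start;  /* first byte of the granule being checked */
    uint64_t mem_end;    /* last byte of that granule */
    bool     null_deref; /* address lies in the first page: NULL + offset */
};

/* Same arithmetic as the trapping "shr $0x3,%rax; cmpb $0x0,(%rax,%r12,1)". */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* 48-bit virtual addresses are canonical when bits 63..47 are all equal. */
bool is_canonical_48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Invert the shadow mapping for a GPF reported on a non-canonical address. */
struct kasan_decoded decode_kasan_gpf(uint64_t fault_addr)
{
    struct kasan_decoded d = { 0 };
    if (is_canonical_48(fault_addr) || fault_addr < KASAN_SHADOW_OFFSET ||
        fault_addr > kasan_mem_to_shadow(~0ULL))
        return d; /* not a shadow lookup; shadow_hit stays false */
    d.shadow_hit = true;
    d.mem_start  = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    d.mem_end    = d.mem_start + KASAN_GRANULE - 1;
    d.null_deref = d.mem_start < PAGE_SIZE; /* KASAN's own "null-ptr-deref" rule */
    return d;
}

int main(void)
{
    struct kasan_decoded d = decode_kasan_gpf(0xdffffc000000000dULL); /* from the report */
    printf("checked [0x%llx-0x%llx]%s\n", (unsigned long long)d.mem_start,
           (unsigned long long)d.mem_end, d.null_deref ? " null-ptr-deref" : "");
    return 0;
}
```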