public inbox for linux-kernel@vger.kernel.org
* [syzbot] [kernel?] general protection fault in tty_register_device_attr
@ 2023-09-02  3:05 syzbot
       [not found] ` <20230903124231.3748101-1-eadavis@sina.com>
  2023-09-03 21:59 ` [syzbot] [kernel?] general protection fault in tty_register_device_attr Thomas Weißschuh
From: syzbot @ 2023-09-02  3:05 UTC (permalink / raw)
  To: andriy.shevchenko, gregkh, linux-kernel, rafael, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    2ee82481c392 Add linux-next specific files for 20230828
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13da2cc0680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=85792f3143e6271d2c97
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10124470680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17a38ecba80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/30801702ce78/disk-2ee82481.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8d9b67709145/vmlinux-2ee82481.xz
kernel image: https://storage.googleapis.com/syzbot-assets/47f8ef9bffd0/bzImage-2ee82481.xz

The issue was bisected to:

commit d21fdd07cea418c0d98c8a15fc95b8b8970801e7
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Thu Aug 17 09:12:21 2023 +0000

    driver core: Return proper error code when dev_set_name() fails

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13f0e057a80000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1008e057a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f0e057a80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+85792f3143e6271d2c97@syzkaller.appspotmail.com
Fixes: d21fdd07cea4 ("driver core: Return proper error code when dev_set_name() fails")

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5046 Comm: syz-executor362 Not tainted 6.5.0-next-20230828-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: a3 ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a1f800 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a1f890 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a1f890
R13: 0000000000000cc0 R14: ffff888014a96000 R15: 0000000000000001
FS:  0000555556b43480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005584fe812978 CR3: 00000000729c5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
 kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
 kobject_add_varg lib/kobject.c:366 [inline]
 kobject_add+0x12a/0x240 lib/kobject.c:424
 device_add+0x290/0x1ac0 drivers/base/core.c:3560
 tty_register_device_attr+0x38f/0x7b0 drivers/tty/tty_io.c:3248
 gsm_register_devices drivers/tty/n_gsm.c:654 [inline]
 gsm_activate_mux+0x157/0x2d0 drivers/tty/n_gsm.c:3138
 gsm_config drivers/tty/n_gsm.c:3383 [inline]
 gsmld_ioctl+0x8cc/0x1550 drivers/tty/n_gsm.c:3786
 tty_ioctl+0x706/0x1580 drivers/tty/tty_io.c:2785
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fac9a3aed89
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff38fc4838 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fac9a3aed89
RDX: 0000000020000040 RSI: 00000000404c4701 RDI: 0000000000000004
RBP: 0000000000000001 R08: 00007fff38fc45d7 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000246 R12: 00007fff38fc4928
R13: 00007fac9a3f5032 R14: 00007fff38fc4980 R15: 0000000000000003
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: a3 ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a1f800 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a1f890 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a1f890
R13: 0000000000000cc0 R14: ffff888014a96000 R15: 0000000000000001
FS:  0000555556b43480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005584fe812978 CR3: 00000000729c5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ff c3                	inc    %ebx
   2:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   9:	00 00 00
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall
* 2a:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	ret
  33:	48 c7 c1 b8 ff ff ff 	mov    $0xffffffffffffffb8,%rcx
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [kernel?] general protection fault in tty_register_device_attr
       [not found] <20230902051306.5076-1-hdanton@sina.com>
@ 2023-09-02  5:51 ` syzbot
From: syzbot @ 2023-09-02  5:51 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+85792f3143e6271d2c97@syzkaller.appspotmail.com

Tested on:

commit:         2ee82481 Add linux-next specific files for 20230828
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=159eb870680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=85792f3143e6271d2c97
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10f39898680000

Note: testing is done by a robot and is best-effort only.


* Re: [PATCH] kobject: fix kobj and fmt are both null
       [not found] ` <20230903124231.3748101-1-eadavis@sina.com>
@ 2023-09-03 12:54   ` Greg KH
  2023-09-04  9:44     ` Andy Shevchenko
From: Greg KH @ 2023-09-03 12:54 UTC (permalink / raw)
  To: Edward AD
  Cc: syzbot+85792f3143e6271d2c97, andriy.shevchenko, linux-kernel,
	rafael, syzkaller-bugs

On Sun, Sep 03, 2023 at 08:42:31PM +0800, Edward AD wrote:
> If kobj and fmt are both NULL, it will cause an exception in kvasprintf_const,
> then when this situation occurs, -EINVAL is directly returned.

How can this happen?  Are there any in-kernel users that cause this to
occur?

If so, which ones, why not fix that?

And your description isn't quite correct here, you are not checking for
kobj, but rather kobj->name.

thanks,

greg k-h


* Re: [syzbot] [kernel?] general protection fault in tty_register_device_attr
  2023-09-02  3:05 [syzbot] [kernel?] general protection fault in tty_register_device_attr syzbot
       [not found] ` <20230903124231.3748101-1-eadavis@sina.com>
@ 2023-09-03 21:59 ` Thomas Weißschuh
From: Thomas Weißschuh @ 2023-09-03 21:59 UTC (permalink / raw)
  To: syzbot; +Cc: andriy.shevchenko, gregkh, linux-kernel, rafael, syzkaller-bugs

On 2023-09-01 20:05:59-0700, syzbot wrote:
> [..]

> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 1 PID: 5046 Comm: syz-executor362 Not tainted 6.5.0-next-20230828-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
> RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
> Code: a3 ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
> RSP: 0018:ffffc90003a1f800 EFLAGS: 00010286
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
> RBP: ffffc90003a1f890 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a1f890
> R13: 0000000000000cc0 R14: ffff888014a96000 R15: 0000000000000001
> FS:  0000555556b43480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005584fe812978 CR3: 00000000729c5000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
>  kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
>  kobject_add_varg lib/kobject.c:366 [inline]
>  kobject_add+0x12a/0x240 lib/kobject.c:424
>  device_add+0x290/0x1ac0 drivers/base/core.c:3560
>  tty_register_device_attr+0x38f/0x7b0 drivers/tty/tty_io.c:3248
>  gsm_register_devices drivers/tty/n_gsm.c:654 [inline]
>  gsm_activate_mux+0x157/0x2d0 drivers/tty/n_gsm.c:3138
>  gsm_config drivers/tty/n_gsm.c:3383 [inline]
>  gsmld_ioctl+0x8cc/0x1550 drivers/tty/n_gsm.c:3786
>  tty_ioctl+0x706/0x1580 drivers/tty/tty_io.c:2785
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:871 [inline]
>  __se_sys_ioctl fs/ioctl.c:857 [inline]
>  __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd

> [..]

#syz dup: general protection fault in netdev_register_kobject

With patch from Andy:

https://lore.kernel.org/all/20230828145824.3895288-1-andriy.shevchenko@linux.intel.com/


* Re: [PATCH] kobject: fix kobj and fmt are both null
  2023-09-03 12:54   ` [PATCH] kobject: fix kobj and fmt are both null Greg KH
@ 2023-09-04  9:44     ` Andy Shevchenko
From: Andy Shevchenko @ 2023-09-04  9:44 UTC (permalink / raw)
  To: Greg KH
  Cc: Edward AD, syzbot+85792f3143e6271d2c97, linux-kernel, rafael,
	syzkaller-bugs

On Sun, Sep 03, 2023 at 02:54:53PM +0200, Greg KH wrote:
> On Sun, Sep 03, 2023 at 08:42:31PM +0800, Edward AD wrote:
> > If kobj and fmt are both NULL, it will cause an exception in kvasprintf_const,
> > then when this situation occurs, -EINVAL is directly returned.
> 
> How can this happen?  Are there any in-kernel users that cause this to
> occur?

Theoretically anything which uses

	dev_set_name(dev, dev_name(dev));

is affected, but practically it happens only when _previous_ dev_set_name()
fails, which _only_ may happen due to fault injection.

> If so, which ones, why not fix that?

In any case the real fix is here:
https://lore.kernel.org/all/20230828145824.3895288-1-andriy.shevchenko@linux.intel.com/

> And your description isn't quite correct here, you are not checking for
> kobj, but rather kobj->name.

-- 
With Best Regards,
Andy Shevchenko



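The failure mode Andy describes above, as a userspace C model (an added example for this thread, not code from the thread, from syzbot or from the kernel): a first dev_set_name() fails under fault injection, device_add() then carries a NULL name into kobject_add(kobj, parent, NULL), and kobject_set_name_vargs() hands the NULL fmt to kvasprintf_const(), which is the strchr(NULL, '%') in the report (RDI = 0, RSI = 0x25). The struct layouts, the inject_alloc_failure knob, run_scenario() and the -EFAULT marker are assumptions of the model; device_add_model() follows my reading of the bisected commit and of the -EINVAL guard that preceded it rather than quoting drivers/base/core.c, and it omits init_name handling.

```c
/*
 * Userspace model of the device naming path discussed in this thread: an
 * added illustration, not kernel code.  Structs are cut down, init_name
 * handling is omitted, and device_add_model() follows my reading of the
 * bisected commit (and of the -EINVAL guard before it), not core.c itself.
 * Fault injection is a flag that makes one dev_set_name() fail, standing
 * in for failslab making kvasprintf() return NULL.
 */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kobject  { char *name; };
struct bus_type { const char *dev_name; };
struct device   { struct kobject kobj; const struct bus_type *bus; unsigned int id; };

static int inject_alloc_failure;	/* model knob: the next dev_set_name() fails */

static const char *dev_name(const struct device *dev) { return dev->kobj.name; }

static int dev_set_name(struct device *dev, const char *fmt, ...)
{
	char buf[64], *name;
	va_list ap;

	if (inject_alloc_failure) {
		inject_alloc_failure = 0;
		return -ENOMEM;		/* kvasprintf() returned NULL */
	}
	va_start(ap, fmt);
	vsnprintf(buf, sizeof(buf), fmt, ap);
	va_end(ap);
	if (!(name = malloc(strlen(buf) + 1)))
		return -ENOMEM;
	strcpy(name, buf);
	free(dev->kobj.name);
	dev->kobj.name = name;
	return 0;
}

/*
 * Stand-in for kobject_add(kobj, parent, NULL): kobject_set_name_vargs()
 * returns early only when kobj->name is already set; otherwise the NULL
 * fmt reaches kvasprintf_const(), i.e. the strchr(NULL, '%') in the report
 * (RDI = 0, RSI = 0x25).  The model reports that instead of faulting.
 */
static int kobject_add_null_fmt(struct kobject *kobj)
{
	if (kobj->name)
		return 0;
	fprintf(stderr, "NULL name and NULL fmt: kvasprintf_const() would deref NULL\n");
	return -EFAULT;		/* marker for the oops, not a kernel return value */
}

/*
 * Naming logic of device_add().  reject_unnamed == 0 is the bisected
 * commit's shape: an unnamed device with no bus name leaves error at 0 and
 * goes on to kobject_add().  reject_unnamed == 1 restores the -EINVAL guard.
 */
static int device_add_model(struct device *dev, int reject_unnamed)
{
	int error = 0;

	if (dev_name(dev))
		error = 0;
	else if (dev->bus && dev->bus->dev_name)
		error = dev_set_name(dev, "%s%u", dev->bus->dev_name, dev->id);
	else if (reject_unnamed)
		error = -EINVAL;
	if (error)
		return error;
	return kobject_add_null_fmt(&dev->kobj);
}

/* Caller modelled on the report's path: no bus, a dev_set_name() whose
 * result is not acted on, then the add.  Returns the add's result. */
static int run_scenario(int inject_failure, int reject_unnamed)
{
	struct device dev = { .kobj = { .name = NULL } };
	int ret;

	inject_alloc_failure = inject_failure;
	(void)dev_set_name(&dev, "%s%d", "ttygsm", 0);	/* constructed name */
	ret = device_add_model(&dev, reject_unnamed);
	free(dev.kobj.name);
	return ret;
}

int main(void)
{
	printf("no fault:  bisected %d, guarded %d\n", run_scenario(0, 0), run_scenario(0, 1));
	printf("one fault: bisected %d (NULL name reached kobject_add), guarded %d (-EINVAL)\n",
	       run_scenario(1, 0), run_scenario(1, 1));
	return 0;
}
```

Without the injected failure both shapes behave identically, which is why the bug only shows up under syzkaller's fault injection. With it, the bisected shape lets an unnamed device reach kobject_add() and the model's -EFAULT stands where the real kernel oopsed, while the guarded shape fails device_add() with -EINVAL before the kobject path is entered. Greg's "why not fix that?" points at the same place: the check belongs where the device is found unnamed, not at the bottom of the kobject name path.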
