[syzbot] [kernel?] general protection fault in nfc_register_device

[syzbot] [kernel?] general protection fault in nfc_register_device

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    626932085009 Add linux-next specific files for 20230825
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11f70287a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8a8c992a790e5073
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=127e0db7a80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12fceccba80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/46ec18b3c2fb/disk-62693208.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b4ea0cb78498/vmlinux-62693208.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5fb3938c7272/bzImage-62693208.xz

The issue was bisected to:

commit d21fdd07cea418c0d98c8a15fc95b8b8970801e7
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Thu Aug 17 09:12:21 2023 +0000

    driver core: Return proper error code when dev_set_name() fails

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10abc1e0680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=12abc1e0680000
console output: https://syzkaller.appspot.com/x/log.txt?x=14abc1e0680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdfb03b1ec8b342c12cb@syzkaller.appspotmail.com
Fixes: d21fdd07cea4 ("driver core: Return proper error code when dev_set_name() fails")

RBP: 0000000000000002 R08: 00007ffdb1dc9296 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc950c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5056 Comm: syz-executor350 Not tainted 6.5.0-rc7-next-20230825-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a3f630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a3f6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a3f6c0
R13: 0000000000000cc0 R14: ffff88801e01d180 R15: 0000000000000001
FS:  0000555555c8e380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe716281c00 CR3: 00000000730bb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
 kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
 kobject_add_varg lib/kobject.c:366 [inline]
 kobject_add+0x12a/0x240 lib/kobject.c:424
 device_add+0x290/0x1ac0 drivers/base/core.c:3560
 nfc_register_device+0x41/0x3c0 net/nfc/core.c:1118
 nci_register_device+0x7f4/0xb80 net/nfc/nci/core.c:1257
 virtual_ncidev_open+0x147/0x220 drivers/nfc/virtual_ncidev.c:148
 misc_open+0x3da/0x4c0 drivers/char/misc.c:165
 chrdev_open+0x277/0x700 fs/char_dev.c:414
 do_dentry_open+0x88b/0x1730 fs/open.c:929
 do_open fs/namei.c:3639 [inline]
 path_openat+0x19af/0x29c0 fs/namei.c:3796
 do_filp_open+0x1de/0x430 fs/namei.c:3823
 do_sys_openat2+0x176/0x1e0 fs/open.c:1422
 do_sys_open fs/open.c:1437 [inline]
 __do_sys_openat fs/open.c:1453 [inline]
 __se_sys_openat fs/open.c:1448 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1448
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe71624ecf9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb1dc94f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffdb1dc9510 RCX: 00007fe71624ecf9
RDX: 0000000000000002 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 00007ffdb1dc9296 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb1dc950c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90003a3f630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90003a3f6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003a3f6c0
R13: 0000000000000cc0 R14: ffff88801e01d180 R15: 0000000000000001
FS:  0000555555c8e380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe716281c00 CR3: 00000000730bb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ad                   	lods   %ds:(%rsi),%eax
   1:	ac                   	lods   %ds:(%rsi),%al
   2:	f7 48 8b 74 24 08 48 	testl  $0x48082474,-0x75(%rax)
   9:	8b 14 24             	mov    (%rsp),%edx
   c:	eb 89                	jmp    0xffffff97
   e:	90                   	nop
   f:	f3 0f 1e fa          	endbr64
  13:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1a:	fc ff df
  1d:	48 89 fa             	mov    %rdi,%rdx
  20:	55                   	push   %rbp
  21:	48 c1 ea 03          	shr    $0x3,%rdx
  25:	53                   	push   %rbx
  26:	48 83 ec 10          	sub    $0x10,%rsp
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	48 89 fa             	mov    %rdi,%rdx
  31:	83 e2 07             	and    $0x7,%edx
  34:	38 d0                	cmp    %dl,%al
  36:	7f 04                	jg     0x3c
  38:	84 c0                	test   %al,%al
  3a:	75 51                	jne    0x8d
  3c:	0f b6 07             	movzbl (%rdi),%eax
  3f:	89                   	.byte 0x89


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [kernel?] general protection fault in nfc_register_device

[Andy Shevchenko]

On Mon, Aug 28, 2023 at 02:53:37AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:

Thanks! Will work on it ASAP.

-- 
With Best Regards,
Andy Shevchenko

Re: [syzbot] [kernel?] general protection fault in nfc_register_device

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in nfc_register_device

RBP: 00007fad795a4120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fad7899bf80 R15: 00007fffcac52128
 </TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5480 Comm: syz-executor.0 Not tainted 6.5.0-rc7-next-20230825-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90004def630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90004def6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004def6c0
R13: 0000000000000cc0 R14: ffff8881413d4a00 R15: 0000000000000001
FS:  00007fad795a46c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fad795a3ff8 CR3: 00000000294b2000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kvasprintf_const+0x25/0x190 lib/kasprintf.c:45
 kobject_set_name_vargs+0x5a/0x130 lib/kobject.c:272
 kobject_add_varg lib/kobject.c:366 [inline]
 kobject_add+0x12a/0x240 lib/kobject.c:424
 device_add+0x2a1/0x1aa0 drivers/base/core.c:3562
 nfc_register_device+0x41/0x3c0 net/nfc/core.c:1118
 nci_register_device+0x7f4/0xb80 net/nfc/nci/core.c:1257
 virtual_ncidev_open+0x147/0x220 drivers/nfc/virtual_ncidev.c:148
 misc_open+0x3da/0x4c0 drivers/char/misc.c:165
 chrdev_open+0x277/0x700 fs/char_dev.c:414
 do_dentry_open+0x88b/0x1730 fs/open.c:929
 do_open fs/namei.c:3639 [inline]
 path_openat+0x19af/0x29c0 fs/namei.c:3796
 do_filp_open+0x1de/0x430 fs/namei.c:3823
 do_sys_openat2+0x176/0x1e0 fs/open.c:1422
 do_sys_open fs/open.c:1437 [inline]
 __do_sys_openat fs/open.c:1453 [inline]
 __se_sys_openat fs/open.c:1448 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1448
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fad7887cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fad795a40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fad7899bf80 RCX: 00007fad7887cae9
RDX: 0000000000000002 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00007fad795a4120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fad7899bf80 R15: 00007fffcac52128
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strchr+0x1b/0xb0 lib/string.c:329
Code: ad ac f7 48 8b 74 24 08 48 8b 14 24 eb 89 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 53 48 83 ec 10 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 51 0f b6 07 89
RSP: 0018:ffffc90004def630 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000025 RDI: 0000000000000000
RBP: ffffc90004def6c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90004def6c0
R13: 0000000000000cc0 R14: ffff8881413d4a00 R15: 0000000000000001
FS:  00007fad795a46c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff66020268 CR3: 00000000294b2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ad                   	lods   %ds:(%rsi),%eax
   1:	ac                   	lods   %ds:(%rsi),%al
   2:	f7 48 8b 74 24 08 48 	testl  $0x48082474,-0x75(%rax)
   9:	8b 14 24             	mov    (%rsp),%edx
   c:	eb 89                	jmp    0xffffff97
   e:	90                   	nop
   f:	f3 0f 1e fa          	endbr64
  13:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1a:	fc ff df
  1d:	48 89 fa             	mov    %rdi,%rdx
  20:	55                   	push   %rbp
  21:	48 c1 ea 03          	shr    $0x3,%rdx
  25:	53                   	push   %rbx
  26:	48 83 ec 10          	sub    $0x10,%rsp
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	48 89 fa             	mov    %rdi,%rdx
  31:	83 e2 07             	and    $0x7,%edx
  34:	38 d0                	cmp    %dl,%al
  36:	7f 04                	jg     0x3c
  38:	84 c0                	test   %al,%al
  3a:	75 51                	jne    0x8d
  3c:	0f b6 07             	movzbl (%rdi),%eax
  3f:	89                   	.byte 0x89


Tested on:

commit:         62693208 Add linux-next specific files for 20230825
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac67b7a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8a8c992a790e5073
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1254f9eba80000

Re: [syzbot] [kernel?] general protection fault in nfc_register_device

[Andy Shevchenko]

On Mon, Aug 28, 2023 at 02:35:22PM +0300, Andy Shevchenko wrote:
> On Mon, Aug 28, 2023 at 02:53:37AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> 
> Thanks! Will work on it ASAP.

So, can somebody from syzbot explain me what this is?

My readings as follows:
1) syzbot inserts fault injection into

        dev_set_name(&dev->dev, "nfc%d", dev->idx);

2) that becomes a NULL in the corresponding kobj->name, correct?
3) which leads to the device_add() to exercise the paths that check for name
   being NULL, i.e.

     if (dev->init_name) {
        error = dev_set_name(dev, "%s", dev->init_name);
        dev->init_name = NULL;
     }

     if (dev_name(dev))
         error = 0;
     /* subsystems can specify simple device enumeration */
     else if (dev->bus && dev->bus->dev_name)
         error = dev_set_name(dev, "%s%u", dev->bus->dev_name, dev->id);
     if (error)
         goto name_error;

   so, either we have init_name or bus->name defined, but this seems not
   the case; anyway in both cases the dev_set_name() may fail in strchr()
   if and only if the fmt is NULL, which is not, as above calls have it
   hard coded literals.

What's going on here?

(The error check for dev_set_name() in nfc_allocate_device() probably fixes
 this, but it must not affect the code execution, right?)

P.S.
Of course the test patch from hdanton@ doesn't fix it, the error is checked in
the code later on.

-- 
With Best Regards,
Andy Shevchenko

Re: [syzbot] [kernel?] general protection fault in nfc_register_device

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+bdfb03b1ec8b342c12cb@syzkaller.appspotmail.com

Tested on:

commit:         2ee82481 Add linux-next specific files for 20230828
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1329b6ffa80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e82a7781f9208c0d
dashboard link: https://syzkaller.appspot.com/bug?extid=bdfb03b1ec8b342c12cb
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1384729fa80000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [kernel?] general protection fault in nfc_register_device

[Andy Shevchenko]

On Mon, Aug 28, 2023 at 03:42:28PM +0300, Andy Shevchenko wrote:
> On Mon, Aug 28, 2023 at 02:35:22PM +0300, Andy Shevchenko wrote:
> > On Mon, Aug 28, 2023 at 02:53:37AM -0700, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following issue on:
> > 
> > Thanks! Will work on it ASAP.
> 
> So, can somebody from syzbot explain me what this is?
> 
> My readings as follows:
> 1) syzbot inserts fault injection into
> 
>         dev_set_name(&dev->dev, "nfc%d", dev->idx);
> 
> 2) that becomes a NULL in the corresponding kobj->name, correct?
> 3) which leads to the device_add() to exercise the paths that check for name
>    being NULL, i.e.
> 
>      if (dev->init_name) {
>         error = dev_set_name(dev, "%s", dev->init_name);
>         dev->init_name = NULL;
>      }
> 
>      if (dev_name(dev))
>          error = 0;
>      /* subsystems can specify simple device enumeration */
>      else if (dev->bus && dev->bus->dev_name)
>          error = dev_set_name(dev, "%s%u", dev->bus->dev_name, dev->id);
>      if (error)
>          goto name_error;
> 
>    so, either we have init_name or bus->name defined, but this seems not
>    the case; anyway in both cases the dev_set_name() may fail in strchr()
>    if and only if the fmt is NULL, which is not, as above calls have it
>    hard coded literals.
> 
> What's going on here?
> 
> (The error check for dev_set_name() in nfc_allocate_device() probably fixes
>  this, but it must not affect the code execution, right?)
> 
> P.S.
> Of course the test patch from hdanton@ doesn't fix it, the error is checked in
> the code later on.

Looking at the second patch from @hdanton I understand what may have happened.
The value of "error" has been rewritten to 0 and dev_name() the new code
doesn't trigger the bail out.

I'll send the patch soon.

-- 
With Best Regards,
Andy Shevchenko