syzbot


UBSAN: shift-out-of-bounds in parse_audio_unit

Status: upstream: reported C repro on 2024/07/22 02:50
Bug presence: origin:lts
Reported-by: syzbot+564c9cc7746f2a77d21e@syzkaller.appspotmail.com
First crash: 56d, last: 20d
Bug presence (2)
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2024/07/22 | lts (merge base) | 574362648507 | C | [report] UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/07/22 | upstream (ToT) | 527eff227d43 | C | Didn't crash |
Similar bugs (2)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | UBSAN: shift-out-of-bounds in parse_audio_unit sound | C | error | | 3 | 65d | 63d | 27/28 | fixed on 2024/08/14 03:44 |
| android-6-1 | UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts | C | | | 3 | 22d | 36d | 0/2 | upstream: reported C repro on 2024/08/11 11:03 |
Last patch testing requests (1)
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2024/08/27 00:26 | 5m | retest repro | | android13-5.15-lts | report log |

Sample crash report:
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
================================================================================
UBSAN: shift-out-of-bounds in sound/usb/mixer.c:2021:20
shift exponent 41 is too large for 32-bit type 'int'
CPU: 1 PID: 39 Comm: kworker/1:1 Not tainted 5.15.151-syzkaller-00415-gdb06c48ab67e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 dump_stack+0x15/0x17 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3bf/0x420 lib/ubsan.c:321
 parse_audio_feature_unit sound/usb/mixer.c:2021 [inline]
 parse_audio_unit+0x270d/0x3d90 sound/usb/mixer.c:2871
 snd_usb_mixer_controls sound/usb/mixer.c:3216 [inline]
 snd_usb_create_mixer+0x122f/0x2dd0 sound/usb/mixer.c:3563
 usb_audio_probe+0x1412/0x2260 sound/usb/card.c:858
 usb_probe_interface+0x5b6/0xa90 drivers/usb/core/driver.c:396
 really_probe+0x28d/0x970 drivers/base/dd.c:595
 __driver_probe_device+0x1a0/0x310 drivers/base/dd.c:755
 driver_probe_device+0x54/0x3d0 drivers/base/dd.c:785
 __device_attach_driver+0x2c5/0x470 drivers/base/dd.c:907
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x312/0x510 drivers/base/dd.c:979
 device_initial_probe+0x1a/0x20 drivers/base/dd.c:1028
 bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
 device_add+0xb60/0xf10 drivers/base/core.c:3404
 usb_set_configuration+0x190f/0x1e80 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8b/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x144/0x260 drivers/usb/core/driver.c:293
 really_probe+0x28d/0x970 drivers/base/dd.c:595
 __driver_probe_device+0x1a0/0x310 drivers/base/dd.c:755
 driver_probe_device+0x54/0x3d0 drivers/base/dd.c:785
 __device_attach_driver+0x2c5/0x470 drivers/base/dd.c:907
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x312/0x510 drivers/base/dd.c:979
 device_initial_probe+0x1a/0x20 drivers/base/dd.c:1028
 bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
 device_add+0xb60/0xf10 drivers/base/core.c:3404
 usb_new_device+0x1038/0x1c00 drivers/usb/core/hub.c:2590
 hub_port_connect drivers/usb/core/hub.c:5503 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5643 [inline]
 port_event drivers/usb/core/hub.c:5793 [inline]
 hub_event+0x2def/0x4770 drivers/usb/core/hub.c:5875
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2325
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2472
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Crashes (8):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/07/22 02:44 | android13-5.15-lts | db06c48ab67e | b88348e9 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/08/12 22:33 | android13-5.15-lts | 70e1a731d986 | 842184b3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/08/11 20:03 | android13-5.15-lts | 70e1a731d986 | 6f4edef4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/08/10 17:39 | android13-5.15-lts | 70e1a731d986 | 6f4edef4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/08/08 23:51 | android13-5.15-lts | 70e1a731d986 | 61405512 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/08/07 05:57 | android13-5.15-lts | 70e1a731d986 | 1ef9fe42 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/07/28 13:21 | android13-5.15-lts | 4edafe6c0231 | 46eb10b7 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
| 2024/07/22 02:20 | android13-5.15-lts | db06c48ab67e | b88348e9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | UBSAN: shift-out-of-bounds in parse_audio_unit |
* Struck through repros no longer work on HEAD.