syzbot


KASAN: null-ptr-deref Write in event_handler

Status: fixed on 2021/04/09 19:46
Subsystems: usb
Reported-by: syzbot+bf1a360e305ee719e364@syzkaller.appspotmail.com
Fix commits (3):
  9380afd6df70 usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
  718ad9693e36 usbip: fix vhci_hcd attach_store() races leading to gpf
  46613c9dfa96 usbip: fix vudc usbip_sockfd_store races leading to gpf
First crash: 1262d, last: 1113d
Cause bisection: introduced by (bisect log) [merge commit]:
commit 5acb6052ce304d89e36f599f1e27a7c63d389ca0
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Oct 8 04:20:33 2016 +0000

  Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Crash: WARNING in nf_unregister_net_hook (log)
Note: the bisection stopped at a merge commit and on a different crash (a netfilter WARNING, not this usbip null-ptr-deref), so it does not identify the culprit; the fix commits listed above are the reliable pointer to the affected code.
Repro: C syz .config
Duplicate bugs (1):
  KASAN: null-ptr-deref Write in vhci_shutdown_connection
    Subsystem: usb | Repro: C | Bisection: unreliable | Count: 3322 | Last: 1099d | Reported: 1184d | Patched: 26/26
    Status: closed as dup on 2021/01/20 03:12
Discussions (14)
Title Replies (including bot) Last reply
[PATCH 4.14 00/68] 4.14.231-rc1 review 77 (77) 2021/07/28 12:56
[PATCH 4.9 00/47] 4.9.267-rc1 review 51 (51) 2021/04/16 11:50
[PATCH 4.9 00/78] 4.9.262-rc1 review 85 (85) 2021/03/28 20:37
[PATCH 5.10 000/290] 5.10.24-rc1 review 317 (317) 2021/03/22 08:15
[PATCH 5.11 000/306] 5.11.7-rc1 review 313 (313) 2021/03/19 09:50
[PATCH 4.19 000/120] 4.19.181-rc1 review 137 (137) 2021/03/19 09:41
[PATCH 0/6] usbip fixes to crashes found by syzbot 34 (34) 2021/03/18 13:39
[PATCH 4.14 00/95] 4.14.226-rc1 review 105 (105) 2021/03/18 12:00
[PATCH 5.4 000/168] 5.4.106-rc1 review 175 (175) 2021/03/17 03:00
[PATCH 4.4 00/75] 4.4.262-rc1 review 80 (80) 2021/03/16 12:07
[PATCH] usb: usbip: serialize attach/detach operations 30 (30) 2021/03/05 14:44
[PATCH] usb: usbip: fix error handling of kthread_get_run() 11 (11) 2021/02/11 13:40
KASAN: null-ptr-deref Write in event_handler 8 (9) 2020/10/19 15:22
Re: KASAN: null-ptr-deref Write in event_handler 1 (1) 2020/10/09 14:37
Similar bugs (1):
  linux-4.19: KASAN: null-ptr-deref Write in event_handler
    Repro: C | Bisection: error | Count: 1046 | Last: 909d | Reported: 1262d | Patched: 0/1
    Status: upstream: reported C repro on 2020/10/03 09:17
Last patch testing requests (3)
Created Duration User Patch Repo Result
2021/03/11 06:42 32m mail@anirudhrb.com git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a38fd8748464831584a19438cbb3082b5a2dab15 error OK
2021/03/11 04:04 18m mail@anirudhrb.com upstream error OK
2021/03/10 19:31 18m mail@anirudhrb.com linux-next error OK
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2021/03/01 16:15 25m bisect fix upstream job log (0) log
2021/02/15 13:54 0m bisect fix upstream error job log (0)
2021/01/16 13:36 18m bisect fix upstream job log (0) log

Sample crash report:
vhci_hcd: release socket
vhci_hcd: disconnect device
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: null-ptr-deref in get_task_struct include/linux/sched/task.h:102 [inline]
BUG: KASAN: null-ptr-deref in kthread_stop+0x2a/0x200 kernel/kthread.c:591
Write of size 4 at addr 0000000000000024 by task kworker/u4:0/8

CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usbip_event event_handler
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 __kasan_report mm/kasan/report.c:549 [inline]
 kasan_report+0x155/0x1e0 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:183 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:102 [inline]
 kthread_stop+0x2a/0x200 kernel/kthread.c:591
 vhci_shutdown_connection+0x16c/0xad0 drivers/usb/usbip/vhci_hcd.c:1021
 event_handler+0x268/0x4d0 drivers/usb/usbip/usbip_event.c:78
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2275
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G    B             5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usbip_event event_handler
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 panic+0x291/0x800 kernel/panic.c:231
 end_report mm/kasan/report.c:106 [inline]
 __kasan_report mm/kasan/report.c:552 [inline]
 kasan_report+0x1da/0x1e0 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:183 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:192
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:102 [inline]
 kthread_stop+0x2a/0x200 kernel/kthread.c:591
 vhci_shutdown_connection+0x16c/0xad0 drivers/usb/usbip/vhci_hcd.c:1021
 event_handler+0x268/0x4d0 drivers/usb/usbip/usbip_event.c:78
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2275
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Kernel Offset: disabled
Rebooting in 86400 seconds..
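Reading the report: the usbip_event workqueue ran vhci_shutdown_connection(), which called kthread_stop() on a NULL task pointer; the fault is the 4-byte write at address 0x24, i.e. get_task_struct() bumping the refcount of a task_struct at address zero. Together with the fix titles ("races leading to gpf") and the "serialize attach/detach operations" thread, this is a check-then-use race on the connection's shared thread pointers between the sysfs attach/detach path and the event handler's shutdown. The following is an added example, not usbip or kernel code: a deterministic single-threaded C model of that race next to the take-ownership-under-lock discipline that removes it. Every name in it (ud, ST_USED, detach_racy, detach_fixed, the rival hook that stands in for preemption) is hypothetical; kthread_get_run and kthread_stop_put only mimic the shape of the kernel API, and kthread_stop_put counts a NULL argument instead of faulting.

```c
/* Added example (not usbip code): check-then-use race on a shared kernel-thread
 * pointer vs. taking ownership under the lock. All names are hypothetical. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

enum { ST_NULL, ST_USED };

struct kthread { int running; };             /* stand-in for task_struct */

struct ud {                                  /* stand-in for struct usbip_device */
    atomic_flag lock;                        /* models ud->lock (a spinlock) */
    int status;
    struct kthread *tcp_rx, *tcp_tx;
    void (*rival)(struct ud *);              /* simulated preemption: a concurrent detach runs here */
    int stops;                               /* threads actually stopped */
    int null_stops;                          /* kthread_stop(NULL) calls: a GPF in the kernel */
};

static void ud_lock(struct ud *ud)   { while (atomic_flag_test_and_set(&ud->lock)) ; }
static void ud_unlock(struct ud *ud) { atomic_flag_clear(&ud->lock); }

static struct kthread *kthread_get_run(void) {
    struct kthread *k = malloc(sizeof *k);
    if (k) k->running = 1;
    return k;
}

/* The real kthread_stop() first writes k->usage, so k == NULL faults at a
 * small address (0x24 in the report). Here it is counted, not crashed. */
static int kthread_stop_put(struct ud *ud, struct kthread *k) {
    if (!k) { ud->null_stops++; return -1; }
    k->running = 0; ud->stops++; free(k);
    return 0;
}

/* Create both threads first; publish pointers and status in one critical
 * section, so no observer ever sees ST_USED with a missing thread. */
static int attach(struct ud *ud) {
    struct kthread *rx = kthread_get_run(), *tx = kthread_get_run();
    if (!rx || !tx) {                        /* error path: stop what exists, publish nothing */
        if (rx) kthread_stop_put(ud, rx);
        if (tx) kthread_stop_put(ud, tx);
        return -1;
    }
    ud_lock(ud);
    ud->tcp_rx = rx; ud->tcp_tx = tx; ud->status = ST_USED;
    ud_unlock(ud);
    return 0;
}

/* Buggy shape: the shared field is read once for the test and again for the
 * call, with no lock. A concurrent teardown between the two reads turns
 * kthread_stop_put(ud->tcp_rx) into kthread_stop(NULL). */
static int shutdown_racy(struct ud *ud) {
    int rc = 0;
    if (ud->tcp_rx) {
        if (ud->rival) ud->rival(ud);        /* preempted here by a concurrent detach */
        rc |= kthread_stop_put(ud, ud->tcp_rx);
        ud->tcp_rx = NULL;
    }
    if (ud->tcp_tx) { rc |= kthread_stop_put(ud, ud->tcp_tx); ud->tcp_tx = NULL; }
    ud->status = ST_NULL;
    return rc;
}

static void detach_racy(struct ud *ud) {     /* the rival, in the same unlocked style */
    if (ud->tcp_rx) { kthread_stop_put(ud, ud->tcp_rx); ud->tcp_rx = NULL; }
    if (ud->tcp_tx) { kthread_stop_put(ud, ud->tcp_tx); ud->tcp_tx = NULL; }
    ud->status = ST_NULL;
}

/* Fixed shape: swap both pointers out under the lock, then act only on the
 * private copies. Whoever swaps first stops each thread exactly once; a later
 * arrival finds NULL and has nothing to stop. */
static void take_threads(struct ud *ud, struct kthread **rx, struct kthread **tx) {
    ud_lock(ud);
    *rx = ud->tcp_rx; ud->tcp_rx = NULL;
    *tx = ud->tcp_tx; ud->tcp_tx = NULL;
    ud->status = ST_NULL;
    ud_unlock(ud);
}

static int shutdown_fixed(struct ud *ud) {
    struct kthread *rx, *tx;
    int rc = 0;
    take_threads(ud, &rx, &tx);
    if (ud->rival) ud->rival(ud);            /* same preemption point as the racy version */
    if (rx) rc |= kthread_stop_put(ud, rx);
    if (tx) rc |= kthread_stop_put(ud, tx);
    return rc;
}

static void detach_fixed(struct ud *ud) {
    struct kthread *rx, *tx;
    take_threads(ud, &rx, &tx);
    if (rx) kthread_stop_put(ud, rx);
    if (tx) kthread_stop_put(ud, tx);
}

/* Drive "attach, then shutdown preempted by a concurrent detach" through one
 * version. Returns kthread_stop(NULL) count; *stops receives threads stopped. */
static int run_scenario(int fixed, int *stops) {
    struct ud ud = { .lock = ATOMIC_FLAG_INIT, .status = ST_NULL,
                     .rival = fixed ? detach_fixed : detach_racy };
    if (attach(&ud) != 0) return -1;
    if (fixed) shutdown_fixed(&ud); else shutdown_racy(&ud);
    *stops = ud.stops;
    return ud.null_stops;
}

int null_stops(int fixed)      { int s; return run_scenario(fixed, &s); }
int threads_stopped(int fixed) { int s; run_scenario(fixed, &s); return s; }

int main(void) {
    printf("racy : threads stopped=%d kthread_stop(NULL)=%d\n", threads_stopped(0), null_stops(0));
    printf("fixed: threads stopped=%d kthread_stop(NULL)=%d\n", threads_stopped(1), null_stops(1));
    return 0;
}
```

The racy run stops both threads but also issues one kthread_stop(NULL), which is the write at 0x24 in the trace; the fixed run stops each thread exactly once and never touches a pointer it did not own. The same ordering is what makes the attach side safe: threads are created before anything is published, and pointers plus status become visible in a single critical section, so the error path of kthread_get_run() never leaves a half-populated device for the event handler to tear down.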

Crashes (2869):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/16 16:17 upstream d635a69dd498 f213e07e .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/15 21:23 upstream 148842c98a24 97183ed7 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/14 23:34 upstream 2c85ebc57b3e 97183ed7 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/14 21:56 upstream 2c85ebc57b3e 97183ed7 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/14 12:09 upstream 6bff9bb8a292 b22a7ec3 .config console log report syz C ci-upstream-kasan-gce
2020/12/13 09:05 upstream 7b1b868e1d91 bca53db9 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/13 02:34 upstream 7b1b868e1d91 bca53db9 .config console log report syz C ci-upstream-kasan-gce
2020/12/12 05:10 upstream 33dc9614dc20 ba24ffcd .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/12 04:05 upstream 33dc9614dc20 ba24ffcd .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/12 02:35 upstream 33dc9614dc20 ba24ffcd .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/12 02:15 upstream 33dc9614dc20 ba24ffcd .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/12/12 01:40 upstream 33dc9614dc20 ba24ffcd .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/10/03 16:00 upstream d3d45f8220d6 2653fa43 .config console log report syz C ci-upstream-kasan-gce-root
2020/10/03 10:16 upstream d3d45f8220d6 2653fa43 .config console log report syz C ci-upstream-kasan-gce
2020/12/16 16:39 upstream d635a69dd498 f213e07e .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/16 16:32 upstream d635a69dd498 f213e07e .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/16 13:06 upstream d635a69dd498 f213e07e .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 23:34 upstream 148842c98a24 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 19:43 upstream 148842c98a24 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 19:32 upstream 148842c98a24 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 17:57 upstream 148842c98a24 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 14:12 upstream 148842c98a24 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 13:39 upstream 148842c98a24 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 04:34 upstream 2c85ebc57b3e 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 02:19 upstream 2c85ebc57b3e 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 01:19 upstream 2c85ebc57b3e 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/15 00:11 upstream 2c85ebc57b3e 97183ed7 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 12:25 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 12:15 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 12:05 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 09:19 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 08:28 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 08:18 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 08:07 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/13 06:41 upstream 7b1b868e1d91 bca53db9 .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 05:50 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 04:43 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 04:30 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 04:22 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 03:48 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 03:37 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 03:27 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 03:00 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 02:49 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 01:59 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/12/12 01:10 upstream 33dc9614dc20 ba24ffcd .config console log report syz ci-upstream-kasan-gce-smack-root
2020/10/03 09:34 upstream d3d45f8220d6 2653fa43 .config console log report syz ci-upstream-kasan-gce
2020/12/16 12:26 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce
2020/12/16 10:48 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/16 09:19 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce
2020/12/16 07:32 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 04:10 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/16 02:40 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 01:36 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 23:01 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 16:16 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 15:23 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/14 22:47 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/14 21:46 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/14 20:10 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/14 18:19 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/14 16:34 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/14 09:39 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce
2020/12/14 07:08 upstream 2c85ebc57b3e b22a7ec3 .config console log report info ci-qemu-upstream
2020/12/14 04:11 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-root
2020/12/14 00:47 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/13 18:40 upstream 6bff9bb8a292 bca53db9 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/13 12:26 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/13 10:28 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/13 07:56 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/13 06:33 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/13 03:38 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/13 02:33 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/13 00:41 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/12 20:57 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/12 17:44 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/12 15:38 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/12 14:00 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/12 10:26 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/15 13:00 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-386
2020/12/15 06:45 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-386
2020/12/14 14:47 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-386
2020/12/14 13:13 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-386
2020/12/14 11:24 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-386
2020/12/14 05:21 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-386
2020/12/14 02:44 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-386
2020/12/13 22:28 upstream ec6f5e0e5ca0 8f160dd5 .config console log report info ci-qemu-upstream-386
2020/12/13 20:01 upstream 6bff9bb8a292 8f160dd5 .config console log report info ci-qemu-upstream-386
2020/12/13 11:28 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-386
2020/12/12 22:21 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-386
2020/12/12 19:46 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce-386
2020/12/12 16:47 upstream 7f376f1917d7 bca53db9 .config console log report info ci-upstream-kasan-gce-386
2020/10/03 09:16 upstream d3d45f8220d6 2653fa43 .config console log report info ci-upstream-kasan-gce-386
2020/12/14 07:48 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/13 13:35 linux-next 14240d4c5b25 bca53db9 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/12 23:33 linux-next 14240d4c5b25 bca53db9 .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.