syzbot

 sign-in | mailing list | source | docs
🐞 Open [993] Subsystems 🐞 Fixed [5244] 🐞 Invalid [12515] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in usb_set_interface

Status: fixed on 2019/12/13 00:31
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+7fa38a608b1075dfd634@syzkaller.appspotmail.com
Fix commit: c7a191464078 media: usbvision: Fix invalid accesses after device disconnect
First crash: 1692d, last: 1681d
Duplicate bugs (5)
duplicates (5):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: invalid-free in usbvision_release media 1 1684d 1684d 0/26 closed as dup on 2019/09/20 15:35
KASAN: use-after-free Write in usbvision_scratch_alloc media 5 1611d 1733d 0/26 closed as dup on 2019/09/20 15:34
KASAN: use-after-free Read in v4l2_release (2) media 9 1599d 1677d 0/26 closed as dup on 2019/09/23 15:12
KASAN: use-after-free Read in usbvision_release fs 1 1680d 1680d 0/26 closed as dup on 2019/09/20 18:29
KASAN: use-after-free Write in usbvision_decompress_alloc media 1 1693d 1684d 0/26 closed as dup on 2019/09/20 15:35
Discussions (15)
Title Replies (including bot) Last reply
[PATCH 3.16 000/148] 3.16.82-rc1 review 151 (151) 2020/02/09 18:51
general protection fault in usb_set_interface 15 (22) 2019/12/17 13:17
KASAN: use-after-free Read in usbvision_v4l2_open 12 (15) 2019/12/12 16:52
[PATCH 5.4 00/66] 5.4.1-stable review 75 (75) 2019/11/29 08:52
[PATCH 5.3 00/95] 5.3.14-stable review 100 (100) 2019/11/28 21:29
[PATCH 1/2 RESEND] media: usbvision: Fix invalid accesses after device disconnect 1 (1) 2019/10/07 15:09
[PATCH 1/2] media: usbvision: Fix invalid accesses after device disconnect 1 (1) 2019/10/01 20:18
WARNING in pvr2_i2c_core_done 5 (6) 2019/09/27 14:21
Re: general protection fault in usb_set_interface 1 (1) 2019/09/26 21:03
KASAN: use-after-free Read in v4l2_release (2) 1 (2) 2019/09/23 15:12
KASAN: use-after-free Read in usbvision_release 1 (2) 2019/09/20 18:29
KASAN: invalid-free in usbvision_release 1 (2) 2019/09/20 15:35
KASAN: use-after-free Write in usbvision_decompress_alloc 1 (2) 2019/09/20 15:34
KASAN: use-after-free Write in usbvision_scratch_alloc 1 (2) 2019/09/20 15:34
Reminder: 52 active syzbot reports in usb subsystem 4 (4) 2019/09/19 19:01
Last patch testing requests (25)
Created Duration User Patch Repo Result
2019/12/12 16:52 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 1f22d15c OK
2019/12/10 20:17 5m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 1f22d15c error OK
2019/09/28 17:10 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 19:39 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 18:20 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 17:41 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 14:21 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 02:00 9m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 01:38 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/26 01:18 4m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b error OK
2019/09/25 21:34 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/25 21:27 4m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b error OK
2019/09/25 21:19 2m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b error OK
2019/09/25 20:08 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/25 19:06 9m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/25 18:26 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/19 14:03 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/18 15:50 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/18 14:35 9m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/17 20:17 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/17 18:31 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/17 18:08 5m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b error OK
2019/09/17 15:54 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/17 15:16 10m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log
2019/09/16 20:51 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git f0df5c1b report log

Sample crash report:
usb 3-1: usbvision_write_reg: failed: error -2
usbvision_set_audio: can't write iopin register for audio switching
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 1955 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usb_set_interface+0x34/0xa50 drivers/usb/core/message.c:1362
Code: fc 55 53 48 83 ec 40 89 54 24 18 89 74 24 10 e8 22 1c ef fd 49 8d 7c 24 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fb 08 00 00 49 8b 44 24 48 49 8d 7c 24 18 48 89
RSP: 0018:ffff8881cb19fd50 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000009 RSI: ffffffff834ebe7e RDI: 0000000000000048
RBP: ffff8881cb8e4200 R08: ffffffff88d21878 R09: ffffed103971cb43
R10: ffff8881cb19fdc8 R11: ffff8881cb8e5a17 R12: 0000000000000000
R13: ffff8881cb8e5a10 R14: ffff8881cb8e4cc8 R15: ffff8881cb8e5178
FS:  00007f4f60b6d700(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f6060c330 CR3: 00000001cc3a8000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 usbvision_radio_close+0x105/0x250 drivers/media/usb/usbvision/usbvision-video.c:1114
 v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
 __fput+0x2d7/0x840 fs/file_table.c:280
 task_work_run+0x13f/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f4f6069b2b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0 07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007ffde2d50ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f4f6069b2b0
RDX: 00007f4f60951df0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007f4f60951df0 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007ffde2d51040 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 62bd2b7512ab49ee ]---
RIP: 0010:usb_set_interface+0x34/0xa50 drivers/usb/core/message.c:1362
Code: fc 55 53 48 83 ec 40 89 54 24 18 89 74 24 10 e8 22 1c ef fd 49 8d 7c 24 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fb 08 00 00 49 8b 44 24 48 49 8d 7c 24 18 48 89
RSP: 0018:ffff8881cb19fd50 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000009 RSI: ffffffff834ebe7e RDI: 0000000000000048
RBP: ffff8881cb8e4200 R08: ffffffff88d21878 R09: ffffed103971cb43
R10: ffff8881cb19fdc8 R11: ffff8881cb8e5a17 R12: 0000000000000000
R13: ffff8881cb8e5a10 R14: ffff8881cb8e4cc8 R15: ffff8881cb8e5178
FS:  00007f4f60b6d700(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f6060c330 CR3: 00000001cc3a8000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/09/12 01:00 https://github.com/google/kasan.git usb-fuzzer f0df5c1be1e9 f4e53c10 .config console log report syz C ci2-upstream-usb
2019/09/19 09:31 https://github.com/google/kasan.git usb-fuzzer f0df5c1be1e9 eb940044 .config console log report ci2-upstream-usb
2019/09/08 10:56 https://github.com/google/kasan.git usb-fuzzer f0df5c1be1e9 a60cb4cd .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.