syzbot


general protection fault in cdev_del (2)

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
Fix commits:
  8a12f8836145 net: hso: fix null-ptr-deref during tty device unregistration
  0a360e8b65d6 tty: n_gsm: check error while registering tty devices
First crash: 734d, last: 455d

Cause bisection: failed (bisect log)
similar bugs (3):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | general protection fault in cdev_del | C | | | 315 | 750d | 1218d | 17/24 | fixed on 2020/09/16 22:51
linux-4.19 | general protection fault in cdev_del | C | | | 361 | 6h30m | 1023d | 0/1 | upstream: reported C repro on 2019/12/09 03:59
linux-4.14 | general protection fault in cdev_del | C | | | 265 | 5d04h | 1028d | 0/1 | upstream: reported C repro on 2019/12/04 03:14
Patch testing requests:
Created | Duration | User | Patch | Repo | Result
2021/04/04 16:45 | 20m | mail@anirudhrb.com | patch | linux-next | OK
2021/04/04 12:41 | 16m | mail@anirudhrb.com | patch | linux-next | OK
2021/04/04 12:21 | 16m | mail@anirudhrb.com | | linux-next | report log
2020/10/02 03:52 | 10m | dragonjetli@gmail.com | patch | upstream | report log

Sample crash report:
hso 6-1:0.0: Failed to find BULK IN ep
general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 1 PID: 4401 Comm: kworker/1:3 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:596
Code: b5 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 c0 cd ff 48 8d 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
RSP: 0018:ffffc900002f7150 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff88810833ea00 RCX: 0000000000000000
RDX: 000000000000000c RSI: ffffffff8171ca4d RDI: 0000000000000064
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8a1e8737
R10: ffffffff8233a1ef R11: 000000000004e044 R12: ffff88810833ea08
R13: ffff888108658000 R14: 0000000000000000 R15: ffff88810f1c7070
FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004ba438 CR3: 0000000007825000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tty_unregister_device drivers/tty/tty_io.c:3344 [inline]
 tty_unregister_device+0x112/0x1b0 drivers/tty/tty_io.c:3339
 hso_serial_tty_unregister drivers/net/usb/hso.c:2232 [inline]
 hso_create_bulk_serial_device drivers/net/usb/hso.c:2680 [inline]
 hso_probe.cold+0x70/0x16a drivers/net/usb/hso.c:2946
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x291/0xe60 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:740
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:846
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4a0 drivers/base/dd.c:914
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbdb/0x1db0 drivers/base/core.c:3242
 usb_set_configuration+0x113f/0x1910 drivers/usb/core/message.c:2164
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 really_probe+0x291/0xe60 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:740
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:846
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4a0 drivers/base/dd.c:914
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbdb/0x1db0 drivers/base/core.c:3242
 usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2555
 hub_port_connect drivers/usb/core/hub.c:5223 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
 port_event drivers/usb/core/hub.c:5509 [inline]
 hub_event+0x2357/0x4320 drivers/usb/core/hub.c:5591
 process_one_work+0x98d/0x1580 kernel/workqueue.c:2275
 process_scheduled_works kernel/workqueue.c:2337 [inline]
 worker_thread+0x82b/0x1120 kernel/workqueue.c:2423
 kthread+0x38c/0x460 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace d72d14656666fdbb ]---
RIP: 0010:cdev_del+0x22/0x90 fs/char_dev.c:596
Code: b5 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 ec 08 e8 93 c0 cd ff 48 8d 7d 64 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 4f 48
RSP: 0018:ffffc900002f7150 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffff88810833ea00 RCX: 0000000000000000
RDX: 000000000000000c RSI: ffffffff8171ca4d RDI: 0000000000000064
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8a1e8737
R10: ffffffff8233a1ef R11: 000000000004e044 R12: ffff88810833ea08
R13: ffff888108658000 R14: 0000000000000000 R15: ffff88810f1c7070
FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004ba438 CR3: 0000000007825000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (45):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci2-upstream-usb | 2021/02/26 01:20 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 29c395c77a9a | 76f7fc95 | .config | log | report | syz | C | | general protection fault in cdev_del
ci-upstream-kasan-gce | 2021/01/05 04:35 | upstream | 36bbbd0e234d | 2a28ff1f | .config | log | report | syz | C | |
ci-upstream-kasan-gce | 2020/09/22 20:45 | upstream | 98477740630f | 3e8f6c27 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/12/09 05:30 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | b175d273d4e4 | 40cc414d | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/11/26 15:29 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 7656ca71b0ba | 2f1cec62 | .config | log | report | syz | C | |
ci-upstream-kasan-gce | 2021/04/20 15:42 | upstream | 7af08140979a | c0ced557 | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-smack-root | 2021/04/19 00:18 | upstream | c98ff1d013d2 | 7e2b734b | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-root | 2021/04/18 03:22 | upstream | 194cf4825638 | 7e2b734b | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce | 2021/04/14 03:07 | upstream | eebe426d32e1 | a184b83e | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-smack-root | 2021/04/10 14:47 | upstream | d4961772226d | bfeda1b1 | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-root | 2021/04/06 16:59 | upstream | 0a50438c8436 | 6a81331a | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce | 2021/04/06 10:21 | upstream | 0a50438c8436 | 6a81331a | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-root | 2021/04/04 03:41 | upstream | 57fbdb15ec42 | 6a81331a | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-root | 2021/03/30 15:49 | upstream | 1e43c377a79f | 6a81331a | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-smack-root | 2021/03/26 13:57 | upstream | db24726bfefa | 6a383ecf | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce | 2021/02/19 19:56 | upstream | f40ddce88593 | f689d40a | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce | 2021/02/08 18:54 | upstream | 92bf22614b21 | 2ce644fc | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-386 | 2021/03/23 17:26 | upstream | 84196390620a | e613994b | .config | log | report | | | info | general protection fault in cdev_del
ci-qemu-upstream-386 | 2021/02/03 15:36 | upstream | 3aaf0a27ffc2 | 624dad51 | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-386 | 2021/01/21 20:31 | upstream | 9791581c049c | d4f4eca5 | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-linux-next-kasan-gce-root | 2021/03/29 09:59 | linux-next | 931294922e65 | a8529b82 | .config | log | report | | | info | general protection fault in cdev_del
ci2-upstream-usb | 2021/03/21 16:03 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | e00943e91678 | 4c9a64da | .config | log | report | | | info | general protection fault in cdev_del
ci2-upstream-usb | 2021/03/13 08:02 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 14b02f023c09 | 4a003785 | .config | log | report | | | info | general protection fault in cdev_del
ci2-upstream-usb | 2021/01/29 08:00 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 1a9e38cabd80 | 6593fd32 | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-linux-next-kasan-gce-root | 2021/01/21 18:01 | linux-next | bc085f8fc88f | d4f4eca5 | .config | log | report | | | info | general protection fault in cdev_del
ci-upstream-kasan-gce-root | 2021/01/16 13:24 | upstream | 1d94330a437a | 65a7a854 | .config | log | report | | | info |
ci-upstream-kasan-gce-root | 2021/01/03 04:45 | upstream | 3516bd729358 | 79264ae3 | .config | log | report | | | info |
ci-upstream-kasan-gce | 2021/01/02 19:43 | upstream | eda809aef534 | 79264ae3 | .config | log | report | | | info |
ci-upstream-kasan-gce-selinux-root | 2021/01/02 05:16 | upstream | eda809aef534 | 79264ae3 | .config | log | report | | | info |
ci-upstream-kasan-gce-root | 2020/12/28 09:08 | upstream | 5c8fe583cce5 | 2242f77f | .config | log | report | | | info |
ci-upstream-kasan-gce | 2020/12/14 04:18 | upstream | 6bff9bb8a292 | b22a7ec3 | .config | log | report | | | info |
ci-upstream-kasan-gce | 2020/12/11 19:41 | upstream | 33dc9614dc20 | ba24ffcd | .config | log | report | | | info |
ci-upstream-kasan-gce | 2020/11/24 12:58 | upstream | d5beb3140f91 | 1ab681a4 | .config | log | report | | | info |
ci-upstream-kasan-gce-smack-root | 2020/11/06 00:26 | upstream | 521b619acdc8 | 64069d48 | .config | log | report | | | info |
ci-upstream-kasan-gce | 2020/10/07 23:57 | upstream | c85fb28b6f99 | 1880b4a9 | .config | log | report | | | info |
ci-upstream-kasan-gce | 2020/09/22 20:22 | upstream | 98477740630f | 3e8f6c27 | .config | log | report | | | info |
ci-qemu2-arm32 | 2021/06/29 07:50 | upstream | bf152b0b41dc | 9d2ab5df | .config | log | report | | | info | BUG: unable to handle kernel NULL pointer dereference in cdev_del
ci-qemu2-arm64-compat | 2021/02/03 16:48 | upstream | 3aaf0a27ffc2 | 624dad51 | .config | log | report | | | info | BUG: unable to handle kernel paging request in cdev_del
ci-qemu2-arm64 | 2021/02/01 07:25 | upstream | 1048ba83fb1c | fc9fd31e | .config | log | report | | | info | BUG: unable to handle kernel paging request in cdev_del
ci-upstream-kasan-gce-386 | 2021/01/16 20:15 | upstream | 1d94330a437a | 65a7a854 | .config | log | report | | | info |
ci-upstream-linux-next-kasan-gce-root | 2021/01/09 03:26 | linux-next | 1c925d2030af | c104d4a3 | .config | log | report | | | info |
ci-upstream-linux-next-kasan-gce-root | 2020/12/05 05:24 | linux-next | 0eedceafd3a6 | 20366b87 | .config | log | report | | | info |
ci2-upstream-usb | 2020/11/22 22:28 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 52a0372a38b4 | 0d27f508 | .config | log | report | | | info |
ci2-upstream-usb | 2020/11/09 10:25 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 57cde551225b | cba33199 | .config | log | report | | | info |
ci-qemu2-riscv64 | 2021/05/25 11:26 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes | 18a3c5f7abfd | 3c7fef33 | .config | log | report | | | info | KASAN: null-ptr-deref Read in cdev_del
* Struck through repros no longer work on HEAD.