Hello,
syzbot found the following issue on:
HEAD commit: 9e39aef3 usb: misc: brcmstb-usb-pinmap: Make sync_all_pins..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=145ffa8a500000
kernel config: https://syzkaller.appspot.com/x/.config?x=a05f5efbb00b1465
dashboard link: https://syzkaller.appspot.com/bug?extid=92340f7b2b4789907fdb
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172ae7a8500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b24746500000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
HID 045e:07da: Invalid code 65791 type 1
------------[ cut here ]------------
init_uevent_argv: buffer size too small
WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 init_uevent_argv lib/kobject_uevent.c:259 [inline]
WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 kobject_uevent_env+0x1640/0x1680 lib/kobject_uevent.c:608
Modules linked in:
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:init_uevent_argv lib/kobject_uevent.c:259 [inline]
RIP: 0010:kobject_uevent_env+0x1640/0x1680 lib/kobject_uevent.c:608
Code: 87 e8 24 af fe ff e9 cf f8 ff ff 48 8b 3c 24 e8 06 33 68 ff e9 a9 f8 ff ff e8 cc 9e 3c ff 48 c7 c7 e0 68 00 86 e8 59 b9 71 03 <0f> 0b 41 bf f4 ff ff ff e9 51 ec ff ff 4c 89 ff e8 5b 32 68 ff e9
RSP: 0018:ffffc9000005e8e0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: ffff88810022e500 RSI: ffffffff8128fe63 RDI: fffff5200000bd0e
RBP: 00000000000007fb R08: 0000000000000001 R09: ffff8881f6a1febb
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000005
R13: 00000000000007fb R14: 0000000000000005 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d0090 CR3: 0000000103ed4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
device_add+0xb47/0x1ce0 drivers/base/core.c:2919
input_register_device+0x73a/0xce0 drivers/input/input.c:2212
hidinput_connect+0x5056/0x9d50 drivers/hid/hid-input.c:1949
hid_connect+0x958/0xbc0 drivers/hid/hid-core.c:1949
hid_hw_start drivers/hid/hid-core.c:2053 [inline]
hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2044
ms_probe+0x159/0x4b0 drivers/hid/hid-microsoft.c:391
hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2281
really_probe+0x291/0xde0 drivers/base/dd.c:554
driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
__device_attach+0x228/0x4a0 drivers/base/dd.c:912
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0xbb2/0x1ce0 drivers/base/core.c:2938
hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2437
usbhid_probe+0xaae/0xfc0 drivers/hid/usbhid/hid-core.c:1407
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
really_probe+0x291/0xde0 drivers/base/dd.c:554
driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
__device_attach+0x228/0x4a0 drivers/base/dd.c:912
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0xbb2/0x1ce0 drivers/base/core.c:2938
usb_set_configuration+0x113c/0x1910 drivers/usb/core/message.c:2168
usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
really_probe+0x291/0xde0 drivers/base/dd.c:554
driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
__device_attach+0x228/0x4a0 drivers/base/dd.c:912
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0xbb2/0x1ce0 drivers/base/core.c:2938
usb_new_device.cold+0x71d/0xfe9 drivers/usb/core/hub.c:2555
hub_port_connect drivers/usb/core/hub.c:5223 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
port_event drivers/usb/core/hub.c:5509 [inline]
hub_event+0x2348/0x42d0 drivers/usb/core/hub.c:5591
process_one_work+0x933/0x1520 kernel/workqueue.c:2272
worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
kthread+0x38c/0x460 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
On Fri, Nov 06, 2020 at 04:43:17AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9e39aef3 usb: misc: brcmstb-usb-pinmap: Make sync_all_pins..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=145ffa8a500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a05f5efbb00b1465
> dashboard link: https://syzkaller.appspot.com/bug?extid=92340f7b2b4789907fdb
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172ae7a8500000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b24746500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
> HID 045e:07da: Invalid code 65791 type 1
> ------------[ cut here ]------------
> init_uevent_argv: buffer size too small
> WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 init_uevent_argv lib/kobject_uevent.c:259 [inline]
> WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 kobject_uevent_env+0x1640/0x1680 lib/kobject_uevent.c:608
You gave it a device with a buffer that was "too small", and it rejected
it.
Which, aside from the huge warning message, is to be expected, so I
don't think this is really a bug here.
thanks,
greg k-h
On Fri, Nov 06, 2020 at 03:03:36PM +0100, Greg KH wrote:
> On Fri, Nov 06, 2020 at 04:43:17AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 9e39aef3 usb: misc: brcmstb-usb-pinmap: Make sync_all_pins..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=145ffa8a500000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a05f5efbb00b1465
> > dashboard link: https://syzkaller.appspot.com/bug?extid=92340f7b2b4789907fdb
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172ae7a8500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b24746500000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
> > HID 045e:07da: Invalid code 65791 type 1
> > ------------[ cut here ]------------
> > init_uevent_argv: buffer size too small
> > WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 init_uevent_argv lib/kobject_uevent.c:259 [inline]
> > WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 kobject_uevent_env+0x1640/0x1680 lib/kobject_uevent.c:608
>
> You gave it a device with a buffer that was "too small", and it rejected
> it.
>
> Which, aside from the huge warning message, is to be expected, so I
> don't think this is really a bug here.
The issue is that syzbot thinks "WARNING" indicates a problem in the
kernel. If the problem is really in the device then the message should
say "Warning" instead (not all caps).
Alan Stern
On Fri, Nov 06, 2020 at 03:03:36PM +0100, Greg KH wrote:
> On Fri, Nov 06, 2020 at 04:43:17AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 9e39aef3 usb: misc: brcmstb-usb-pinmap: Make sync_all_pins..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=145ffa8a500000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a05f5efbb00b1465
> > dashboard link: https://syzkaller.appspot.com/bug?extid=92340f7b2b4789907fdb
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172ae7a8500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b24746500000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
> > HID 045e:07da: Invalid code 65791 type 1
> > ------------[ cut here ]------------
> > init_uevent_argv: buffer size too small
> > WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 init_uevent_argv lib/kobject_uevent.c:259 [inline]
> > WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 kobject_uevent_env+0x1640/0x1680 lib/kobject_uevent.c:608
>
> You gave it a device with a buffer that was "too small", and it rejected
> it.
>
> Which, aside from the huge warning message, is to be expected, so I
> don't think this is really a bug here.
>
The purpose of WARN is for reporting recoverable kernel bugs. So a reachable
WARN is a bug. Either it is reporting one, or the bug is that the use of WARN
is wrong.
- Eric
On Fri, Nov 06, 2020 at 09:03:14AM -0800, Eric Biggers wrote:
> On Fri, Nov 06, 2020 at 03:03:36PM +0100, Greg KH wrote:
> > On Fri, Nov 06, 2020 at 04:43:17AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 9e39aef3 usb: misc: brcmstb-usb-pinmap: Make sync_all_pins..
> > > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=145ffa8a500000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=a05f5efbb00b1465
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=92340f7b2b4789907fdb
> > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172ae7a8500000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b24746500000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
> > > HID 045e:07da: Invalid code 65791 type 1
> > > ------------[ cut here ]------------
> > > init_uevent_argv: buffer size too small
> > > WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 init_uevent_argv lib/kobject_uevent.c:259 [inline]
> > > WARNING: CPU: 0 PID: 5 at lib/kobject_uevent.c:259 kobject_uevent_env+0x1640/0x1680 lib/kobject_uevent.c:608
> >
> > You gave it a device with a buffer that was "too small", and it rejected
> > it.
> >
> > Which, aside from the huge warning message, is to be expected, so I
> > don't think this is really a bug here.
> >
>
> The purpose of WARN is for reporting recoverable kernel bugs. So a reachable
> WARN is a bug. Either it is reporting one, or the bug is that the use of WARN
> is wrong.
In the past, as you know, we have thought that hardware issues like this
are a "recoverable bug but someone better do something about it". Now
that we can fake hardware devices so easily, it's probably better to
just knock this down to a dev_warn() and keep on moving.
If I get a chance, I'll write up a patch today, but anyone else should
feel free to also do it.
thanks,
greg k-h
syzbot suspects this issue was fixed by commit:
commit c318840fb2a42ce25febc95c4c19357acf1ae5ca
Author: Alan Stern <[email protected]>
Date: Wed Dec 30 16:20:44 2020 +0000
USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10be15d7500000
start commit: 2c85ebc5 Linux 5.10
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=8aff533d6c635e6
dashboard link: https://syzkaller.appspot.com/bug?extid=92340f7b2b4789907fdb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1763d433500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ef12cb500000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: USB: Gadget: dummy-hcd: Fix shift-out-of-bounds bug
For information about bisection process see: https://goo.gl/tpsmEJ#bisection