2024-05-22 07:28:54

by Shichao Lai

Subject: divide error in alauda_transport

Hello Dear maintainer!
A new bug was found by our modified syzkaller.

Kernel Version: v6.9-rc7
Reproducer & Kernel config: attachment

=================
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 10871 Comm: usb-storage Not tainted 6.9.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
RIP: 0010:alauda_read_data drivers/usb/storage/alauda.c:954 [inline]
RIP: 0010:alauda_transport+0xd34/0x3280 drivers/usb/storage/alauda.c:1184
Code: 01 e8 85 ed 48 89 44 24 58 0f 84 00 02 00 00 89 6c 24 10 44 8b 74 24
18 e8 29 6e 0a fd 31 d2 4c 89 ff 44 89 f0 44 89 74 24 18 <f7> 74 24 78 41
89 c4 89 d5 44 89 e6 e8 8b c2 ff ff 0f b7 5c 24 50
RSP: 0018:ffffc9000b24fa68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff844799be
RDX: 0000000000000000 RSI: ffffffff844799f7 RDI: ffff88813bc6ccc0
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888115508b00 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88813bc6ccc0
FS: 0000000000000000(0000) GS:ffff8881f6400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0e17750658 CR3: 000000010d3c8000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
usb_stor_invoke_transport+0xed/0x1670 drivers/usb/storage/transport.c:611
usb_stor_control_thread+0x5d3/0xa80 drivers/usb/storage/usb.c:368
kthread+0x2c7/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:alauda_read_data drivers/usb/storage/alauda.c:954 [inline]
RIP: 0010:alauda_transport+0xd34/0x3280 drivers/usb/storage/alauda.c:1184
Code: 01 e8 85 ed 48 89 44 24 58 0f 84 00 02 00 00 89 6c 24 10 44 8b 74 24
18 e8 29 6e 0a fd 31 d2 4c 89 ff 44 89 f0 44 89 74 24 18 <f7> 74 24 78 41
89 c4 89 d5 44 89 e6 e8 8b c2 ff ff 0f b7 5c 24 50
RSP: 0018:ffffc9000b24fa68 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff844799be
RDX: 0000000000000000 RSI: ffffffff844799f7 RDI: ffff88813bc6ccc0
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888115508b00 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88813bc6ccc0
FS: 0000000000000000(0000) GS:ffff8881f6400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0e17750658 CR3: 000000010d3c8000 CR4: 0000000000750ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 01 e8 add %ebp,%eax
2: 85 ed test %ebp,%ebp
4: 48 89 44 24 58 mov %rax,0x58(%rsp)
9: 0f 84 00 02 00 00 je 0x20f
f: 89 6c 24 10 mov %ebp,0x10(%rsp)
13: 44 8b 74 24 18 mov 0x18(%rsp),%r14d
18: e8 29 6e 0a fd call 0xfd0a6e46
1d: 31 d2 xor %edx,%edx
1f: 4c 89 ff mov %r15,%rdi
22: 44 89 f0 mov %r14d,%eax
25: 44 89 74 24 18 mov %r14d,0x18(%rsp)
* 2a: f7 74 24 78 divl 0x78(%rsp) <-- trapping instruction
2e: 41 89 c4 mov %eax,%r12d
31: 89 d5 mov %edx,%ebp
33: 44 89 e6 mov %r12d,%esi
36: e8 8b c2 ff ff call 0xffffc2c6
3b: 0f b7 5c 24 50 movzwl 0x50(%rsp),%ebx


Attachments:
repro.c (21.01 kB)
.config (227.79 kB)

2024-05-22 07:35:07

by Greg Kroah-Hartman

Subject: Re: divide error in alauda_transport

On Wed, May 22, 2024 at 03:28:01PM +0800, Shichao Lai wrote:
> Hello Dear maintainer!
> A new bug was found by our modified syzkaller.

Nice, do you have a proposed fix for this issue so that we can give you
the credit for resolving the issue?

thanks,

greg k-h

2024-05-22 13:50:24

by Alan Stern

Subject: Re: divide error in alauda_transport

On Wed, May 22, 2024 at 06:01:57PM +0800, Shichao Lai wrote:
> Thanks for your patience. I am a beginner and initially attempted to report
> errors to the community.
> However, I have just discovered that the issue mentioned above has already
> been proposed in the previous three months of the article, and there is an
> ongoing discussion.

To call the discussion "ongoing" is optimistic. There hasn't been any
reply to my last post, which was made on March 17, more than two months
ago.

Maybe you can carry out the tests I described in that post. That
would be a big help.

Alan Stern

> I think this post can be closed later.
>
> https://groups.google.com/g/syzkaller-bugs/c/m8CuxSpLKoQ/m/JfUy1xGnAwAJ
>
> Greg Kroah-Hartman <[email protected]> wrote on Wed, May 22, 2024 at 16:59:
>
> > On Wed, May 22, 2024 at 04:22:18PM +0800, Shichao Lai wrote:
> > > patch like this:
> > > ```c
> > > while (sectors > 0) {
> > > if (!uzonesize) {
> > > return USB_STOR_TRANSPORT_ERROR;
> > > }
> > > unsigned int zone = lba / uzonesize; /* integer division */
> > > unsigned int lba_offset = lba - (zone * uzonesize);
> > > unsigned int pages;
> > > ```
> >
> > Please submit this properly and we will be glad to review it.
> >
> > thanks,
> >
> > greg k-h
> >

2024-05-23 06:32:41

by Greg Kroah-Hartman

Subject: Re: divide error in alauda_transport

On Thu, May 23, 2024 at 11:26:48AM +0800, Shichao Lai wrote:
> On Thu, May 23, 2024 at 03:59:30 UTC+8, <Alan Stern> wrote:
>
> > On Wed, May 22, 2024 at 06:01:57PM +0800, Shichao Lai wrote:
> > > Thanks for your patience. I am a beginner and initially attempted to
> > report
> > > errors to the community.
> > > However, I have just discovered that the issue mentioned above has
> > already
> > > been proposed in the previous three months of the article, and there is
> > an
> > > ongoing discussion.
> >
> > To call the discussion "ongoing" is optimistic. There hasn't been any
> > reply to my last post, which was made on March 17, more than two months
> > ago.
> >
> > Maybe you can carry out the tests I described in that post. That
> > would be a big help.
> >
> > Alan Stern
> >
> > > I think this post can be closed later.
> > >
> > > https://groups.google.com/g/syzkaller-bugs/c/m8CuxSpLKoQ/m/JfUy1xGnAwAJ
> > >
> > > Greg Kroah-Hartman <[email protected]
> > <https://groups.google.com/>> wrote on Wed, May 22, 2024 at 16:59:
> > >
> > > > On Wed, May 22, 2024 at 04:22:18PM +0800, Shichao Lai wrote:
> > > > > patch like this:
> > > > > ```c
> > > > > while (sectors > 0) {
> > > > > if (!uzonesize) {
> > > > > return USB_STOR_TRANSPORT_ERROR;
> > > > > }
> > > > > unsigned int zone = lba / uzonesize; /* integer division */
> > > > > unsigned int lba_offset = lba - (zone * uzonesize);
> > > > > unsigned int pages;
> > > > > ```
> > > >
> > > > Please submit this properly and we will be glad to review it.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
>
>
>
> Hello Dear Maintainer!
> I found the same divide error yesterday as
> https://groups.google.com/g/syzkaller-bugs/c/m8CuxSpLKoQ
> And I add a patch before drivers/usb/storage/alauda.c:950 in
> alauda_read_data().
> The true cause of this error is that the variable uzonesize may be set to 0.
> Here is my patch:
> ===========
>
> diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
> index 115f05a6201a..fb54af37efd5 100644
> --- a/drivers/usb/storage/alauda.c
> +++ b/drivers/usb/storage/alauda.c
> @@ -947,6 +947,9 @@ static int alauda_read_data(struct us_data *us,
> unsigned long address,
> sg = NULL;
>
> while (sectors > 0) {
> + if (!uzonesize) {
> + return USB_STOR_TRANSPORT_ERROR;
> + }
> unsigned int zone = lba / uzonesize; /* integer division */
> unsigned int lba_offset = lba - (zone * uzonesize);
> unsigned int pages;
>
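Review bot: the new `if (!uzonesize)` test sits inside `while (sectors > 0)`, so a loop-invariant value is re-checked on every iteration; hoist it above the loop, or better, reject a zero uzonesize at the point where it is derived from the media so that no caller of alauda_read_data() can reach the division at all. Two style points on the same lines: the kernel drops the braces around a single-statement body, and inserting a statement ahead of `unsigned int zone = lba / uzonesize;` breaks the declarations-first layout the loop body already has, so checkpatch will flag both. Separately, the context line `static int alauda_read_data(struct us_data *us,` has been wrapped onto a second line and the leading indentation of the `+`/context lines has been lost, so this paste will not apply with `git am`; regenerating it with git format-patch and sending it with git send-email, as Documentation/process/submitting_patches describes, avoids that.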


Great! Can you turn this into a real patch and send it to us so that we
can apply it properly? Directions for how to do so are in the
Documentation/process/submitting_patches file.

thanks,

greg k-h
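The arithmetic that traps in the report, as an added example that is not code from this thread or from the alauda driver: a constructed model of the per-zone chunking done in alauda_read_data(), with the zero check on uzonesize made once ahead of the loop rather than on every iteration. split_into_zones, zone_chunk and XFER_ERROR are hypothetical names, and the request values are constructed.

```c
#include <stdio.h>

/* Constructed model of the zone arithmetic in alauda_read_data(): example
 * code, not the driver's. XFER_ERROR stands in for the transport error code. */
#define XFER_ERROR (-1)

struct zone_chunk {
	unsigned int zone;        /* zone the chunk lies in */
	unsigned int lba_offset;  /* first sector within that zone */
	unsigned int pages;       /* sectors to transfer from that zone */
};

/* Split [lba, lba + sectors) into per-zone chunks. uzonesize (usable sectors
 * per zone, read from the media) is checked once, before the loop: it is
 * loop-invariant, and a zero value would make the division below trap with
 * the "divide error" in the report. Returns chunk count or XFER_ERROR. */
int split_into_zones(unsigned int lba, unsigned int sectors,
		     unsigned int uzonesize,
		     struct zone_chunk *out, unsigned int max_out)
{
	unsigned int n = 0;
	if (!uzonesize)
		return XFER_ERROR;
	while (sectors > 0) {
		unsigned int zone = lba / uzonesize;	/* integer division */
		unsigned int lba_offset = lba - zone * uzonesize;
		unsigned int pages = uzonesize - lba_offset;	/* room left in zone */

		if (pages > sectors)
			pages = sectors;
		if (n == max_out)
			return XFER_ERROR;	/* caller's table too small */
		out[n].zone = zone;
		out[n].lba_offset = lba_offset;
		out[n].pages = pages;
		n++;
		lba += pages;
		sectors -= pages;
	}
	return (int)n;
}

int main(void)
{
	struct zone_chunk c[4];
	int n = split_into_zones(1000, 50, 1024, c, 4);	/* constructed request */
	for (int i = 0; i < n; i++)
		printf("zone %u offset %u pages %u\n", c[i].zone, c[i].lba_offset, c[i].pages);
	printf("uzonesize 0 -> %d\n", split_into_zones(0, 8, 0, c, 4));
	return 0;
}
```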