Date: Tue, 8 Jan 2019 15:26:09 +0100
From: Samuel Thibault
To: Greg KH
Cc: Kyungtae Kim, devel@driverdev.osuosl.org, kirk@reisers.ca, speakup@linux-speakup.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Byoungyoung Lee, DaeRyong Jeong, Christopher Brannon
Subject: Re: general protection fault in spk_ttyio_ldisc_close

Greg KH, on Tue, 08 Jan 2019 15:25:07 +0100, wrote:
> On Tue, Jan 08, 2019 at 09:15:02AM -0500, Kyungtae Kim wrote:
> > On Tue, Jan 8, 2019 at 8:50 AM Greg KH wrote:
> > >
> > > On Tue, Jan 08, 2019 at 08:37:37AM -0500, Kyungtae Kim wrote:
> > > > We report a bug in linux-4.20: "general protection fault in
> > > > spk_ttyio_ldisc_close"
> > > >
> > > > kernel config: https://kt0755.github.io/etc/config_v4.20_stable
> > > > repro: https://kt0755.github.io/etc/repro.a670e.c
> > > >
> > > > This occurs when the function kfree is about to execute
> > > > (driver/staging/speakup/spk_ttyio.c:68).
> > > > Particularly, kfree takes the argument like speakup_tty->disc_data.
> > > > But speakup_tty is invalid, so the pointer dereference causes GPF.
> > > > At a glance, it seems that speakup_tty was deallocated somewhere ahead of kfree.
> > >
> > > How did you trigger this? Did you shut down and close the device
> > > already somehow? Do you have a real tty device that is driven by the
> > > device?
> > >
> > > thanks,
> > >
> > > greg k-h
> >
> > For this crash, we did without real speakup tty device.
>
> How did you bind a non-real speakup tty device to the driver?

One can tell any device name to the driver and it will attempt to
communicate with it.

Samuel