Received: by 2002:a05:7208:13ce:b0:7f:395a:35b6 with SMTP id r14csp39285rbe;
        Wed, 28 Feb 2024 11:18:15 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCUEEAdDJLsgOxm8P8SFk+vusdJVgmhdvMrBYEBGV4e7jLCQFitWgr+efjAFRqKda9dcqDJNfAAQuL9erOvAIrM8+C2XTlLdDFBIoYOR4Q==
X-Google-Smtp-Source: AGHT+IEQ3QvFSlHPoq08ajvsxGuUShKSndRlMqo5nyAHrXtt1+2lo3nnYIn5GhXW0in+OP39Vjbv
X-Received: by 2002:aa7:d84e:0:b0:566:2f24:b063 with SMTP id f14-20020aa7d84e000000b005662f24b063mr297897eds.23.1709147895546;
        Wed, 28 Feb 2024 11:18:15 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709147895; cv=pass;
        d=google.com; s=arc-20160816;
        b=gewZBwTHusueQu9Ef8DV8MT7ONeQloEAHd86Kr40eCp3TPoPlfgG3Few5CFkxJmBwM
         TSGR3rnDY0oT9lkHHJv6ywnAk21XCrIPvZ74jPyPeO3CUl5kRrvLIE7aD9cpY6n+sSNy
         C2/p2XLD0cczbM1SQTYViSADAoUxDGTCN0eK3eClYt6YFQEWTO6JdDz+th6skawg7IoN
         I151c0p5kb0ZSN8IRJIE6+/aFZZVkILtkVvv92EX/PRet6lM8SjHSm7idiPSrUwpUJPC
         /BiyG6MYkN0xjKF3grOG8m3q5enPwxZ4u7xQ3Hx01HwsdVrdGaKoK+e/okS7RgfWkIRl
         l/kQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date;
        bh=Xa3SVJmK/GgRgAyMbBWeZMJN/MYlXw7D4mN7KBcftlo=;
        fh=QLcpBc4YWpil2uu0+EzDygsjOSd1vnYPMVXMe0jLnEY=;
        b=f/bYngxUbs+ZhD+mzFBoQqllGhkgv2S3VHtx5bVaSAXdCvbw7VuLHjE3SUre2jG/t0
         CtsLws7Cm7akR3J+G12zcoqF7RGqrB03CcSVa8mB1YWdWOy8Tk+YumPiGmBJTFUA1MnG
         uDkA/UICZceDdRFvuMV+A4VJ2rVVNiOAhADDwnuwv4U50miHYSm7hLb3//H2HAvudpxw
         U3TLKaJ4jfAjXlfmxCwPnE1uoSfQY359OTs2lVSOrZzsIVgQAozxjCUZ4fCjEgu676dy
         Q0zBAAh+LLJPk2gB4VUZGIMpoVluA9y4qk9DZ+Lp0n8wDZmTfj6Z3keT+9QSELN/BNFx
         /+Kw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=netrider.rowland.org);
       spf=pass (google.com: domain of linux-kernel+bounces-85583-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85583-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu
Return-Path: <linux-kernel+bounces-85583-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id a13-20020aa7d74d000000b00564c9e5874dsi1874054eds.509.2024.02.28.11.18.15
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 28 Feb 2024 11:18:15 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-85583-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=netrider.rowland.org);
       spf=pass (google.com: domain of linux-kernel+bounces-85583-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85583-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 511311F2543E
	for <linux.lists.archive@gmail.com>; Wed, 28 Feb 2024 19:18:15 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 333A07441A;
	Wed, 28 Feb 2024 19:18:09 +0000 (UTC)
Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5])
	by smtp.subspace.kernel.org (Postfix) with SMTP id 0F8306EEE2
	for <linux-kernel@vger.kernel.org>; Wed, 28 Feb 2024 19:18:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.131.102.5
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709147888; cv=none; b=dSMPbqSGt/8cTlVSJo6DoCHxvwCo5BllrROfD7tmvb3xip8d+D4jYg3YABfa5UUpMUqKDDtyT+94yEmdP/fj9j4Qq7c59jcYiM35rN9V+ilXi5FF913KaVH9CS+9HjGNULXS2DqwHfAILwZ3iVm90ri+lEFIFKFXYr0yUUZ1z0Q=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709147888; c=relaxed/simple;
	bh=OoGhik1CJEg26BYkXqp4KyyBm5Eyqo0YaZozyXpxoPc=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=GMdUSzBayXjMRGSPRe7jzFKCm5TbgbH1k8TQatmTefjoq23gmzawmNPSAZ/DYqgrE7eROiwhTcCgxOtWL9HdCoI6vWtaqqHRIzE9bzRZvddHfRTeGu5CAEsJFcQU1RVLW584B7cOm5wPrNk5gzA1MK4yTS6DJhLQ/JpcTpUpSGw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=rowland.harvard.edu; spf=pass smtp.mailfrom=netrider.rowland.org; arc=none smtp.client-ip=192.131.102.5
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=rowland.harvard.edu
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=netrider.rowland.org
Received: (qmail 803099 invoked by uid 1000); 28 Feb 2024 14:18:00 -0500
Date: Wed, 28 Feb 2024 14:18:00 -0500
From: Alan Stern <stern@rowland.harvard.edu>
To: Aleksandr Nogikh <nogikh@google.com>
Cc: syzbot <syzbot+28748250ab47a8f04100@syzkaller.appspotmail.com>,
  bvanassche@acm.org, emilne@redhat.com, gregkh@linuxfoundation.org,
  linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
  martin.petersen@oracle.com, syzkaller-bugs@googlegroups.com,
  tasos@tasossah.com, usb-storage@lists.one-eyed-alien.net
Subject: Re: [syzbot] [usb-storage?] divide error in isd200_ata_command
Message-ID: <380909e4-6e0a-402f-b3ac-de07e520c910@rowland.harvard.edu>
References: <8fe3f46c-4ee5-4597-bf2d-12a5d634a264@rowland.harvard.edu>
 <0000000000008b026406126a4bbe@google.com>
 <13add23d-af18-4f84-9f1a-043932a9712b@rowland.harvard.edu>
 <CANp29Y4DUvL5zsnqQmhPGkbc=EN6UjFrWF9EZGE5U_=0C9+1Nw@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CANp29Y4DUvL5zsnqQmhPGkbc=EN6UjFrWF9EZGE5U_=0C9+1Nw@mail.gmail.com>

On Wed, Feb 28, 2024 at 05:52:50PM +0100, Aleksandr Nogikh wrote:
> Hi Alan,
> 
> Please try it once more with the full commit hash.

Thanks for the advice.  Are you a good person to complain to about the 
difference between what syzbot provides and what it will accept?  This 
bug report states

HEAD commit:    f2e367d6ad3b Merge tag 'for-6.8/dm-fix-3' of git://git.ker..
git tree:       upstream

But if I specify "upstream" as the git tree on a syz test request, it 
doesn't accept it.  Now you're suggesting that if I put f2e367d6ad3b as 
the commit ID, it won't accept it.

There's probably already a bugfix request for this, but I'd like to push 
on it some more.  Syzbot's output should be acceptable as its input!

Okay, here goes with the full commit ID...

Alan Stern

On Mon, Feb 26, 2024 at 01:42:26AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    f2e367d6ad3b Merge tag 'for-6.8/dm-fix-3' of git://git.ker..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=114e10e4180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=eff9f3183d0a20dd
> dashboard link: https://syzkaller.appspot.com/bug?extid=28748250ab47a8f04100
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1064b372180000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10aca6ac180000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c55ca1fdc5ad/disk-f2e367d6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4556a82fb4ed/vmlinux-f2e367d6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/95338ed9dad1/bzImage-f2e367d6.xz
> 
> The issue was bisected to:
> 
> commit 321da3dc1f3c92a12e3c5da934090d2992a8814c
> Author: Martin K. Petersen <martin.petersen@oracle.com>
> Date:   Tue Feb 13 14:33:06 2024 +0000
> 
>     scsi: sd: usb_storage: uas: Access media prior to querying device properties
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15a3934a180000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=17a3934a180000
> console output: https://syzkaller.appspot.com/x/log.txt?x=13a3934a180000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+28748250ab47a8f04100@syzkaller.appspotmail.com
> Fixes: 321da3dc1f3c ("scsi: sd: usb_storage: uas: Access media prior to querying device properties")
> 
> divide error: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 PID: 5070 Comm: usb-storage Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
> RIP: 0010:isd200_scsi_to_ata drivers/usb/storage/isd200.c:1318 [inline]
> RIP: 0010:isd200_ata_command+0x776/0x2380 drivers/usb/storage/isd200.c:1529

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ f2e367d6ad3bdc527c2b14e759c2f010d6b2b7a1
Index: usb-devel/drivers/usb/storage/isd200.c
===================================================================
--- usb-devel.orig/drivers/usb/storage/isd200.c
+++ usb-devel/drivers/usb/storage/isd200.c
@@ -1105,7 +1105,7 @@ static void isd200_dump_driveid(struct u
 static int isd200_get_inquiry_data( struct us_data *us )
 {
 	struct isd200_info *info = (struct isd200_info *)us->extra;
-	int retStatus = ISD200_GOOD;
+	int retStatus;
 	u16 *id = info->id;
 
 	usb_stor_dbg(us, "Entering isd200_get_inquiry_data\n");
@@ -1137,6 +1137,13 @@ static int isd200_get_inquiry_data( stru
 				isd200_fix_driveid(id);
 				isd200_dump_driveid(us, id);
 
+				/* Prevent division by 0 in isd200_scsi_to_ata() */
+				if (id[ATA_ID_HEADS] == 0 || id[ATA_ID_SECTORS] == 0) {
+					usb_stor_dbg(us, "   Invalid ATA Identify data\n");
+					retStatus = ISD200_ERROR;
+					goto Done;
+				}
+
 				memset(&info->InquiryData, 0, sizeof(info->InquiryData));
 
 				/* Standard IDE interface only supports disks */
@@ -1202,6 +1209,7 @@ static int isd200_get_inquiry_data( stru
 		}
 	}
 
+ Done:
 	usb_stor_dbg(us, "Leaving isd200_get_inquiry_data %08X\n", retStatus);
 
 	return(retStatus);
@@ -1481,22 +1489,27 @@ static int isd200_init_info(struct us_da
 
 static int isd200_Initialization(struct us_data *us)
 {
+	int rc = 0;
+
 	usb_stor_dbg(us, "ISD200 Initialization...\n");
 
 	/* Initialize ISD200 info struct */
 
-	if (isd200_init_info(us) == ISD200_ERROR) {
+	if (isd200_init_info(us) < 0) {
 		usb_stor_dbg(us, "ERROR Initializing ISD200 Info struct\n");
+		rc = -ENOMEM;
 	} else {
 		/* Get device specific data */
 
-		if (isd200_get_inquiry_data(us) != ISD200_GOOD)
+		if (isd200_get_inquiry_data(us) != ISD200_GOOD) {
 			usb_stor_dbg(us, "ISD200 Initialization Failure\n");
-		else
+			rc = -EINVAL;
+		} else {
 			usb_stor_dbg(us, "ISD200 Initialization complete\n");
+		}
 	}
 
-	return 0;
+	return rc;
 }