Received: by 2002:ab2:2997:0:b0:1ec:cbc4:63fb with SMTP id n23csp524867lqb; Thu, 29 Feb 2024 07:40:33 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVv6hdx5Nln4/kAlJexZ+ZqfLbHDa6ldFzVuoBGctfOWIFrmasDRzOrByHkvvWTP36Rom900JH6againXus7St3KMTBi82ezsgQVTFGrw== X-Google-Smtp-Source: AGHT+IG298hjO/+H814xDuvdbd3iOx/wLGTqyYdDSACULdNGVvuzmASFnus1bN9LFOeQslyUViNF X-Received: by 2002:a17:906:80c4:b0:a43:ff8c:6d9c with SMTP id a4-20020a17090680c400b00a43ff8c6d9cmr1946431ejx.56.1709221233101; Thu, 29 Feb 2024 07:40:33 -0800 (PST) Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id g19-20020a170906199300b00a43bf146e71si661335ejd.698.2024.02.29.07.40.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Feb 2024 07:40:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-86938-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@google.com header.s=20230601 header.b=s1L7tTd1; arc=fail (body hash mismatch); spf=pass (google.com: domain of linux-kernel+bounces-86938-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-86938-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id AF6861F23361 for ; Thu, 29 Feb 2024 15:40:32 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B29C514A0B7; Thu, 29 Feb 2024 15:40:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="s1L7tTd1" Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1CE2B145FE1 for ; Thu, 29 Feb 2024 15:40:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.178 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709221221; cv=none; b=Ir1yxfKCos7usJFlYCvvfYcVXMIgwrPhX6iyAENzYpHfNsuKduzzduMaAvu+/3XedMZGFR/cOk+dxFgxaJXbxxXEPWvU53Si0lYlTdPhnwhLrEHsVUsDamAAaBMaQSg4edbg+FS6AyQnDEHUT2rqBaYzci5b/TxV2uxAbYPRIQc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709221221; c=relaxed/simple; bh=vl4r6f9A4c/KKfnU4Nr5FNHhSTwmYeD20JiNkU2673c=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=YRleSYWfycqC/98zdrqdf8Hu/GAhsRuRzyKdpLfuUQtk+JOMuIXFW/dPZ8v0HRi+b742YkBbeo41M4X+2eU6V2iZEvkHbwQxQwtBdZ1bRcSc9iDPdSZqvYWuyqa1YeSeVRSD87KbSK9dUW244UcidJ3s3+flaoeZrSS5pbO745U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=s1L7tTd1; arc=none smtp.client-ip=209.85.214.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1dc9f4d1106so176495ad.0 for ; Thu, 29 Feb 2024 07:40:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1709221219; x=1709826019; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=XPtYyP7t0NFgMkniDi99zk16rKwZpHYjTsBi+fDdWUA=; b=s1L7tTd1VXOAJTGj4fK0Hwnaw8DI24qElE1BxsimrLHDvjfn0y2JfqTLVTfvN8OdYQ yazMEHKOWyUTFu3PcFwmdwcnghPjmBJFIC0SSKSzG/vhgiWxlHy/4qqQSa76rUJYehAx 0I8mmJif35bl/Vdwc65sVSyRl+5iVbawF49SdsPRwCsy9Bi5ZpNqPg599Cb72G1tGiB8 tY33ZtjnrIAWQAAP13u/Fz6RLaFiqatEU1vrcIIS5rrJMkF2AOhd5QZVYf3S7JVKcVk9 MGpNNb1oIV/R81L+K+kS5IDpFG5BJCYE4FLM3s/klARqraPxvef+FKczTd+HPAPcl2Is NRUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709221219; x=1709826019; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XPtYyP7t0NFgMkniDi99zk16rKwZpHYjTsBi+fDdWUA=; b=MhynBkXD6DVr1htqwEg748WTpGgvl+iDh8VxQPGXowy4UYHBGpaA/fRB7tAKllbCfi 1F781oRHx4WcGZ5SyIDM+Ws4dHlO/V5yprmuTzdk30f8Yr9UWLO9ij2uEhD0Fc0Ecgs6 N+QQ1auxmbnPtKxBzukwyP1yM5S1UJbnW9AReupiO8DJM/6tWdq+/s6UPVKZ9CHkLxUu EecOoRBu+WV+oj4fzYJVi+CrsfYrzVqkUAM1221X6ONXrJGpSDpHnU9JonqmRxMlxQ2o H1GNJutl1eGIAZ1K2V6iABIYvEKa211YxZqdf8GlVl6g508cTv9LdE6wbZeIaU0yBJYS I8qw== X-Forwarded-Encrypted: i=1; AJvYcCVzJF3A/xDLqph/MZMwfAW+bpxY8yqM0CQk4PgoDFdQhxHs/0G2cy8WcjGlnIQaZIskG/1nFvcLbmKcuMBhTunXTmf1AIvG5k4HKSBj X-Gm-Message-State: AOJu0Yz8ie33Au4tCgJRaUjLQypKnO1K0zXeNj9t6T3txgPCMPCpY8uQ sYBMcxh2rzckKqwJ77aCy51jiu8pcsgl+vZ3NX/oGW/BHaW96AuWN8mbjWZhtoyHHfDq09JvLvT 6jWBsEJb56L+nfQZ4bMXYa0pE0cRm1so2aqeN X-Received: by 2002:a17:902:e88d:b0:1db:9fed:c591 with SMTP id w13-20020a170902e88d00b001db9fedc591mr193659plg.22.1709221219060; Thu, 29 Feb 2024 07:40:19 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <8fe3f46c-4ee5-4597-bf2d-12a5d634a264@rowland.harvard.edu> <0000000000008b026406126a4bbe@google.com> <13add23d-af18-4f84-9f1a-043932a9712b@rowland.harvard.edu> <380909e4-6e0a-402f-b3ac-de07e520c910@rowland.harvard.edu> In-Reply-To: <380909e4-6e0a-402f-b3ac-de07e520c910@rowland.harvard.edu> From: Aleksandr Nogikh Date: Thu, 29 Feb 2024 16:40:05 +0100 Message-ID: Subject: Re: [syzbot] [usb-storage?] divide error in isd200_ata_command To: Alan Stern Cc: syzbot , bvanassche@acm.org, emilne@redhat.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, martin.petersen@oracle.com, syzkaller-bugs@googlegroups.com, tasos@tasossah.com, usb-storage@lists.one-eyed-alien.net Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Feb 28, 2024 at 8:18=E2=80=AFPM Alan Stern wrote: > > On Wed, Feb 28, 2024 at 05:52:50PM +0100, Aleksandr Nogikh wrote: > > Hi Alan, > > > > Please try it once more with the full commit hash. > > Thanks for the advice. Are you a good person to complain to about the > difference between what syzbot provides and what it will accept? This > bug report states > > HEAD commit: f2e367d6ad3b Merge tag 'for-6.8/dm-fix-3' of git://git.ke= r.. > git tree: upstream > > But if I specify "upstream" as the git tree on a syz test request, it > doesn't accept it. Now you're suggesting that if I put f2e367d6ad3b as > the commit ID, it won't accept it. > > There's probably already a bugfix request for this, but I'd like to push > on it some more. Syzbot's output should be acceptable as its input! That all totally makes sense. Thanks for highlighting the problems! For accepting "upstream" (and alike) as input, there was already a github i= ssue: https://github.com/google/syzkaller/issues/2265 That syzbot is not able to fetch commits by their short hashes was only discovered yesterday. I've just sent PRs with fixes for both issues. If there's anything else that can make syzbot reports better, please let me know :) --=20 Aleksandr > > Okay, here goes with the full commit ID... > > Alan Stern > > On Mon, Feb 26, 2024 at 01:42:26AM -0800, syzbot wrote: > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: f2e367d6ad3b Merge tag 'for-6.8/dm-fix-3' of git://git.= ker.. > > git tree: upstream > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=3D114e10e4180= 000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=3Deff9f3183d0= a20dd > > dashboard link: https://syzkaller.appspot.com/bug?extid=3D28748250ab47a= 8f04100 > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for D= ebian) 2.40 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=3D1064b3721= 80000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=3D10aca6ac180= 000 > > > > Downloadable assets: > > disk image: https://storage.googleapis.com/syzbot-assets/c55ca1fdc5ad/d= isk-f2e367d6.raw.xz > > vmlinux: https://storage.googleapis.com/syzbot-assets/4556a82fb4ed/vmli= nux-f2e367d6.xz > > kernel image: https://storage.googleapis.com/syzbot-assets/95338ed9dad1= /bzImage-f2e367d6.xz > > > > The issue was bisected to: > > > > commit 321da3dc1f3c92a12e3c5da934090d2992a8814c > > Author: Martin K. Petersen > > Date: Tue Feb 13 14:33:06 2024 +0000 > > > > scsi: sd: usb_storage: uas: Access media prior to querying device p= roperties > > > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=3D15a3934a= 180000 > > final oops: https://syzkaller.appspot.com/x/report.txt?x=3D17a3934a= 180000 > > console output: https://syzkaller.appspot.com/x/log.txt?x=3D13a3934a180= 000 > > > > IMPORTANT: if you fix the issue, please add the following tag to the co= mmit: > > Reported-by: syzbot+28748250ab47a8f04100@syzkaller.appspotmail.com > > Fixes: 321da3dc1f3c ("scsi: sd: usb_storage: uas: Access media prior to= querying device properties") > > > > divide error: 0000 [#1] PREEMPT SMP KASAN PTI > > CPU: 0 PID: 5070 Comm: usb-storage Not tainted 6.8.0-rc5-syzkaller-0029= 7-gf2e367d6ad3b #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS= Google 01/25/2024 > > RIP: 0010:isd200_scsi_to_ata drivers/usb/storage/isd200.c:1318 [inline] > > RIP: 0010:isd200_ata_command+0x776/0x2380 drivers/usb/storage/isd200.c:= 1529 > > #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux= git/ f2e367d6ad3bdc527c2b14e759c2f010d6b2b7a1 > Index: usb-devel/drivers/usb/storage/isd200.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- usb-devel.orig/drivers/usb/storage/isd200.c > +++ usb-devel/drivers/usb/storage/isd200.c > @@ -1105,7 +1105,7 @@ static void isd200_dump_driveid(struct u > static int isd200_get_inquiry_data( struct us_data *us ) > { > struct isd200_info *info =3D (struct isd200_info *)us->extra; > - int retStatus =3D ISD200_GOOD; > + int retStatus; > u16 *id =3D info->id; > > usb_stor_dbg(us, "Entering isd200_get_inquiry_data\n"); > @@ -1137,6 +1137,13 @@ static int isd200_get_inquiry_data( stru > isd200_fix_driveid(id); > isd200_dump_driveid(us, id); > > + /* Prevent division by 0 in isd200_scsi_t= o_ata() */ > + if (id[ATA_ID_HEADS] =3D=3D 0 || id[ATA_I= D_SECTORS] =3D=3D 0) { > + usb_stor_dbg(us, " Invalid ATA = Identify data\n"); > + retStatus =3D ISD200_ERROR; > + goto Done; > + } > + > memset(&info->InquiryData, 0, sizeof(info= ->InquiryData)); > > /* Standard IDE interface only supports d= isks */ > @@ -1202,6 +1209,7 @@ static int isd200_get_inquiry_data( stru > } > } > > + Done: > usb_stor_dbg(us, "Leaving isd200_get_inquiry_data %08X\n", retSta= tus); > > return(retStatus); > @@ -1481,22 +1489,27 @@ static int isd200_init_info(struct us_da > > static int isd200_Initialization(struct us_data *us) > { > + int rc =3D 0; > + > usb_stor_dbg(us, "ISD200 Initialization...\n"); > > /* Initialize ISD200 info struct */ > > - if (isd200_init_info(us) =3D=3D ISD200_ERROR) { > + if (isd200_init_info(us) < 0) { > usb_stor_dbg(us, "ERROR Initializing ISD200 Info struct\n= "); > + rc =3D -ENOMEM; > } else { > /* Get device specific data */ > > - if (isd200_get_inquiry_data(us) !=3D ISD200_GOOD) > + if (isd200_get_inquiry_data(us) !=3D ISD200_GOOD) { > usb_stor_dbg(us, "ISD200 Initialization Failure\n= "); > - else > + rc =3D -EINVAL; > + } else { > usb_stor_dbg(us, "ISD200 Initialization complete\= n"); > + } > } > > - return 0; > + return rc; > } > > > >