[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <6fa0a6e9-7123-4538-8a98-660a594e72d7@rowland.harvard.edu>
Date: Sun, 17 Mar 2024 16:59:32 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: xingwei lee <xrivendell7@...il.com>
Cc: gregkh@...uxfoundation.org, usb-storage@...ts.one-eyed-alien.net,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
samsun1006219@...il.com, syzkaller-bugs@...glegroups.com
Subject: Re: divide error in alauda_transport
On Sun, Mar 17, 2024 at 11:57:58PM +0800, xingwei lee wrote:
> On Mar 17, 2024, at 23:04, Alan Stern <stern@...land.harvard.edu> wrote:
>
> On Sun, Mar 17, 2024 at 04:31:01PM +0800, xingwei lee wrote:
>
> Hello I found a bug in latest upstream titled "divide error in
> alauda_transport", and maybe is realted with usb.
> I comfired in the latest upstream the poc tree can trigger the issue.
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: xingwei lee <xrivendell7@...il.com>
> Reported-by: yue sun <samsun1006219@...il.com>
>
> kernel: upstream 9187210eee7d87eea37b45ea93454a88681894a4
> config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1c6662240382da2
> with KASAN enabled
> compiler: gcc (Debian 12.2.0-14) 12.2.0
>
> divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 2 PID: 8229 Comm: usb-storage Not tainted 6.8.0-05202-g9187210eee7d #20
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.16.2-1.fc38 04/01/2014
> RIP: 0010:alauda_read_data drivers/usb/storage/alauda.c:954 [inline]
> RIP: 0010:alauda_transport+0xcaf/0x3830 drivers/usb/storage/alauda.c:1184
> Hi Alan
>
> I apply your patch in my upstream commit
> 9187210eee7d87eea37b45ea93454a88681894a4
> However, the poc still trigger the bug like below:
> [ 146.141945][ T8215] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> [ 146.143565][ T8215] CPU: 1 PID: 8215 Comm: usb-storage Not tainted
> 6.8.0-05202-g9187210eee7d-dirty #21
> [ 146.145319][ T8215] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.16.2-1.fc38 04/01/2014
> [ 146.146720][ T8215] RIP: 0010:alauda_transport+0xc65/0x38b0
The line in your original bug report, alauda.c:954, was a call to
alauda_ensure_map_for_zone(), which my patch moves to a different
location so that a test for overflow can run first. It's hard to tell
whether the divide error occurs before the function call, within the
function, or after.
Furthermore, alauda_ensure_map_for_zone() calls alauda_read_map(), and
it's hard to tell if the divide error occurs before that function call
or within the function.
Can you try adding some pr_info() statements to those places so we can
determine exactly where the error occurs? The only divisions that I see
are by 2 or by uzonesize, which should always be nonzero. Maybe you can
print out the value of uzonesize so we can verify this.
Thanks,
Alan Stern
Powered by blists - more mailing lists