Message-ID: <CANypQFYtQxHL5ghREs-BujZG413RPJGnO5TH=xjFBKpPts33tA@mail.gmail.com>
Date: Sun, 12 Oct 2025 19:11:53 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: linux-sound@...r.kernel.org, perex@...ex.cz, tiwai@...e.com
Cc: broonie@...nel.org, cryolitia@...ontech.com, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org, pierre-louis.bossart@...ux.dev,
quic_wcheng@...cinc.com, syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] general protection fault in try_to_register_card
Dear Linux kernel developers and maintainers:

We are writing to report a general protection fault discovered in the
kernel with our modified syzkaller. This bug is reproducible on the
latest version (commit 67029a49db6c1f21106a1b5fcdd0ea234a6e0711).
The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are attached to this email to help analysis. The KASAN
report from kernel (commit 67029a49), formatted by syz-symbolize, is
listed below:
==================================================================
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
usb 1-1: new full-speed USB device number 2 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 2 has an invalid interface number: 131 but max is 3
usb 1-1: config 2 has an invalid interface number: 160 but max is 3
usb 1-1: config 2 has an invalid descriptor of length 0, skipping
remainder of the config
usb 1-1: config 2 has 2 interfaces, different from the descriptor's value: 4
usb 1-1: config 2 has no interface number 0
usb 1-1: config 2 has no interface number 1
usb 1-1: config 2 interface 160 altsetting 9 has an invalid descriptor
for endpoint zero, skipping
usb 1-1: config 2 interface 160 altsetting 9 has 2 endpoint
descriptors, different from the interface descriptor's value: 16
usb 1-1: config 2 interface 131 has no altsetting 0
usb 1-1: config 2 interface 160 has no altsetting 0
usb 1-1: New USB device found, idVendor=0dba, idProduct=5000, bcdDevice=3a.c9
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: MBOX3: Initialized.
Oops: general protection fault, probably for non-canonical address
0xdffffc000000001c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000000e0-0x00000000000000e7]
CPU: 1 UID: 0 PID: 793 Comm: kworker/1:2 Not tainted
6.17.0-12904-g67029a49db6c #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_interface_claimed include/linux/usb.h:918 [inline]
RIP: 0010:try_to_register_card+0x248/0x300 sound/usb/card.c:896
Code: de cd 30 f9 49 8b 3f 44 89 f6 e8 43 e5 fa fd 49 89 c6 49 81 c6
e0 00 00 00 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c
08 00 74 08 4c 89 f7 e8 aa cd 30 f9 49 83 3e 00 74 73 e8 ff
RSP: 0018:ffffc9000462eb80 EFLAGS: 00010202
RAX: 000000000000001c RBX: ffff888049b02a30 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000a0
RBP: ffffc9000462ec30 R08: ffffc9000462e9e7 R09: 1ffff920008c5d3c
R10: dffffc0000000000 R11: ffffffff88f59950 R12: 00000000000000f8
R13: 1ffff11009360559 R14: 00000000000000e0 R15: ffff888049b02a38
FS: 0000000000000000(0000) GS:ffff8880ec976000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f86fb0e16f8 CR3: 0000000028a6b000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
usb_audio_probe+0x143f/0x1e60 sound/usb/card.c:1039
usb_probe_interface+0x668/0xc30 drivers/usb/core/driver.c:396
really_probe+0x26d/0x9f0 drivers/base/dd.c:659
__driver_probe_device+0x190/0x390 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b7/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_set_configuration+0x1a5c/0x20b0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
really_probe+0x26d/0x9f0 drivers/base/dd.c:659
__driver_probe_device+0x190/0x390 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b7/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_new_device+0xb9d/0x1a00 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x290c/0x49a0 drivers/usb/core/hub.c:5952
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:usb_interface_claimed include/linux/usb.h:918 [inline]
RIP: 0010:try_to_register_card+0x248/0x300 sound/usb/card.c:896
Code: de cd 30 f9 49 8b 3f 44 89 f6 e8 43 e5 fa fd 49 89 c6 49 81 c6
e0 00 00 00 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c
08 00 74 08 4c 89 f7 e8 aa cd 30 f9 49 83 3e 00 74 73 e8 ff
RSP: 0018:ffffc9000462eb80 EFLAGS: 00010202
RAX: 000000000000001c RBX: ffff888049b02a30 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000a0
RBP: ffffc9000462ec30 R08: ffffc9000462e9e7 R09: 1ffff920008c5d3c
R10: dffffc0000000000 R11: ffffffff88f59950 R12: 00000000000000f8
R13: 1ffff11009360559 R14: 00000000000000e0 R15: ffff888049b02a38
FS: 0000000000000000(0000) GS:ffff8880ec976000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f067e010980 CR3: 0000000024315000 CR4: 0000000000752ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
0: de cd fmulp %st,%st(5)
2: 30 f9 xor %bh,%cl
4: 49 8b 3f mov (%r15),%rdi
7: 44 89 f6 mov %r14d,%esi
a: e8 43 e5 fa fd call 0xfdfae552
f: 49 89 c6 mov %rax,%r14
12: 49 81 c6 e0 00 00 00 add $0xe0,%r14
19: 4c 89 f0 mov %r14,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 f7 mov %r14,%rdi
33: e8 aa cd 30 f9 call 0xf930cde2
38: 49 83 3e 00 cmpq $0x0,(%r14)
3c: 74 73 je 0xb1
3e: e8 .byte 0xe8
3f: ff .byte 0xff
==================================================================
Please let me know if any further information is required.
Best Regards,
Jiaming Zhang.
View attachment "repro.c" of type "text/plain" (17279 bytes)
Download attachment ".config" of type "application/xml" (276250 bytes)
Download attachment "kernel.log" of type "application/octet-stream" (188867 bytes)
Download attachment "report" of type "application/octet-stream" (6235 bytes)
Download attachment "repro.syz" of type "application/octet-stream" (693 bytes)
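The two headline lines of the report, the "general protection fault, probably for non-canonical address 0xdffffc000000001c" and the "KASAN: null-ptr-deref in range [0xe0-0xe7]", are the same fact seen from two sides of KASAN's shadow mapping, and the disassembly shows the mapping being computed: the value returned by the call is placed in %r14, 0xe0 is added, the result is shifted right by 3 and added to 0xdffffc0000000000, and the shadow byte at that address is tested. R14 being exactly 0x00000000000000e0 at the trap is consistent with the call having returned NULL, so the instrumented access is to a field at offset 0xe0 of a NULL struct pointer; given the warnings earlier in the log that config 2 has no interface number 0 or 1, a NULL result from an interface lookup is the natural reading, though the report itself does not say which call it is. The C program below is an added example, not part of this report or of the kernel's own code: it reproduces the arithmetic that turns the trapping shadow address back into the original access range and explains why the access raised #GP instead of a page fault (the shadow address of a near-NULL pointer is non-canonical). The shadow offset and shift are the constants visible in the disassembly; the PAGE_SIZE and TASK_SIZE thresholds are assumed values for a 4K-page x86_64 build and are named as such in the code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Generic KASAN on x86_64 keeps one shadow byte per 8 bytes of memory:
 *     shadow = (addr >> 3) + KASAN_SHADOW_OFFSET
 * Both constants appear verbatim in the report's disassembly
 * ("shr $0x3,%rax" and "movabs $0xdffffc0000000000,%rcx").
 */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)

/* Classification thresholds. The kernel uses PAGE_SIZE and TASK_SIZE here;
 * the concrete values below are assumptions for a 4K-page x86_64 build. */
#define ASSUMED_PAGE_SIZE 0x1000ULL
#define ASSUMED_TASK_SIZE 0x00007ffffffff000ULL

/* Memory address -> address of the shadow byte the instrumented load checks. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Shadow byte address -> first memory address that shadow byte covers. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* A 48-bit virtual address is canonical when bits 63..47 are all equal.
 * The shadow of a low (NULL-page or user-space) pointer is not canonical,
 * so touching it raises #GP, which is why the oops says "general protection
 * fault" rather than reporting a page fault. */
int is_canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;           /* the 17 high bits */
    return top == 0 || top == 0x1ffff;
}

/* Lowest address of the 8-byte granule described by the faulting shadow byte. */
uint64_t kasan_fault_start(uint64_t fault_addr)
{
    return kasan_shadow_to_mem(fault_addr);
}

/* Highest address of that granule (the "-...e7" end of the printed range). */
uint64_t kasan_fault_end(uint64_t fault_addr)
{
    return kasan_shadow_to_mem(fault_addr) + KASAN_GRANULE_SIZE - 1;
}

/* Bug type as the kernel labels a non-canonical shadow access.
 * Returns NULL when the faulting address is not a shadow address at all. */
const char *kasan_fault_kind(uint64_t fault_addr)
{
    if (fault_addr < KASAN_SHADOW_OFFSET)
        return NULL;
    uint64_t orig = kasan_shadow_to_mem(fault_addr);
    if (orig < ASSUMED_PAGE_SIZE)
        return "null-ptr-deref";
    if (orig < ASSUMED_TASK_SIZE)
        return "probably user-memory-access";
    return "maybe wild-memory-access";
}

int main(void)
{
    /* Values taken from the report: R14 is the pointer being checked
     * (NULL + 0xe0) and the Oops line names the shadow address that trapped. */
    uint64_t r14 = 0xe0;
    uint64_t fault = 0xdffffc000000001cULL;

    printf("shadow of R14 0x%llx = 0x%llx (canonical: %s)\n",
           (unsigned long long)r14,
           (unsigned long long)kasan_mem_to_shadow(r14),
           is_canonical48(kasan_mem_to_shadow(r14)) ? "yes" : "no");
    printf("KASAN: %s in range [0x%016llx-0x%016llx]\n",
           kasan_fault_kind(fault),
           (unsigned long long)kasan_fault_start(fault),
           (unsigned long long)kasan_fault_end(fault));
    return 0;
}
```

Running it with the report's values reproduces the kernel's "KASAN: null-ptr-deref in range [0x00000000000000e0-0x00000000000000e7]" line, and the same functions can be pointed at any other non-canonical #GP address from a KASAN build to decide quickly whether a crash is a NULL-offset dereference (a missing NULL check, as the config warnings suggest here), a user-pointer access, or a wild pointer, before reading the full trace.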