lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 11 Jun 2020 14:51:18 +1000
From:   Peter Hutterer <peter.hutterer@...-t.net>
To:     Jiri Kosina <jikos@...nel.org>
Cc:     Andrey Konovalov <andreyknvl@...gle.com>,
        syzbot <syzbot+6921abfb75d6fc79c0eb@...kaller.appspotmail.com>,
        Benjamin Tissoires <benjamin.tissoires@...hat.com>,
        "open list:HID CORE LAYER" <linux-input@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Dmitry Torokhov <dmitry.torokhov@...il.com>,
        amir73il@...il.com, Felipe Balbi <balbi@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jan Kara <jack@...e.cz>, kuba@...nel.org,
        linux-fsdevel@...r.kernel.org, mathew.j.martineau@...ux.intel.com,
        matthieu.baerts@...sares.net, mptcp@...ts.01.org,
        netdev <netdev@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: INFO: task hung in corrupted (2)

On Thu, Jun 04, 2020 at 01:41:07PM +0200, Jiri Kosina wrote:
> On Tue, 2 Jun 2020, Andrey Konovalov wrote:
> 
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    b0c3ba31 Merge tag 'fsnotify_for_v5.7-rc8' of git://git.ke..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14089eee100000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=ce116858301bc2ea
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=6921abfb75d6fc79c0eb
> > > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14947d26100000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=172726d2100000
> > >
> > > The bug was bisected to:
> > >
> > > commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10
> > > Author: Andrey Konovalov <andreyknvl@...gle.com>
> > > Date:   Mon Feb 24 16:13:03 2020 +0000
> > >
> > >     usb: gadget: add raw-gadget interface
> > >
> > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=119e4702100000
> > > final crash:    https://syzkaller.appspot.com/x/report.txt?x=139e4702100000
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=159e4702100000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+6921abfb75d6fc79c0eb@...kaller.appspotmail.com
> > > Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
> > >
> > > INFO: task syz-executor610:7072 blocked for more than 143 seconds.
> > >       Not tainted 5.7.0-rc7-syzkaller #0
> > > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> > > syz-executor610 D24336  7072   7071 0x80004002
> > > Call Trace:
> > >  context_switch kernel/sched/core.c:3367 [inline]
> > >  __schedule+0x805/0xc90 kernel/sched/core.c:4083
> > >
> > > Showing all locks held in the system:
> > > 1 lock held by khungtaskd/1134:
> > >  #0: ffffffff892e85d0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30 net/mptcp/pm_netlink.c:860
> > > 1 lock held by in:imklog/6715:
> > >  #0: ffff8880a441e6b0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x25d/0x2f0 fs/file.c:826
> > > 6 locks held by kworker/1:0/7064:
> > > 1 lock held by syz-executor610/7072:
> > >  #0: ffffffff892eab20 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:290 [inline]
> > >  #0: ffffffff892eab20 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x1bd/0x5b0 kernel/rcu/tree_exp.h:856
> > > 4 locks held by systemd-udevd/7099:
> > >  #0: ffff8880a7fdcc70 (&p->lock){+.+.}-{3:3}, at: seq_read+0x60/0xce0 fs/seq_file.c:153
> > >  #1: ffff888096486888 (&of->mutex){+.+.}-{3:3}, at: kernfs_seq_start+0x50/0x3b0 fs/kernfs/file.c:111
> > >  #2: ffff88809fc0d660 (kn->count#78){.+.+}-{0:0}, at: kernfs_seq_start+0x6f/0x3b0 fs/kernfs/file.c:112
> > >  #3: ffff8880a1df7218 (&dev->mutex){....}-{3:3}, at: device_lock_interruptible include/linux/device.h:773 [inline]
> > >  #3: ffff8880a1df7218 (&dev->mutex){....}-{3:3}, at: serial_show+0x22/0xa0 drivers/usb/core/sysfs.c:142
> > >
> > > =============================================
> > >
> > > NMI backtrace for cpu 0
> > > CPU: 0 PID: 1134 Comm: khungtaskd Not tainted 5.7.0-rc7-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:77 [inline]
> > >  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> > >  nmi_cpu_backtrace+0x9f/0x180 lib/nmi_backtrace.c:101
> > >  nmi_trigger_cpumask_backtrace+0x16a/0x280 lib/nmi_backtrace.c:62
> > >  check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
> > >  watchdog+0xd2a/0xd40 kernel/hung_task.c:289
> > >  kthread+0x353/0x380 kernel/kthread.c:268
> > >  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
> > > Sending NMI from CPU 0 to CPUs 1:
> > > NMI backtrace for cpu 1
> > > CPU: 1 PID: 7064 Comm: kworker/1:0 Not tainted 5.7.0-rc7-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: usb_hub_wq hub_event
> > > RIP: 0010:__sanitizer_cov_trace_const_cmp4+0x0/0x90 kernel/kcov.c:275
> > > Code: 4c f2 08 48 c1 e0 03 48 83 c8 18 49 89 14 02 4d 89 44 f2 18 49 ff c1 4d 89 0a c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 <4c> 8b 04 24 65 48 8b 04 25 40 1e 02 00 65 8b 0d 78 96 8e 7e f7 c1
> > > RSP: 0018:ffffc90001676cf0 EFLAGS: 00000246
> > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88809fb9e240
> > > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000ffffffff
> > > RBP: ffff888092d24a04 R08: ffffffff86034f3b R09: ffffc900016790cc
> > > R10: 0000000000000004 R11: 0000000000000000 R12: ffff888092d24a00
> > > R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888092d24a00
> > > FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
> > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 00000000004c6e68 CR3: 0000000092d41000 CR4: 00000000001406e0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > Call Trace:
> > >  hid_apply_multiplier drivers/hid/hid-core.c:1106 [inline]
> > 
> > Looks like an issue in the HID subsystem, adding HID maintainers.
> 
> So this is hanging indefinitely in either of the loops in 
> hid_apply_multiplier(). We'll have to decipher the reproducer to 
> understand what made the loop (and which one) unbounded.
> 
> In parallel, CCing Peter, who wrote that code in the first place.

based on the line numbers it's the while loop in there which is also the one
that could be unbounded if the hid collection isn't set up correctly or if
we have some other corruption happening.

Need to page this back in to figure out what could be happening here.

Cheers,
   Peter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ