subject:"\[syzbot\] unexpected kernel reboot \(4\)"

Re: [syzbot] unexpected kernel reboot (4)

2021-04-18 Thread Tetsuo Handa

On 2021/04/17 12:19, Tetsuo Handa wrote:
> On 2021/04/15 0:39, Andrey Konovalov wrote:
>> On Wed, Apr 14, 2021 at 7:45 AM Dmitry Vyukov  wrote:
>>> The reproducer connects some USB HID device and communicates with the 
>>> driver.
>>> Previously we observed reboots because HID devices can trigger reboot
>>> SYSRQ, but we disable it with "CONFIG_MAGIC_SYSRQ is not set".
>>> How else can a USB device reboot the machine? Is it possible to disable it?
>>> I don't see any direct includes of  in drivers/usb/*
>>
>> This happens when a keyboard sends the Ctrl+Alt+Del sequence, see
>> fn_boot_it()->ctrl_alt_del() in drivers/tty/vt/keyboard.c.
>>
> 
> Regarding ctrl_alt_del() problem, doing
> 
>   sh -c 'echo 0 > /proc/sys/kernel/ctrl-alt-del; echo $$ > 
> /proc/sys/kernel/cad_pid'
> 
> as root before start fuzzing might help.
> 
> Also, with the command above, reproducer still triggers suspend operation 
> which freezes userspace processes.
> This could possibly be one of causes for no output / lost connections. Try 
> disabling freeze/suspend related configs?
> 

I tried

  # CONFIG_HIBERNATION is not set
  # CONFIG_SUSPEND is not set
  # CONFIG_PM is not set

but the reproducer still shutdowns the system.

The reproducer can be simplified to single threaded.


int main(int argc, char *argv[])
{
uint64_t r[1] = { 0x };

syscall(__NR_mmap, 0x2000ul, 0x100ul, 7ul, 0x32ul, -1, 0ul);
memcpy((void*)0x2200,
   
"\x12\x01\x00\x00\x00\x00\x00\x40\x26\x09\x33\x33\x40\x00\x00\x00\x00"
   
"\x01\x09\x02\x24\x00\x01\x00\x00\x00\x00\x09\x04\x00\x00\x01\x03\x01"
   
"\x00\x00\x09\x21\x00\x00\x00\x01\x22\x01\x00\x09\x05\x81\x03\x08",
   50);
r[0] = syz_usb_connect(0, 0x36, 0x2200, 0);
syz_usb_control_io(r[0], 0, 0);
*(uint32_t*)0x2300 = 0x24;
*(uint64_t*)0x2304 = 0;
*(uint64_t*)0x230c = 0;
*(uint64_t*)0x2314 = 0x21c0;
*(uint8_t*)0x21c0 = 0;
*(uint8_t*)0x21c1 = 0x22;
*(uint32_t*)0x21c2 = 5;
STORE_BY_BITMASK(uint8_t, , 0x21c6, 3, 0, 2);
STORE_BY_BITMASK(uint8_t, , 0x21c6, 0, 2, 2);
STORE_BY_BITMASK(uint8_t, , 0x21c6, 0, 4, 4);
memcpy((void*)0x21c7, "\x65\xe9\x5e\x9d", 4);
*(uint64_t*)0x231c = 0;
syz_usb_control_io(r[0], 0x2300, 0);
syz_usb_ep_write(r[0], 0, 5, (long) "\x8e\xc5\x44\xbc\x66");
return 0;
}


Since applying below diff does not help, I don't think that
this problem can be avoided by modifying tty code.


diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 77638629c562..25e6d52f5de6 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -323,12 +323,14 @@ int kbd_rate(struct kbd_repeat *rpt)
  */
 static void put_queue(struct vc_data *vc, int ch)
 {
+   return;
tty_insert_flip_char(>port, ch, 0);
tty_schedule_flip(>port);
 }
 
 static void puts_queue(struct vc_data *vc, const char *cp)
 {
+   return;
tty_insert_flip_string(>port, cp, strlen(cp));
tty_schedule_flip(>port);
 }
@@ -657,7 +659,7 @@ static void k_spec(struct vc_data *vc, unsigned char value, 
char up_flag)
 kbd->kbdmode == VC_OFF) &&
 value != KVAL(K_SAK))
return; /* SAK is allowed even in raw mode */
-   fn_handler[value](vc);
+   //fn_handler[value](vc);
 }
 
 static void k_lowercase(struct vc_data *vc, unsigned char value, char up_flag)
@@ -1393,6 +1395,7 @@ static void kbd_keycode(unsigned int keycode, int down, 
bool hw_raw)
struct keyboard_notifier_param param = { .vc = vc, .value = keycode, 
.down = down };
int rc;
 
+   return;
tty = vc->port.tty;
 
if (tty && (!tty->driver_data)) {
@@ -1509,7 +1512,7 @@ static void kbd_keycode(unsigned int keycode, int down, 
bool hw_raw)
if ((raw_mode || kbd->kbdmode == VC_OFF) && type != KT_SPEC && type != 
KT_SHIFT)
return;
 
-   (*k_handler[type])(vc, keysym & 0xff, !down);
+   //(*k_handler[type])(vc, keysym & 0xff, !down);
 
param.ledstate = kbd->ledflagstate;
atomic_notifier_call_chain(_notifier_list, KBD_POST_KEYSYM, 
);


Running the reproducer with

  dbus-monitor --system > /dev/ttyprintk

reports that systemd's shutdown service is requested when syz_usb_ep_write() is 
called.
I can't understand why the command "\x8e\xc5\x44\xbc\x66" leads to this result.


[   62.382763][   T47] usb 5-1: new high-speed USB device number 2 using 
dummy_hcd
[   62.745091][   T47] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 
has an invalid bInterval 0, changing to 7
[   62.749179][   T47] usb 5-1: New USB

Re: [syzbot] unexpected kernel reboot (4)

2021-04-16 Thread Tetsuo Handa

On 2021/04/15 0:39, Andrey Konovalov wrote:
> On Wed, Apr 14, 2021 at 7:45 AM Dmitry Vyukov  wrote:
>> The reproducer connects some USB HID device and communicates with the driver.
>> Previously we observed reboots because HID devices can trigger reboot
>> SYSRQ, but we disable it with "CONFIG_MAGIC_SYSRQ is not set".
>> How else can a USB device reboot the machine? Is it possible to disable it?
>> I don't see any direct includes of  in drivers/usb/*
> 
> This happens when a keyboard sends the Ctrl+Alt+Del sequence, see
> fn_boot_it()->ctrl_alt_del() in drivers/tty/vt/keyboard.c.
> 

Regarding ctrl_alt_del() problem, doing

  sh -c 'echo 0 > /proc/sys/kernel/ctrl-alt-del; echo $$ > 
/proc/sys/kernel/cad_pid'

as root before start fuzzing might help.

Also, with the command above, reproducer still triggers suspend operation which 
freezes userspace processes.
This could possibly be one of causes for no output / lost connections. Try 
disabling freeze/suspend related configs?

[   60.881255][ T6280] usb 5-1: new high-speed USB device number 2 using 
dummy_hcd
[   61.260648][ T6280] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 
has an invalid bInterval 0, changing to 7
[   61.274056][ T6280] usb 5-1: New USB device found, idVendor=0926, 
idProduct=, bcdDevice= 0.40
[   61.284700][ T6280] usb 5-1: New USB device strings: Mfr=0, Product=0, 
SerialNumber=0
[   61.289556][ T6280] usb 5-1: config 0 descriptor??
[   61.780871][ T6280] keytouch 0003:0926:.0002: fixing up Keytouch IEC 
report descriptor
[   61.792015][ T6280] input: HID 0926: as 
/devices/platform/dummy_hcd.0/usb5/5-1/5-1:0.0/0003:0926:.0002/input/input5
[   61.871612][ T6280] keytouch 0003:0926:.0002: input,hidraw1: USB HID 
v0.00 Keyboard [HID 0926:] on usb-dummy_hcd.0-1/input0
[   62.137706][ T6847] PM: suspend entry (s2idle)
[   62.147914][ T6847] Filesystems sync: 0.007 seconds
[   62.152031][ T6847] Freezing user space processes ... (elapsed 0.003 
seconds) done.
[   62.158369][ T6847] OOM killer disabled.
[   62.159673][ T6847] Freezing remaining freezable tasks ... (elapsed 0.003 
seconds) done.
[   62.167440][ T6847] vhci_hcd vhci_hcd.15: suspend vhci_hcd
[   62.169569][ T6847] vhci_hcd vhci_hcd.14: suspend vhci_hcd
[   62.171562][ T6847] vhci_hcd vhci_hcd.13: suspend vhci_hcd
[   62.173500][ T6847] vhci_hcd vhci_hcd.12: suspend vhci_hcd
[   62.175740][ T6847] vhci_hcd vhci_hcd.11: suspend vhci_hcd
[   62.177677][ T6847] vhci_hcd vhci_hcd.10: suspend vhci_hcd
[   62.179725][ T6847] vhci_hcd vhci_hcd.9: suspend vhci_hcd
[   62.181602][ T6847] vhci_hcd vhci_hcd.8: suspend vhci_hcd
[   62.183681][ T6847] vhci_hcd vhci_hcd.7: suspend vhci_hcd
[   62.185594][ T6847] vhci_hcd vhci_hcd.6: suspend vhci_hcd
[   62.187552][ T6847] vhci_hcd vhci_hcd.5: suspend vhci_hcd
[   62.189566][ T6847] vhci_hcd vhci_hcd.4: suspend vhci_hcd
[   62.191767][ T6847] vhci_hcd vhci_hcd.3: suspend vhci_hcd
[   62.193657][ T6847] vhci_hcd vhci_hcd.2: suspend vhci_hcd
[   62.195634][ T6847] vhci_hcd vhci_hcd.1: suspend vhci_hcd
[   62.197430][ T6847] vhci_hcd vhci_hcd.0: suspend vhci_hcd
[   62.249881][T8] mptbase: ioc0: pci-suspend: pdev=0x888005495000, 
slot=:00:10.0, Entering operating state [D0]

Re: [syzbot] unexpected kernel reboot (4)

2021-04-14 Thread Tetsuo Handa

On 2021/04/15 0:39, Andrey Konovalov wrote:
> On Wed, Apr 14, 2021 at 7:45 AM Dmitry Vyukov  wrote:
>>
>> On Tue, Apr 13, 2021 at 11:27 PM syzbot
>>  wrote:
>>>
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:89698bec Merge tag 'm68knommu-for-v5.12-rc7' of git://git...
>>> git tree:   upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1243fcfed0
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=b234ddbbe2953747
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=9ce030d4c89856b27619
>>> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=173e92fed0
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1735da2ed0
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+9ce030d4c89856b27...@syzkaller.appspotmail.com
>>>
>>> output_len: 0x0e74eb68
>>> kernel_total_size: 0x0f226000
>>> needed_size: 0x0f40
>>> trampoline_32bit: 0x0009d000
>>> Decompressing Linux... Parsing ELF... done.
>>> Booting the kernel.
>>
>> +linux-input
>>
>> The reproducer connects some USB HID device and communicates with the driver.
>> Previously we observed reboots because HID devices can trigger reboot
>> SYSRQ, but we disable it with "CONFIG_MAGIC_SYSRQ is not set".
>> How else can a USB device reboot the machine? Is it possible to disable it?
>> I don't see any direct includes of  in drivers/usb/*
> 
> This happens when a keyboard sends the Ctrl+Alt+Del sequence, see
> fn_boot_it()->ctrl_alt_del() in drivers/tty/vt/keyboard.c.
> 
> There was a patchset by Tetsuo [1] to suppress this, but I think it
> was abandoned.


Not abandoned; I'm waiting for you to join the discussion.
But for right now I'm trying to merge LOCKDEP's capacity tuning patch for
https://github.com/google/syzkaller/pull/2535 in the next merge window.

I still believe that ctrl_alt_del() etc. should be initially controlled
via kernel config options (despite Linus's objection at
https://lore.kernel.org/lkml/CAHk-=wgz=7MGxxX-tmMmdCsKyYJkuyxNc-4uLP=e_eEV=oz...@mail.gmail.com/
 ), for
we will need several trials and errors (and an effort to avoid kernel size 
bloating
like https://lkml.kernel.org/r/YD57hjaSmsYapHnQ@alley still remains) before we 
can
determine usable units for allow toggling via kernel command line options.

> 
> (This reminds of a somewhat related syzkaller issue:
> https://github.com/google/syzkaller/issues/1824; it relies on a
> similar reproducer.)
> 
> [1] https://groups.google.com/g/syzkaller/c/7wCmrGlLgm0/m/5yG6HVtbBQAJ
>

Re: [syzbot] unexpected kernel reboot (4)

2021-04-14 Thread Andrey Konovalov

On Wed, Apr 14, 2021 at 7:45 AM Dmitry Vyukov  wrote:
>
> On Tue, Apr 13, 2021 at 11:27 PM syzbot
>  wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:89698bec Merge tag 'm68knommu-for-v5.12-rc7' of git://git...
> > git tree:   upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1243fcfed0
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=b234ddbbe2953747
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9ce030d4c89856b27619
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=173e92fed0
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1735da2ed0
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+9ce030d4c89856b27...@syzkaller.appspotmail.com
> >
> > output_len: 0x0e74eb68
> > kernel_total_size: 0x0f226000
> > needed_size: 0x0f40
> > trampoline_32bit: 0x0009d000
> > Decompressing Linux... Parsing ELF... done.
> > Booting the kernel.
>
> +linux-input
>
> The reproducer connects some USB HID device and communicates with the driver.
> Previously we observed reboots because HID devices can trigger reboot
> SYSRQ, but we disable it with "CONFIG_MAGIC_SYSRQ is not set".
> How else can a USB device reboot the machine? Is it possible to disable it?
> I don't see any direct includes of  in drivers/usb/*

This happens when a keyboard sends the Ctrl+Alt+Del sequence, see
fn_boot_it()->ctrl_alt_del() in drivers/tty/vt/keyboard.c.

There was a patchset by Tetsuo [1] to suppress this, but I think it
was abandoned.

(This reminds of a somewhat related syzkaller issue:
https://github.com/google/syzkaller/issues/1824; it relies on a
similar reproducer.)

[1] https://groups.google.com/g/syzkaller/c/7wCmrGlLgm0/m/5yG6HVtbBQAJ

Re: [syzbot] unexpected kernel reboot (4)

2021-04-13 Thread Dmitry Vyukov

On Tue, Apr 13, 2021 at 11:27 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:89698bec Merge tag 'm68knommu-for-v5.12-rc7' of git://git...
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1243fcfed0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b234ddbbe2953747
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ce030d4c89856b27619
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=173e92fed0
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1735da2ed0
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ce030d4c89856b27...@syzkaller.appspotmail.com
>
> output_len: 0x0e74eb68
> kernel_total_size: 0x0f226000
> needed_size: 0x0f40
> trampoline_32bit: 0x0009d000
> Decompressing Linux... Parsing ELF... done.
> Booting the kernel.

+linux-input

The reproducer connects some USB HID device and communicates with the driver.
Previously we observed reboots because HID devices can trigger reboot
SYSRQ, but we disable it with "CONFIG_MAGIC_SYSRQ is not set".
How else can a USB device reboot the machine? Is it possible to disable it?
I don't see any direct includes of  in drivers/usb/*

r0 = syz_usb_connect$hid(0x0, 0x36,
&(0x7f00)=ANY=[@ANYBLOB="12010e402609411b000109022400010904010301092110012201000905810308"],
0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f001440)={0x24, 0x0, 0x0,
&(0x7f40)={0x0, 0x22, 0x1, {[@local]}}, 0x0}, 0x0)
syz_usb_ep_write(r0, 0x0, 0xfd,
&(0x7f000b80)="34981a23c3490d163907e65ff758478e74cd7dc073700ebf655f1ce3394018ade882075917a36a30ad3594f98282ea729f3620534fd655c69ebec66aa7397e843ee79879e825e6a31a189616c611912dee259ab9d8ff1566c90ae8985ec380bcab6b8265695f7b76654377adab6b1930de1f44060021f50f1dd3fff126f862f378ef2deb2d4331b9bcb3f394062133b4bb44a7f168473f7ca3d9945bfb4c456b22428a7a11d5d7df1fcc4f7ffad0e526d34321fb6aedfb5dd4fc6797cba2cf45369daea9f0953bf1a8343aa7548f3f9817c6a1bedde9dcaa4b8eed4a493828384fc9ccb7d230967ea0cb2003076ac7d9f386a5fbaec392")



> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches

[syzbot] unexpected kernel reboot (4)

2021-04-13 Thread syzbot

Hello,

syzbot found the following issue on:

HEAD commit:89698bec Merge tag 'm68knommu-for-v5.12-rc7' of git://git...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1243fcfed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b234ddbbe2953747
dashboard link: https://syzkaller.appspot.com/bug?extid=9ce030d4c89856b27619
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=173e92fed0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1735da2ed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ce030d4c89856b27...@syzkaller.appspotmail.com

output_len: 0x0e74eb68
kernel_total_size: 0x0f226000
needed_size: 0x0f40
trampoline_32bit: 0x0009d000
Decompressing Linux... Parsing ELF... done.
Booting the kernel.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] unexpected kernel reboot (4)

Re: [syzbot] unexpected kernel reboot (4)

Re: [syzbot] unexpected kernel reboot (4)

Re: [syzbot] unexpected kernel reboot (4)

Re: [syzbot] unexpected kernel reboot (4)

[syzbot] unexpected kernel reboot (4)

6 matches

Site Navigation

Mail list logo

Footer information