Re: divide error in alauda_transport

[xingwei lee]

On Mar 17, 2024, at 23:04, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:

On Sun, Mar 17, 2024 at 04:31:01PM +0800, xingwei lee wrote:

Hello I found a bug in latest upstream titled "divide error in
alauda_transport", and maybe is realted with usb.
I comfired in the latest upstream the poc tree can trigger the issue.

If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <xrivendell7@xxxxxxxxx>
Reported-by: yue sun <samsun1006219@xxxxxxxxx>

kernel: upstream 9187210eee7d87eea37b45ea93454a88681894a4
config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1c6662240382da2
with KASAN enabled
compiler: gcc (Debian 12.2.0-14) 12.2.0

divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 2 PID: 8229 Comm: usb-storage Not tainted 6.8.0-05202-g9187210eee7d #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.2-1.fc38 04/01/2014
RIP: 0010:alauda_read_data drivers/usb/storage/alauda.c:954 [inline]
RIP: 0010:alauda_transport+0xcaf/0x3830 drivers/usb/storage/alauda.c:1184


Can you please test the patch below?

Alan Stern




Index: usb-devel/drivers/usb/storage/alauda.c
===================================================================
--- usb-devel.orig/drivers/usb/storage/alauda.c
+++ usb-devel/drivers/usb/storage/alauda.c
@@ -951,7 +951,6 @@ static int alauda_read_data(struct us_da
unsigned int lba_offset = lba - (zone * uzonesize);
unsigned int pages;
u16 pba;
- alauda_ensure_map_for_zone(us, zone);

/* Not overflowing capacity? */
if (lba >= max_lba) {
@@ -961,6 +960,8 @@ static int alauda_read_data(struct us_da
break;
}

+ alauda_ensure_map_for_zone(us, zone);
+
/* Find number of pages we can read in this block */
pages = min(sectors, blocksize - page);
len = pages << pageshift;


Hi Alan

I apply your patch in my upstream commit
9187210eee7d87eea37b45ea93454a88681894a4

diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
index 115f05a6201a..6eccbadcea78 100644
--- a/drivers/usb/storage/alauda.c
+++ b/drivers/usb/storage/alauda.c
@@ -951,7 +951,6 @@ static int alauda_read_data(struct us_data *us,
unsigned long address,
                unsigned int lba_offset = lba - (zone * uzonesize);
                unsigned int pages;
                u16 pba;
-               alauda_ensure_map_for_zone(us, zone);

                /* Not overflowing capacity? */
                if (lba >= max_lba) {
@@ -961,6 +960,8 @@ static int alauda_read_data(struct us_data *us,
unsigned long address,
                        break;
                }

+               alauda_ensure_map_for_zone(us, zone);
+
                /* Find number of pages we can read in this block */
                pages = min(sectors, blocksize - page);
                len = pages << pageshift;

However, the poc still trigger the bug like below:

root@syzkaller:~# ./55a
[  143.702248][   T29] usb 1-1: new high-speed USB device number 2
using dummy_hcd
[  143.941971][   T29] usb 1-1: Using ep0 maxpacket: 8
[  144.062985][   T29] usb 1-1: config 0 interface 0 altsetting 0
endpoint 0xE has invalid maxpacket 6912, setting to 1024
[  144.066725][   T29] usb 1-1: config 0 interface 0 altsetting 0 bulk
endpoint 0xE has invalid maxpacket 1024
[  144.069851][   T29] usb 1-1: config 0 interface 0 altsetting 0
endpoint 0x82 has invalid wMaxPacketSize 0
[  144.073033][   T29] usb 1-1: config 0 interface 0 altsetting 0 bulk
endpoint 0x82 has invalid maxpacket 0
[  144.076132][   T29] usb 1-1: New USB device found, idVendor=07b4,
idProduct=010a, bcdDevice= 1.02
[  144.079142][   T29] usb 1-1: New USB device strings: Mfr=0,
Product=0, SerialNumber=0
[  144.082673][ T4526] systemd-journald[4526]: sd-device: Failed to
chase symlinks in "/sys/dev/char/189:1".
[  144.086529][   T29] usb 1-1: config 0 descriptor??
[  144.103215][ T8204] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[  144.124706][   T29] ums-alauda 1-1:0.0: USB Mass Storage device detected
[  144.153028][   T29] scsi host2: usb-storage 1-1:0.0
[  145.216626][ T1020] scsi 2:0:0:0: Direct-Access     Olympus
MAUSB-10 (Alauda 0102 PQ: 0 ANSI: 0 CCS
[  145.219706][ T1020] scsi 2:0:0:1: Direct-Access     Olympus
MAUSB-10 (Alauda 0102 PQ: 0 ANSI: 0 CCS
[  145.234829][ T1020] sd 2:0:0:0: Attached scsi generic sg2 type 0
[  145.251393][ T1020] sd 2:0:0:1: Attached scsi generic sg3 type 0
[  145.492274][   T73] sd 2:0:0:0: [sdb] Very big device. Trying to
use READ CAPACITY(16).
[  145.932043][   T12] sd 2:0:0:1: [sdc] Very big device. Trying to
use READ CAPACITY(16).
[  145.932844][   T73] sd 2:0:0:0: [sdb] Using 0xffffffff as device size
[  145.935914][   T12] sd 2:0:0:1: [sdc] Using 0xffffffff as device size
[  146.141945][ T8215] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
[  146.143565][ T8215] CPU: 1 PID: 8215 Comm: usb-storage Not tainted
6.8.0-05202-g9187210eee7d-dirty #21
[  146.145319][ T8215] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/01/2014
[  146.146720][ T8215] RIP: 0010:alauda_transport+0xc65/0x38b0
[  146.147977][ T8215] Code: 84 24 08 01 00 00 00 00 00 00 48 c7 84 24
18 01 00 00 00 00 00 00 48 d3 eb 48 89 d9 85 f6 0f 84 5b 12 00 00 31
d2 41 0f b7 c4 <f7> 74 24 40 66 41 39 dc 41 89 c6 0f 83 08 02 00 00 41
81
[  146.150664][ T8215] RSP: 0018:ffffc9001005fa60 EFLAGS: 00010246
[  146.151539][ T8215] RAX: 0000000000000000 RBX: 0000000000000000
RCX: 0000000000000000
[  146.152672][ T8215] RDX: 0000000000000000 RSI: 0000000000000001
RDI: ffff88802d3d5a00
[  146.153819][ T8215] RBP: 1ffff9200200bf69 R08: 0000000000000001
R09: ffffed1005ed15ad
[  146.154982][ T8215] R10: ffff88802f68b088 R11: ffff88802f68acb8
R12: 0000000000000000
[  146.156122][ T8215] R13: 0000000000000000 R14: 0000000000000000
R15: ffff88802d3d5a00
[  146.157275][ T8215] FS:  0000000000000000(0000)
GS:ffff88823bc00000(0000) knlGS:0000000000000000
[  146.158578][ T8215] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  146.159536][ T8215] CR2: 000055e7fa9c4770 CR3: 000000000c774000
CR4: 0000000000750ef0
[  146.160699][ T8215] PKRU: 55555554
[  146.161232][ T8215] Call Trace:
[  146.161730][ T8215]  <TASK>
[  146.162173][ T8215]  ? die+0x31/0x80
[  146.162718][ T8215]  ? do_trap+0x1b4/0x3c0
[  146.163355][ T8215]  ? alauda_transport+0xc65/0x38b0
[  146.164115][ T8215]  ? do_error_trap+0x9e/0x160
[  146.164788][ T8215]  ? alauda_transport+0xc65/0x38b0
[  146.165542][ T8215]  ? exc_divide_error+0x38/0x50
[  146.166259][ T8215]  ? alauda_transport+0xc65/0x38b0
[  146.167008][ T8215]  ? asm_exc_divide_error+0x1a/0x20
[  146.167782][ T8215]  ? alauda_transport+0xc65/0x38b0
[  146.168546][ T8215]  ? __pfx___lock_acquire+0x10/0x10
[  146.169309][ T8215]  ? __pfx_alauda_transport+0x10/0x10
[  146.170098][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.170909][ T8215]  ? __lock_acquire+0x193f/0x5c00
[  146.171639][ T8215]  usb_stor_invoke_transport+0xea/0x13d0
[  146.172465][ T8215]  ? __pfx_mark_lock+0x10/0x10
[  146.173179][ T8215]  ? __mutex_lock+0x25a/0x1330
[  146.173893][ T8215]  ? __pfx_usb_stor_invoke_transport+0x10/0x10
[  146.174796][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.175640][ T8215]  ? find_held_lock+0x2d/0x110
[  146.176357][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.177172][ T8215]  ? usb_stor_control_thread+0x304/0x980
[  146.178002][ T8215]  ? __pfx_lock_release+0x10/0x10
[  146.178745][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.179581][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.180406][ T8215]  ? mark_held_locks+0x9f/0xe0
[  146.181114][ T8215]  usb_stor_control_thread+0x5d6/0x980
[  146.181928][ T8215]  ? __pfx_usb_stor_control_thread+0x10/0x10
[  146.182784][ T8215]  ? _raw_spin_unlock_irqrestore+0x52/0x80
[  146.183620][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.184438][ T8215]  ? lockdep_hardirqs_on+0x7c/0x100
[  146.185196][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.186007][ T8215]  ? srso_alias_return_thunk+0x5/0xfbef5
[  146.186808][ T8215]  ? __kthread_parkme+0xb5/0x1f0
[  146.187545][ T8215]  ? __pfx_usb_stor_control_thread+0x10/0x10
[  146.188418][ T8215]  kthread+0x2eb/0x3d0
[  146.189202][ T8215]  ? _raw_spin_unlock_irq+0x23/0x50
[  146.189981][ T8215]  ? __pfx_kthread+0x10/0x10
[  146.190712][ T8215]  ret_from_fork+0x2f/0x70
[  146.191387][ T8215]  ? __pfx_kthread+0x10/0x10
[  146.192065][ T8215]  ret_from_fork_asm+0x1a/0x30
[  146.192765][ T8215]  </TASK>
[  146.193222][ T8215] Modules linked in:
[  146.193986][ T8215] ---[ end trace 0000000000000000 ]---
[  146.194815][ T8215] RIP: 0010:alauda_transport+0xc65/0x38b0
[  146.195724][ T8215] Code: 84 24 08 01 00 00 00 00 00 00 48 c7 84 24
18 01 00 00 00 00 00 00 48 d3 eb 48 89 d9 85 f6 0f 84 5b 12 00 00 31
d2 41 0f b7 c4 <f7> 74 24 40 66 41 39 dc 41 89 c6 0f 83 08 02 00 00 41
81
[  146.198822][ T8215] RSP: 0018:ffffc9001005fa60 EFLAGS: 00010246
[  146.199783][ T8215] RAX: 0000000000000000 RBX: 0000000000000000
RCX: 0000000000000000
[  146.200998][ T8215] RDX: 0000000000000000 RSI: 0000000000000001
RDI: ffff88802d3d5a00
[  146.202239][ T8215] RBP: 1ffff9200200bf69 R08: 0000000000000001
R09: ffffed1005ed15ad
[  146.203581][ T8215] R10: ffff88802f68b088 R11: ffff88802f68acb8
R12: 0000000000000000
[  146.204813][ T8215] R13: 0000000000000000 R14: 0000000000000000
R15: ffff88802d3d5a00
[  146.206034][ T8215] FS:  0000000000000000(0000)
GS:ffff88823bd00000(0000) knlGS:0000000000000000
[  146.207351][ T8215] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  146.208325][ T8215] CR2: 000055e7fa9cf2c8 CR3: 0000000027014000
CR4: 0000000000750ef0
[  146.209490][ T8215] PKRU: 55555554
[  146.210032][ T8215] Kernel panic - not syncing: Fatal exception
[  146.211335][ T8215] Kernel Offset: disabled
[  146.212003][ T8215] Rebooting in 86400 seconds..


Best regards
xingwei Lee