Re: divide error in alauda_transport

From: Alan Stern
Date: Sun Mar 17 2024 - 16:59:53 EST

Next message: kernel test robot: "[tip:master] BUILD SUCCESS 7e19a79344df2ed5e106091c29338962261b0290"
Previous message: Rob Herring: "Re: [PATCH v3 1/8] dt-bindings: misc: Add mikrobus-connector"
In reply to: xingwei lee: "Re: divide error in alauda_transport"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Mar 17, 2024 at 11:57:58PM +0800, xingwei lee wrote:
> On Mar 17, 2024, at 23:04, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sun, Mar 17, 2024 at 04:31:01PM +0800, xingwei lee wrote:
>
> Hello I found a bug in latest upstream titled "divide error in
> alauda_transport", and maybe is realted with usb.
> I comfired in the latest upstream the poc tree can trigger the issue.
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: xingwei lee <xrivendell7@xxxxxxxxx>
> Reported-by: yue sun <samsun1006219@xxxxxxxxx>
>
> kernel: upstream 9187210eee7d87eea37b45ea93454a88681894a4
> config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1c6662240382da2
> with KASAN enabled
> compiler: gcc (Debian 12.2.0-14) 12.2.0
>
> divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 2 PID: 8229 Comm: usb-storage Not tainted 6.8.0-05202-g9187210eee7d #20
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.16.2-1.fc38 04/01/2014
> RIP: 0010:alauda_read_data drivers/usb/storage/alauda.c:954 [inline]
> RIP: 0010:alauda_transport+0xcaf/0x3830 drivers/usb/storage/alauda.c:1184

> Hi Alan
>
> I apply your patch in my upstream commit
> 9187210eee7d87eea37b45ea93454a88681894a4

> However, the poc still trigger the bug like below:

> [ 146.141945][ T8215] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> [ 146.143565][ T8215] CPU: 1 PID: 8215 Comm: usb-storage Not tainted
> 6.8.0-05202-g9187210eee7d-dirty #21
> [ 146.145319][ T8215] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.16.2-1.fc38 04/01/2014
> [ 146.146720][ T8215] RIP: 0010:alauda_transport+0xc65/0x38b0

The line in your original bug report, alauda.c:954, was a call to
alauda_ensure_map_for_zone(), which my patch moves to a different
location so that a test for overflow can run first. It's hard to tell
whether the divide error occurs before the function call, within the
function, or after.

Furthermore, alauda_ensure_map_for_zone() calls alauda_read_map(), and
it's hard to tell if the divide error occurs before that function call
or within the function.

Can you try adding some pr_info() statements to those places so we can
determine exactly where the error occurs? The only divisions that I see
are by 2 or by uzonesize, which should always be nonzero. Maybe you can
print out the value of uzonesize so we can verify this.

Thanks,

Alan Stern

Next message: kernel test robot: "[tip:master] BUILD SUCCESS 7e19a79344df2ed5e106091c29338962261b0290"
Previous message: Rob Herring: "Re: [PATCH v3 1/8] dt-bindings: misc: Add mikrobus-connector"
In reply to: xingwei lee: "Re: divide error in alauda_transport"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]