We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version of syzkaller) This bug happened during enumeration (i.e., set_config) for an acm gadget. Although tty (instance of tty_struct) held by port->port in gs_start_io() is null, this tries to access its field (tty->flags) in tty_wakeup(), thereby triggering this error. kernel config: https://kt0755.github.io/etc/config_v5.6.11 ================================================================== BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline] BUG: KASAN: null-ptr-deref in tty_wakeup+0x25/0x110 drivers/tty/tty_io.c:532 Read of size 8 at addr 0000000000000460 by task systemd-udevd/2719 CPU: 2 PID: 2719 Comm: systemd-udevd Not tainted 5.6.11 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xce/0x128 lib/dump_stack.c:118 __kasan_report+0x161/0x1b0 mm/kasan/report.c:510 kasan_report+0x12/0x20 mm/kasan/common.c:641 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192 __kasan_check_read+0x11/0x20 mm/kasan/common.c:95 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline] tty_wakeup+0x25/0x110 drivers/tty/tty_io.c:532 gs_start_io+0x1b7/0x2a0 drivers/usb/gadget/function/u_serial.c:568 gserial_connect+0x41c/0x590 drivers/usb/gadget/function/u_serial.c:1333 acm_set_alt+0x251/0x5c0 drivers/usb/gadget/function/f_acm.c:456 set_config drivers/usb/gadget/composite.c:838 [inline] composite_setup+0x4231/0x6f10 drivers/usb/gadget/composite.c:1717 configfs_composite_setup+0x11a/0x170 drivers/usb/gadget/configfs.c:1466 dummy_timer+0xda5/0x33f0 drivers/usb/gadget/udc/dummy_hcd.c:1898 call_timer_fn+0x20e/0x770 kernel/time/timer.c:1404 expire_timers kernel/time/timer.c:1449 [inline] __run_timers kernel/time/timer.c:1773 [inline] run_timer_softirq+0x63f/0x13c0 kernel/time/timer.c:1786 __do_softirq+0x262/0xb46 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x161/0x1b0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x137/0x500 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 </IRQ> RIP: 0010:create_object+0x74c/0xba0 mm/kmemleak.c:607 Code: e9 44 fc ff ff 65 48 8b 04 25 00 0f 02 00 48 8d b8 90 04 00 00 48 ba 00 00 00 00 00 fc ff df 48 89 fe 48 c1 ee 03 0f b6 14 16 <84> d2 74 09 80 fa 03 0f 8e be 01 00 00 49 8d bf 50 01 00 00 8b 90 RSP: 0018:ffff88805ad17560 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff13 RAX: ffff88803b448000 RBX: 0000000000000120 RCX: ffffffff816e25c4 RDX: 0000000000000000 RSI: 1ffff11007689092 RDI: ffff88803b448490 RBP: ffff88805ad175b0 R08: ffffed100c9a128e R09: ffffed100c9a128e R10: 0000000000000001 R11: ffffed100c9a128d R12: ffff888057bb8160 R13: ffff888064d09420 R14: ffff888064d09534 R15: ffff888064d093e0 kmemleak_alloc+0x21/0x30 mm/kmemleak.c:893 kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] slab_post_alloc_hook mm/slab.h:586 [inline] slab_alloc_node mm/slub.c:2786 [inline] slab_alloc mm/slub.c:2794 [inline] kmem_cache_alloc+0x157/0x2d0 mm/slub.c:2799 __d_alloc+0x2e/0x8b0 fs/dcache.c:1690 d_alloc+0x4d/0x250 fs/dcache.c:1769 d_alloc_parallel+0xfe/0x1910 fs/dcache.c:2521 __lookup_slow+0x195/0x440 fs/namei.c:1742 lookup_slow fs/namei.c:1774 [inline] walk_component+0x779/0xe30 fs/namei.c:1915 lookup_last fs/namei.c:2391 [inline] path_lookupat+0x151/0x3e0 fs/namei.c:2436 filename_lookup+0x191/0x3a0 fs/namei.c:2466 user_path_at_empty+0x40/0x50 fs/namei.c:2746 user_path_at include/linux/namei.h:58 [inline] vfs_statx+0xe9/0x190 fs/stat.c:197 vfs_lstat include/linux/fs.h:3277 [inline] __do_sys_newlstat+0x87/0xf0 fs/stat.c:364 __se_sys_newlstat fs/stat.c:358 [inline] __x64_sys_newlstat+0x54/0x80 fs/stat.c:358 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f473bb9f335 Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89 RSP: 002b:00007ffc79ada6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000006 RAX: ffffffffffffffda RBX: 000055d54f102c1a RCX: 00007f473bb9f335 RDX: 00007ffc79ada7b0 RSI: 00007ffc79ada7b0 RDI: 00007ffc79ada700 RBP: 00007ffc79ada880 R08: 000000000000fc00 R09: 0000000000000000 R10: 0000000000000007 R11: 0000000000000246 R12: 00007ffc79ada890 R13: 00007ffc79ada788 R14: 0000000000000018 R15: 000055d54f846470 ==================================================================