All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com>
To: andreyknvl@google.com, hverkuil@xs4all.nl,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	linux-usb@vger.kernel.org, mchehab@kernel.org, oneukum@suse.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
Date: Wed, 27 Nov 2019 08:30:01 -0800	[thread overview]
Message-ID: <0000000000001dec4905985682c9@google.com> (raw)
In-Reply-To: <1574850465.2485.10.camel@suse.com>

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
INFO: rcu detected stall in dummy_timer

radio-si470x 5-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 	1-....: (8213 ticks this GP) idle=4f6/1/0x4000000000000004  
softirq=3368/3368 fqs=3
	(t=10501 jiffies g=2713 q=134)
NMI backtrace for cpu 1
CPU: 1 PID: 1853 Comm: syz-executor.2 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
  nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
  trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
  rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
  print_cpu_stall kernel/rcu/tree_stall.h:455 [inline]
  check_cpu_stall kernel/rcu/tree_stall.h:529 [inline]
  rcu_pending kernel/rcu/tree.c:2795 [inline]
  rcu_sched_clock_irq.cold+0x4da/0x936 kernel/rcu/tree.c:2244
  update_process_times+0x25/0x60 kernel/time/timer.c:1726
  tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:167
  tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1299
  __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
  __hrtimer_run_queues+0x303/0xc60 kernel/time/hrtimer.c:1576
  hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1638
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
  smp_apic_timer_interrupt+0xf5/0x500 arch/x86/kernel/apic/apic.c:1135
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160  
[inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50  
kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba  
d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40  
00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881db309b08 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881ce7fb84c
RBP: ffff8881d50f0000 R08: ffff8881ce7fb000 R09: fffffbfff11b23b8
R10: fffffbfff11b23b7 R11: ffffffff88d91dbf R12: 0000000000000080
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881c6617500
  spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
  dummy_timer+0x131b/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1980
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160  
[inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50  
kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba  
d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40  
00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881cd477ba8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000246 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881ce7fb84c
RBP: ffff8881db325b00 R08: ffff8881ce7fb000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8881db325b80 R14: 0000000000000000 R15: ffff8881db325b00
  unlock_hrtimer_base kernel/time/hrtimer.c:898 [inline]
  hrtimer_start_range_ns+0x5bf/0xb00 kernel/time/hrtimer.c:1133
  hrtimer_start_expires include/linux/hrtimer.h:435 [inline]
  hrtimer_sleeper_start_expires kernel/time/hrtimer.c:1792 [inline]
  do_nanosleep+0x1b9/0x650 kernel/time/hrtimer.c:1868
  hrtimer_nanosleep+0x249/0x4f0 kernel/time/hrtimer.c:1924
  __do_sys_nanosleep kernel/time/hrtimer.c:1958 [inline]
  __se_sys_nanosleep kernel/time/hrtimer.c:1945 [inline]
  __x64_sys_nanosleep+0x19d/0x220 kernel/time/hrtimer.c:1945
  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f00
Code: c0 5b 5d c3 66 0f 1f 44 00 00 8b 04 24 48 83 c4 18 5b 5d c3 66 0f 1f  
44 00 00 83 3d 51 e8 61 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00
RSP: 002b:00007ffe6aaf7d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 000000000000961f RCX: 0000000000457f00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe6aaf7d50
RBP: 0000000000000004 R08: 0000000000000001 R09: 0000000002432940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffe6aaf7da0 R14: 0000000000008efa R15: 00007ffe6aaf7db0
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 5-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 4-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)


Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=177ca17ae00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1226e536e00000


  reply	other threads:[~2019-11-27 16:30 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
2019-11-18 13:44 ` Oliver Neukum
2019-11-19  9:10   ` syzbot
2019-11-20 10:32 ` Oliver Neukum
2019-11-20 23:50   ` syzbot
2019-11-21 12:00 ` Oliver Neukum
2019-11-22 10:33   ` syzbot
2019-11-22 15:35     ` Alan Stern
2019-11-22 19:00       ` Oliver Neukum
2019-11-22 20:12         ` Alan Stern
2019-11-27 10:27 ` Oliver Neukum
2019-11-27 16:30   ` syzbot [this message]
2019-11-27 18:07     ` Alan Stern
2019-11-27 20:55       ` syzbot
2019-11-27 21:11         ` Alan Stern
2019-11-28 15:19           ` Oliver Neukum
2019-11-28 17:25             ` Alan Stern
2019-11-28 10:51       ` Oliver Neukum
2019-11-28 17:33         ` Alan Stern
2019-11-28 11:10 ` Oliver Neukum
2019-11-28 13:53   ` syzbot
2019-12-04 15:03 ` Oliver Neukum
2019-12-04 18:17   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000001dec4905985682c9@google.com \
    --to=syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com \
    --cc=andreyknvl@google.com \
    --cc=hverkuil@xs4all.nl \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=oneukum@suse.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.