From: syzbot <syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com>
To: andreyknvl@google.com, hverkuil@xs4all.nl,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	linux-usb@vger.kernel.org, mchehab@kernel.org, oneukum@suse.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
Date: Fri, 22 Nov 2019 02:33:01 -0800	[thread overview]
Message-ID: <0000000000002d684a0597ecf0b5@google.com> (raw)
In-Reply-To: <1574337654.29504.0.camel@suse.com>

Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
INFO: rcu detected stall in dummy_timer

radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 4-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 	1-...!: (8177 ticks this GP) idle=78e/1/0x4000000000000004 softirq=3439/3439 fqs=0
	(t=10502 jiffies g=2653 q=23)
rcu: rcu_sched kthread starved for 10504 jiffies! g2653 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_sched       R  running task    29744    10      2 0x80004000
Call Trace:
  schedule+0xca/0x250 kernel/sched/core.c:4136
  schedule_timeout+0x440/0xb20 kernel/time/timer.c:1895
  rcu_gp_fqs_loop kernel/rcu/tree.c:1639 [inline]
  rcu_gp_kthread+0xaff/0x29e0 kernel/rcu/tree.c:1799
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
NMI backtrace for cpu 1
CPU: 1 PID: 1737 Comm: kworker/1:3 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
  nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
  trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
  rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
  print_cpu_stall kernel/rcu/tree_stall.h:455 [inline]
  check_cpu_stall kernel/rcu/tree_stall.h:529 [inline]
  rcu_pending kernel/rcu/tree.c:2795 [inline]
  rcu_sched_clock_irq.cold+0x4da/0x936 kernel/rcu/tree.c:2244
  update_process_times+0x25/0x60 kernel/time/timer.c:1726
  tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:167
  tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1299
  __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
  __hrtimer_run_queues+0x303/0xc60 kernel/time/hrtimer.c:1576
  hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1638
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
  smp_apic_timer_interrupt+0xf5/0x500 arch/x86/kernel/apic/apic.c:1135
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50 kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881db309b08 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d065084c
RBP: ffff8881d50f4000 R08: ffff8881d0650000 R09: fffffbfff11b23b8
R10: fffffbfff11b23b7 R11: ffffffff88d91dbf R12: 0000000000000080
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881d46bcd00
  spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
  dummy_timer+0x131b/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1980
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_unlock+0xb4f/0xc40 kernel/printk/printk.c:2477
Code: 32 fe ff ff e8 a2 ae 15 00 48 8b bc 24 80 00 00 00 e8 b5 dd ff ff e9 29 fb ff ff e8 8b ae 15 00 e8 06 db 1a 00 ff 74 24 30 9d <e9> 15 fb ff ff e8 67 f0 3c 00 e9 de f6 ff ff e8 6d f0 3c 00 e9 98
RSP: 0018:ffff8881c06beda0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881d06508f0 RDI: ffff8881d065084c
RBP: 0000000000000001 R08: ffff8881d0650000 R09: fffffbfff11b23ae
R10: fffffbfff11b23ad R11: ffffffff88d91d6f R12: 0000000000000047
R13: dffffc0000000000 R14: ffffffff8293f390 R15: ffffffff87077070
  vprintk_emit+0x171/0x3e0 kernel/printk/printk.c:1996
  dev_vprintk_emit+0x4fc/0x541 drivers/base/core.c:3312
  dev_printk_emit+0xba/0xf1 drivers/base/core.c:3323
  __dev_printk+0x1db/0x203 drivers/base/core.c:3335
  _dev_warn+0xd7/0x109 drivers/base/core.c:3379
  si470x_set_report.isra.0.constprop.0.cold+0x32/0x41 drivers/media/radio/si470x/radio-si470x-usb.c:234
  si470x_set_register+0x11c/0x180 drivers/media/radio/si470x/radio-si470x-usb.c:269
  si470x_start+0x72/0x2bf drivers/media/radio/si470x/radio-si470x-common.c:374
  si470x_start_usb+0x507/0x53d drivers/media/radio/si470x/radio-si470x-usb.c:549
  si470x_usb_driver_probe.cold+0x6e5/0x8b2 drivers/media/radio/si470x/radio-si470x-usb.c:737
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 4-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)


Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11821c22e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12ae33ace00000


Thread overview: 23+ messages
2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
2019-11-18 13:44 ` Oliver Neukum
2019-11-19  9:10   ` syzbot
2019-11-20 10:32 ` Oliver Neukum
2019-11-20 23:50   ` syzbot
2019-11-21 12:00 ` Oliver Neukum
2019-11-22 10:33   ` syzbot [this message]
2019-11-22 15:35     ` Alan Stern
2019-11-22 19:00       ` Oliver Neukum
2019-11-22 20:12         ` Alan Stern
2019-11-27 10:27 ` Oliver Neukum
2019-11-27 16:30   ` syzbot
2019-11-27 18:07     ` Alan Stern
2019-11-27 20:55       ` syzbot
2019-11-27 21:11         ` Alan Stern
2019-11-28 15:19           ` Oliver Neukum
2019-11-28 17:25             ` Alan Stern
2019-11-28 10:51       ` Oliver Neukum
2019-11-28 17:33         ` Alan Stern
2019-11-28 11:10 ` Oliver Neukum
2019-11-28 13:53   ` syzbot
2019-12-04 15:03 ` Oliver Neukum
2019-12-04 18:17   ` syzbot
