From: syzbot <syzbot+cc699626e48a6ebaf295@syzkaller.appspotmail.com>
To: Larry.Finger@lwfinger.net, florian.c.schilhabel@googlemail.com,
gregkh@linuxfoundation.org, hridayhegde1999@gmail.com,
linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev,
paskripkin@gmail.com, rkovhaev@gmail.com,
straube.linux@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Read in do_wait_for_common
Date: Tue, 20 Jul 2021 08:21:06 -0700
Message-ID: <00000000000047c76a05c78f9ab1@google.com>
In-Reply-To: <20210720141039.3d4ddcfe@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in flush_workqueue
usb 6-1: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
usb 6-1: Direct firmware load for rtlwifi/rtl8712u.bin failed with error -2
usb 6-1: Falling back to sysfs fallback for: rtlwifi/rtl8712u.bin
usb 6-1: r8712u: Firmware request failed
============================================
WARNING: possible recursive locking detected
5.14.0-rc2-syzkaller #0 Not tainted
--------------------------------------------
kworker/0:3/3159 is trying to acquire lock:
ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: flush_workqueue+0x15c/0x1750 kernel/workqueue.c:2787
but task is already holding lock:
ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7aa/0x10c0 kernel/workqueue.c:2249
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock((wq_completion)events);
lock((wq_completion)events);
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by kworker/0:3/3159:
#0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7aa/0x10c0 kernel/workqueue.c:2249
#1: ffffc900021d7d20 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x7e8/0x10c0 kernel/workqueue.c:2251
#2: ffff8881467d4220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:754 [inline]
#2: ffff8881467d4220 (&dev->mutex){....}-{3:3}, at: rtl871x_load_fw_fail drivers/staging/rtl8712/hal_init.c:43 [inline]
#2: ffff8881467d4220 (&dev->mutex){....}-{3:3}, at: rtl871x_load_fw_cb+0x102/0x130 drivers/staging/rtl8712/hal_init.c:56
#3: ffff8880363da220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:754 [inline]
#3: ffff8880363da220 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1028 [inline]
#3: ffff8880363da220 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xc1/0x7b0 drivers/base/dd.c:1229
#4: ffff8880308211a8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:754 [inline]
#4: ffff8880308211a8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1028 [inline]
#4: ffff8880308211a8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xc1/0x7b0 drivers/base/dd.c:1229
stack backtrace:
CPU: 0 PID: 3159 Comm: kworker/0:3 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
__lock_acquire+0x2615/0x6100 kernel/locking/lockdep.c:4853
lock_acquire+0x182/0x4a0 kernel/locking/lockdep.c:5625
flush_workqueue+0x178/0x1750 kernel/workqueue.c:2787
flush_scheduled_work include/linux/workqueue.h:597 [inline]
r871xu_dev_remove+0x159/0x420 drivers/staging/rtl8712/usb_intf.c:604
usb_unbind_interface+0x1f2/0x860 drivers/usb/core/driver.c:458
__device_release_driver drivers/base/dd.c:1201 [inline]
device_release_driver_internal+0x51e/0x7b0 drivers/base/dd.c:1232
bus_remove_device+0x2fd/0x410 drivers/base/bus.c:529
device_del+0x6e1/0xc10 drivers/base/core.c:3540
usb_disable_device+0x407/0x800 drivers/usb/core/message.c:1419
usb_set_configuration+0x42b/0x2100 drivers/usb/core/message.c:2027
usb_unbind_device+0x6b/0x170 drivers/usb/core/driver.c:309
__device_release_driver drivers/base/dd.c:1201 [inline]
device_release_driver_internal+0x51e/0x7b0 drivers/base/dd.c:1232
rtl871x_load_fw_fail drivers/staging/rtl8712/hal_init.c:45 [inline]
rtl871x_load_fw_cb+0x10a/0x130 drivers/staging/rtl8712/hal_init.c:56
request_firmware_work_func+0x175/0x250 drivers/base/firmware_loader/main.c:1081
process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
worker_thread+0xac1/0x1320 kernel/workqueue.c:2422
kthread+0x453/0x480 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Tested on:
commit: 8cae8cd8 seq_file: disallow extremely large seq buffer..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149905f2300000
kernel config: https://syzkaller.appspot.com/x/.config?x=300aea483211c875
dashboard link: https://syzkaller.appspot.com/bug?extid=cc699626e48a6ebaf295
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=15737b4a300000