WARNING: Detected a wedged cx25840 chip; the device will not work.

WARNING: Detected a wedged cx25840 chip; the device will not work.

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit:    9a33b369 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=12df67c3200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
dashboard link: https://syzkaller.appspot.com/bug?extid=170a86bf206dd2c6217e
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108a28f3200000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145d8a2d200000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com

usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
pvrusb2: Hardware description: Gotview USB 2.0 DVD 2
pvrusb2: Invalid write control endpoint
usb 1-1: USB disconnect, device number 2
pvrusb2: Invalid write control endpoint
pvrusb2: WARNING: Detected a wedged cx25840 chip; the device will not work.
pvrusb2: WARNING: Try power cycling the pvrusb2 device.
pvrusb2: WARNING: Disabling further access to the device to prevent other  
foul-ups.
pvrusb2: Device being rendered inoperable
cx25840 0-0044: Unable to detect h/w, assuming cx23887
cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
pvrusb2: Attached sub-driver cx25840
pvrusb2: Attempted to execute control transfer when device not ok
pvrusb2: Attempted to execute control transfer when device not ok


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: WARNING: Detected a wedged cx25840 chip; the device will not work.

[Greg KH]

On Tue, Apr 30, 2019 at 07:36:07AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12df67c3200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=170a86bf206dd2c6217e
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108a28f3200000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145d8a2d200000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
> 
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> pvrusb2: Hardware description: Gotview USB 2.0 DVD 2
> pvrusb2: Invalid write control endpoint
> usb 1-1: USB disconnect, device number 2
> pvrusb2: Invalid write control endpoint
> pvrusb2: WARNING: Detected a wedged cx25840 chip; the device will not work.
> pvrusb2: WARNING: Try power cycling the pvrusb2 device.
> pvrusb2: WARNING: Disabling further access to the device to prevent other
> foul-ups.
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: Attempted to execute control transfer when device not ok
> pvrusb2: Attempted to execute control transfer when device not ok

As the driver said, power cycle your device, it crashed :)

Seriously, I think your script detection failed here, sorry.

greg k-h

Re: WARNING: Detected a wedged cx25840 chip; the device will not work.

[Greg KH]

On Tue, Apr 30, 2019 at 05:35:16PM +0200, Greg KH wrote:
> On Tue, Apr 30, 2019 at 07:36:07AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:    9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12df67c3200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > dashboard link: https://syzkaller.appspot.com/bug?extid=170a86bf206dd2c6217e
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108a28f3200000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145d8a2d200000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
> > 
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > pvrusb2: Hardware description: Gotview USB 2.0 DVD 2
> > pvrusb2: Invalid write control endpoint
> > usb 1-1: USB disconnect, device number 2
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: WARNING: Detected a wedged cx25840 chip; the device will not work.
> > pvrusb2: WARNING: Try power cycling the pvrusb2 device.
> > pvrusb2: WARNING: Disabling further access to the device to prevent other
> > foul-ups.
> > pvrusb2: Device being rendered inoperable
> > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > pvrusb2: Attached sub-driver cx25840
> > pvrusb2: Attempted to execute control transfer when device not ok
> > pvrusb2: Attempted to execute control transfer when device not ok
> 
> As the driver said, power cycle your device, it crashed :)
> 
> Seriously, I think your script detection failed here, sorry.

Ah, same issue as the other "WARNING" message, sorry for the noise.

Re: WARNING: Detected a wedged cx25840 chip; the device will not work.

[Andrey Konovalov]

[-- Attachment #1: Type: text/plain, Size: 2165 bytes --]

On Tue, Apr 30, 2019 at 4:36 PM syzbot
<syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12df67c3200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=170a86bf206dd2c6217e
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108a28f3200000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145d8a2d200000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
>
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> pvrusb2: Hardware description: Gotview USB 2.0 DVD 2
> pvrusb2: Invalid write control endpoint
> usb 1-1: USB disconnect, device number 2
> pvrusb2: Invalid write control endpoint
> pvrusb2: WARNING: Detected a wedged cx25840 chip; the device will not work.
> pvrusb2: WARNING: Try power cycling the pvrusb2 device.
> pvrusb2: WARNING: Disabling further access to the device to prevent other
> foul-ups.
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: Attempted to execute control transfer when device not ok
> pvrusb2: Attempted to execute control transfer when device not ok

#syz test: https://github.com/google/kasan.git usb-fuzzer

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

[-- Attachment #2: pvrusb2.patch --]
[-- Type: text/x-patch, Size: 3641 bytes --]

commit f15cfa809ec035eebc0bec07bc9e1dd2123281a5
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Wed Apr 17 19:40:40 2019 +0200

    media: pvrusb2: use a different format for warnings
    
    When the pvrusb2 driver detects that there's something wrong with the
    device, it prints a warning message. Right now those message are printed
    in two different formats:
    
    1. ***WARNING*** message here
    2. WARNING: message here
    
    There's an issue with the second format. Syzkaller recognizes it as a
    message produced by a WARN_ON(), which is used to indicate a bug in the
    kernel. However pvrusb2 prints those warnings to indicate an issue with
    the device, not the bug in the kernel.
    
    This patch changes the pvrusb2 driver to consistently use the first
    warning message format. This will unblock syzkaller testing of this
    driver.
    
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index 446a999dd2ce..a0f7b10045d2 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -1678,7 +1678,7 @@ static int pvr2_decoder_enable(struct pvr2_hdw *hdw,int enablefl)
 	}
 	if (!hdw->flag_decoder_missed) {
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: No decoder present");
+			   "***WARNING*** No decoder present");
 		hdw->flag_decoder_missed = !0;
 		trace_stbit("flag_decoder_missed",
 			    hdw->flag_decoder_missed);
@@ -2364,7 +2364,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
 	if (hdw_desc->flag_is_experimental) {
 		pvr2_trace(PVR2_TRACE_INFO, "**********");
 		pvr2_trace(PVR2_TRACE_INFO,
-			   "WARNING: Support for this device (%s) is experimental.",
+			   "***WARNING*** Support for this device (%s) is experimental.",
 							      hdw_desc->description);
 		pvr2_trace(PVR2_TRACE_INFO,
 			   "Important functionality might not be entirely working.");
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
index 8f023085c2d9..43e54bdbd4aa 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
@@ -343,11 +343,11 @@ static int i2c_hack_cx25840(struct pvr2_hdw *hdw,
 
 	if ((ret != 0) || (*rdata == 0x04) || (*rdata == 0x0a)) {
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: Detected a wedged cx25840 chip; the device will not work.");
+			   "***WARNING*** Detected a wedged cx25840 chip; the device will not work.");
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: Try power cycling the pvrusb2 device.");
+			   "***WARNING*** Try power cycling the pvrusb2 device.");
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: Disabling further access to the device to prevent other foul-ups.");
+			   "***WARNING*** Disabling further access to the device to prevent other foul-ups.");
 		// This blocks all further communication with the part.
 		hdw->i2c_func[0x44] = NULL;
 		pvr2_hdw_render_useless(hdw);
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-std.c b/drivers/media/usb/pvrusb2/pvrusb2-std.c
index 6b651f8b54df..37dc299a1ca2 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-std.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-std.c
@@ -353,7 +353,7 @@ struct v4l2_standard *pvr2_std_create_enum(unsigned int *countptr,
 		bcnt = pvr2_std_id_to_str(buf,sizeof(buf),fmsk);
 		pvr2_trace(
 			PVR2_TRACE_ERROR_LEGS,
-			"WARNING: Failed to classify the following standard(s): %.*s",
+			"***WARNING*** Failed to classify the following standard(s): %.*s",
 			bcnt,buf);
 	}
 

WARNING: Detected a wedged cx25840 chip; the device will not work.

[Andrey Konovalov]

On Tue, Apr 30, 2019 at 4:36 PM syzbot
<syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12df67c3200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> dashboard link: https://syzkaller.appspot.com/bug?extid=170a86bf206dd2c6217e
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108a28f3200000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145d8a2d200000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+170a86bf206dd2c6217e@syzkaller.appspotmail.com
>
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> pvrusb2: Hardware description: Gotview USB 2.0 DVD 2
> pvrusb2: Invalid write control endpoint
> usb 1-1: USB disconnect, device number 2
> pvrusb2: Invalid write control endpoint
> pvrusb2: WARNING: Detected a wedged cx25840 chip; the device will not work.
> pvrusb2: WARNING: Try power cycling the pvrusb2 device.
> pvrusb2: WARNING: Disabling further access to the device to prevent other
> foul-ups.
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: Attempted to execute control transfer when device not ok
> pvrusb2: Attempted to execute control transfer when device not ok

#syz test: https://github.com/google/kasan.git usb-fuzzer

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

commit f15cfa809ec035eebc0bec07bc9e1dd2123281a5
Author: Andrey Konovalov <andreyknvl@google.com>
Date:   Wed Apr 17 19:40:40 2019 +0200

    media: pvrusb2: use a different format for warnings
    
    When the pvrusb2 driver detects that there's something wrong with the
    device, it prints a warning message. Right now those message are printed
    in two different formats:
    
    1. ***WARNING*** message here
    2. WARNING: message here
    
    There's an issue with the second format. Syzkaller recognizes it as a
    message produced by a WARN_ON(), which is used to indicate a bug in the
    kernel. However pvrusb2 prints those warnings to indicate an issue with
    the device, not the bug in the kernel.
    
    This patch changes the pvrusb2 driver to consistently use the first
    warning message format. This will unblock syzkaller testing of this
    driver.
    
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index 446a999dd2ce..a0f7b10045d2 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -1678,7 +1678,7 @@ static int pvr2_decoder_enable(struct pvr2_hdw *hdw,int enablefl)
 	}
 	if (!hdw->flag_decoder_missed) {
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: No decoder present");
+			   "***WARNING*** No decoder present");
 		hdw->flag_decoder_missed = !0;
 		trace_stbit("flag_decoder_missed",
 			    hdw->flag_decoder_missed);
@@ -2364,7 +2364,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
 	if (hdw_desc->flag_is_experimental) {
 		pvr2_trace(PVR2_TRACE_INFO, "**********");
 		pvr2_trace(PVR2_TRACE_INFO,
-			   "WARNING: Support for this device (%s) is experimental.",
+			   "***WARNING*** Support for this device (%s) is experimental.",
 							      hdw_desc->description);
 		pvr2_trace(PVR2_TRACE_INFO,
 			   "Important functionality might not be entirely working.");
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
index 8f023085c2d9..43e54bdbd4aa 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
@@ -343,11 +343,11 @@ static int i2c_hack_cx25840(struct pvr2_hdw *hdw,
 
 	if ((ret != 0) || (*rdata == 0x04) || (*rdata == 0x0a)) {
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: Detected a wedged cx25840 chip; the device will not work.");
+			   "***WARNING*** Detected a wedged cx25840 chip; the device will not work.");
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: Try power cycling the pvrusb2 device.");
+			   "***WARNING*** Try power cycling the pvrusb2 device.");
 		pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-			   "WARNING: Disabling further access to the device to prevent other foul-ups.");
+			   "***WARNING*** Disabling further access to the device to prevent other foul-ups.");
 		// This blocks all further communication with the part.
 		hdw->i2c_func[0x44] = NULL;
 		pvr2_hdw_render_useless(hdw);
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-std.c b/drivers/media/usb/pvrusb2/pvrusb2-std.c
index 6b651f8b54df..37dc299a1ca2 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-std.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-std.c
@@ -353,7 +353,7 @@ struct v4l2_standard *pvr2_std_create_enum(unsigned int *countptr,
 		bcnt = pvr2_std_id_to_str(buf,sizeof(buf),fmsk);
 		pvr2_trace(
 			PVR2_TRACE_ERROR_LEGS,
-			"WARNING: Failed to classify the following standard(s): %.*s",
+			"***WARNING*** Failed to classify the following standard(s): %.*s",
 			bcnt,buf);
 	}
 

Re: WARNING: Detected a wedged cx25840 chip; the device will not work.

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
WARNING in sysfs_remove_group

pvrusb2: Attached sub-driver tuner
pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the  
failure of one or more sub-device kernel modules.
pvrusb2: You need to resolve the failing condition before this driver can  
function.  There should be some earlier messages giving more information  
about the problem.
------------[ cut here ]------------
sysfs group 'power' not found for kobject '0-0044'
WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254 sysfs_remove_group  
fs/sysfs/group.c:254 [inline]
WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254  
sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 586 Comm: pvrusb2-context Not tainted 5.1.0-rc3-g43151d6-dirty  
#1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xe8/0x16e lib/dump_stack.c:113
  panic+0x29d/0x5f2 kernel/panic.c:214
  __warn.cold+0x20/0x48 kernel/panic.c:571
  report_bug+0x262/0x2a0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:179 [inline]
  fixup_bug arch/x86/kernel/traps.c:174 [inline]
  do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
  do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:254 [inline]
RIP: 0010:sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c  
01 00 75 41 48 8b 33 48 c7 c7 a0 31 7a 8e e8 e6 c2 6e ff <0f> 0b eb 95 e8  
0d de d3 ff e9 d2 fe ff ff 48 89 df e8 00 de d3 ff
RSP: 0018:ffff88809ced7b70 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffffff8f037e80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815b2132 RDI: ffffed10139daf60
RBP: 0000000000000000 R08: ffff88809ce96200 R09: ffffed1015a23edb
R10: ffffed1015a23eda R11: ffff8880ad11f6d7 R12: ffff888218b8e630
R13: ffffffff8f038520 R14: 1ffff110139daf97 R15: ffff888218b8e628
  dpm_sysfs_remove+0xa2/0xc0 drivers/base/power/sysfs.c:737
  device_del+0x175/0xb90 drivers/base/core.c:2246
usb 4-1: new high-speed USB device number 3 using dummy_hcd
  device_unregister+0x27/0xd0 drivers/base/core.c:2301
  i2c_unregister_device drivers/i2c/i2c-core-base.c:814 [inline]
  __unregister_client drivers/i2c/i2c-core-base.c:1422 [inline]
  __unregister_client+0x7d/0x90 drivers/i2c/i2c-core-base.c:1418
  device_for_each_child+0x100/0x170 drivers/base/core.c:2401
  i2c_del_adapter drivers/i2c/i2c-core-base.c:1485 [inline]
  i2c_del_adapter+0x35b/0x640 drivers/i2c/i2c-core-base.c:1447
  pvr2_i2c_core_done+0x6e/0xbb  
drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:662
  pvr2_hdw_destroy+0x17e/0x380 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2669
  pvr2_context_destroy+0x89/0x240  
drivers/media/usb/pvrusb2/pvrusb2-context.c:79
  pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146 [inline]
  pvr2_context_thread_func+0x65e/0x870  
drivers/media/usb/pvrusb2/pvrusb2-context.c:167
  kthread+0x313/0x420 kernel/kthread.c:253
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=15433634a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=274aad0cf966c3bc
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13df3d24a00000

WARNING: Detected a wedged cx25840 chip; the device will not work.

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
WARNING in sysfs_remove_group

pvrusb2: Attached sub-driver tuner
pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the  
failure of one or more sub-device kernel modules.
pvrusb2: You need to resolve the failing condition before this driver can  
function.  There should be some earlier messages giving more information  
about the problem.
------------[ cut here ]------------
sysfs group 'power' not found for kobject '0-0044'
WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254 sysfs_remove_group  
fs/sysfs/group.c:254 [inline]
WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254  
sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 586 Comm: pvrusb2-context Not tainted 5.1.0-rc3-g43151d6-dirty  
#1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xe8/0x16e lib/dump_stack.c:113
  panic+0x29d/0x5f2 kernel/panic.c:214
  __warn.cold+0x20/0x48 kernel/panic.c:571
  report_bug+0x262/0x2a0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:179 [inline]
  fixup_bug arch/x86/kernel/traps.c:174 [inline]
  do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
  do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:254 [inline]
RIP: 0010:sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c  
01 00 75 41 48 8b 33 48 c7 c7 a0 31 7a 8e e8 e6 c2 6e ff <0f> 0b eb 95 e8  
0d de d3 ff e9 d2 fe ff ff 48 89 df e8 00 de d3 ff
RSP: 0018:ffff88809ced7b70 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffffff8f037e80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815b2132 RDI: ffffed10139daf60
RBP: 0000000000000000 R08: ffff88809ce96200 R09: ffffed1015a23edb
R10: ffffed1015a23eda R11: ffff8880ad11f6d7 R12: ffff888218b8e630
R13: ffffffff8f038520 R14: 1ffff110139daf97 R15: ffff888218b8e628
  dpm_sysfs_remove+0xa2/0xc0 drivers/base/power/sysfs.c:737
  device_del+0x175/0xb90 drivers/base/core.c:2246
usb 4-1: new high-speed USB device number 3 using dummy_hcd
  device_unregister+0x27/0xd0 drivers/base/core.c:2301
  i2c_unregister_device drivers/i2c/i2c-core-base.c:814 [inline]
  __unregister_client drivers/i2c/i2c-core-base.c:1422 [inline]
  __unregister_client+0x7d/0x90 drivers/i2c/i2c-core-base.c:1418
  device_for_each_child+0x100/0x170 drivers/base/core.c:2401
  i2c_del_adapter drivers/i2c/i2c-core-base.c:1485 [inline]
  i2c_del_adapter+0x35b/0x640 drivers/i2c/i2c-core-base.c:1447
  pvr2_i2c_core_done+0x6e/0xbb  
drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:662
  pvr2_hdw_destroy+0x17e/0x380 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2669
  pvr2_context_destroy+0x89/0x240  
drivers/media/usb/pvrusb2/pvrusb2-context.c:79
  pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146 [inline]
  pvr2_context_thread_func+0x65e/0x870  
drivers/media/usb/pvrusb2/pvrusb2-context.c:167
  kthread+0x313/0x420 kernel/kthread.c:253
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=15433634a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=274aad0cf966c3bc
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13df3d24a00000

Re: WARNING: Detected a wedged cx25840 chip; the device will not work.

[Alan Stern]

On Tue, 30 Apr 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> WARNING in sysfs_remove_group
> 
> pvrusb2: Attached sub-driver tuner
> pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the  
> failure of one or more sub-device kernel modules.
> pvrusb2: You need to resolve the failing condition before this driver can  
> function.  There should be some earlier messages giving more information  
> about the problem.
> ------------[ cut here ]------------
> sysfs group 'power' not found for kobject '0-0044'
> WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254 sysfs_remove_group  
> fs/sysfs/group.c:254 [inline]
> WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254  
> sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 586 Comm: pvrusb2-context Not tainted 5.1.0-rc3-g43151d6-dirty  
> #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   panic+0x29d/0x5f2 kernel/panic.c:214
>   __warn.cold+0x20/0x48 kernel/panic.c:571
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> RIP: 0010:sysfs_remove_group fs/sysfs/group.c:254 [inline]
> RIP: 0010:sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c  
> 01 00 75 41 48 8b 33 48 c7 c7 a0 31 7a 8e e8 e6 c2 6e ff <0f> 0b eb 95 e8  
> 0d de d3 ff e9 d2 fe ff ff 48 89 df e8 00 de d3 ff
> RSP: 0018:ffff88809ced7b70 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: ffffffff8f037e80 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff815b2132 RDI: ffffed10139daf60
> RBP: 0000000000000000 R08: ffff88809ce96200 R09: ffffed1015a23edb
> R10: ffffed1015a23eda R11: ffff8880ad11f6d7 R12: ffff888218b8e630
> R13: ffffffff8f038520 R14: 1ffff110139daf97 R15: ffff888218b8e628
>   dpm_sysfs_remove+0xa2/0xc0 drivers/base/power/sysfs.c:737
>   device_del+0x175/0xb90 drivers/base/core.c:2246
> usb 4-1: new high-speed USB device number 3 using dummy_hcd
>   device_unregister+0x27/0xd0 drivers/base/core.c:2301
>   i2c_unregister_device drivers/i2c/i2c-core-base.c:814 [inline]
>   __unregister_client drivers/i2c/i2c-core-base.c:1422 [inline]
>   __unregister_client+0x7d/0x90 drivers/i2c/i2c-core-base.c:1418
>   device_for_each_child+0x100/0x170 drivers/base/core.c:2401
>   i2c_del_adapter drivers/i2c/i2c-core-base.c:1485 [inline]
>   i2c_del_adapter+0x35b/0x640 drivers/i2c/i2c-core-base.c:1447
>   pvr2_i2c_core_done+0x6e/0xbb  
> drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:662
>   pvr2_hdw_destroy+0x17e/0x380 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2669
>   pvr2_context_destroy+0x89/0x240  
> drivers/media/usb/pvrusb2/pvrusb2-context.c:79
>   pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146 [inline]
>   pvr2_context_thread_func+0x65e/0x870  
> drivers/media/usb/pvrusb2/pvrusb2-context.c:167
>   kthread+0x313/0x420 kernel/kthread.c:253
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> Tested on:
> 
> commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=15433634a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=274aad0cf966c3bc
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=13df3d24a00000

It seems pretty clear that this problem is caused by the
pvr2_context_thread trying to unregister the device before the main
probe routine has finished registering it.

I'm not familiar enough with this driver to want to fix the problem, 
however.  Someone else who knows the code better should work on it.

Alan Stern

WARNING: Detected a wedged cx25840 chip; the device will not work.

[Alan Stern]

On Tue, 30 Apr 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> WARNING in sysfs_remove_group
> 
> pvrusb2: Attached sub-driver tuner
> pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the  
> failure of one or more sub-device kernel modules.
> pvrusb2: You need to resolve the failing condition before this driver can  
> function.  There should be some earlier messages giving more information  
> about the problem.
> ------------[ cut here ]------------
> sysfs group 'power' not found for kobject '0-0044'
> WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254 sysfs_remove_group  
> fs/sysfs/group.c:254 [inline]
> WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254  
> sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 586 Comm: pvrusb2-context Not tainted 5.1.0-rc3-g43151d6-dirty  
> #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0xe8/0x16e lib/dump_stack.c:113
>   panic+0x29d/0x5f2 kernel/panic.c:214
>   __warn.cold+0x20/0x48 kernel/panic.c:571
>   report_bug+0x262/0x2a0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
>   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> RIP: 0010:sysfs_remove_group fs/sysfs/group.c:254 [inline]
> RIP: 0010:sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c  
> 01 00 75 41 48 8b 33 48 c7 c7 a0 31 7a 8e e8 e6 c2 6e ff <0f> 0b eb 95 e8  
> 0d de d3 ff e9 d2 fe ff ff 48 89 df e8 00 de d3 ff
> RSP: 0018:ffff88809ced7b70 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: ffffffff8f037e80 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff815b2132 RDI: ffffed10139daf60
> RBP: 0000000000000000 R08: ffff88809ce96200 R09: ffffed1015a23edb
> R10: ffffed1015a23eda R11: ffff8880ad11f6d7 R12: ffff888218b8e630
> R13: ffffffff8f038520 R14: 1ffff110139daf97 R15: ffff888218b8e628
>   dpm_sysfs_remove+0xa2/0xc0 drivers/base/power/sysfs.c:737
>   device_del+0x175/0xb90 drivers/base/core.c:2246
> usb 4-1: new high-speed USB device number 3 using dummy_hcd
>   device_unregister+0x27/0xd0 drivers/base/core.c:2301
>   i2c_unregister_device drivers/i2c/i2c-core-base.c:814 [inline]
>   __unregister_client drivers/i2c/i2c-core-base.c:1422 [inline]
>   __unregister_client+0x7d/0x90 drivers/i2c/i2c-core-base.c:1418
>   device_for_each_child+0x100/0x170 drivers/base/core.c:2401
>   i2c_del_adapter drivers/i2c/i2c-core-base.c:1485 [inline]
>   i2c_del_adapter+0x35b/0x640 drivers/i2c/i2c-core-base.c:1447
>   pvr2_i2c_core_done+0x6e/0xbb  
> drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:662
>   pvr2_hdw_destroy+0x17e/0x380 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2669
>   pvr2_context_destroy+0x89/0x240  
> drivers/media/usb/pvrusb2/pvrusb2-context.c:79
>   pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146 [inline]
>   pvr2_context_thread_func+0x65e/0x870  
> drivers/media/usb/pvrusb2/pvrusb2-context.c:167
>   kthread+0x313/0x420 kernel/kthread.c:253
>   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> Tested on:
> 
> commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=15433634a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=274aad0cf966c3bc
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=13df3d24a00000

It seems pretty clear that this problem is caused by the
pvr2_context_thread trying to unregister the device before the main
probe routine has finished registering it.

I'm not familiar enough with this driver to want to fix the problem, 
however.  Someone else who knows the code better should work on it.

Alan Stern

Re: WARNING: Detected a wedged cx25840 chip; the device will not work.

[Andrey Konovalov]

On Tue, Apr 30, 2019 at 9:34 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 30 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > WARNING in sysfs_remove_group
> >
> > pvrusb2: Attached sub-driver tuner
> > pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the
> > failure of one or more sub-device kernel modules.
> > pvrusb2: You need to resolve the failing condition before this driver can
> > function.  There should be some earlier messages giving more information
> > about the problem.
> > ------------[ cut here ]------------
> > sysfs group 'power' not found for kobject '0-0044'
> > WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254 sysfs_remove_group
> > fs/sysfs/group.c:254 [inline]
> > WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254
> > sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 1 PID: 586 Comm: pvrusb2-context Not tainted 5.1.0-rc3-g43151d6-dirty
> > #1
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   panic+0x29d/0x5f2 kernel/panic.c:214
> >   __warn.cold+0x20/0x48 kernel/panic.c:571
> >   report_bug+0x262/0x2a0 lib/bug.c:186
> >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
> >   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
> >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> > RIP: 0010:sysfs_remove_group fs/sysfs/group.c:254 [inline]
> > RIP: 0010:sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> > Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
> > 01 00 75 41 48 8b 33 48 c7 c7 a0 31 7a 8e e8 e6 c2 6e ff <0f> 0b eb 95 e8
> > 0d de d3 ff e9 d2 fe ff ff 48 89 df e8 00 de d3 ff
> > RSP: 0018:ffff88809ced7b70 EFLAGS: 00010286
> > RAX: 0000000000000000 RBX: ffffffff8f037e80 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: ffffffff815b2132 RDI: ffffed10139daf60
> > RBP: 0000000000000000 R08: ffff88809ce96200 R09: ffffed1015a23edb
> > R10: ffffed1015a23eda R11: ffff8880ad11f6d7 R12: ffff888218b8e630
> > R13: ffffffff8f038520 R14: 1ffff110139daf97 R15: ffff888218b8e628
> >   dpm_sysfs_remove+0xa2/0xc0 drivers/base/power/sysfs.c:737
> >   device_del+0x175/0xb90 drivers/base/core.c:2246
> > usb 4-1: new high-speed USB device number 3 using dummy_hcd
> >   device_unregister+0x27/0xd0 drivers/base/core.c:2301
> >   i2c_unregister_device drivers/i2c/i2c-core-base.c:814 [inline]
> >   __unregister_client drivers/i2c/i2c-core-base.c:1422 [inline]
> >   __unregister_client+0x7d/0x90 drivers/i2c/i2c-core-base.c:1418
> >   device_for_each_child+0x100/0x170 drivers/base/core.c:2401
> >   i2c_del_adapter drivers/i2c/i2c-core-base.c:1485 [inline]
> >   i2c_del_adapter+0x35b/0x640 drivers/i2c/i2c-core-base.c:1447
> >   pvr2_i2c_core_done+0x6e/0xbb
> > drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:662
> >   pvr2_hdw_destroy+0x17e/0x380 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2669
> >   pvr2_context_destroy+0x89/0x240
> > drivers/media/usb/pvrusb2/pvrusb2-context.c:79
> >   pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146 [inline]
> >   pvr2_context_thread_func+0x65e/0x870
> > drivers/media/usb/pvrusb2/pvrusb2-context.c:167
> >   kthread+0x313/0x420 kernel/kthread.c:253
> >   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> >
> >
> > Tested on:
> >
> > commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15433634a00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=274aad0cf966c3bc
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=13df3d24a00000
>
> It seems pretty clear that this problem is caused by the
> pvr2_context_thread trying to unregister the device before the main
> probe routine has finished registering it.
>
> I'm not familiar enough with this driver to want to fix the problem,
> however.  Someone else who knows the code better should work on it.

Yeah, it's a different bug than I intended to fix. I've sent patch for
the original issue (using "WARNING:") though.

>
> Alan Stern
>

WARNING: Detected a wedged cx25840 chip; the device will not work.

[Andrey Konovalov]

On Tue, Apr 30, 2019 at 9:34 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 30 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > WARNING in sysfs_remove_group
> >
> > pvrusb2: Attached sub-driver tuner
> > pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the
> > failure of one or more sub-device kernel modules.
> > pvrusb2: You need to resolve the failing condition before this driver can
> > function.  There should be some earlier messages giving more information
> > about the problem.
> > ------------[ cut here ]------------
> > sysfs group 'power' not found for kobject '0-0044'
> > WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254 sysfs_remove_group
> > fs/sysfs/group.c:254 [inline]
> > WARNING: CPU: 1 PID: 586 at fs/sysfs/group.c:254
> > sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 1 PID: 586 Comm: pvrusb2-context Not tainted 5.1.0-rc3-g43151d6-dirty
> > #1
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   panic+0x29d/0x5f2 kernel/panic.c:214
> >   __warn.cold+0x20/0x48 kernel/panic.c:571
> >   report_bug+0x262/0x2a0 lib/bug.c:186
> >   fixup_bug arch/x86/kernel/traps.c:179 [inline]
> >   fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >   do_error_trap+0x130/0x1f0 arch/x86/kernel/traps.c:272
> >   do_invalid_op+0x37/0x40 arch/x86/kernel/traps.c:291
> >   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> > RIP: 0010:sysfs_remove_group fs/sysfs/group.c:254 [inline]
> > RIP: 0010:sysfs_remove_group+0x15a/0x1b0 fs/sysfs/group.c:245
> > Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
> > 01 00 75 41 48 8b 33 48 c7 c7 a0 31 7a 8e e8 e6 c2 6e ff <0f> 0b eb 95 e8
> > 0d de d3 ff e9 d2 fe ff ff 48 89 df e8 00 de d3 ff
> > RSP: 0018:ffff88809ced7b70 EFLAGS: 00010286
> > RAX: 0000000000000000 RBX: ffffffff8f037e80 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: ffffffff815b2132 RDI: ffffed10139daf60
> > RBP: 0000000000000000 R08: ffff88809ce96200 R09: ffffed1015a23edb
> > R10: ffffed1015a23eda R11: ffff8880ad11f6d7 R12: ffff888218b8e630
> > R13: ffffffff8f038520 R14: 1ffff110139daf97 R15: ffff888218b8e628
> >   dpm_sysfs_remove+0xa2/0xc0 drivers/base/power/sysfs.c:737
> >   device_del+0x175/0xb90 drivers/base/core.c:2246
> > usb 4-1: new high-speed USB device number 3 using dummy_hcd
> >   device_unregister+0x27/0xd0 drivers/base/core.c:2301
> >   i2c_unregister_device drivers/i2c/i2c-core-base.c:814 [inline]
> >   __unregister_client drivers/i2c/i2c-core-base.c:1422 [inline]
> >   __unregister_client+0x7d/0x90 drivers/i2c/i2c-core-base.c:1418
> >   device_for_each_child+0x100/0x170 drivers/base/core.c:2401
> >   i2c_del_adapter drivers/i2c/i2c-core-base.c:1485 [inline]
> >   i2c_del_adapter+0x35b/0x640 drivers/i2c/i2c-core-base.c:1447
> >   pvr2_i2c_core_done+0x6e/0xbb
> > drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:662
> >   pvr2_hdw_destroy+0x17e/0x380 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2669
> >   pvr2_context_destroy+0x89/0x240
> > drivers/media/usb/pvrusb2/pvrusb2-context.c:79
> >   pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146 [inline]
> >   pvr2_context_thread_func+0x65e/0x870
> > drivers/media/usb/pvrusb2/pvrusb2-context.c:167
> >   kthread+0x313/0x420 kernel/kthread.c:253
> >   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> >
> >
> > Tested on:
> >
> > commit:         43151d6c usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15433634a00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=274aad0cf966c3bc
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=13df3d24a00000
>
> It seems pretty clear that this problem is caused by the
> pvr2_context_thread trying to unregister the device before the main
> probe routine has finished registering it.
>
> I'm not familiar enough with this driver to want to fix the problem,
> however.  Someone else who knows the code better should work on it.

Yeah, it's a different bug than I intended to fix. I've sent patch for
the original issue (using "WARNING:") though.

>
> Alan Stern
>