From: Alan Stern <stern@rowland.harvard.edu>
To: Oliver Neukum <oneukum@suse.com>
Cc: syzbot <syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com>,
<andreyknvl@google.com>, <hverkuil@xs4all.nl>,
<linux-kernel@vger.kernel.org>, <linux-media@vger.kernel.org>,
<linux-usb@vger.kernel.org>, <mchehab@kernel.org>,
<syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
Date: Fri, 22 Nov 2019 15:12:55 -0500 (EST) [thread overview]
Message-ID: <Pine.LNX.4.44L0.1911221506490.1511-100000@iolanthe.rowland.org> (raw)
In-Reply-To: <1574449256.2659.2.camel@suse.com>
On Fri, 22 Nov 2019, Oliver Neukum wrote:
> Am Freitag, den 22.11.2019, 10:35 -0500 schrieb Alan Stern:
> > On Fri, 22 Nov 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > INFO: rcu detected stall in dummy_timer
> > >
> > > radio-si470x 1-1:0.0: non-zero urb status (-71)
> > > radio-si470x 4-1:0.0: non-zero urb status (-71)
> > > radio-si470x 3-1:0.0: non-zero urb status (-71)
> >
> > Oliver:
> >
> > The reason for this stall is because the driver goes into a tight
> > resubmit loop when the interrupt URB completes with an unrecognized
> > error status. Instead, the driver should log an error message and
> > avoid resubmitting. Error recovery can be done at a higher level.
> >
> > In other words, change the
> >
> > goto resubmit; /* Maybe we can recover. */
> >
> > line in the completion handler into a return.
(I guess you also should clear the int_in_running flag, although the
callback routine doesn't do that in the case of -ENOENT, -ECONNRESET,
or -ESHUTDOWN.)
>
> I thought so, too. That is why I poisoned the URB. Am I dense?
Poisoning the URB should work -- if you do it in the right place. The
probe routine might not be good enough; an unrecognized error can occur
after the probe has succeeded.
Did you modify si470x_int_in_callback()? That's where the tight loop
is.
Alan Stern
next prev parent reply other threads:[~2019-11-22 20:12 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
2019-11-18 13:44 ` Oliver Neukum
2019-11-19 9:10 ` syzbot
2019-11-20 10:32 ` Oliver Neukum
2019-11-20 23:50 ` syzbot
2019-11-21 12:00 ` Oliver Neukum
2019-11-22 10:33 ` syzbot
2019-11-22 15:35 ` Alan Stern
2019-11-22 19:00 ` Oliver Neukum
2019-11-22 20:12 ` Alan Stern [this message]
2019-11-27 10:27 ` Oliver Neukum
2019-11-27 16:30 ` syzbot
2019-11-27 18:07 ` Alan Stern
2019-11-27 20:55 ` syzbot
2019-11-27 21:11 ` Alan Stern
2019-11-28 15:19 ` Oliver Neukum
2019-11-28 17:25 ` Alan Stern
2019-11-28 10:51 ` Oliver Neukum
2019-11-28 17:33 ` Alan Stern
2019-11-28 11:10 ` Oliver Neukum
2019-11-28 13:53 ` syzbot
2019-12-04 15:03 ` Oliver Neukum
2019-12-04 18:17 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.44L0.1911221506490.1511-100000@iolanthe.rowland.org \
--to=stern@rowland.harvard.edu \
--cc=andreyknvl@google.com \
--cc=hverkuil@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=oneukum@suse.com \
--cc=syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.