From: Alan Stern <stern@rowland.harvard.edu>
To: syzbot <syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com>
Cc: andreyknvl@google.com, <hverkuil@xs4all.nl>,
<linux-kernel@vger.kernel.org>, <linux-media@vger.kernel.org>,
<linux-usb@vger.kernel.org>, <mchehab@kernel.org>,
<oneukum@suse.com>, <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
Date: Wed, 27 Nov 2019 13:07:13 -0500 (EST)
Message-ID: <Pine.LNX.4.44L0.1911271304410.1319-100000@iolanthe.rowland.org>
In-Reply-To: <0000000000001dec4905985682c9@google.com>
On Wed, 27 Nov 2019, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> INFO: rcu detected stall in dummy_timer
>
> radio-si470x 5-1:0.0: non-zero urb status (-71)
> radio-si470x 3-1:0.0: non-zero urb status (-71)
> rcu: INFO: rcu_sched self-detected stall on CPU
> rcu: 1-....: (8213 ticks this GP) idle=4f6/1/0x4000000000000004
Almost the same as Oliver's patch, but this one stops when the
interrupt-IN URB gets an unrecognized error status.
Alan Stern
#syz test: https://github.com/google/kasan.git 22be26f7
Index: usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
===================================================================
--- usb-devel.orig/drivers/media/radio/si470x/radio-si470x-usb.c
+++ usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -370,15 +370,14 @@ static void si470x_int_in_callback(struc
unsigned char tmpbuf[3];
if (urb->status) {
- if (urb->status == -ENOENT ||
+ if (!(urb->status == -ENOENT ||
urb->status == -ECONNRESET ||
- urb->status == -ESHUTDOWN) {
- return;
- } else {
+ urb->status == -ESHUTDOWN))
dev_warn(&radio->intf->dev,
- "non-zero urb status (%d)\n", urb->status);
- goto resubmit; /* Maybe we can recover. */
- }
+ "unrecognized urb status (%d)\n",
+ urb->status);
+ radio->int_in_running = 0;
+ return;
}
/* Sometimes the device returns len 0 packets */
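Review bot: with this hunk any URB status other than -ENOENT/-ECONNRESET/-ESHUTDOWN, including the -71 (-EPROTO) that the syzbot log above shows, now permanently stops the interrupt-IN polling, yet only radio->int_in_running is cleared while radio->status_rssi_auto_update (copied from int_in_running in si470x_start_usb) keeps its old value; if the rest of the driver consults status_rssi_auto_update to decide where RSSI comes from, consider clearing it here as well or saying in the dev_warn() text that auto update is disabled from now on. Minor style point: the dev_warn() call spans two lines as the single statement of a brace-less if, which is easy to misread next to the unconditional `radio->int_in_running = 0;` and `return;` that follow; braces around the warning would keep the two paths visually distinct.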
@@ -542,6 +541,8 @@ static int si470x_start_usb(struct si470
radio->int_in_running = 0;
}
radio->status_rssi_auto_update = radio->int_in_running;
+ if (retval < 0)
+ return retval;
/* start radio */
retval = si470x_start(radio);
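Review bot: the new `if (retval < 0) return retval;` relies on retval still holding the result of the URB submission that happens above the hunk (where the failing branch sets `radio->int_in_running = 0;`) and not being overwritten in between; the only intervening statement is the status_rssi_auto_update assignment, so that holds, but a short comment such as `/* interrupt URB not submitted; caller must still unwind via err_all */` would make the new contract with si470x_usb_driver_probe explicit, since the probe error path is being changed from err_buf to err_all to match.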
@@ -734,7 +735,8 @@ static int si470x_usb_driver_probe(struc
/* start radio */
retval = si470x_start_usb(radio);
if (retval < 0)
- goto err_buf;
+ /* the urb may be running even after an error */
+ goto err_all;
/* set initial frequency */
si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
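Review bot: the comment `/* the urb may be running even after an error */` explains why err_all replaces err_buf, but it should also say that the jump is safe when the URB was never submitted at all, because usb_poison_urb() on an allocated but unsubmitted URB just marks it rejected and returns. Placing a comment line between `if (retval < 0)` and its single-statement body is legal but hides the fact that `goto err_all;` is the body; moving the comment above the if, or adding braces, keeps the statement attached to its condition.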
@@ -749,7 +751,7 @@ static int si470x_usb_driver_probe(struc
return 0;
err_all:
- usb_kill_urb(radio->int_in_urb);
+ usb_poison_urb(radio->int_in_urb);
err_buf:
kfree(radio->buffer);
err_ctrl:
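Review bot: replacing usb_kill_urb() with usb_poison_urb() at err_all is the right fix for a URB whose completion handler resubmits itself: usb_kill_urb() only cancels the current submission, so the callback can resubmit after it returns and the URB is then in flight while `kfree(radio->buffer);` runs at err_buf, which is exactly the use-after-free named in the subject line. A one-line comment at err_all noting that poisoning also makes any later resubmit fail, so the frees below are safe, would spare the next reader from re-deriving this.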
@@ -824,7 +826,7 @@ static void si470x_usb_driver_disconnect
mutex_lock(&radio->lock);
v4l2_device_disconnect(&radio->v4l2_dev);
video_unregister_device(&radio->videodev);
- usb_kill_urb(radio->int_in_urb);
+ usb_poison_urb(radio->int_in_urb);
usb_set_intfdata(intf, NULL);
mutex_unlock(&radio->lock);
v4l2_device_put(&radio->v4l2_dev);
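Review bot: usb_poison_urb() here sleeps until an in-flight completion has finished and is called with radio->lock held (mutex_lock() above, mutex_unlock() below), so this hunk is deadlock-free only if si470x_int_in_callback() never takes radio->lock; if it does, the poison should move ahead of mutex_lock(). As in the probe path, poisoning rather than killing is what actually stops the callback from resubmitting after disconnect, so a brief comment stating that intent would help.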