* KASAN: use-after-free Read in si470x_int_in_callback (2)
@ 2019-10-18 14:53 syzbot
  2019-11-18 13:44 ` Oliver Neukum
                   ` (5 more replies)
  0 siblings, 6 replies; 23+ messages in thread
From: syzbot @ 2019-10-18 14:53 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

radio-si470x 1-1:0.0: non-zero urb status (-71)
==================================================================
BUG: KASAN: use-after-free in si470x_int_in_callback.cold+0x27/0xbe drivers/media/radio/si470x/radio-si470x-usb.c:378
Read of size 8 at addr ffff8881cf5ccab0 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description.constprop.0+0x36/0x50 mm/kasan/report.c:374
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:506
  kasan_report+0xe/0x20 mm/kasan/common.c:634
  si470x_int_in_callback.cold+0x27/0xbe drivers/media/radio/si470x/radio-si470x-usb.c:378
  __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
  usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
  dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1966
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_unlock+0xa2a/0xc40 kernel/printk/printk.c:2481
Code: 00 89 ee 48 c7 c7 c0 59 d3 86 e8 41 b6 03 00 65 ff 0d d2 85 d9 7e e9 db f9 ff ff e8 b0 af 15 00 e8 2b dc 1a 00 ff 74 24 30 9d <e9> 18 fe ff ff e8 9c af 15 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
RSP: 0018:ffff8881da2271b0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881da21204c
RBP: 0000000000000000 R08: ffff8881da211800 R09: fffffbfff11b23a5
R10: fffffbfff11b23a4 R11: ffffffff88d91d27 R12: 000000000000004c
R13: dffffc0000000000 R14: ffffffff8293f390 R15: ffffffff87077070
  vprintk_emit+0x171/0x3e0 kernel/printk/printk.c:1996
  vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
  printk+0xba/0xed kernel/printk/printk.c:2056
  really_probe.cold+0x69/0x1de drivers/base/dd.c:628
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 12:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:510 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:483
  kmalloc include/linux/slab.h:556 [inline]
  kzalloc include/linux/slab.h:690 [inline]
  si470x_usb_driver_probe+0x51/0xf50 drivers/media/radio/si470x/radio-si470x-usb.c:573
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 12:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  kasan_set_free_info mm/kasan/common.c:332 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:471
  slab_free_hook mm/slub.c:1424 [inline]
  slab_free_freelist_hook mm/slub.c:1475 [inline]
  slab_free mm/slub.c:3018 [inline]
  kfree+0xe4/0x320 mm/slub.c:3967
  si470x_usb_driver_probe+0xb27/0xf50 drivers/media/radio/si470x/radio-si470x-usb.c:766
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881cf5cc000
  which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2736 bytes inside of
  4096-byte region [ffff8881cf5cc000, ffff8881cf5cd000)
The buggy address belongs to the page:
page:ffffea00073d7200 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c280
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881cf5cc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881cf5cca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cf5cca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                      ^
  ffff8881cf5ccb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881cf5ccb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
@ 2019-11-18 13:44 ` Oliver Neukum
  2019-11-19  9:10   ` syzbot
  2019-11-20 10:32 ` Oliver Neukum
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-18 13:44 UTC (permalink / raw)
  To: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Friday, 18.10.2019, at 07:53 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git 22be26f7

From e7c30d32a1d9b3589c31593ce18b8df45989a27c Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 18 Nov 2019 14:41:51 +0100
Subject: [PATCH] si470x: prevent resubmission

Poison the URB in case probe fails to remove any chance
of a resubmission from the callback.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index fedff68d8c49..b6e25d5c7c53 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -749,7 +749,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 err_buf:
 	kfree(radio->buffer);
 err_ctrl:
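Review bot: at err_all the poison only covers failures that jump to err_all; the err_buf label right below it goes straight to kfree(radio->buffer), so any failure path that enters at err_buf after the interrupt URB has been submitted still leaves the callback free to run and resubmit. Check every goto err_buf in the probe function and route the ones that can follow a submission through err_all. The commit message should also carry the Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com tag requested in the report.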
-- 
2.16.4



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-18 13:44 ` Oliver Neukum
@ 2019-11-19  9:10   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2019-11-19  9:10 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in si470x_int_in_callback

radio-si470x 4-1:0.0: non-zero urb status (-71)
==================================================================
BUG: KASAN: use-after-free in si470x_int_in_callback.cold+0x27/0xbe drivers/media/radio/si470x/radio-si470x-usb.c:378
Read of size 8 at addr ffff8881d2fceab0 by task kworker/0:2/2107

CPU: 0 PID: 2107 Comm: kworker/0:2 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description.constprop.0+0x36/0x50 mm/kasan/report.c:374
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:506
  kasan_report+0xe/0x20 mm/kasan/common.c:634
  si470x_int_in_callback.cold+0x27/0xbe drivers/media/radio/si470x/radio-si470x-usb.c:378
  __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1654
  usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1719
  dummy_timer+0x120f/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1966
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1751 [inline]
RIP: 0010:vprintk_emit+0x3cd/0x3e0 kernel/printk/printk.c:1995
Code: 00 83 fb ff 75 d6 e9 db fc ff ff e8 fd 7a 15 00 e8 78 a7 1a 00 41 56 9d e9 b1 fd ff ff e8 eb 7a 15 00 e8 66 a7 1a 00 41 56 9d <e9> 2a ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89
RSP: 0018:ffff8881cb01f238 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881cbfa08f0 RDI: ffff8881cbfa084c
RBP: ffff8881cb01f280 R08: ffff8881cbfa0000 R09: fffffbfff11b23ae
R10: fffffbfff11b23ad R11: ffffffff88d91d6f R12: 0000000000000034
R13: ffff8881da24e000 R14: 0000000000000293 R15: 0000000000000000
  vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
  printk+0xba/0xed kernel/printk/printk.c:2056
  really_probe.cold+0x69/0x1de drivers/base/dd.c:628
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 2107:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:510 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:483
  kmalloc include/linux/slab.h:556 [inline]
  kzalloc include/linux/slab.h:690 [inline]
  si470x_usb_driver_probe+0x51/0xf50 drivers/media/radio/si470x/radio-si470x-usb.c:573
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2107:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  kasan_set_free_info mm/kasan/common.c:332 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:471
  slab_free_hook mm/slub.c:1424 [inline]
  slab_free_freelist_hook mm/slub.c:1475 [inline]
  slab_free mm/slub.c:3018 [inline]
  kfree+0xe4/0x320 mm/slub.c:3967
  si470x_usb_driver_probe+0xb27/0xf50 drivers/media/radio/si470x/radio-si470x-usb.c:766
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881d2fce000
  which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2736 bytes inside of
  4096-byte region [ffff8881d2fce000, ffff8881d2fcf000)
The buggy address belongs to the page:
page:ffffea00074bf200 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881d2fce980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881d2fcea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881d2fcea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                      ^
  ffff8881d2fceb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881d2fceb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=149ed686e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1508a25ae00000



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
  2019-11-18 13:44 ` Oliver Neukum
@ 2019-11-20 10:32 ` Oliver Neukum
  2019-11-20 23:50   ` syzbot
  2019-11-21 12:00 ` Oliver Neukum
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-20 10:32 UTC (permalink / raw)
  To: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Friday, 18.10.2019, at 07:53 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git 22be26f7

From c322de1808b3f43b2248457281634c9d22500840 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 18 Nov 2019 14:41:51 +0100
Subject: [PATCH] si470x: prevent resubmission

Starting IO to a device is not necessarily a NOP in every error
case. So we need to terminate all IO in every case of probe
failure with absolute certainty.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index fedff68d8c49..07e9ddbb5937 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -734,7 +734,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 	/* start radio */
 	retval = si470x_start_usb(radio);
 	if (retval < 0)
-		goto err_buf;
+		/* the urb may be running even after an error */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
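Review bot: in the si470x_start_usb() failure branch the new comment sits between the unbraced if (retval < 0) and its goto err_all, so the body now spans two lines without braces; move the comment above the if or add braces. The comment would also help more if it said which step can leave the URB submitted when si470x_start_usb() returns an error, since that is the reason for going to err_all instead of err_buf.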
@@ -749,7 +750,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 err_buf:
 	kfree(radio->buffer);
 err_ctrl:
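Review bot: the switch from usb_kill_urb() to usb_poison_urb() at err_all is not explained in this version's commit message, which only talks about terminating IO on probe failure; the earlier posting's reason (removing any chance of a resubmission from the callback) should be kept. This version also reuses the subject and date of the earlier patch with no version marker or changelog below the --- line, and the Reported-by tag requested in the report is still missing.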
-- 
2.16.4



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-20 10:32 ` Oliver Neukum
@ 2019-11-20 23:50   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2019-11-20 23:50 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
INFO: rcu detected stall in dummy_timer

radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 	1-....: (1 GPs behind) idle=eb2/0/0x3 softirq=3951/3952 fqs=5203
	(t=10500 jiffies g=3417 q=3162)
NMI backtrace for cpu 1
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
  nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
  trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
  rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
  print_cpu_stall kernel/rcu/tree_stall.h:455 [inline]
  check_cpu_stall kernel/rcu/tree_stall.h:529 [inline]
  rcu_pending kernel/rcu/tree.c:2795 [inline]
  rcu_sched_clock_irq.cold+0x4da/0x936 kernel/rcu/tree.c:2244
  update_process_times+0x25/0x60 kernel/time/timer.c:1726
  tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:167
  tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1299
  __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
  __hrtimer_run_queues+0x303/0xc60 kernel/time/hrtimer.c:1576
  hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1638
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
  smp_apic_timer_interrupt+0xf5/0x500 arch/x86/kernel/apic/apic.c:1135
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50 kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881db309b08 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881da21384c
RBP: ffff8881d50e0000 R08: ffff8881da213000 R09: fffffbfff11b23b8
R10: fffffbfff11b23b7 R11: ffffffff88d91dbf R12: 0000000000000080
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881ccf59700
  spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
  dummy_timer+0x131b/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1980
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
Code: 90 90 41 56 41 55 65 44 8b 2d f4 20 8f 7a 41 54 55 53 0f 1f 44 00 00 e8 c6 d2 d0 fb e9 07 00 00 00 0f 00 2d ea c5 4f 00 fb f4 <65> 44 8b 2d d0 20 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff8881da22fdc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21384c
RBP: ffffed103b442600 R08: ffff8881da213000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
  cpuidle_idle_call kernel/sched/idle.c:154 [inline]
  do_idle+0x3b6/0x500 kernel/sched/idle.c:263
  cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
  start_secondary+0x27d/0x330 arch/x86/kernel/smpboot.c:264
  secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)

Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16fb6ecee00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=145812f2e00000



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
  2019-11-18 13:44 ` Oliver Neukum
  2019-11-20 10:32 ` Oliver Neukum
@ 2019-11-21 12:00 ` Oliver Neukum
  2019-11-22 10:33   ` syzbot
  2019-11-27 10:27 ` Oliver Neukum
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-21 12:00 UTC (permalink / raw)
  To: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Friday, 18.10.2019 at 07:53 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git 22be26f7

From 40218a235aed2aab9fe948c036582905fdbf4e50 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 18 Nov 2019 14:41:51 +0100
Subject: [PATCH] si470x: prevent resubmission

Starting IO to a device is not necessarily a NOP in every error
case. So we need to terminate all IO in every case of probe
failure with absolute certainty.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index fedff68d8c49..e280b1149fa1 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -542,6 +542,8 @@ static int si470x_start_usb(struct si470x_device *radio)
 		radio->int_in_running = 0;
 	}
 	radio->status_rssi_auto_update = radio->int_in_running;
+	if (retval < 0)
+		return retval;
 
 	/* start radio */
 	retval = si470x_start(radio);
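Review bot: the new `if (retval < 0) return retval;` in si470x_start_usb() turns a failure that was previously discarded into a hard error, and neither the changelog nor a comment says so. Before this change whatever retval held at this point was overwritten by `retval = si470x_start(radio);`, so the function carried on with int_in_running cleared; now it returns before the radio is started. If that is intended, state it in the commit message and add a short comment above the check naming the call whose failure is being propagated. Consider placing the return inside the block that clears int_in_running just above, so the check sits next to the call it tests.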
@@ -734,7 +736,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 	/* start radio */
 	retval = si470x_start_usb(radio);
 	if (retval < 0)
-		goto err_buf;
+		/* the urb may be running even after an error */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
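Review bot: the body of `if (retval < 0)` in si470x_usb_driver_probe() is now a comment line followed by an unbraced `goto`, which reads as a two-line body and is easy to break when a statement is added later. Move the comment above the `if`, or add braces. The comment would also help more if it said which failure of si470x_start_usb() can leave the urb in flight, since that is the whole justification for jumping to err_all instead of err_buf.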
@@ -749,7 +752,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 err_buf:
 	kfree(radio->buffer);
 err_ctrl:
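Review bot: the switch from usb_kill_urb() to usb_poison_urb() under err_all carries no comment, although it is the change the subject line "prevent resubmission" refers to. Add one line saying that the urb has to reject any later submission (for example from its own completion handler) because `kfree(radio->buffer)` follows directly at err_buf. The changelog should also state that the urb is left poisoned on this path and is not expected to be submitted again.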
-- 
2.16.4



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-21 12:00 ` Oliver Neukum
@ 2019-11-22 10:33   ` syzbot
  2019-11-22 15:35     ` Alan Stern
  0 siblings, 1 reply; 23+ messages in thread
From: syzbot @ 2019-11-22 10:33 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
INFO: rcu detected stall in dummy_timer

radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 4-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 	1-...!: (8177 ticks this GP) idle=78e/1/0x4000000000000004  
softirq=3439/3439 fqs=0
	(t=10502 jiffies g=2653 q=23)
rcu: rcu_sched kthread starved for 10504 jiffies! g2653 f0x0  
RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_sched       R  running task    29744    10      2 0x80004000
Call Trace:
  schedule+0xca/0x250 kernel/sched/core.c:4136
  schedule_timeout+0x440/0xb20 kernel/time/timer.c:1895
  rcu_gp_fqs_loop kernel/rcu/tree.c:1639 [inline]
  rcu_gp_kthread+0xaff/0x29e0 kernel/rcu/tree.c:1799
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
NMI backtrace for cpu 1
CPU: 1 PID: 1737 Comm: kworker/1:3 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
  nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
  trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
  rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
  print_cpu_stall kernel/rcu/tree_stall.h:455 [inline]
  check_cpu_stall kernel/rcu/tree_stall.h:529 [inline]
  rcu_pending kernel/rcu/tree.c:2795 [inline]
  rcu_sched_clock_irq.cold+0x4da/0x936 kernel/rcu/tree.c:2244
  update_process_times+0x25/0x60 kernel/time/timer.c:1726
  tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:167
  tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1299
  __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
  __hrtimer_run_queues+0x303/0xc60 kernel/time/hrtimer.c:1576
  hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1638
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
  smp_apic_timer_interrupt+0xf5/0x500 arch/x86/kernel/apic/apic.c:1135
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160  
[inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50  
kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba  
d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40  
00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881db309b08 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d065084c
RBP: ffff8881d50f4000 R08: ffff8881d0650000 R09: fffffbfff11b23b8
R10: fffffbfff11b23b7 R11: ffffffff88d91dbf R12: 0000000000000080
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881d46bcd00
  spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
  dummy_timer+0x131b/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1980
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_unlock+0xb4f/0xc40 kernel/printk/printk.c:2477
Code: 32 fe ff ff e8 a2 ae 15 00 48 8b bc 24 80 00 00 00 e8 b5 dd ff ff e9  
29 fb ff ff e8 8b ae 15 00 e8 06 db 1a 00 ff 74 24 30 9d <e9> 15 fb ff ff  
e8 67 f0 3c 00 e9 de f6 ff ff e8 6d f0 3c 00 e9 98
RSP: 0018:ffff8881c06beda0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881d06508f0 RDI: ffff8881d065084c
RBP: 0000000000000001 R08: ffff8881d0650000 R09: fffffbfff11b23ae
R10: fffffbfff11b23ad R11: ffffffff88d91d6f R12: 0000000000000047
R13: dffffc0000000000 R14: ffffffff8293f390 R15: ffffffff87077070
  vprintk_emit+0x171/0x3e0 kernel/printk/printk.c:1996
  dev_vprintk_emit+0x4fc/0x541 drivers/base/core.c:3312
  dev_printk_emit+0xba/0xf1 drivers/base/core.c:3323
  __dev_printk+0x1db/0x203 drivers/base/core.c:3335
  _dev_warn+0xd7/0x109 drivers/base/core.c:3379
  si470x_set_report.isra.0.constprop.0.cold+0x32/0x41  
drivers/media/radio/si470x/radio-si470x-usb.c:234
  si470x_set_register+0x11c/0x180  
drivers/media/radio/si470x/radio-si470x-usb.c:269
  si470x_start+0x72/0x2bf  
drivers/media/radio/si470x/radio-si470x-common.c:374
  si470x_start_usb+0x507/0x53d  
drivers/media/radio/si470x/radio-si470x-usb.c:549
  si470x_usb_driver_probe.cold+0x6e5/0x8b2  
drivers/media/radio/si470x/radio-si470x-usb.c:737
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x6d0 drivers/base/dd.c:548
  driver_probe_device+0x104/0x210 drivers/base/dd.c:721
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
  bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:430
  __device_attach+0x217/0x360 drivers/base/dd.c:894
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:490
  device_add+0xae6/0x16f0 drivers/base/core.c:2201
  usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
  hub_port_connect drivers/usb/core/hub.c:5183 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5323 [inline]
  port_event drivers/usb/core/hub.c:5469 [inline]
  hub_event+0x1dd0/0x37e0 drivers/usb/core/hub.c:5551
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352


Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11821c22e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12ae33ace00000


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-22 10:33   ` syzbot
@ 2019-11-22 15:35     ` Alan Stern
  2019-11-22 19:00       ` Oliver Neukum
  0 siblings, 1 reply; 23+ messages in thread
From: Alan Stern @ 2019-11-22 15:35 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

On Fri, 22 Nov 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> INFO: rcu detected stall in dummy_timer
> 
> radio-si470x 1-1:0.0: non-zero urb status (-71)
> radio-si470x 4-1:0.0: non-zero urb status (-71)
> radio-si470x 3-1:0.0: non-zero urb status (-71)

Oliver:

The reason for this stall is because the driver goes into a tight
resubmit loop when the interrupt URB completes with an unrecognized
error status.  Instead, the driver should log an error message and
avoid resubmitting.  Error recovery can be done at a higher level.

In other words, change the

			goto resubmit; /* Maybe we can recover. */

line in the completion handler into a return.

Alan Stern


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-22 15:35     ` Alan Stern
@ 2019-11-22 19:00       ` Oliver Neukum
  2019-11-22 20:12         ` Alan Stern
  0 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-22 19:00 UTC (permalink / raw)
  To: Alan Stern, syzbot
  Cc: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, syzkaller-bugs

On Friday, 22.11.2019, 10:35 -0500, Alan Stern wrote:
> On Fri, 22 Nov 2019, syzbot wrote:
> 
> > Hello,
> > 
> > syzbot has tested the proposed patch but the reproducer still triggered  
> > crash:
> > INFO: rcu detected stall in dummy_timer
> > 
> > radio-si470x 1-1:0.0: non-zero urb status (-71)
> > radio-si470x 4-1:0.0: non-zero urb status (-71)
> > radio-si470x 3-1:0.0: non-zero urb status (-71)
> 
> Oliver:
> 
> The reason for this stall is because the driver goes into a tight
> resubmit loop when the interrupt URB completes with an unrecognized
> error status.  Instead, the driver should log an error message and
> avoid resubmitting.  Error recovery can be done at a higher level.
> 
> In other words, change the
> 
> 			goto resubmit; /* Maybe we can recover. */
> 
> line in the completion handler into a return.

I thought so, too. That is why I poisoned the URB. Am I dense?

	Regards
		Oliver


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-22 19:00       ` Oliver Neukum
@ 2019-11-22 20:12         ` Alan Stern
  0 siblings, 0 replies; 23+ messages in thread
From: Alan Stern @ 2019-11-22 20:12 UTC (permalink / raw)
  To: Oliver Neukum
  Cc: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Fri, 22 Nov 2019, Oliver Neukum wrote:

> On Friday, 22.11.2019, 10:35 -0500, Alan Stern wrote:
> > On Fri, 22 Nov 2019, syzbot wrote:
> > 
> > > Hello,
> > > 
> > > syzbot has tested the proposed patch but the reproducer still triggered  
> > > crash:
> > > INFO: rcu detected stall in dummy_timer
> > > 
> > > radio-si470x 1-1:0.0: non-zero urb status (-71)
> > > radio-si470x 4-1:0.0: non-zero urb status (-71)
> > > radio-si470x 3-1:0.0: non-zero urb status (-71)
> > 
> > Oliver:
> > 
> > The reason for this stall is because the driver goes into a tight
> > resubmit loop when the interrupt URB completes with an unrecognized
> > error status.  Instead, the driver should log an error message and
> > avoid resubmitting.  Error recovery can be done at a higher level.
> > 
> > In other words, change the
> > 
> > 			goto resubmit; /* Maybe we can recover. */
> > 
> > line in the completion handler into a return.

(I guess you also should clear the int_in_running flag, although the 
callback routine doesn't do that in the case of -ENOENT, -ECONNRESET, 
or -ESHUTDOWN.)

> 
> I thought so, too. That is why I poisoned the URB. Am I dense?

Poisoning the URB should work -- if you do it in the right place.  The
probe routine might not be good enough; an unrecognized error can occur
after the probe has succeeded.

Did you modify si470x_int_in_callback()?  That's where the tight loop
is.

Alan Stern



^ permalink raw reply	[flat|nested] 23+ messages in thread
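
The tight resubmit loop and the question of where poisoning takes effect, both discussed in the message above, as an added user-space model; it is not code from the driver or from anyone in the thread. The toy_urb and toy_radio types, the toy_* helpers and run_failing_device() are hypothetical stand-ins, and clearing int_in_running after a failed resubmit is an assumption about the driver.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-ins for struct urb and the driver's radio state (model only). */
struct toy_urb {
	int status;	/* status of the last completion */
	int reject;	/* non-zero once poisoned */
	bool queued;	/* submitted, completion pending */
	void (*complete)(struct toy_urb *);
	void *context;
};
struct toy_radio {
	struct toy_urb urb;
	int int_in_running;
	int warnings;	/* dev_warn() calls made by the handler */
};

/* Like usb_submit_urb(): a poisoned URB is refused with -EPERM. */
static int toy_submit_urb(struct toy_urb *urb)
{
	if (urb->reject)
		return -EPERM;
	urb->queued = true;
	return 0;
}

/* Like usb_poison_urb(): refuse future submits, cancel a pending one. */
static void toy_poison_urb(struct toy_urb *urb)
{
	urb->reject++;
	if (urb->queued) {
		urb->queued = false;
		urb->status = -ENOENT;
		urb->complete(urb);
	}
}

static bool is_unlink(int s) { return s == -ENOENT || s == -ECONNRESET || s == -ESHUTDOWN; }

/* Handler before the change: any other error falls through to resubmit. */
static void callback_before(struct toy_urb *urb)
{
	struct toy_radio *radio = urb->context;
	if (urb->status) {
		if (is_unlink(urb->status))
			return;
		radio->warnings++;	/* "non-zero urb status (%d)" */
	}
	if (radio->int_in_running && toy_submit_urb(urb))
		radio->int_in_running = 0;	/* assumption: failed resubmit stops */
}

/* Handler as suggested in the thread: stop on every non-zero status. */
static void callback_after(struct toy_urb *urb)
{
	struct toy_radio *radio = urb->context;
	if (urb->status) {
		if (!is_unlink(urb->status))
			radio->warnings++;
		radio->int_in_running = 0;
		return;
	}
	if (radio->int_in_running && toy_submit_urb(urb))
		radio->int_in_running = 0;
}

/*
 * Toy host controller whose device fails every transfer with -EPROTO (the
 * -71 in the log). Stops when the URB stays idle, at `cap` completions, or by
 * poisoning after `poison_after` completions (negative: never poison).
 */
static int run_failing_device(void (*cb)(struct toy_urb *), int cap,
			      int poison_after, struct toy_radio *radio)
{
	int delivered = 0;
	*radio = (struct toy_radio){ .int_in_running = 1 };
	radio->urb.complete = cb;
	radio->urb.context = radio;
	toy_submit_urb(&radio->urb);
	while (radio->urb.queued && delivered < cap) {
		if (delivered == poison_after) {
			toy_poison_urb(&radio->urb);
			break;
		}
		radio->urb.queued = false;
		radio->urb.status = -EPROTO;
		radio->urb.complete(&radio->urb);
		delivered++;
	}
	return delivered;	/* number of -EPROTO completions */
}

int main(void)
{
	struct toy_radio r;
	printf("before=%d ", run_failing_device(callback_before, 1000, -1, &r));
	printf("after=%d ", run_failing_device(callback_after, 1000, -1, &r));
	printf("poisoned=%d\n", run_failing_device(callback_before, 1000, 5, &r));
	return 0;
}
```

In the model the old handler runs until the cap and only stops when something poisons the URB, which is why poisoning in probe alone does not help once probe has succeeded; the changed handler stops after the first error.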

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
                   ` (2 preceding siblings ...)
  2019-11-21 12:00 ` Oliver Neukum
@ 2019-11-27 10:27 ` Oliver Neukum
  2019-11-27 16:30   ` syzbot
  2019-11-28 11:10 ` Oliver Neukum
  2019-12-04 15:03 ` Oliver Neukum
  5 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-27 10:27 UTC (permalink / raw)
  To: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Friday, 18.10.2019, 07:53 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git 22be26f7

From 497dce10b022c0cfbba450a47d634aa212ecafa1 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 18 Nov 2019 14:41:51 +0100
Subject: [PATCH] si470x: prevent resubmission

Starting IO to a device is not necessarily a NOP in every error
case. So we need to terminate all IO in every case of probe
failure and disconnect with absolute certainty.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index fedff68d8c49..8663828d93a5 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -542,6 +542,8 @@ static int si470x_start_usb(struct si470x_device *radio)
 		radio->int_in_running = 0;
 	}
 	radio->status_rssi_auto_update = radio->int_in_running;
+	if (retval < 0)
+		return retval;
 
 	/* start radio */
 	retval = si470x_start(radio);
@@ -734,7 +736,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 	/* start radio */
 	retval = si470x_start_usb(radio);
 	if (retval < 0)
-		goto err_buf;
+		/* the urb may be running even after an error */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
@@ -749,7 +752,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 err_buf:
 	kfree(radio->buffer);
 err_ctrl:
@@ -824,7 +827,7 @@ static void si470x_usb_driver_disconnect(struct usb_interface *intf)
 	mutex_lock(&radio->lock);
 	v4l2_device_disconnect(&radio->v4l2_dev);
 	video_unregister_device(&radio->videodev);
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 	usb_set_intfdata(intf, NULL);
 	mutex_unlock(&radio->lock);
 	v4l2_device_put(&radio->v4l2_dev);
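
Review bot: in si470x_usb_driver_disconnect() the URB is now left poisoned while the radio structure can live on until the last "v4l2_device_put(&radio->v4l2_dev);", and nothing in the hunk says this is deliberate. A one-line comment next to "usb_poison_urb(radio->int_in_urb);" stating that every later submission attempt must fail after disconnect would record why poison rather than kill is used here.
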
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-27 10:27 ` Oliver Neukum
@ 2019-11-27 16:30   ` syzbot
  2019-11-27 18:07     ` Alan Stern
  0 siblings, 1 reply; 23+ messages in thread
From: syzbot @ 2019-11-27 16:30 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
INFO: rcu detected stall in dummy_timer

radio-si470x 5-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 	1-....: (8213 ticks this GP) idle=4f6/1/0x4000000000000004  
softirq=3368/3368 fqs=3
	(t=10501 jiffies g=2713 q=134)
NMI backtrace for cpu 1
CPU: 1 PID: 1853 Comm: syz-executor.2 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
  nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
  trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
  rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
  print_cpu_stall kernel/rcu/tree_stall.h:455 [inline]
  check_cpu_stall kernel/rcu/tree_stall.h:529 [inline]
  rcu_pending kernel/rcu/tree.c:2795 [inline]
  rcu_sched_clock_irq.cold+0x4da/0x936 kernel/rcu/tree.c:2244
  update_process_times+0x25/0x60 kernel/time/timer.c:1726
  tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:167
  tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1299
  __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
  __hrtimer_run_queues+0x303/0xc60 kernel/time/hrtimer.c:1576
  hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1638
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
  smp_apic_timer_interrupt+0xf5/0x500 arch/x86/kernel/apic/apic.c:1135
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160  
[inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50  
kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba  
d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40  
00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881db309b08 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881ce7fb84c
RBP: ffff8881d50f0000 R08: ffff8881ce7fb000 R09: fffffbfff11b23b8
R10: fffffbfff11b23b7 R11: ffffffff88d91dbf R12: 0000000000000080
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881c6617500
  spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
  dummy_timer+0x131b/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1980
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160  
[inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50  
kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba  
d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40  
00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881cd477ba8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000246 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881ce7fb84c
RBP: ffff8881db325b00 R08: ffff8881ce7fb000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8881db325b80 R14: 0000000000000000 R15: ffff8881db325b00
  unlock_hrtimer_base kernel/time/hrtimer.c:898 [inline]
  hrtimer_start_range_ns+0x5bf/0xb00 kernel/time/hrtimer.c:1133
  hrtimer_start_expires include/linux/hrtimer.h:435 [inline]
  hrtimer_sleeper_start_expires kernel/time/hrtimer.c:1792 [inline]
  do_nanosleep+0x1b9/0x650 kernel/time/hrtimer.c:1868
  hrtimer_nanosleep+0x249/0x4f0 kernel/time/hrtimer.c:1924
  __do_sys_nanosleep kernel/time/hrtimer.c:1958 [inline]
  __se_sys_nanosleep kernel/time/hrtimer.c:1945 [inline]
  __x64_sys_nanosleep+0x19d/0x220 kernel/time/hrtimer.c:1945
  do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f00
Code: c0 5b 5d c3 66 0f 1f 44 00 00 8b 04 24 48 83 c4 18 5b 5d c3 66 0f 1f  
44 00 00 83 3d 51 e8 61 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00
RSP: 002b:00007ffe6aaf7d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 000000000000961f RCX: 0000000000457f00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe6aaf7d50
RBP: 0000000000000004 R08: 0000000000000001 R09: 0000000002432940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffe6aaf7da0 R14: 0000000000008efa R15: 00007ffe6aaf7db0
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 5-1:0.0: non-zero urb status (-71)
radio-si470x 3-1:0.0: non-zero urb status (-71)
radio-si470x 4-1:0.0: non-zero urb status (-71)
radio-si470x 1-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 6-1:0.0: non-zero urb status (-71)
radio-si470x 2-1:0.0: non-zero urb status (-71)


Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=177ca17ae00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1226e536e00000


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-27 16:30   ` syzbot
@ 2019-11-27 18:07     ` Alan Stern
  2019-11-27 20:55       ` syzbot
  2019-11-28 10:51       ` Oliver Neukum
  0 siblings, 2 replies; 23+ messages in thread
From: Alan Stern @ 2019-11-27 18:07 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

On Wed, 27 Nov 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> INFO: rcu detected stall in dummy_timer
> 
> radio-si470x 5-1:0.0: non-zero urb status (-71)
> radio-si470x 3-1:0.0: non-zero urb status (-71)
> rcu: INFO: rcu_sched self-detected stall on CPU
> rcu: 	1-....: (8213 ticks this GP) idle=4f6/1/0x4000000000000004  

Almost the same as Oliver's patch, but this one stops when the 
interrupt-IN URB gets an unrecognized error status.

Alan Stern

#syz test: https://github.com/google/kasan.git 22be26f7

Index: usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
===================================================================
--- usb-devel.orig/drivers/media/radio/si470x/radio-si470x-usb.c
+++ usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -370,15 +370,14 @@ static void si470x_int_in_callback(struc
 	unsigned char tmpbuf[3];
 
 	if (urb->status) {
-		if (urb->status == -ENOENT ||
+		if (!(urb->status == -ENOENT ||
 				urb->status == -ECONNRESET ||
-				urb->status == -ESHUTDOWN) {
-			return;
-		} else {
+				urb->status == -ESHUTDOWN))
 			dev_warn(&radio->intf->dev,
-			 "non-zero urb status (%d)\n", urb->status);
-			goto resubmit; /* Maybe we can recover. */
-		}
+					"unrecognized urb status (%d)\n",
+					urb->status);
+		radio->int_in_running = 0;
+		return;
 	}
 
 	/* Sometimes the device returns len 0 packets */
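
Review bot: the handler now clears radio->int_in_running and returns on every non-zero status, but nothing in the patch updates radio->status_rssi_auto_update, which si470x_start_usb() copies from int_in_running only once (see the context of the next hunk), so it keeps saying auto-update is active after the URB has stopped. Clear it here as well, or make its readers check int_in_running. The hunk also leaves no way to restart the interrupt URB after a single transient error such as the -71 in the log; if recovery is meant to happen at a higher level, say where.
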
@@ -542,6 +541,8 @@ static int si470x_start_usb(struct si470
 		radio->int_in_running = 0;
 	}
 	radio->status_rssi_auto_update = radio->int_in_running;
+	if (retval < 0)
+		return retval;
 
 	/* start radio */
 	retval = si470x_start(radio);
@@ -734,7 +735,8 @@ static int si470x_usb_driver_probe(struc
 	/* start radio */
 	retval = si470x_start_usb(radio);
 	if (retval < 0)
-		goto err_buf;
+		/* the urb may be running even after an error */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
@@ -749,7 +751,7 @@ static int si470x_usb_driver_probe(struc
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 err_buf:
 	kfree(radio->buffer);
 err_ctrl:
@@ -824,7 +826,7 @@ static void si470x_usb_driver_disconnect
 	mutex_lock(&radio->lock);
 	v4l2_device_disconnect(&radio->v4l2_dev);
 	video_unregister_device(&radio->videodev);
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 	usb_set_intfdata(intf, NULL);
 	mutex_unlock(&radio->lock);
 	v4l2_device_put(&radio->v4l2_dev);


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-27 18:07     ` Alan Stern
@ 2019-11-27 20:55       ` syzbot
  2019-11-27 21:11         ` Alan Stern
  2019-11-28 10:51       ` Oliver Neukum
  1 sibling, 1 reply; 23+ messages in thread
From: syzbot @ 2019-11-27 20:55 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger  
crash:

Reported-and-tested-by:  
syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17d13f6ae00000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-27 20:55       ` syzbot
@ 2019-11-27 21:11         ` Alan Stern
  2019-11-28 15:19           ` Oliver Neukum
  0 siblings, 1 reply; 23+ messages in thread
From: Alan Stern @ 2019-11-27 21:11 UTC (permalink / raw)
  To: Oliver Neukum, syzbot
  Cc: andreyknvl, hverkuil, Kernel development list, linux-media,
	USB list, mchehab, syzkaller-bugs

Oliver:

Make of this what you will...

Alan Stern

On Wed, 27 Nov 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch and the reproducer did not trigger  
> crash:
> 
> Reported-and-tested-by:  
> syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com
> 
> Tested on:
> 
> commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=17d13f6ae00000
> 
> Note: testing is done by a robot and is best-effort only.


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-27 18:07     ` Alan Stern
  2019-11-27 20:55       ` syzbot
@ 2019-11-28 10:51       ` Oliver Neukum
  2019-11-28 17:33         ` Alan Stern
  1 sibling, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-28 10:51 UTC (permalink / raw)
  To: Alan Stern, syzbot
  Cc: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, syzkaller-bugs

On Wednesday, 27.11.2019, 13:07 -0500, Alan Stern wrote:
> Index: usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
> ===================================================================
> --- usb-devel.orig/drivers/media/radio/si470x/radio-si470x-usb.c
> +++ usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
> @@ -370,15 +370,14 @@ static void si470x_int_in_callback(struc
>         unsigned char tmpbuf[3];
>  
>         if (urb->status) {
> -               if (urb->status == -ENOENT ||
> +               if (!(urb->status == -ENOENT ||
>                                 urb->status == -ECONNRESET ||
> -                               urb->status == -ESHUTDOWN) {
> -                       return;
> -               } else {
> +                               urb->status == -ESHUTDOWN))
>                         dev_warn(&radio->intf->dev,
> -                        "non-zero urb status (%d)\n", urb->status);
> -                       goto resubmit; /* Maybe we can recover. */
> -               }
> +                                       "unrecognized urb status (%d)\n",
> +                                       urb->status);
> +               radio->int_in_running = 0;
> +               return;
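
Review bot: "radio->int_in_running = 0;" now also runs for -ENOENT, -ECONNRESET and -ESHUTDOWN, where the old branch simply returned, and the negated three-way condition hides that change. Add a comment saying the flag is cleared for every non-zero status, or use a switch on urb->status with the three unlink codes as silent cases, so the difference is visible to the next reader.
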

Hi,

it is a bit awkward to complain here, as your patch tests as correct
while mine didn't, but this is a race condition.
You can't guarantee that urb->status != 0.
The kill may happen while the completion handler is running for
a successful transfer.

I really appreciate your help, but I must understand what is going
wrong here. You are stopping the resubmit, but how could the resubmit
ever have not failed?

	Regards
		Oliver


^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
                   ` (3 preceding siblings ...)
  2019-11-27 10:27 ` Oliver Neukum
@ 2019-11-28 11:10 ` Oliver Neukum
  2019-11-28 13:53   ` syzbot
  2019-12-04 15:03 ` Oliver Neukum
  5 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-28 11:10 UTC (permalink / raw)
  To: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Friday, 18.10.2019, 07:53 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

JUST FOR DEBUGGING

#syz test: https://github.com/google/kasan.git 22be26f7

From 6e4c324c34b2fead2bdd1bc1274bd2e978df2be5 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 18 Nov 2019 14:41:51 +0100
Subject: [PATCH] si470x: prevent resubmission

Starting IO to a device is not necessarily a NOP in every error
case. So we need to terminate all IO in every case of probe
failure and disconnect with absolute certainty.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index fedff68d8c49..3a3c539ee39a 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -373,6 +373,7 @@ static void si470x_int_in_callback(struct urb *urb)
 		if (urb->status == -ENOENT ||
 				urb->status == -ECONNRESET ||
 				urb->status == -ESHUTDOWN) {
+			printk(KERN_ERR"Int URB killed\n");
 			return;
 		} else {
 			dev_warn(&radio->intf->dev,
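Review bot: the added printk(KERN_ERR"Int URB killed\n") in the unlink branch carries no device name, so with more than one radio attached (the log in this thread shows both 1-1 and 2-1) the line cannot be tied to an interface. radio is already in scope here; dev_err(&radio->intf->dev, "Int URB killed\n") would match the dev_warn() in the else branch just below.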
@@ -463,6 +464,7 @@ static void si470x_int_in_callback(struct urb *urb)
 	/* Resubmit if we're still running. */
 	if (radio->int_in_running && radio->usbdev) {
 		retval = usb_submit_urb(radio->int_in_urb, GFP_ATOMIC);
+		printk(KERN_ERR"In resubmit code path with result %d\n", retval);
 		if (retval) {
 			dev_warn(&radio->intf->dev,
 			       "resubmitting urb failed (%d)", retval);
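Review bot: the printk() placed right after usb_submit_urb() fires on every completion that reaches the resubmit path, at KERN_ERR and without rate limiting, from inside the URB completion handler. When the device keeps completing with an error and the resubmit keeps returning 0, that is one console line per completion; printk_ratelimited() would keep the trace readable and the handler cheap.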
@@ -542,6 +544,8 @@ static int si470x_start_usb(struct si470x_device *radio)
 		radio->int_in_running = 0;
 	}
 	radio->status_rssi_auto_update = radio->int_in_running;
+	if (retval < 0)
+		return retval;
 
 	/* start radio */
 	retval = si470x_start(radio);
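Review bot: the early "return retval" in si470x_start_usb() changes behaviour that the changelog does not mention. Before this hunk, whatever retval held at this point was overwritten by "retval = si470x_start(radio)", so the radio was still started after the branch that sets int_in_running = 0; now the function returns without starting it. If that is intended, state it in the commit message, and consider moving the return into the branch that clears int_in_running so it is clear which failure is being propagated.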
@@ -734,7 +738,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 	/* start radio */
 	retval = si470x_start_usb(radio);
 	if (retval < 0)
-		goto err_buf;
+		/* the urb may be running even after an error */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
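Review bot: the comment on the new "goto err_all" does not say which failure leaves the URB submitted. Going by the si470x_start_usb() hunk, it is the case where the URB was started and the later si470x_start(radio) fails; naming that in the comment would help the next reader. With the comment the if body now spans two lines, so braces around it would be safer.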
@@ -749,7 +754,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 err_buf:
 	kfree(radio->buffer);
 err_ctrl:
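Review bot: the changelog never names the switch from usb_kill_urb() to usb_poison_urb() at err_all or explains why killing was not enough. One sentence saying that the completion handler resubmits the URB and that the URB therefore has to stay rejected from this point on would document the actual fix.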
@@ -824,7 +829,7 @@ static void si470x_usb_driver_disconnect(struct usb_interface *intf)
 	mutex_lock(&radio->lock);
 	v4l2_device_disconnect(&radio->v4l2_dev);
 	video_unregister_device(&radio->videodev);
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 	usb_set_intfdata(intf, NULL);
 	mutex_unlock(&radio->lock);
 	v4l2_device_put(&radio->v4l2_dev);
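Review bot: nothing in the visible disconnect lines clears radio->int_in_running before usb_poison_urb(), so a completion that reaches the resubmit path during teardown will call usb_submit_urb() on the poisoned URB and log "resubmitting urb failed" on an ordinary unplug. Clearing int_in_running before the poison, or skipping the warning when the submit is refused, would avoid that noise.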
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 23+ messages in thread
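
The difference between usb_kill_urb() and usb_poison_urb() that the patch above relies on, and the point from the earlier reply that a kill can race with a completion whose status is 0, shown as an added single-threaded userspace model (not code from this thread or from the kernel). All model_* names, the simplified reject/use_count bookkeeping and the late submit after teardown are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: field names follow struct urb, logic is simplified. */
struct model_urb {
	int reject;     /* > 0: model_submit_urb() refuses the URB */
	int use_count;  /* > 0: URB is owned by the host controller */
	int status;     /* status reported to the completion handler */
	void *context;
};

struct model_radio {
	struct model_urb urb;
	bool int_in_running;
	int handler_resubmit; /* result of the handler's resubmit, 1 = none tried */
};

struct outcome {
	int handler_resubmit; /* what the racing handler's resubmit returned */
	int late_submit;      /* what a submit after teardown returned */
	int in_flight;        /* URBs still owned by the controller at the end */
};

static int model_submit_urb(struct model_urb *urb)
{
	if (urb->reject > 0)
		return -EPERM;
	urb->use_count++;
	return 0;
}

/* Shape of the pre-patch handler in the hunks above (usbdev check omitted). */
static void model_int_in_callback(struct model_urb *urb)
{
	struct model_radio *radio = urb->context;

	if (urb->status == -ENOENT || urb->status == -ECONNRESET ||
	    urb->status == -ESHUTDOWN)
		return;
	/* status 0 and "maybe we can recover" errors both reach the resubmit */
	if (radio->int_in_running) {
		radio->handler_resubmit = model_submit_urb(urb);
		if (radio->handler_resubmit)
			radio->int_in_running = false;
	}
}

/* Controller hands the URB back: run the handler, then drop ownership. */
static void model_giveback(struct model_urb *urb, int status)
{
	urb->status = status;
	model_int_in_callback(urb);
	urb->use_count--;
}

/* Wait until the controller no longer owns the URB. racing_status is what a
 * completion already in progress reports; later ones see the unlink. */
static void model_drain(struct model_urb *urb, int racing_status)
{
	int status = racing_status;

	while (urb->use_count > 0) {
		model_giveback(urb, status);
		status = -ENOENT;
	}
}

static void model_kill_urb(struct model_urb *urb, int racing_status)
{
	urb->reject++;                  /* refuse resubmits while draining */
	model_drain(urb, racing_status);
	urb->reject--;                  /* URB is usable again afterwards */
}

static void model_poison_urb(struct model_urb *urb, int racing_status)
{
	urb->reject++;                  /* stays set: URB remains unusable */
	model_drain(urb, racing_status);
}

static struct outcome run_teardown(bool use_poison, int racing_status)
{
	struct model_radio radio = { .int_in_running = true,
				     .handler_resubmit = 1 };
	struct outcome out;

	radio.urb.context = &radio;
	model_submit_urb(&radio.urb);   /* polling was started earlier */
	if (use_poison)
		model_poison_urb(&radio.urb, racing_status);
	else
		model_kill_urb(&radio.urb, racing_status);
	/* Assumed late caller that submits after teardown has returned. */
	out.late_submit = model_submit_urb(&radio.urb);
	out.handler_resubmit = radio.handler_resubmit;
	out.in_flight = radio.urb.use_count;
	return out;
}

int main(void)
{
	struct outcome k = run_teardown(false, 0), p = run_teardown(true, 0);

	printf("kill:   handler=%d late=%d in_flight=%d\n",
	       k.handler_resubmit, k.late_submit, k.in_flight);
	printf("poison: handler=%d late=%d in_flight=%d\n",
	       p.handler_resubmit, p.late_submit, p.in_flight);
	return 0;
}
```

In both variants the racing handler sees status 0, not an unlink code, and is stopped only by the reject counter; only the poisoned URB also refuses the submit that arrives after teardown.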

* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-28 11:10 ` Oliver Neukum
@ 2019-11-28 13:53   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2019-11-28 13:53 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered  
crash:
INFO: rcu detected stall in dummy_timer

radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 	1-...!: (1 GPs behind) idle=82a/0/0x3 softirq=3099/3100 fqs=0
	(t=10503 jiffies g=2445 q=28)
rcu: rcu_sched kthread starved for 10505 jiffies! g2445 f0x0  
RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_sched       R  running task    29384    10      2 0x80004000
Call Trace:
  schedule+0xca/0x250 kernel/sched/core.c:4136
  schedule_timeout+0x440/0xb20 kernel/time/timer.c:1895
  rcu_gp_fqs_loop kernel/rcu/tree.c:1639 [inline]
  rcu_gp_kthread+0xaff/0x29e0 kernel/rcu/tree.c:1799
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
NMI backtrace for cpu 1
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
  nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
  trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
  rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
  print_cpu_stall kernel/rcu/tree_stall.h:455 [inline]
  check_cpu_stall kernel/rcu/tree_stall.h:529 [inline]
  rcu_pending kernel/rcu/tree.c:2795 [inline]
  rcu_sched_clock_irq.cold+0x4da/0x936 kernel/rcu/tree.c:2244
  update_process_times+0x25/0x60 kernel/time/timer.c:1726
  tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:167
  tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1299
  __run_hrtimer kernel/time/hrtimer.c:1514 [inline]
  __hrtimer_run_queues+0x303/0xc60 kernel/time/hrtimer.c:1576
  hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1638
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline]
  smp_apic_timer_interrupt+0xf5/0x500 arch/x86/kernel/apic/apic.c:1135
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160  
[inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x40/0x50  
kernel/locking/spinlock.c:191
Code: e8 95 14 b3 fb 48 89 ef e8 6d f3 b3 fb f6 c7 02 75 11 53 9d e8 61 ba  
d0 fb 65 ff 0d a2 67 8f 7a 5b 5d c3 e8 02 be d0 fb 53 9d <eb> ed 0f 1f 40  
00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fd 65 ff
RSP: 0018:ffff8881db309b08 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881da21384c
RBP: ffff8881d50e0000 R08: ffff8881da213000 R09: fffffbfff11b23b8
R10: fffffbfff11b23b7 R11: ffffffff88d91dbf R12: 0000000000000080
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8881d2f05b00
  spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
  dummy_timer+0x131b/0x2fa2 drivers/usb/gadget/udc/dummy_hcd.c:1980
  call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
  expire_timers kernel/time/timer.c:1449 [inline]
  __run_timers kernel/time/timer.c:1773 [inline]
  __run_timers kernel/time/timer.c:1740 [inline]
  run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
  __do_softirq+0x221/0x912 kernel/softirq.c:292
  invoke_softirq kernel/softirq.c:373 [inline]
  irq_exit+0x178/0x1a0 kernel/softirq.c:413
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
  </IRQ>
RIP: 0010:default_idle+0x28/0x2e0 arch/x86/kernel/process.c:581
Code: 90 90 41 56 41 55 65 44 8b 2d f4 20 8f 7a 41 54 55 53 0f 1f 44 00 00  
e8 c6 d2 d0 fb e9 07 00 00 00 0f 00 2d ea c5 4f 00 fb f4 <65> 44 8b 2d d0  
20 8f 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff8881da22fdc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21384c
RBP: ffffed103b442600 R08: ffff8881da213000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
  cpuidle_idle_call kernel/sched/idle.c:154 [inline]
  do_idle+0x3b6/0x500 kernel/sched/idle.c:263
  cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:355
  start_secondary+0x27d/0x330 arch/x86/kernel/smpboot.c:264
  secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 2-1:0.0: non-zero urb status (-71)
In resubmit code path with result 0
radio-si470x 1-1:0.0: non-zero urb status (-71)


Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10baff5ee00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=164cd702e00000



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-27 21:11         ` Alan Stern
@ 2019-11-28 15:19           ` Oliver Neukum
  2019-11-28 17:25             ` Alan Stern
  0 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-11-28 15:19 UTC (permalink / raw)
  To: Alan Stern, syzbot
  Cc: andreyknvl, hverkuil, Kernel development list, linux-media,
	USB list, mchehab, syzkaller-bugs

On Wednesday, 27.11.2019 at 16:11 -0500, Alan Stern wrote:
> Oliver:
> 
> Make of this what you will...

Hi,

first, thank you. Second, this is teaching me to question my
assumptions. There is no disconnect at all. We are busy looping
in the error handler as we have virtual hardware in this test,
which can execute an URB without waiting for hardware.

So should we kill error handling for this case?

	Regards
		Oliver



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-28 15:19           ` Oliver Neukum
@ 2019-11-28 17:25             ` Alan Stern
  0 siblings, 0 replies; 23+ messages in thread
From: Alan Stern @ 2019-11-28 17:25 UTC (permalink / raw)
  To: Oliver Neukum
  Cc: syzbot, andreyknvl, hverkuil, Kernel development list,
	linux-media, USB list, mchehab, syzkaller-bugs

On Thu, 28 Nov 2019, Oliver Neukum wrote:

> On Wednesday, 27.11.2019 at 16:11 -0500, Alan Stern wrote:
> > Oliver:
> > 
> > Make of this what you will...
> 
> Hi,
> 
> first, thank you. Second, this is teaching me to question my
> assumptions. There is no disconnect at all. We are busy looping
> in the error handler as we have virtual hardware in this test,
> which can execute an URB without waiting for hardware.
> 
> So should we kill error handling for this case?

Okay.  First of all, we must recognize that these syzbot tests have
encountered two separate bugs.  The first is the one fixed in your
original patches (the use-after-free).  This bug needs no discussion;
it looks like your patch fixes it.

The second bug is the CPU starvation caused by the tight resubmit loop
in the completion handler.  It is the reason why you kept getting
failure reports back from syzbot.  It is to some extent a misleading
result, related to the fact that dummy-hcd doesn't use real hardware,
as you noted.

Nevertheless, the fix I posted is appropriate.  I posed this question
to Greg KH some weeks ago, and he pointed out that after some
discussion on the mailing list, people had generally agreed that
drivers should not blindly resubmit URBs when they get an unrecognized
error status.  In this situation, error recovery has to occur at a
higher level (for example, the user could unplug the device and then
plug it in again).

So even though with real hardware this tight resubmit loop might not
end up using all the available CPU time, not resubmitting is still the
right approach.

Alan Stern



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-11-28 10:51       ` Oliver Neukum
@ 2019-11-28 17:33         ` Alan Stern
  0 siblings, 0 replies; 23+ messages in thread
From: Alan Stern @ 2019-11-28 17:33 UTC (permalink / raw)
  To: Oliver Neukum
  Cc: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Thu, 28 Nov 2019, Oliver Neukum wrote:

> Hi,
> 
> it is a bit awkward to complain here, as your patch tests as correct
> while mine didn't, but this is a race condition.
> You can't guarantee that urb->status != 0.
> The kill may happen while the completion handler is running for
> a successful transfer.
> 
> I really appreciate your help, but I must understand what is going
> wrong here. You are stopping the resubmit, but how could the resubmit
> ever have not failed?

You probably have figured all this out already, but I'll answer anyway.

The code I changed doesn't race with the error condition you were 
concerned about.  The two are independent, and it doesn't matter if the 
kill happens while the completion handler is running.

In the case my patch addresses, the resubmit does not fail.  Rather, it
succeeds but then the URB completes with a -EPROTO error.  The problem
is that the completion handler then resubmits the URB again, and it
completes again with the same error, right away, in a tight loop --
which prevents the CPU from executing any other code.  The way to fix
the problem is to break the loop by not resubmitting, which is what the
patch does.

Alan Stern
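
The tight loop described in the two replies above (a resubmitted URB that completes at once with -EPROTO, is resubmitted, and so on), as an added userspace model that is not part of the original thread or of the driver. The names `model_hcd`, `model_submit_urb`, `cb_blind_resubmit`, `cb_give_up` and `run_model` are hypothetical, and the device is assumed to fail every transfer with no bus latency.

```c
#include <stdio.h>

/* Error values as they appear in the thread: the log shows status -71. */
enum { ERR_PROTO = 71, ERR_SHUTDOWN = 108 };

struct urb;
typedef void (*complete_fn)(struct urb *);

/* Minimal stand-in for struct urb: only what this model needs. */
struct urb {
    int status;
    complete_fn complete;
    int queued;                 /* 1 while the URB sits with the controller */
};

/* Virtual controller (assumption): every queued URB completes on the very
 * next step with fault_status, because there is no hardware to wait for. */
static struct model_hcd {
    int fault_status;
    long completions;           /* completion callbacks delivered */
    long other_work;            /* steps left over for everything else */
} hcd;

static int model_submit_urb(struct urb *u) { u->queued = 1; return 0; }

/* Shape of the old handler: unrecognised errors go back to resubmit. */
static void cb_blind_resubmit(struct urb *u)
{
    if (u->status == -ERR_SHUTDOWN)
        return;                 /* recognised teardown status: stop */
    model_submit_urb(u);        /* success or "maybe we can recover" */
}

/* Shape of the fixed handler: any non-zero status ends the cycle. */
static void cb_give_up(struct urb *u)
{
    if (u->status)
        return;
    model_submit_urb(u);
}

/* Completions are serviced ahead of any other work, as they would be in
 * interrupt context. Returns the number of steps other code received. */
static long run_model(complete_fn cb, int fault, long budget)
{
    struct urb u = { 0, cb, 0 };

    hcd.fault_status = fault;
    hcd.completions = 0;
    hcd.other_work = 0;
    model_submit_urb(&u);
    for (long step = 0; step < budget; step++) {
        if (u.queued) {
            u.queued = 0;
            u.status = hcd.fault_status;
            hcd.completions++;
            u.complete(&u);
        } else {
            hcd.other_work++;
        }
    }
    return hcd.other_work;
}

int main(void)
{
    printf("blind resubmit: other work = %ld\n",
           run_model(cb_blind_resubmit, -ERR_PROTO, 1000));
    printf("give up:        other work = %ld\n",
           run_model(cb_give_up, -ERR_PROTO, 1000));
    return 0;
}
```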



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-10-18 14:53 KASAN: use-after-free Read in si470x_int_in_callback (2) syzbot
                   ` (4 preceding siblings ...)
  2019-11-28 11:10 ` Oliver Neukum
@ 2019-12-04 15:03 ` Oliver Neukum
  2019-12-04 18:17   ` syzbot
  5 siblings, 1 reply; 23+ messages in thread
From: Oliver Neukum @ 2019-12-04 15:03 UTC (permalink / raw)
  To: syzbot, andreyknvl, hverkuil, linux-kernel, linux-media,
	linux-usb, mchehab, syzkaller-bugs

On Friday, 18.10.2019 at 07:53 -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    22be26f7 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=102b65cf600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=143b9060e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15d3b94b600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

JUST IN CASE
Final test before submission

#syz test: https://github.com/google/kasan.git 22be26f7

From ccc2a7baec5a5117216972b1c502c5a0b97de0c4 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 4 Dec 2019 13:40:19 +0100
Subject: [PATCH] si470x: fixup error handling of the interrupt URB

The error handling of the interrupt URB is not correct
in every case and assumes that low level errors
are either transient or end with a disconnect.

Starting IO to a device is not necessarily a NOP in every error
case. So we need to terminate all IO in every case of probe
failure and disconnect with absolute certainty.
We also must not retry forever in an error case.
As this is unlikely in an actual device, we just give
up.

Reported-and-tested-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/radio/si470x/radio-si470x-usb.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index fedff68d8c49..1b974c2683a6 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -370,15 +370,12 @@ static void si470x_int_in_callback(struct urb *urb)
 	unsigned char tmpbuf[3];
 
 	if (urb->status) {
-		if (urb->status == -ENOENT ||
+		if (!(urb->status == -ENOENT ||
 				urb->status == -ECONNRESET ||
-				urb->status == -ESHUTDOWN) {
-			return;
-		} else {
+				urb->status == -ESHUTDOWN))
 			dev_warn(&radio->intf->dev,
 			 "non-zero urb status (%d)\n", urb->status);
-			goto resubmit; /* Maybe we can recover. */
-		}
+		return;
 	}
 
 	/* Sometimes the device returns len 0 packets */
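Review bot: in the urb->status branch every non-zero status now returns without resubmitting, but radio->int_in_running stays set, so the rest of the driver still treats the interrupt URB as live (si470x_start_usb() copies that flag into status_rssi_auto_update). Consider clearing int_in_running before the return so nothing waits for updates that will never arrive. The negated three-way comparison would also read more easily as a switch on urb->status or a positive test with an early return.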
@@ -463,6 +460,7 @@ static void si470x_int_in_callback(struct urb *urb)
 	/* Resubmit if we're still running. */
 	if (radio->int_in_running && radio->usbdev) {
 		retval = usb_submit_urb(radio->int_in_urb, GFP_ATOMIC);
+		printk(KERN_ERR"In resubmit code path with result %d\n", retval);
 		if (retval) {
 			dev_warn(&radio->intf->dev,
 			       "resubmitting urb failed (%d)", retval);
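Review bot: the printk added after usb_submit_urb() is debugging output and should be dropped before submission. It logs at KERN_ERR on every successful resubmit from the completion handler, which is the source of the repeated "In resubmit code path with result 0" lines in the test logs. If a trace is wanted, dev_dbg(&radio->intf->dev, ...) matches the neighbouring dev_warn() calls; the line is also missing a space between KERN_ERR and the format string.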
@@ -542,6 +540,8 @@ static int si470x_start_usb(struct si470x_device *radio)
 		radio->int_in_running = 0;
 	}
 	radio->status_rssi_auto_update = radio->int_in_running;
+	if (retval < 0)
+		return retval;
 
 	/* start radio */
 	retval = si470x_start(radio);
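Review bot: the early return on retval < 0 in si470x_start_usb() is a behaviour change the commit message does not mention. Before it, a negative retval at this point was overwritten by retval = si470x_start(radio), so the failure was silently ignored and probe could still succeed; now probe fails. Please state that in the changelog. Note also that status_rssi_auto_update is assigned before the return, which is fine only because the caller tears the device down.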
@@ -734,7 +734,8 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 	/* start radio */
 	retval = si470x_start_usb(radio);
 	if (retval < 0)
-		goto err_buf;
+		/* the urb may be running even after an error */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
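Review bot: the body of if (retval < 0) is now a comment plus the goto with no braces; kernel coding style wants braces once the body spans more than one line, comments included. The comment could also state the reason directly: si470x_start_usb() can return an error after the interrupt URB has already been submitted, so the error path has to stop it.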
@@ -749,8 +750,7 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	return 0;
 err_all:
-	usb_kill_urb(radio->int_in_urb);
-err_buf:
+	usb_poison_urb(radio->int_in_urb);
 	kfree(radio->buffer);
 err_ctrl:
 	v4l2_ctrl_handler_free(&radio->hdl);
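Review bot: dropping the err_buf label is only safe if no other goto err_buf remains in si470x_usb_driver_probe(); this patch converts a single caller, so the earlier error paths of the function need checking or the build breaks. The changelog should also say why usb_poison_urb() replaces usb_kill_urb() on this path rather than leaving it implied.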
@@ -824,7 +824,7 @@ static void si470x_usb_driver_disconnect(struct usb_interface *intf)
 	mutex_lock(&radio->lock);
 	v4l2_device_disconnect(&radio->v4l2_dev);
 	video_unregister_device(&radio->videodev);
-	usb_kill_urb(radio->int_in_urb);
+	usb_poison_urb(radio->int_in_urb);
 	usb_set_intfdata(intf, NULL);
 	mutex_unlock(&radio->lock);
 	v4l2_device_put(&radio->v4l2_dev);
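Review bot: the switch from usb_kill_urb() to usb_poison_urb() in si470x_usb_driver_disconnect() is the core of the use-after-free fix, yet the commit message never names it. Add a sentence explaining that a poisoned URB also rejects later usb_submit_urb() calls, so a completion handler running during disconnect cannot requeue the URB after the kill has returned.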
-- 
2.16.4



* Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
  2019-12-04 15:03 ` Oliver Neukum
@ 2019-12-04 18:17   ` syzbot
  0 siblings, 0 replies; 23+ messages in thread
From: syzbot @ 2019-12-04 18:17 UTC (permalink / raw)
  To: andreyknvl, hverkuil, linux-kernel, linux-media, linux-usb,
	mchehab, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com

Tested on:

commit:         22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7a12fd736d93e0232
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1063382ee00000

Note: testing is done by a robot and is best-effort only.
