linux-kernel.vger.kernel.org archive mirror
* WARNING in pvr2_i2c_core_done
@ 2019-09-25 12:59 syzbot
  2019-09-25 14:10 ` Alan Stern
From: syzbot @ 2019-09-25 12:59 UTC (permalink / raw)
  To: andreyknvl, gregkh, linux-kernel, linux-usb, rafael, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com

pvrusb2: Device being rendered inoperable
cx25840 0-0044: Unable to detect h/w, assuming cx23887
cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
pvrusb2: Attached sub-driver cx25840
pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'i2c-0'
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 102 Comm: pvrusb2-context Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  panic+0x2a3/0x6da kernel/panic.c:219
  __warn.cold+0x20/0x4a kernel/panic.c:576
  report_bug+0x262/0x2a0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:179 [inline]
  fixup_bug arch/x86/kernel/traps.c:174 [inline]
  do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c 01 00 75 41 48 8b 33 48 c7 c7 a0 dc d0 85 e8 e0 67 8a ff <0f> 0b eb 95 e8 72 c4 db ff e9 d2 fe ff ff 48 89 df e8 65 c4 db ff
RSP: 0018:ffff8881d5857c40 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff85f33f80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8128d3fd RDI: ffffed103ab0af7a
RBP: 0000000000000000 R08: ffff8881d5e11800 R09: ffffed103b643ee7
R10: ffffed103b643ee6 R11: ffff8881db21f737 R12: ffff8881d2e68338
R13: ffffffff85f34520 R14: ffff8881d2e68900 R15: ffff8881d5e11800
  dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:741
  device_del+0x12a/0xb10 drivers/base/core.c:2352
  device_unregister+0x11/0x30 drivers/base/core.c:2407
  i2c_del_adapter drivers/i2c/i2c-core-base.c:1596 [inline]
  i2c_del_adapter+0x42b/0x590 drivers/i2c/i2c-core-base.c:1535
  pvr2_i2c_core_done+0x69/0xb6 drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:652
  pvr2_hdw_destroy+0x179/0x370 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2680
  pvr2_context_destroy+0x84/0x230 drivers/media/usb/pvrusb2/pvrusb2-context.c:70
  pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
  pvr2_context_thread_func+0x657/0x860 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: WARNING in pvr2_i2c_core_done
  2019-09-25 12:59 WARNING in pvr2_i2c_core_done syzbot
@ 2019-09-25 14:10 ` Alan Stern
  2019-09-25 15:34   ` Andrey Konovalov
From: Alan Stern @ 2019-09-25 14:10 UTC (permalink / raw)
  To: syzbot
  Cc: andreyknvl, gregkh, linux-kernel, linux-usb, rafael, syzkaller-bugs

On Wed, 25 Sep 2019, syzbot wrote:

> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
> 
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I  
> can't clear it.
> pvrusb2: You might need to power cycle the pvrusb2 device in order to  
> recover.
> ------------[ cut here ]------------
> sysfs group 'power' not found for kobject 'i2c-0'
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group  
> fs/sysfs/group.c:278 [inline]
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278  
> sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269

I have seen a lot of error messages like this one (i.e., "group 'power'
not found for kobject"), in runs that involved fuzzing a completely
different USB driver.  Initial testing failed to find a cause.

This leads me to wonder whether the problem might lie somewhere else 
entirely.  A bug in some core kernel code?  Memory corruption?

Alan Stern



* Re: WARNING in pvr2_i2c_core_done
  2019-09-25 14:10 ` Alan Stern
@ 2019-09-25 15:34   ` Andrey Konovalov
  2019-09-26 21:44     ` Alan Stern
From: Andrey Konovalov @ 2019-09-25 15:34 UTC (permalink / raw)
  To: Alan Stern, Greg Kroah-Hartman, Rafael J. Wysocki
  Cc: syzbot, LKML, USB list, syzkaller-bugs

On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Wed, 25 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
> >
> > pvrusb2: Device being rendered inoperable
> > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > pvrusb2: Attached sub-driver cx25840
> > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > can't clear it.
> > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > recover.
> > ------------[ cut here ]------------
> > sysfs group 'power' not found for kobject 'i2c-0'
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > fs/sysfs/group.c:278 [inline]
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
>
> I have seen a lot of error messages like this one (i.e., "group 'power'
> not found for kobject"), in runs that involved fuzzing a completely
> different USB driver.  Initial testing failed to find a cause.
>
> This leads me to wonder whether the problem might lie somewhere else
> entirely.  A bug in some core kernel code?  Memory corruption?

AFAICS so far this has only been triggered from the usbvision driver
[1] and from the pvrusb2 driver (this report).

I wanted to loop in sysfs maintainers, but it seems that Greg and
Rafael are already cc'ed on this.

[1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634


* Re: WARNING in pvr2_i2c_core_done
  2019-09-25 15:34   ` Andrey Konovalov
@ 2019-09-26 21:44     ` Alan Stern
  2019-09-27  5:10       ` Greg Kroah-Hartman
From: Alan Stern @ 2019-09-26 21:44 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Greg Kroah-Hartman, Rafael J. Wysocki, syzbot, LKML, USB list,
	syzkaller-bugs

On Wed, 25 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Wed, 25 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
> > >
> > > pvrusb2: Device being rendered inoperable
> > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > pvrusb2: Attached sub-driver cx25840
> > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > > can't clear it.
> > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > recover.
> > > ------------[ cut here ]------------
> > > sysfs group 'power' not found for kobject 'i2c-0'
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > fs/sysfs/group.c:278 [inline]
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> >
> > I have seen a lot of error messages like this one (i.e., "group 'power'
> > not found for kobject"), in runs that involved fuzzing a completely
> > different USB driver.  Initial testing failed to find a cause.
> >
> > This leads me to wonder whether the problem might lie somewhere else
> > entirely.  A bug in some core kernel code?  Memory corruption?
> 
> AFAICS so far this has only been triggered from the usbvision driver
> [1] and from the pvrusb2 driver (this report).
> 
> I wanted to loop in sysfs maintainers, but it seems that Greg and
> Rafael are already cc'ed on this.
> 
> [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

It turns out the reason for this error is simple: The driver 
unregisters its subdevices in the release handler instead of in the 
disconnect handler.  There probably is documentation about this 
somewhere, but I don't know exactly where -- maybe Greg remembers.

In the case of pvrusb2, the issues involve unregistering both the v4l2 
device and the i2c device.

Alan Stern



* Re: WARNING in pvr2_i2c_core_done
  2019-09-26 21:44     ` Alan Stern
@ 2019-09-27  5:10       ` Greg Kroah-Hartman
  2019-09-27 14:21         ` Alan Stern
From: Greg Kroah-Hartman @ 2019-09-27  5:10 UTC (permalink / raw)
  To: Alan Stern
  Cc: Andrey Konovalov, Rafael J. Wysocki, syzbot, LKML, USB list,
	syzkaller-bugs

On Thu, Sep 26, 2019 at 05:44:31PM -0400, Alan Stern wrote:
> On Wed, 25 Sep 2019, Andrey Konovalov wrote:
> 
> > On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> > >
> > > On Wed, 25 Sep 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
> > > >
> > > > pvrusb2: Device being rendered inoperable
> > > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > > pvrusb2: Attached sub-driver cx25840
> > > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > > > can't clear it.
> > > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > > recover.
> > > > ------------[ cut here ]------------
> > > > sysfs group 'power' not found for kobject 'i2c-0'
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > > fs/sysfs/group.c:278 [inline]
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> > >
> > > I have seen a lot of error messages like this one (i.e., "group 'power'
> > > not found for kobject"), in runs that involved fuzzing a completely
> > > different USB driver.  Initial testing failed to find a cause.
> > >
> > > This leads me to wonder whether the problem might lie somewhere else
> > > entirely.  A bug in some core kernel code?  Memory corruption?
> > 
> > AFAICS so far this has only been triggered from the usbvision driver
> > [1] and from the pvrusb2 driver (this report).
> > 
> > I wanted to loop in sysfs maintainers, but it seems that Greg and
> > Rafael are already cc'ed on this.
> > 
> > [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
> 
> It turns out the reason for this error is simple: The driver 
> unregisters its subdevices in the release handler instead of in the 
> disconnect handler.  There probably is documentation about this 
> somewhere, but I don't know exactly where -- maybe Greg remembers.

Nope, I don't remember.  It should happen in the disconnect handler, odd
for it to be in release, but maybe that's the "easiest" way for v4l to
handle this?

thanks,

greg k-h


* Re: WARNING in pvr2_i2c_core_done
  2019-09-27  5:10       ` Greg Kroah-Hartman
@ 2019-09-27 14:21         ` Alan Stern
From: Alan Stern @ 2019-09-27 14:21 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Andrey Konovalov, Rafael J. Wysocki, syzbot, LKML, USB list,
	syzkaller-bugs

On Fri, 27 Sep 2019, Greg Kroah-Hartman wrote:

> > It turns out the reason for this error is simple: The driver 
> > unregisters its subdevices in the release handler instead of in the 
> > disconnect handler.  There probably is documentation about this 
> > somewhere, but I don't know exactly where -- maybe Greg remembers.
> 
> Nope, I don't remember.  It should happen in the disconnect handler, odd
> of it to be in release, but maybe that's the "easiest" way for v4l to
> handle this?

This isn't a question of "easiest".  Unregistering child devices in a
release handler is just _wrong_, plain and simple.  That's what gives
rise to the

"sysfs group 'power' not found for kobject 'i2c-0'"

warning in the kernel log.  The group can't be found because it has 
already been removed; it gets destroyed when the parent USB interface 
device is unregistered, because unregistering a device also removes 
from sysfs everything below that device.

Alan Stern


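The ordering rule Alan Stern states above, as an added user-space model that is not kernel code and not the pvrusb2 driver's own: every device keeps a flag standing in for its "power" sysfs group, and a device_del() look-alike clears that flag for the device and for everything below it, the way unregistering a parent removes the whole subtree from sysfs. The two teardown orders are run side by side; the names (device_add, device_del, device_unregister, teardown_children_in_release, teardown_children_in_disconnect, the "usb1" and "i2c-0" devices) are all hypothetical.

```c
/* Added user-space model of the teardown rule; not kernel code and not the
 * pvrusb2 driver. A device's "power" group is a flag, and device_del()
 * clears it for the device and everything below it. Names are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

struct device {
    const char *name;
    struct device *parent;
    int refcount;
    bool has_power_group;                 /* stands in for its sysfs entries */
    void (*release)(struct device *);     /* runs when the last ref drops */
};

static struct device *all_devices[8];     /* every device ever added */
static int ndevices;
static int warnings;                      /* "group not found" count */

static bool is_at_or_below(const struct device *d, const struct device *top)
{
    for (; d && d != top; d = d->parent) ;
    return d != NULL;
}

static void device_add(struct device *dev)
{
    dev->refcount = 1;
    dev->has_power_group = true;          /* dpm_sysfs_add() */
    all_devices[ndevices++] = dev;
}

/* Like sysfs_remove_group(): warns when the group is already gone. */
static void sysfs_remove_group(struct device *dev)
{
    if (!dev->has_power_group) {
        printf("WARNING: sysfs group 'power' not found for kobject '%s'\n",
               dev->name);
        warnings++;
        return;
    }
    dev->has_power_group = false;
}

static void device_del(struct device *dev)
{
    sysfs_remove_group(dev);              /* dpm_sysfs_remove() */
    for (int i = 0; i < ndevices; i++)    /* kobject_del(): the directory */
        if (is_at_or_below(all_devices[i], dev))   /* and all below it go */
            all_devices[i]->has_power_group = false;
}

static void device_unregister(struct device *dev)
{
    device_del(dev);
    if (--dev->refcount == 0 && dev->release)   /* put_device() */
        dev->release(dev);
}

struct ctx { struct device intf, adap; };  /* USB interface + i2c child */

/* The wrong pattern: the child is unregistered from the parent's release
 * callback, which runs only after device_del() emptied the subtree. */
static void release_unregisters_child(struct device *intf)
{
    struct ctx *c = (struct ctx *)intf;   /* intf is ctx's first member */
    device_unregister(&c->adap);          /* i2c-0's group is already gone */
}

static void ctx_init(struct ctx *c, void (*release)(struct device *))
{
    ndevices = warnings = 0;
    c->intf = (struct device){ .name = "usb1", .release = release };
    c->adap = (struct device){ .name = "i2c-0", .parent = &c->intf };
    device_add(&c->intf);
    device_add(&c->adap);
}

/* Both return the number of "group not found" warnings produced. */
int teardown_children_in_release(void)
{
    struct ctx c;
    ctx_init(&c, release_unregisters_child);
    device_unregister(&c.intf);           /* disconnect drops the parent only */
    return warnings;
}

int teardown_children_in_disconnect(void)
{
    struct ctx c;
    ctx_init(&c, NULL);
    device_unregister(&c.adap);           /* disconnect: children first... */
    device_unregister(&c.intf);           /* ...then the parent */
    return warnings;
}

int main(void)
{
    printf("release: %d, disconnect: %d warning(s)\n",
           teardown_children_in_release(), teardown_children_in_disconnect());
}
```

Compiled and run as a plain C program, the first teardown prints the same "sysfs group 'power' not found for kobject 'i2c-0'" line the report shows, because the child's entries were removed together with the parent's before the release callback ran; the second order produces none. The later traces in this thread show the same release-path unregistration going one step further, from device_del() into kernfs_find_ns.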

* Re: WARNING in pvr2_i2c_core_done
       [not found]   ` <20200722091201.2076-1-hdanton@sina.com>
@ 2020-07-22  9:18     ` B K Karthik
From: B K Karthik @ 2020-07-22  9:18 UTC (permalink / raw)
  To: Hillf Danton
  Cc: Markus.Elfring, andreyknvl, bkkarthik, dan.carpenter, gregkh,
	linux-kernel, linux-usb, rafael, syzkaller-bugs, syzbot

On Wed, 22 Jul 2020 at 14:42, Hillf Danton <hdanton@sina.com> wrote:
>
>
> From: syzbot <syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com>
>
> Tue, 21 Jul 2020 21:06:10 -0700
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > general protection fault in kernfs_find_ns
> >
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> > CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
> > Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
> > RSP: 0018:ffff8881d419f938 EFLAGS: 00010202
> > RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
> > RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
> > RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
> > R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
> > FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f3a7e248000 CR3: 00000001d2224000 CR4: 00000000001406f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
> >  kernfs_find_and_get include/linux/kernfs.h:548 [inline]
> >  sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
> >  dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
>
> [3]
>
> >  device_del+0x18b/0xd20 drivers/base/core.c:2834
> >  device_unregister+0x22/0xc0 drivers/base/core.c:2889
> >  i2c_unregister_device include/linux/err.h:41 [inline]
>
> [2]
>
> >  i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
> >  device_release+0x71/0x200 drivers/base/core.c:1559
>
> [1] kobject_del() goes before the release cb in kobject_cleanup() and
> kobj is removed from sysfs, see [3] above.

Oh, thank you for letting me know about this. Forgive me, but I did
not understand you very clearly.
I presume you are saying that the second call to
i2c_unregister_device() is where the problem occurs?

Please let me know.
thanks,

karthik


* Re: WARNING in pvr2_i2c_core_done
  2020-07-22  3:16 [PATCH v2] i2c: fix " B K Karthik
@ 2020-07-22  4:06 ` syzbot
       [not found]   ` <20200722091201.2076-1-hdanton@sina.com>
From: syzbot @ 2020-07-22  4:06 UTC (permalink / raw)
  To: Markus.Elfring, andreyknvl, bkkarthik, dan.carpenter, gregkh,
	hdanton, linux-kernel, linux-usb, rafael, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in kernfs_find_ns

pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
RSP: 0018:ffff8881d419f938 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3a7e248000 CR3: 00000001d2224000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
 kernfs_find_and_get include/linux/kernfs.h:548 [inline]
 sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
 dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
 device_del+0x18b/0xd20 drivers/base/core.c:2834
 device_unregister+0x22/0xc0 drivers/base/core.c:2889
 i2c_unregister_device include/linux/err.h:41 [inline]
 i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
 device_release+0x71/0x200 drivers/base/core.c:1559
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x245/0x540 lib/kobject.c:739
 put_device drivers/base/core.c:2779 [inline]
 device_unregister+0x34/0xc0 drivers/base/core.c:2890
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114
 v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135
 pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline]
 pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline]
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline]
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline]
 pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline]
 pvr2_context_thread_func+0x250/0x850 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
 kthread+0x392/0x470 kernel/kthread.c:291
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Modules linked in:
---[ end trace a2576a16aa8e791c ]---
RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
RSP: 0018:ffff8881d419f938 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3a7e248000 CR3: 00000001d2224000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit:         b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git..
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1208f437100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler:       gcc (GCC) 10.1.0-syz 20200507
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14d56430900000



* Re: WARNING in pvr2_i2c_core_done
  2020-07-21 11:20 ` syzbot
@ 2020-07-21 11:55   ` B K Karthik
From: B K Karthik @ 2020-07-21 11:55 UTC (permalink / raw)
  To: syzbot
  Cc: Dan Carpenter, Greg Kroah-Hartman, Mike Isely, linux-i2c,
	linux-kernel, linux-media, Mauro Carvalho Chehab, Shuah Khan,
	syzkaller-bugs

On Tue, Jul 21, 2020 at 4:50 PM syzbot
<syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> general protection fault in kernfs_find_ns
>
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]

I'm guessing this has to do with kmem_cache_free() called by
i2c_acpi_remove_space_handler()
through acpi_ut_delete_generic_state() in drivers/acpi/osl.c:1708?

> CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
> Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
> RSP: 0018:ffff8881d4187938 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
> RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
> R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
> FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000557f2b45ae48 CR3: 00000001d2762000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
>  kernfs_find_and_get include/linux/kernfs.h:548 [inline]
>  sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
>  dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
>  device_del+0x18b/0xd20 drivers/base/core.c:2834
>  device_unregister+0x22/0xc0 drivers/base/core.c:2889
>  i2c_unregister_device include/linux/err.h:41 [inline]
>  i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
>  device_release+0x71/0x200 drivers/base/core.c:1559
>  kobject_cleanup lib/kobject.c:693 [inline]
>  kobject_release lib/kobject.c:722 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  kobject_put+0x245/0x540 lib/kobject.c:739
>  put_device drivers/base/core.c:2779 [inline]
>  device_unregister+0x34/0xc0 drivers/base/core.c:2890
>  i2c_unregister_device+0x38/0x40 include/linux/err.h:41
>  v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114
>  v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135
>  pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline]
>  pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline]
>  pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline]
>  pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline]
>  pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339
>  pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline]
>  pvr2_context_thread_func+0x250/0x850 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
>  kthread+0x392/0x470 kernel/kthread.c:291
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
> Modules linked in:
> ---[ end trace 9af941b6bcb04b01 ]---
> RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
> Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
> RSP: 0018:ffff8881d4187938 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
> RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
> R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
> FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000557f2b45ae48 CR3: 00000001d2762000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> Tested on:
>
> commit:         b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git..
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16dfe440900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343
> dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=117e281b100000
>


* Re: WARNING in pvr2_i2c_core_done
  2020-07-21 11:10 [PATCH] i2c: fix " B K Karthik
@ 2020-07-21 11:20 ` syzbot
  2020-07-21 11:55   ` B K Karthik
From: syzbot @ 2020-07-21 11:20 UTC (permalink / raw)
  To: bkkarthik, dan.carpenter, gregkh, isely, linux-i2c, linux-kernel,
	linux-media, mchehab, skhan, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in kernfs_find_ns

pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
RSP: 0018:ffff8881d4187938 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557f2b45ae48 CR3: 00000001d2762000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
 kernfs_find_and_get include/linux/kernfs.h:548 [inline]
 sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
 dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
 device_del+0x18b/0xd20 drivers/base/core.c:2834
 device_unregister+0x22/0xc0 drivers/base/core.c:2889
 i2c_unregister_device include/linux/err.h:41 [inline]
 i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
 device_release+0x71/0x200 drivers/base/core.c:1559
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x245/0x540 lib/kobject.c:739
 put_device drivers/base/core.c:2779 [inline]
 device_unregister+0x34/0xc0 drivers/base/core.c:2890
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114
 v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135
 pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline]
 pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline]
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline]
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline]
 pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline]
 pvr2_context_thread_func+0x250/0x850 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
 kthread+0x392/0x470 kernel/kthread.c:291
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Modules linked in:
---[ end trace 9af941b6bcb04b01 ]---
RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48
RSP: 0018:ffff8881d4187938 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff863789c0 RCX: ffffffff85a79ba7
RDX: 000000000000000e RSI: ffffffff81901d1c RDI: 0000000000000070
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff873ed1e7
R10: fffffbfff0e7da3c R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff863790e0
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557f2b45ae48 CR3: 00000001d2762000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit:         b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git..
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16dfe440900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler:       gcc (GCC) 10.1.0-syz 20200507
patch:          https://syzkaller.appspot.com/x/patch.diff?x=117e281b100000



Thread overview: 10+ messages
2019-09-25 12:59 WARNING in pvr2_i2c_core_done syzbot
2019-09-25 14:10 ` Alan Stern
2019-09-25 15:34   ` Andrey Konovalov
2019-09-26 21:44     ` Alan Stern
2019-09-27  5:10       ` Greg Kroah-Hartman
2019-09-27 14:21         ` Alan Stern
2020-07-21 11:10 [PATCH] i2c: fix " B K Karthik
2020-07-21 11:20 ` syzbot
2020-07-21 11:55   ` B K Karthik
2020-07-22  3:16 [PATCH v2] i2c: fix " B K Karthik
2020-07-22  4:06 ` syzbot
     [not found]   ` <20200722091201.2076-1-hdanton@sina.com>
2020-07-22  9:18     ` B K Karthik
