WARNING in pvr2_i2c_core_done


syzbot

Sep 25, 2019, 8:59:06 AM
to andre...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e74a99...@syzkaller.appspotmail.com

pvrusb2: Device being rendered inoperable
cx25840 0-0044: Unable to detect h/w, assuming cx23887
cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
pvrusb2: Attached sub-driver cx25840
pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'i2c-0'
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 102 Comm: pvrusb2-context Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:741
device_del+0x12a/0xb10 drivers/base/core.c:2352
device_unregister+0x11/0x30 drivers/base/core.c:2407
i2c_del_adapter drivers/i2c/i2c-core-base.c:1596 [inline]
i2c_del_adapter+0x42b/0x590 drivers/i2c/i2c-core-base.c:1535
pvr2_i2c_core_done+0x69/0xb6 drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:652
pvr2_hdw_destroy+0x179/0x370 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2680
pvr2_context_destroy+0x84/0x230 drivers/media/usb/pvrusb2/pvrusb2-context.c:70
pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
pvr2_context_thread_func+0x657/0x860 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Alan Stern

Sep 25, 2019, 10:10:16 AM
to syzbot, andre...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
I have seen a lot of error messages like this one (i.e., "group 'power'
not found for kobject"), in runs that involved fuzzing a completely
different USB driver. Initial testing failed to find a cause.

This leads me to wonder whether the problem might lie somewhere else
entirely. A bug in some core kernel code? Memory corruption?

Alan Stern

Andrey Konovalov

Sep 25, 2019, 11:34:51 AM
to Alan Stern, Greg Kroah-Hartman, Rafael J. Wysocki, syzbot, LKML, USB list, syzkaller-bugs
AFAICS so far this has only been triggered from the usbvision driver
[1] and from the pvrusb2 driver (this report).

I wanted to loop in sysfs maintainers, but it seems that Greg and
Rafael are already cc'ed on this.

[1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

Alan Stern

Sep 25, 2019, 2:26:19 PM
to syzbot, syzkaller-bugs
This is the patch which supposedly fixed
syzbot+5b9bba...@syzkaller.appspotmail.com.

#syz test: https://github.com/google/kasan.git f0df5c1b

drivers/media/usb/usbvision/usbvision-video.c | 27 ++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)

Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -314,6 +314,10 @@ static int usbvision_v4l2_open(struct fi
if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;

+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto unlock;
+ }
if (usbvision->user) {
err_code = -EBUSY;
} else {
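Review bot: the remove_pending test inserted ahead of the `if (usbvision->user)` check is only safe because the flag is written under v4l2_lock (the usbvision_disconnect hunk sets `usbvision->remove_pending = 1` with the lock held), and nothing in the driver documents that rule; a short comment on the field or at this check ("protected by v4l2_lock") would keep a later change from testing it lock-free.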
@@ -377,6 +381,7 @@ unlock:
static int usbvision_v4l2_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "close");

@@ -391,9 +396,10 @@ static int usbvision_v4l2_close(struct f
usbvision_scratch_free(usbvision);

usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
usbvision_release(usbvision);
return 0;
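Review bot: moving the remove_pending read to `r = usbvision->remove_pending;` while v4l2_lock is still held is the substantive fix in this hunk, and it deserves a comment: once `usbvision->user--` has dropped the count and the lock is released, the disconnect side may perform the final teardown of usbvision, so the old `if (usbvision->remove_pending)` after mutex_unlock() could read freed memory. Naming the local something like `final` instead of `r` would also make the intent obvious.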
@@ -453,6 +459,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);

+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
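Review bot: the `if (!usbvision->dev) return -ENODEV;` added to vidioc_querycap reads dev without v4l2_lock, whereas usbvision_disconnect clears it under that lock (last hunk), so unless the V4L2 core already serialises this ioctl against v4l2_lock the check narrows the window rather than closing it; it also uses a different sentinel (dev == NULL) from the open paths (remove_pending), so consider testing the same flag under the same lock in both places.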
@@ -1073,6 +1082,11 @@ static int usbvision_radio_open(struct f

if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;
+
+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto out;
+ }
err_code = v4l2_fh_open(file);
if (err_code)
goto out;
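Review bot: the blank `+` line inserted above the remove_pending check in usbvision_radio_open is stray whitespace; drop it so the block matches its twin in usbvision_v4l2_open.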
@@ -1105,21 +1119,24 @@ out:
static int usbvision_radio_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "");

mutex_lock(&usbvision->v4l2_lock);
/* Set packet size to 0 */
usbvision->iface_alt = 0;
- usb_set_interface(usbvision->dev, usbvision->iface,
+ if (usbvision->dev)
+ usb_set_interface(usbvision->dev, usbvision->iface,
usbvision->iface_alt);

usbvision_audio_off(usbvision);
usbvision->radio = 0;
usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
v4l2_fh_release(file);
usbvision_release(usbvision);
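Review bot: the continuation line `usbvision->iface_alt);` keeps its original indentation although usb_set_interface() is now the body of the new `if (usbvision->dev)`, so it should be re-indented one level; otherwise the change is consistent with the disconnect hunk, which sets dev to NULL under v4l2_lock, so the NULL test here under the same lock is reliable. The `r` snapshot before mutex_unlock() has the same justification as in usbvision_v4l2_close and wants the same comment.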
@@ -1551,6 +1568,7 @@ err_usb:
static void usbvision_disconnect(struct usb_interface *intf)
{
struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+ int u;

PDEBUG(DBG_PROBE, "");

@@ -1567,13 +1585,14 @@ static void usbvision_disconnect(struct
v4l2_device_disconnect(&usbvision->v4l2_dev);
usbvision_i2c_unregister(usbvision);
usbvision->remove_pending = 1; /* Now all ISO data will be ignored */
+ u = usbvision->user;

usb_put_dev(usbvision->dev);
usbvision->dev = NULL; /* USB device is no more */

mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->user) {
+ if (u) {
printk(KERN_INFO "%s: In use, disconnect pending\n",
__func__);
wake_up_interruptible(&usbvision->wait_frame);
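Review bot: the snapshot `u = usbvision->user;` taken under v4l2_lock, with the `if (u)` test after mutex_unlock(), is what guarantees exactly one side performs the final release: close and disconnect each update their own field and read the other's inside the same critical section, so whichever runs second sees the first one's update. That reasoning is not visible from the code; a comment next to `usbvision->remove_pending = 1;` explaining the handoff would help, and `u` could be named `in_use`.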


syzbot

Sep 25, 2019, 2:38:02 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in video_unregister_device

usbvision_radio_close: Final disconnect
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio7'
WARNING: CPU: 0 PID: 2909 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 2909 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 2909 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:735
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0x83/0x120 drivers/media/usb/usbvision/usbvision-video.c:1256
usbvision_release+0x10d/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1369
usbvision_radio_close.cold+0x2b/0x74 drivers/media/usb/usbvision/usbvision-video.c:1142
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcd6296a2b0
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14992a6d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=111021d5600000

Alan Stern

Sep 25, 2019, 3:06:03 PM
to syzbot, syzkall...@googlegroups.com
drivers/media/usb/usbvision/usbvision-video.c | 52 ++++++++++++++++++++++++--
1 file changed, 48 insertions(+), 4 deletions(-)

Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -131,6 +131,26 @@ MODULE_LICENSE("GPL");
MODULE_VERSION(USBVISION_VERSION_STRING);
MODULE_ALIAS(DRIVER_ALIAS);

+#include <linux/kernfs.h>
+#include <linux/kobject.h>
+
+static void usbvision_check(struct usb_usbvision *usbvision, char *msg)
+{
+ struct kernfs_node *kn;
+
+ if (!video_is_registered(&usbvision->rdev)) {
+ dev_info(&usbvision->rdev.dev, "AS Not registered: %s\n", msg);
+ } else {
+ kn = kernfs_find_and_get(usbvision->rdev.dev.kobj.sd, "power");
+ if (kn) {
+ kernfs_put(kn);
+ dev_info(&usbvision->rdev.dev, "AS Power ok: %s\n", msg);
+ } else {
+ dev_err(&usbvision->rdev.dev, "AS Power gone: %s\n", msg);
+ }
+ }
+}
+

/*****************************************************************************/
/* SYSFS Code - Copied from the stv680.c usb module. */
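Review bot: `usbvision_check()` is only ever called with string literals, so `char *msg` should be `const char *msg`; the two `#include` lines also sit after the MODULE_ macros rather than with the file's other includes. One caveat for the probe itself: kernfs_find_and_get() takes kernfs_mutex internally, so this helper must not be called with that mutex held; all the call sites in this patch are driver context, so that is fine.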
@@ -314,6 +334,10 @@ static int usbvision_v4l2_open(struct fi
if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;

+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto unlock;
+ }
if (usbvision->user) {
err_code = -EBUSY;
} else {
@@ -377,9 +401,11 @@ unlock:
static int usbvision_v4l2_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "close");

+ usbvision_check(usbvision, "v4l2 close 1");
mutex_lock(&usbvision->v4l2_lock);
usbvision_audio_off(usbvision);
usbvision_restart_isoc(usbvision);
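Review bot: the "v4l2 close 1" probe runs before mutex_lock(&usbvision->v4l2_lock), so it can observe rdev while usbvision_disconnect is in the middle of tearing down under the lock; that is acceptable for a throwaway debug probe, but the "close 1"/"close 2" pair should be read with that in mind.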
@@ -391,9 +417,11 @@ static int usbvision_v4l2_close(struct f
usbvision_scratch_free(usbvision);

usbvision->user--;
+ r = usbvision->remove_pending;
+ usbvision_check(usbvision, "v4l2 close 2");
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
usbvision_release(usbvision);
return 0;
@@ -453,6 +481,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);

+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
@@ -1073,6 +1104,11 @@ static int usbvision_radio_open(struct f

if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;
+
+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto out;
+ }
err_code = v4l2_fh_open(file);
if (err_code)
goto out;
@@ -1105,21 +1141,26 @@ out:
static int usbvision_radio_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "");

+ usbvision_check(usbvision, "radio close 1");
mutex_lock(&usbvision->v4l2_lock);
/* Set packet size to 0 */
usbvision->iface_alt = 0;
- usb_set_interface(usbvision->dev, usbvision->iface,
+ if (usbvision->dev)
+ usb_set_interface(usbvision->dev, usbvision->iface,
usbvision->iface_alt);

usbvision_audio_off(usbvision);
usbvision->radio = 0;
usbvision->user--;
+ r = usbvision->remove_pending;
+ usbvision_check(usbvision, "radio close 2");
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
v4l2_fh_release(file);
usbvision_release(usbvision);
@@ -1236,6 +1277,7 @@ static void usbvision_unregister_video(s
if (video_is_registered(&usbvision->rdev)) {
PDEBUG(DBG_PROBE, "unregister %s [v4l2]",
video_device_node_name(&usbvision->rdev));
+ usbvision_check(usbvision, "unregister_video");
video_unregister_device(&usbvision->rdev);
}

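Review bot: the probe placed immediately before video_unregister_device() is the decisive one: a "Power gone" report at this point means the power group had already disappeared before the driver asked for the device to be unregistered, which rules out video_unregister_device() itself and points at an earlier removal of the group or of the parent kobject.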
@@ -1551,6 +1593,7 @@ err_usb:
static void usbvision_disconnect(struct usb_interface *intf)
{
struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+ int u;

PDEBUG(DBG_PROBE, "");

@@ -1567,13 +1610,14 @@ static void usbvision_disconnect(struct

syzbot

Sep 25, 2019, 3:17:01 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in video_unregister_device

video4linux radio2: AS Power gone: unregister_video
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio2'
WARNING: CPU: 1 PID: 2892 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
WARNING: CPU: 1 PID: 2892 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 2892 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:735
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0x92/0x130 drivers/media/usb/usbvision/usbvision-video.c:1281
usbvision_release+0x10d/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1394
usbvision_radio_close.cold+0x2b/0x74 drivers/media/usb/usbvision/usbvision-video.c:1166
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f0f468872b0
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12370019600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1435cf29600000

Alan Stern

Sep 25, 2019, 4:08:40 PM
to syzbot, syzkall...@googlegroups.com
@@ -377,6 +401,7 @@ unlock:
static int usbvision_v4l2_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "close");

@@ -391,9 +416,10 @@ static int usbvision_v4l2_close(struct f
usbvision_scratch_free(usbvision);

usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
usbvision_release(usbvision);
return 0;
@@ -453,6 +479,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);

+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
@@ -1073,6 +1102,11 @@ static int usbvision_radio_open(struct f

if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;
+
+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto out;
+ }
err_code = v4l2_fh_open(file);
if (err_code)
goto out;
@@ -1105,21 +1139,28 @@ out:
static int usbvision_radio_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "");

+ usbvision_check(usbvision, "radio close 1");
mutex_lock(&usbvision->v4l2_lock);
+ usbvision_check(usbvision, "radio close 2");
/* Set packet size to 0 */
usbvision->iface_alt = 0;
- usb_set_interface(usbvision->dev, usbvision->iface,
+ if (usbvision->dev)
+ usb_set_interface(usbvision->dev, usbvision->iface,
usbvision->iface_alt);

+ usbvision_check(usbvision, "radio close 3");
usbvision_audio_off(usbvision);
usbvision->radio = 0;
usbvision->user--;
+ r = usbvision->remove_pending;
+ usbvision_check(usbvision, "radio close 4");
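Review bot: the four probes in usbvision_radio_close bisect the function: "radio close 2" is taken right after the lock is acquired and "radio close 3" right after the guarded usb_set_interface() call, so an ok/gone flip between them isolates the iface_alt reset and usb_set_interface(), while a flip between 3 and 4 isolates usbvision_audio_off(), `radio = 0` and `user--`. The hunk is cut off here, so the matching mutex_unlock() and the `if (r)` tail cannot be reviewed.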

syzbot

Sep 25, 2019, 4:19:01 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in video_unregister_device

video4linux radio0: AS Power gone: unregister_video
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio0'
WARNING: CPU: 1 PID: 2871 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
WARNING: CPU: 1 PID: 2871 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 2871 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:735
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0x92/0x130 drivers/media/usb/usbvision/usbvision-video.c:1281
usbvision_release+0x10d/0x1c0 drivers/media/usb/usbvision/usbvision-video.c:1394
usbvision_radio_close.cold+0x2b/0x74 drivers/media/usb/usbvision/usbvision-video.c:1166
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f12e98e02b0
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=115dfa83600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1415b261600000

Alan Stern

Sep 25, 2019, 5:19:33 PM
to syzbot, syzkall...@googlegroups.com
drivers/base/power/sysfs.c | 10 +++
drivers/media/usb/usbvision/usbvision-video.c | 52 ++++++++++++++++++-
fs/kernfs/dir.c | 68 ++++++++++++++++++++++++++
include/linux/kernfs.h | 1
4 files changed, 127 insertions(+), 4 deletions(-)
Index: usb-devel/drivers/base/power/sysfs.c
===================================================================
--- usb-devel.orig/drivers/base/power/sysfs.c
+++ usb-devel/drivers/base/power/sysfs.c
@@ -11,6 +11,10 @@
#include <linux/jiffies.h>
#include "power.h"

+#include <linux/kernfs.h>
+extern void ASadd(struct kernfs_node *parent);
+extern void ASremove(struct kernfs_node *parent);
+
/*
* control - Report/change current runtime PM setting of the device
*
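Review bot: the `extern void ASadd(...)` / `ASremove(...)` prototypes are declared locally in sysfs.c rather than in include/linux/kernfs.h next to the new ASnode field, so the compiler cannot check the call sites against the definitions in fs/kernfs/dir.c; putting them in the header would have flagged the argument type used by the three calls below.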
@@ -652,6 +656,8 @@ int dpm_sysfs_add(struct device *dev)
rc = sysfs_create_group(&dev->kobj, &pm_attr_group);
if (rc)
return rc;
+ if (strncmp(dev_name(dev), "radio", 5) == 0)
+ ASadd(&dev->kobj.sd);

if (pm_runtime_callbacks_present(dev)) {
rc = sysfs_merge_group(&dev->kobj, &pm_runtime_attr_group);
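Review bot: `ASadd(&dev->kobj.sd)` passes the address of the sd field (a `struct kernfs_node **`) where ASadd() takes a `struct kernfs_node *`; besides the incompatible-pointer warning, it links the kobject's memory into ASlist, so AScheck()'s `kernfs_find_ns(parent, "power", NULL)` and `parent->name` will operate on the wrong object. It should read `ASadd(dev->kobj.sd);` (kobj.sd is valid here because sysfs_create_group() has just succeeded on it).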
@@ -676,6 +682,8 @@ int dpm_sysfs_add(struct device *dev)
err_runtime:
sysfs_unmerge_group(&dev->kobj, &pm_runtime_attr_group);
err_out:
+ if (strncmp(dev_name(dev), "radio", 5) == 0)
+ ASremove(&dev->kobj.sd);
sysfs_remove_group(&dev->kobj, &pm_attr_group);
return rc;
}
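Review bot: same argument mistake as in the add path, `ASremove(&dev->kobj.sd)` should be `ASremove(dev->kobj.sd)`; the ordering is right, though, since the entry is removed from ASlist before sysfs_remove_group() so the legitimate removal is not reported as a missing group.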
@@ -734,5 +742,7 @@ void dpm_sysfs_remove(struct device *dev
dev_pm_qos_constraints_destroy(dev);
rpm_sysfs_remove(dev);
sysfs_unmerge_group(&dev->kobj, &pm_wakeup_attr_group);
+ if (strncmp(dev_name(dev), "radio", 5) == 0)
+ ASremove(&dev->kobj.sd);
sysfs_remove_group(&dev->kobj, &pm_attr_group);
}
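Review bot: `ASremove(&dev->kobj.sd)` has the same `&` mistake as the other two calls. Also note that a tracked "radio" device only leaves ASlist here or in dpm_sysfs_add()'s err_out path, so if a kobject were ever torn down without passing through dpm_sysfs_remove(), ASlist would keep a pointer to a freed node that the next AScheck() dereferences; acceptable for a short-lived debug kernel, but worth remembering if the instrumentation keeps finding nothing.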
Index: usb-devel/fs/kernfs/dir.c
===================================================================
--- usb-devel.orig/fs/kernfs/dir.c
+++ usb-devel/fs/kernfs/dir.c
@@ -25,6 +25,46 @@ static DEFINE_SPINLOCK(kernfs_idr_lock);

#define rb_to_kn(X) rb_entry((X), struct kernfs_node, rb)

+static struct kernfs_node *kernfs_find_ns(struct kernfs_node *parent,
+ const unsigned char *name,
+ const void *ns);
+
+static LIST_HEAD(ASlist);
+static DEFINE_MUTEX(ASmutex);
+
+void ASadd(struct kernfs_node *parent)
+{
+ mutex_lock(&ASmutex);
+ list_add(&parent->ASnode, &ASlist);
+ mutex_unlock(&ASmutex);
+}
+EXPORT_SYMBOL_GPL(ASadd);
+
+void ASremove(struct kernfs_node *parent)
+{
+ mutex_lock(&ASmutex);
+ list_del(&parent->ASnode);
+ mutex_unlock(&ASmutex);
+}
+EXPORT_SYMBOL_GPL(ASremove);
+
+static void AScheck(void)
+{
+ struct kernfs_node *parent, *tmp;
+ kernfs_node *kn;
+
+ mutex_lock(&ASmutex);
+ list_for_each_entry_safe(parent, tmp, &ASlist, ASnode) {
+ kn = kernfs_find_ns(parent, "power", NULL);
+ if (!kn) {
+ printk(KERN_WARNING "Missing power for %s\n", parent->name);
+ dump_stack();
+ list_del_init(&parent->ASnode);
+ }
+ }
+ mutex_unlock(&ASmutex);
+}
+
static bool kernfs_active(struct kernfs_node *kn)
{
lockdep_assert_held(&kernfs_mutex);
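Review bot: `kernfs_node *kn;` in AScheck() is missing the `struct` keyword and will not compile as C; it must be `struct kernfs_node *kn;`. The locking is consistent: kernfs_find_ns() expects kernfs_mutex to be held and every AScheck() call in this patch sits between mutex_lock(&kernfs_mutex) and mutex_unlock(), which also fixes the lock order kernfs_mutex then ASmutex (ASadd/ASremove take ASmutex alone, so there is no inversion); a `lockdep_assert_held(&kernfs_mutex)` at the top of AScheck() would document that. Using list_del_init() when the group is found missing is a good touch, since it prevents the same node from being reported on every subsequent call.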
@@ -462,6 +502,7 @@ static void kernfs_drain(struct kernfs_n
lockdep_assert_held(&kernfs_mutex);
WARN_ON_ONCE(kernfs_active(kn));

+ AScheck();
mutex_unlock(&kernfs_mutex);

if (kernfs_lockdep(kn)) {
@@ -482,6 +523,7 @@ static void kernfs_drain(struct kernfs_n
kernfs_drain_open_files(kn);

mutex_lock(&kernfs_mutex);
+ AScheck();
}

/**
@@ -568,6 +610,7 @@ static int kernfs_dop_revalidate(struct

kn = kernfs_dentry_node(dentry);
mutex_lock(&kernfs_mutex);
+ AScheck();

/* The kernfs node has been deactivated */
if (!kernfs_active(kn))
@@ -586,9 +629,11 @@ static int kernfs_dop_revalidate(struct
kernfs_info(dentry->d_sb)->ns != kn->ns)
goto out_bad;

+ AScheck();
mutex_unlock(&kernfs_mutex);
return 1;
out_bad:
+ AScheck();
mutex_unlock(&kernfs_mutex);
out_bad_unlocked:
return 0;
@@ -769,6 +814,7 @@ int kernfs_add_one(struct kernfs_node *k
int ret;

mutex_lock(&kernfs_mutex);
+ AScheck();

ret = -EINVAL;
has_ns = kernfs_ns_enabled(parent);
@@ -800,6 +846,7 @@ int kernfs_add_one(struct kernfs_node *k
ps_iattrs->ia_mtime = ps_iattrs->ia_ctime;
}

+ AScheck();
mutex_unlock(&kernfs_mutex);

/*
@@ -814,6 +861,7 @@ int kernfs_add_one(struct kernfs_node *k
return 0;

out_unlock:
+ AScheck();
mutex_unlock(&kernfs_mutex);
return ret;
}
@@ -932,8 +980,10 @@ struct kernfs_node *kernfs_walk_and_get_
struct kernfs_node *kn;

mutex_lock(&kernfs_mutex);
+ AScheck();
kn = kernfs_walk_ns(parent, path, ns);
kernfs_get(kn);
+ AScheck();
mutex_unlock(&kernfs_mutex);

return kn;
@@ -1080,6 +1130,7 @@ static struct dentry *kernfs_iop_lookup(
const void *ns = NULL;

mutex_lock(&kernfs_mutex);
+ AScheck();

if (kernfs_ns_enabled(parent))
ns = kernfs_info(dir->i_sb)->ns;
@@ -1102,6 +1153,7 @@ static struct dentry *kernfs_iop_lookup(
/* instantiate and hash dentry */
ret = d_splice_alias(inode, dentry);
out_unlock:
+ AScheck();
mutex_unlock(&kernfs_mutex);
return ret;
}
@@ -1258,6 +1310,7 @@ void kernfs_activate(struct kernfs_node
struct kernfs_node *pos;

mutex_lock(&kernfs_mutex);
+ AScheck();

pos = NULL;
while ((pos = kernfs_next_descendant_post(pos, kn))) {
@@ -1271,6 +1324,7 @@ void kernfs_activate(struct kernfs_node
pos->flags |= KERNFS_ACTIVATED;
}

+ AScheck();
mutex_unlock(&kernfs_mutex);
}

@@ -1350,7 +1404,9 @@ static void __kernfs_remove(struct kernf
void kernfs_remove(struct kernfs_node *kn)
{
mutex_lock(&kernfs_mutex);
+ AScheck();
__kernfs_remove(kn);
+ AScheck();
mutex_unlock(&kernfs_mutex);
}

@@ -1439,6 +1495,7 @@ bool kernfs_remove_self(struct kernfs_no
bool ret;

mutex_lock(&kernfs_mutex);
+ AScheck();
kernfs_break_active_protection(kn);

/*
@@ -1466,9 +1523,11 @@ bool kernfs_remove_self(struct kernfs_no
atomic_read(&kn->active) == KN_DEACTIVATED_BIAS)
break;

+ AScheck();
mutex_unlock(&kernfs_mutex);
schedule();
mutex_lock(&kernfs_mutex);
+ AScheck();
}
finish_wait(waitq, &wait);
WARN_ON_ONCE(!RB_EMPTY_NODE(&kn->rb));
@@ -1481,6 +1540,7 @@ bool kernfs_remove_self(struct kernfs_no
*/
kernfs_unbreak_active_protection(kn);

+ AScheck();
mutex_unlock(&kernfs_mutex);
return ret;
}
@@ -1506,11 +1566,13 @@ int kernfs_remove_by_name_ns(struct kern
}

mutex_lock(&kernfs_mutex);
+ AScheck();

kn = kernfs_find_ns(parent, name, ns);
if (kn)
__kernfs_remove(kn);

+ AScheck();
mutex_unlock(&kernfs_mutex);

if (kn)
@@ -1538,6 +1600,7 @@ int kernfs_rename_ns(struct kernfs_node
return -EINVAL;

mutex_lock(&kernfs_mutex);
+ AScheck();

error = -ENOENT;
if (!kernfs_active(kn) || !kernfs_active(new_parent) ||
@@ -1591,6 +1654,7 @@ int kernfs_rename_ns(struct kernfs_node

error = 0;
out:
+ AScheck();
mutex_unlock(&kernfs_mutex);
return error;
}
@@ -1667,6 +1731,7 @@ static int kernfs_fop_readdir(struct fil
if (!dir_emit_dots(file, ctx))
return 0;
mutex_lock(&kernfs_mutex);
+ AScheck();

if (kernfs_ns_enabled(parent))
ns = kernfs_info(dentry->d_sb)->ns;
@@ -1683,11 +1748,14 @@ static int kernfs_fop_readdir(struct fil
file->private_data = pos;
kernfs_get(pos);

+ AScheck();
mutex_unlock(&kernfs_mutex);
if (!dir_emit(ctx, name, len, ino, type))
return 0;
mutex_lock(&kernfs_mutex);
+ AScheck();
}
+ AScheck();
mutex_unlock(&kernfs_mutex);
file->private_data = NULL;
ctx->pos = INT_MAX;
Index: usb-devel/include/linux/kernfs.h
===================================================================
--- usb-devel.orig/include/linux/kernfs.h
+++ usb-devel/include/linux/kernfs.h
@@ -160,6 +160,7 @@ struct kernfs_node {
unsigned short flags;
umode_t mode;
struct kernfs_iattrs *iattr;
+ struct list_head ASnode;
};

/*
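Review bot: struct kernfs_node gains a list_head ASnode here, but nothing in this hunk initialises it; unless ASadd() is the only way a node ever enters the list and the allocator zero-fills or INIT_LIST_HEAD()s the field, an AScheck() walk that reaches a node whose ASnode was never set up reads garbage. This also adds two pointers (16 bytes on x86-64) to every sysfs file and directory node, which is acceptable for a debugging build but is a reason to keep the patch out of any tree that gets merged.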

syzbot

Sep 25, 2019, 5:22:01 PM9/25/19
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Makefile:1083: recipe for target 'fs' failed
make: *** [fs] Error 2
make: *** Waiting for unfinished jobs....
Makefile:1083: recipe for target 'drivers' failed
make: *** [drivers] Error 2


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1377f9e5600000


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=142c65d5600000

Alan Stern

Sep 25, 2019, 5:27:26 PM9/25/19
to syzbot, syzkall...@googlegroups.com
+ ASadd(dev->kobj.sd);

if (pm_runtime_callbacks_present(dev)) {
rc = sysfs_merge_group(&dev->kobj, &pm_runtime_attr_group);
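Review bot: ASadd(dev->kobj.sd) at the top of this hunk has no visible guard (the line above it is cut off), whereas both ASremove() calls later in the patch are gated on strncmp(dev_name(dev), "radio", 5) == 0. If the add is unconditional, every device not named radio* enters the tracking list and is never taken off it, so after device_del() the list still points at freed kernfs nodes and the next AScheck() walk is a use-after-free; gate the add with the same test, or drop the name test from the removes and make ASremove() a no-op for untracked nodes.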
@@ -676,6 +682,8 @@ int dpm_sysfs_add(struct device *dev)
err_runtime:
sysfs_unmerge_group(&dev->kobj, &pm_runtime_attr_group);
err_out:
+ if (strncmp(dev_name(dev), "radio", 5) == 0)
+ ASremove(dev->kobj.sd);
sysfs_remove_group(&dev->kobj, &pm_attr_group);
return rc;
}
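Review bot: the ASremove() at err_out correctly precedes sysfs_remove_group(&dev->kobj, &pm_attr_group), so the device leaves the tracking list before its power group is legitimately torn down and AScheck() cannot misreport this path; a one-line comment stating that ordering requirement is worth adding, since reordering these lines would turn every failed dpm_sysfs_add() into a false "power gone" report.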
@@ -734,5 +742,7 @@ void dpm_sysfs_remove(struct device *dev
dev_pm_qos_constraints_destroy(dev);
rpm_sysfs_remove(dev);
sysfs_unmerge_group(&dev->kobj, &pm_wakeup_attr_group);
+ if (strncmp(dev_name(dev), "radio", 5) == 0)
+ ASremove(dev->kobj.sd);
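Review bot: the name test strncmp(dev_name(dev), "radio", 5) == 0 is now duplicated here and at err_out in dpm_sysfs_add; a small static inline helper used at both sites (and at the ASadd() site, if it is to be gated) keeps the decisions from drifting apart while the instrumentation is being iterated, and gives one place to widen the filter if the bug turns out not to be specific to radio devices.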

syzbot

Sep 25, 2019, 5:33:01 PM9/25/19
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:



Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=110e2819600000


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1460be83600000

Alan Stern

Sep 25, 2019, 5:34:23 PM9/25/19
to syzbot, syzkall...@googlegroups.com

syzbot

Sep 25, 2019, 5:47:01 PM9/25/19
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING in video_unregister_device

video4linux radio2: AS Power gone: unregister_video
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio2'
WARNING: CPU: 0 PID: 2897 at fs/sysfs/group.c:278 sysfs_remove_group
fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 2897 at fs/sysfs/group.c:278
sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 2897 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
01 00 75 41 48 8b 33 48 c7 c7 e0 c9 d0 85 e8 60 09 8b ff <0f> 0b eb 95 e8
a2 cc db ff e9 d2 fe ff ff 48 89 df e8 95 cc db ff
RSP: 0018:ffff8881d57e7c48 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffffff85f2d840 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288ddd RDI: ffffed103aafcf7b
RBP: 0000000000000000 R08: ffff8881d5750000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881c6e6ccd8
R13: ffffffff85f2dde0 R14: 0000000000000000 R15: ffff8881c6e6d178
dpm_sysfs_remove+0xfb/0x180 drivers/base/power/sysfs.c:745
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0x92/0x130
drivers/media/usb/usbvision/usbvision-video.c:1281
usbvision_release+0x10d/0x1c0
drivers/media/usb/usbvision/usbvision-video.c:1394
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1166
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f23742222b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007fff91400588 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f23742222b0
RDX: 00007f23744d8df0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007f23744d8df0 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007fff914006e0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14fa94a9600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11908871600000

Alan Stern

Sep 25, 2019, 9:18:02 PM
to syzbot, syzkall...@googlegroups.com
drivers/media/usb/usbvision/usbvision-video.c | 62 ++++++++++++++++++++++++--
fs/kernfs/dir.c | 18 +++++++
2 files changed, 76 insertions(+), 4 deletions(-)

Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -131,6 +131,31 @@ MODULE_LICENSE("GPL");
MODULE_VERSION(USBVISION_VERSION_STRING);
MODULE_ALIAS(DRIVER_ALIAS);

+#include <linux/kernfs.h>
+#include <linux/kobject.h>
+
+extern void ASlist(struct kernfs_node *parent);
+static int ASflag;
+
+static int usbvision_check(struct usb_usbvision *usbvision, char *msg)
+{
+ struct kernfs_node *kn;
+
+ if (!video_is_registered(&usbvision->rdev)) {
+ dev_info(&usbvision->rdev.dev, "AS Not registered: %s\n", msg);
+ } else {
+ kn = kernfs_find_and_get(usbvision->rdev.dev.kobj.sd, "power");
+ if (kn) {
+ kernfs_put(kn);
+ dev_info(&usbvision->rdev.dev, "AS Power ok: %s\n", msg);
+ } else {
+ dev_err(&usbvision->rdev.dev, "AS Power gone: %s\n", msg);
+ return 1;
+ }
+ }
+ return 0;
+}
+

/*****************************************************************************/
/* SYSFS Code - Copied from the stv680.c usb module. */
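Review bot: kernfs_find_and_get() in the `else` branch of usbvision_check() is handed `usbvision->rdev.dev.kobj.sd` with no NULL test; video_is_registered() only says the V4L2 registration flag is set, not that the kobject's sysfs directory still exists, so test `kobj.sd` first (the same pointer is later passed to ASlist()). Two style points for instrumentation that should not survive into the real fix: `extern void ASlist(struct kernfs_node *parent);` belongs in a header rather than in the middle of a .c file, and `ASflag` is a plain static int with no synchronisation.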
@@ -314,6 +339,10 @@ static int usbvision_v4l2_open(struct fi
if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;

+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto unlock;
+ }
if (usbvision->user) {
err_code = -EBUSY;
} else {
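Review bot: the new `remove_pending` test is correctly placed after `mutex_lock_interruptible(&usbvision->v4l2_lock)` succeeds, since usbvision_disconnect() sets that flag under the same lock; a check before the lock would be racy, so keep this order if the function is tidied later.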
@@ -377,6 +406,7 @@ unlock:
static int usbvision_v4l2_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "close");

@@ -391,9 +421,10 @@ static int usbvision_v4l2_close(struct f
usbvision_scratch_free(usbvision);

usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
usbvision_release(usbvision);
return 0;
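Review bot: copying `usbvision->remove_pending` into `r` before `mutex_unlock()` fixes the old read-after-unlock, which raced with usbvision_disconnect() setting the flag and, once `user` reaches zero, with the structure being released. Give the local a descriptive name (`bool remove_pending`) and a one-line comment saying it must be read under the lock, otherwise the next cleanup pass is likely to fold it back into the `if`.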
@@ -453,6 +484,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);

+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
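Review bot: the `!usbvision->dev` test in vidioc_querycap() is made without holding v4l2_lock, while usbvision_disconnect() clears `dev` under that lock, so this is a time-of-check/time-of-use race: `dev` can become NULL immediately after the test. As written it narrows the window but does not close it; either take the lock around the ioctl body or rely on the `remove_pending` flag with the same locking as the open paths.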
@@ -1073,6 +1107,11 @@ static int usbvision_radio_open(struct f

if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;
+
+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto out;
+ }
err_code = v4l2_fh_open(file);
if (err_code)
goto out;
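Review bot: the `remove_pending` check is placed before v4l2_fh_open(), so the `goto out` error path has nothing extra to undo; keep it ahead of v4l2_fh_open() if the function is reordered. For consistency with usbvision_v4l2_open(), which uses `goto unlock` for the same condition, consider matching the label names.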
@@ -1105,21 +1144,28 @@ out:
@@ -1236,6 +1282,8 @@ static void usbvision_unregister_video(s
if (video_is_registered(&usbvision->rdev)) {
PDEBUG(DBG_PROBE, "unregister %s [v4l2]",
video_device_node_name(&usbvision->rdev));
+ if (usbvision_check(usbvision, "unregister_video"))
+ ASlist(usbvision->rdev.dev.kobj.sd);
video_unregister_device(&usbvision->rdev);
}

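Review bot: `usbvision->rdev.dev.kobj.sd` is passed to ASlist() without a NULL test. usbvision_check() returning 1 means the 'power' child was already gone before video_unregister_device() ran, which is exactly the condition the sysfs WARNING reports, so dumping the directory is the right diagnostic, but if the directory itself has been removed `kobj.sd` is NULL and ASlist() will dereference it under kernfs_mutex. Guard the call.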
@@ -1283,6 +1331,10 @@ static int usbvision_register_video(stru
usbvision->nr, video_device_node_name(&usbvision->rdev));
}
/* all done */
+ if (!ASflag) {
+ ASflag = 1;
+ ASlist(usbvision->rdev.dev.kobj.sd);
+ }
return 0;

err_exit:
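Review bot: `ASflag` is tested and set without any lock, so two concurrent probes can both run the listing, and a plain int gives the compiler no ordering guarantees. Harmless for a one-shot debug dump; use `test_and_set_bit()` or an `atomic_t` if it stays for more than one test round, and drop it from the final patch.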
@@ -1551,6 +1603,7 @@ err_usb:
static void usbvision_disconnect(struct usb_interface *intf)
{
struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+ int u;

PDEBUG(DBG_PROBE, "");

@@ -1567,13 +1620,14 @@ static void usbvision_disconnect(struct
v4l2_device_disconnect(&usbvision->v4l2_dev);
usbvision_i2c_unregister(usbvision);
usbvision->remove_pending = 1; /* Now all ISO data will be ignored */
+ u = usbvision->user;

usb_put_dev(usbvision->dev);
usbvision->dev = NULL; /* USB device is no more */

mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->user) {
+ if (u) {
printk(KERN_INFO "%s: In use, disconnect pending\n",
__func__);
wake_up_interruptible(&usbvision->wait_frame);
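Review bot: same pattern as the close() hunk, and correct: `u` is read under v4l2_lock before `dev` is cleared and the mutex is dropped, so the old `if (usbvision->user)` after `mutex_unlock()` no longer races with a concurrent close() decrementing `user` and releasing the device. Name the local for what it holds and comment why it is copied under the lock.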
Index: usb-devel/fs/kernfs/dir.c
===================================================================
--- usb-devel.orig/fs/kernfs/dir.c
+++ usb-devel/fs/kernfs/dir.c
@@ -25,6 +25,24 @@ static DEFINE_SPINLOCK(kernfs_idr_lock);

#define rb_to_kn(X) rb_entry((X), struct kernfs_node, rb)

+static void ASlist2(struct kernfs_node *kn, int level)
+{
+ if (kn->rb.rb_left)
+ ASlist2(rb_to_kn(kn->rb.rb_left), level + 1);
+ printk(KERN_INFO "%d: %s\n", level, kernfs_name(kn));
+ if (kn->rb.rb_right)
+ ASlist2(rb_to_kn(kn->rb.rb_right), level + 1);
+}
+
+void ASlist(struct kernfs_node *parent)
+{
+ mutex_lock(&kernfs_mutex);
+ printk(KERN_INFO "Listing for %s\n", kernfs_name(parent));
+ ASlist2(parent, 0);
+ mutex_unlock(&kernfs_mutex);
+}
+EXPORT_SYMBOL_GPL(ASlist);
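Review bot: this does not build against the tested kernel: `kernfs_name()` takes `(struct kernfs_node *kn, char *buf, size_t buflen)` and returns an int, not a string, so both printk()s need `kn->name` and `parent->name`. Separately, ASlist2() starts at `parent` and recurses through `kn->rb.rb_left` / `kn->rb.rb_right`, which is `parent`'s link in its own parent's rbtree, so it lists `parent`'s siblings rather than its children; start from `parent->dir.children.rb_node`, check it for NULL (an empty directory has no root node), and convert each `struct rb_node` with rb_to_kn(). Recursion depth is bounded by the rbtree height, so stack use is fine.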

syzbot

Sep 25, 2019, 9:34:01 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1588d9e5600000


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11cff9e5600000

Alan Stern

Sep 25, 2019, 9:38:30 PM
to syzbot, syzkall...@googlegroups.com
+ printk(KERN_INFO "%d: %s\n", level, kn->name);
+ if (kn->rb.rb_right)
+ ASlist2(rb_to_kn(kn->rb.rb_right), level + 1);
+}
+
+void ASlist(struct kernfs_node *parent)
+{
+ mutex_lock(&kernfs_mutex);
+ printk(KERN_INFO "Listing for %s\n", parent->name);
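Review bot: switching to `kn->name` / `parent->name` fixes the build, but the traversal is unchanged: ASlist2() still follows `kn->rb.rb_right` (and `rb_left`) from the node it is given, i.e. the rbtree that `kn` is a member of, so starting at `parent` lists `parent`'s siblings, not its children. Start from `parent->dir.children.rb_node` and walk `struct rb_node` pointers, converting with rb_to_kn() where the name is needed.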

syzbot

Sep 25, 2019, 9:49:02 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in video_unregister_device

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio2'
WARNING: CPU: 0 PID: 2878 at fs/sysfs/group.c:278 sysfs_remove_group
fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 2878 at fs/sysfs/group.c:278
sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 2878 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
01 00 75 41 48 8b 33 48 c7 c7 60 c9 d0 85 e8 70 0d 8b ff <0f> 0b eb 95 e8
b2 d0 db ff e9 d2 fe ff ff 48 89 df e8 a5 d0 db ff
RSP: 0018:ffff8881c7387c50 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffffff85f2d780 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288ddd RDI: ffffed1038e70f7c
RBP: 0000000000000000 R08: ffff8881d665c800 R09: ffffed103b645d58
R10: ffffed103b645d57 R11: ffff8881db22eabf R12: ffff8881c7264cd8
R13: ffffffff85f2dd20 R14: 0000000000000000 R15: ffff8881c7265178
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:735
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0xaa/0x190
drivers/media/usb/usbvision/usbvision-video.c:1287
usbvision_release+0x10d/0x1c0
drivers/media/usb/usbvision/usbvision-video.c:1404
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1171
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f683029e2b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007fff8bdc1b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f683029e2b0
RDX: 0000000000000013 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007fff8bdc1ce0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=151c7819600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12b78183600000

Alan Stern

Sep 25, 2019, 10:00:51 PM
to syzbot, syzkall...@googlegroups.com
---
+static void ASlist2(struct rb_node *node, int level)
+{
+ if (node->rb_left)
+ ASlist2(node->rb_left, level + 1);
+ printk(KERN_INFO "%d: %s\n", level, rb_to_kn(node)->name);
+ if (node->rb_right)
+ ASlist2(node->rb_right, level + 1);
+}
+
+void ASlist(struct kernfs_node *parent)
+{
+ mutex_lock(&kernfs_mutex);
+ printk(KERN_INFO "Listing for %s\n", parent->name);
+ ASlist2(parent->dir.children.rb_node, 0);
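Review bot: `parent->dir.children.rb_node` is NULL when the directory has no children, and ASlist2() dereferences `node->rb_left` on its first line without checking, so an empty directory is a guaranteed NULL dereference; that is precisely the state this instrumentation is meant to catch (the 'power' group already gone). Test `node` before the call, or at the top of ASlist2().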

syzbot

Sep 25, 2019, 10:11:02 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
general protection fault in ASlist2

video4linux radio14: AS Power gone: unregister_video
Listing for radio14
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 2945 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ASlist2+0x25/0x60 fs/kernfs/dir.c:29
Code: 90 90 90 90 90 41 55 49 bd 00 00 00 00 00 fc ff df 41 54 55 89 f5 53
48 89 fb e8 96 34 b6 ff 48 8d 7b 10 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00
75 22 4c 8b 63 10 4d 85 e4 0f 84 fa 6f 00 00 e8 72
RSP: 0018:ffff8881c71f7d50 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8187a60a RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000013 R09: ffffed103b645d58
R10: ffffed103b645d57 R11: ffff8881db22eabf R12: ffff8881d3b58390
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d3b58f78
FS: 00007fe154f11700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe95cff3000 CR3: 00000001d67ab000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ASlist+0x68/0x90 fs/kernfs/dir.c:40
usbvision_unregister_video+0x15e/0x190
drivers/media/usb/usbvision/usbvision-video.c:1286
usbvision_release+0x10d/0x1c0
drivers/media/usb/usbvision/usbvision-video.c:1404
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1171
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fe154a3f2b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007ffde603d248 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007fe154a3f2b0
RDX: 00007fe154cf5df0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fe154cf5df0 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007ffde603d3a0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 9e47e967a92badab ]---
RIP: 0010:ASlist2+0x25/0x60 fs/kernfs/dir.c:29
Code: 90 90 90 90 90 41 55 49 bd 00 00 00 00 00 fc ff df 41 54 55 89 f5 53
48 89 fb e8 96 34 b6 ff 48 8d 7b 10 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00
75 22 4c 8b 63 10 4d 85 e4 0f 84 fa 6f 00 00 e8 72
RSP: 0018:ffff8881c71f7d50 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8187a60a RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000013 R09: ffffed103b645d58
R10: ffffed103b645d57 R11: ffff8881db22eabf R12: ffff8881d3b58390
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d3b58f78
FS: 00007fe154f11700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe95cff3000 CR3: 00000001d67ab000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=149c7819600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12e10e4d600000

Alan Stern

Sep 26, 2019, 10:21:27 AM
to syzbot, syzkall...@googlegroups.com
drivers/media/usb/usbvision/usbvision-video.c | 62 ++++++++++++++++++++++++--
fs/kernfs/dir.c | 25 ++++++++++
2 files changed, 83 insertions(+), 4 deletions(-)
@@ -25,6 +25,31 @@ static DEFINE_SPINLOCK(kernfs_idr_lock);

#define rb_to_kn(X) rb_entry((X), struct kernfs_node, rb)

+static void ASlist2(struct rb_node *node, int level)
+{
+ struct kernfs_node *kn = rb_to_kn(node);
+
+ if (node->rb_left)
+ ASlist2(node->rb_left, level + 1);
+ printk(KERN_INFO "%d %u: %s\n", level, kn->hash, kn->name);
+ if (node->rb_right)
+ ASlist2(node->rb_right, level + 1);
+}
+
+void ASlist(struct kernfs_node *parent)
+{
+ struct rb_node *node;
+
+ mutex_lock(&kernfs_mutex);
+ node = parent->dir.children.rb_node;
+ printk(KERN_INFO "Listing for %s (%px, root node %px)\n",
+ parent->name, parent, node);
+ if (node)
+ ASlist2(node, 0);
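Review bot: `%px` in the "Listing for" printk emits unhashed kernel pointers into dmesg, which bypasses the pointer hashing that protects KASLR; acceptable on a throwaway syzbot test kernel, but this line must not reach the submitted fix. The `if (node)` test resolves the earlier GPF in ASlist2(), and printing `kn->hash` next to the name is useful because kernfs orders the children rbtree by (hash, name, ns). The matching `mutex_unlock(&kernfs_mutex)` is not visible in this excerpt; confirm it is still paired on every path.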

syzbot

Sep 26, 2019, 10:52:01 AM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
WARNING in video_unregister_device

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio0'
WARNING: CPU: 0 PID: 2884 at fs/sysfs/group.c:278 sysfs_remove_group
fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 2884 at fs/sysfs/group.c:278
sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 2884 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
01 00 75 41 48 8b 33 48 c7 c7 60 c9 d0 85 e8 00 0d 8b ff <0f> 0b eb 95 e8
42 d0 db ff e9 d2 fe ff ff 48 89 df e8 35 d0 db ff
RSP: 0018:ffff8881d5e7fc50 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffffff85f2d780 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288ddd RDI: ffffed103abcff7c
RBP: 0000000000000000 R08: ffff8881d5f6c800 R09: ffffed103b645d58
R10: ffffed103b645d57 R11: ffff8881db22eabf R12: ffff8881cf004cd8
R13: ffffffff85f2dd20 R14: 0000000000000000 R15: ffff8881cf005178
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:735
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0xaa/0x190
drivers/media/usb/usbvision/usbvision-video.c:1287
usbvision_release+0x10d/0x1c0
drivers/media/usb/usbvision/usbvision-video.c:1404
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1171
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f87d3cd32b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007fffd3a02f18 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f87d3cd32b0
RDX: 0000000000000013 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007fffd3a03070 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1745e56d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=120bef75600000

Alan Stern

Sep 26, 2019, 1:41:48 PM
to syzbot, syzkall...@googlegroups.com
drivers/media/usb/usbvision/usbvision-video.c | 61 ++++++++++++++++++++-
fs/kernfs/dir.c | 74 ++++++++++++++++++++++++++
fs/kernfs/kernfs-internal.h | 2
fs/kernfs/mount.c | 3 +
fs/kernfs/symlink.c | 1
5 files changed, 137 insertions(+), 4 deletions(-)

Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -131,6 +131,33 @@ MODULE_LICENSE("GPL");
MODULE_VERSION(USBVISION_VERSION_STRING);
MODULE_ALIAS(DRIVER_ALIAS);

+#include <linux/kernfs.h>
+#include <linux/kobject.h>
+
+extern void ASadd(struct kernfs_node *parent);
+extern void ASremove(struct kernfs_node *parent);
+
+static int usbvision_check(struct usb_usbvision *usbvision, char *msg)
+{
+ struct kernfs_node *kn;
+
+ if (!video_is_registered(&usbvision->rdev)) {
+ dev_info(&usbvision->rdev.dev, "AS Not registered: %s\n", msg);
+ } else if (!usbvision->rdev.dev.kobj.sd->dir.children.rb_node) {
+ dev_info(&usbvision->rdev.dev, "AS Node erased: %s\n", msg);
+ } else {
+ kn = kernfs_find_and_get(usbvision->rdev.dev.kobj.sd, "power");
+ if (kn) {
+ kernfs_put(kn);
+ dev_info(&usbvision->rdev.dev, "AS Power ok: %s\n", msg);
+ } else {
+ dev_err(&usbvision->rdev.dev, "AS Power gone: %s\n", msg);
+ return 1;
+ }
+ }
+ return 0;
+}
+

/*****************************************************************************/
/* SYSFS Code - Copied from the stv680.c usb module. */
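Review bot: usbvision_check() reads rdev.dev.kobj.sd->dir.children.rb_node without kernfs_mutex and then calls kernfs_find_and_get() on the same parent, so the "Node erased" and "Power gone" branches are two separate racy snapshots rather than one consistent view; fine for a one-off probe, but a "Power gone" result only says the entry was already missing at that instant, not who removed it. Reaching into kernfs_node internals from a USB driver is also something that can only live in a throwaway debug patch, which is presumably the intent given the AS prefix.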
@@ -314,6 +341,10 @@ static int usbvision_v4l2_open(struct fi
if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;

+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto unlock;
+ }
if (usbvision->user) {
err_code = -EBUSY;
} else {
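Review bot: the new -ENODEV check is only race-free because usbvision_disconnect() sets remove_pending while holding the same v4l2_lock (the disconnect hunk further down shows that); a reader of this hunk alone cannot tell, so a short comment such as /* set by disconnect under v4l2_lock */ next to the test would document the invariant the check relies on.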
@@ -377,6 +408,7 @@ unlock:
static int usbvision_v4l2_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "close");

@@ -391,9 +423,10 @@ static int usbvision_v4l2_close(struct f
usbvision_scratch_free(usbvision);

usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
usbvision_release(usbvision);
return 0;
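Review bot: taking the remove_pending snapshot before mutex_unlock() is the substantive part of this hunk. After user-- and the unlock, usbvision_disconnect() can run, see user == 0 and call usbvision_release() itself, so the removed line re-reading usbvision->remove_pending after the unlock was a read of possibly freed memory. With r captured under the lock, exactly one of the two paths observes the other's state and performs the release: disconnect first means u > 0 there and r == 1 here; close first means r == 0 here and u == 0 there.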
@@ -453,6 +486,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);

+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
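Review bot: the !usbvision->dev check here is not made under v4l2_lock, while disconnect clears dev under that lock, so it only closes the window if the V4L2 core already serializes this ioctl against the driver's lock (it does when video_device->lock points at &usbvision->v4l2_lock, which is not visible in this hunk). Otherwise the test can pass and dev can become NULL before any later use of it in the same function.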
@@ -1073,6 +1109,11 @@ static int usbvision_radio_open(struct f

if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;
+
+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto out;
+ }
err_code = v4l2_fh_open(file);
if (err_code)
goto out;
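Review bot: the early "goto out" now happens before v4l2_fh_open(), so the out: label must not unconditionally tear down an fh that was never set up. The body of the next hunk (@@ -1105,21 +1146,28 @@ out:) is missing from this copy of the message, so that cannot be checked here.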
@@ -1105,21 +1146,28 @@ out:
@@ -1236,6 +1284,8 @@ static void usbvision_unregister_video(s
if (video_is_registered(&usbvision->rdev)) {
PDEBUG(DBG_PROBE, "unregister %s [v4l2]",
video_device_node_name(&usbvision->rdev));
+ usbvision_check(usbvision, "unregister_video");
+ ASremove(usbvision->rdev.dev.kobj.sd);
video_unregister_device(&usbvision->rdev);
}
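Review bot: usbvision_check() returns 1 when the "power" group is already gone, but this call discards it; wrapping it in WARN_ON() would make syzbot stop at the first bad observation, with usbvision context in the stack, instead of several frames deeper inside dpm_sysfs_remove(). Note also that only rdev is tracked by ASadd()/ASremove(); if the same warning can fire for the video node it will go unobserved.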

@@ -1283,6 +1333,7 @@ static int usbvision_register_video(stru
usbvision->nr, video_device_node_name(&usbvision->rdev));
}
/* all done */
+ ASadd(usbvision->rdev.dev.kobj.sd);
return 0;

err_exit:
@@ -1551,6 +1602,7 @@ err_usb:
static void usbvision_disconnect(struct usb_interface *intf)
{
struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+ int u;

PDEBUG(DBG_PROBE, "");

@@ -1567,13 +1619,14 @@ static void usbvision_disconnect(struct
v4l2_device_disconnect(&usbvision->v4l2_dev);
usbvision_i2c_unregister(usbvision);
usbvision->remove_pending = 1; /* Now all ISO data will be ignored */
+ u = usbvision->user;

usb_put_dev(usbvision->dev);
usbvision->dev = NULL; /* USB device is no more */

mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->user) {
+ if (u) {
printk(KERN_INFO "%s: In use, disconnect pending\n",
__func__);
wake_up_interruptible(&usbvision->wait_frame);
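Review bot: the u = usbvision->user snapshot pairs with the r = remove_pending snapshot in the close hunks, so the decision of who runs usbvision_release() is made under v4l2_lock on both sides. Separately, the context lines show usbvision->dev being NULLed under the lock on this path, so any close-side code that still passes usbvision->dev to a USB call after a disconnect (usb_set_interface() in usbvision_radio_close(), for one) dereferences NULL; the 3:39 PM version of the patch adds that guard.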
Index: usb-devel/fs/kernfs/dir.c
===================================================================
--- usb-devel.orig/fs/kernfs/dir.c
+++ usb-devel/fs/kernfs/dir.c
@@ -25,6 +25,64 @@ static DEFINE_SPINLOCK(kernfs_idr_lock);

#define rb_to_kn(X) rb_entry((X), struct kernfs_node, rb)

+#define ASMAX 100
+static struct rb_node **ASlist[ASMAX];
+static int ASnum;
+
+static DEFINE_MUTEX(ASmutex);
+
+void ASadd(struct kernfs_node *parent)
+{
+ int i;
+
+ mutex_lock(&ASmutex);
+ for (i = 0; i < ASnum; ++i) {
+ if (!ASlist[i])
+ break;
+ }
+ if (i == ASnum && ASnum < ASMAX)
+ ++ASnum;
+ if (i < ASnum) {
+ ASlist[i] = &parent->dir.children.rb_node;
+ printk(KERN_INFO "AS Adding %s: %px %px\n",
+ parent->name, ASlist[i], *ASlist[i]);
+ }
+ mutex_unlock(&ASmutex);
+}
+EXPORT_SYMBOL_GPL(ASadd);
+
+void ASremove(struct kernfs_node *parent)
+{
+ int i;
+ struct rb_node **r = &parent->dir.children.rb_node;
+
+ mutex_lock(&ASmutex);
+ for (i = 0; i < ASnum; ++i) {
+ if (ASlist[i] == r) {
+ ASlist[i] = NULL;
+ break;
+ }
+ }
+ mutex_unlock(&ASmutex);
+}
+EXPORT_SYMBOL_GPL(ASremove);
+
+void AScheck(void)
+{
+ int i;
+
+ mutex_lock(&ASmutex);
+ for (i = 0; i < ASnum; ++i) {
+ if (ASlist[i] && !*ASlist[i]) {
+ printk(KERN_INFO "AS rb_mode erased at %px\n",
+ ASlist[i]);
+ dump_stack();
+ ASlist[i] = NULL;
+ }
+ }
+ mutex_unlock(&ASmutex);
+}
+
static bool kernfs_active(struct kernfs_node *kn)
{
lockdep_assert_held(&kernfs_mutex);
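Review bot: AScheck() dereferences *ASlist[i], that is, it reads parent->dir.children.rb_node through a pointer into a kernfs_node that may already have been freed if the driver never reached ASremove() (an error path in usbvision, or a teardown that bypasses usbvision_unregister_video()); with KASAN enabled that would show up as a use-after-free inside the instrumentation and muddy the report. Smaller points: the printk says "rb_mode" where "rb_node" is meant; ASadd() silently drops the entry once all ASMAX slots are in use, which deserves at least a printk so a missed detection is explainable; and lock order is consistent (AScheck() is entered with kernfs_mutex held and takes ASmutex, ASadd()/ASremove() take ASmutex without kernfs_mutex) only as long as no caller of ASadd()/ASremove() holds kernfs_mutex.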
@@ -462,6 +520,7 @@ static void kernfs_drain(struct kernfs_n
lockdep_assert_held(&kernfs_mutex);
WARN_ON_ONCE(kernfs_active(kn));

+ AScheck();
mutex_unlock(&kernfs_mutex);

if (kernfs_lockdep(kn)) {
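Review bot: the AScheck() calls throughout this file sit immediately before each mutex_unlock(&kernfs_mutex), so they see the tree at the end of every critical section and dump_stack() points at the task that emptied it, which is the right place to look. The approach only attributes correctly if every unlock site is covered, since a missed one means the next check blames whichever caller happens to come after.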
@@ -586,9 +645,11 @@ static int kernfs_dop_revalidate(struct
kernfs_info(dentry->d_sb)->ns != kn->ns)
goto out_bad;

+ AScheck();
mutex_unlock(&kernfs_mutex);
return 1;
out_bad:
+ AScheck();
mutex_unlock(&kernfs_mutex);
out_bad_unlocked:
return 0;
@@ -800,6 +861,7 @@ int kernfs_add_one(struct kernfs_node *k
ps_iattrs->ia_mtime = ps_iattrs->ia_ctime;
}

+ AScheck();
mutex_unlock(&kernfs_mutex);

/*
@@ -814,6 +876,7 @@ int kernfs_add_one(struct kernfs_node *k
return 0;

out_unlock:
+ AScheck();
mutex_unlock(&kernfs_mutex);
return ret;
}
@@ -910,6 +973,7 @@ struct kernfs_node *kernfs_find_and_get_
mutex_lock(&kernfs_mutex);
kn = kernfs_find_ns(parent, name, ns);
kernfs_get(kn);
+ AScheck();
mutex_unlock(&kernfs_mutex);

return kn;
@@ -934,6 +998,7 @@ struct kernfs_node *kernfs_walk_and_get_
mutex_lock(&kernfs_mutex);
kn = kernfs_walk_ns(parent, path, ns);
kernfs_get(kn);
+ AScheck();
mutex_unlock(&kernfs_mutex);

return kn;
@@ -1102,6 +1167,7 @@ static struct dentry *kernfs_iop_lookup(
/* instantiate and hash dentry */
ret = d_splice_alias(inode, dentry);
out_unlock:
+ AScheck();
mutex_unlock(&kernfs_mutex);
return ret;
}
@@ -1271,6 +1337,7 @@ void kernfs_activate(struct kernfs_node
pos->flags |= KERNFS_ACTIVATED;
}

+ AScheck();
mutex_unlock(&kernfs_mutex);
}

@@ -1351,6 +1418,7 @@ void kernfs_remove(struct kernfs_node *k
{
mutex_lock(&kernfs_mutex);
__kernfs_remove(kn);
+ AScheck();
mutex_unlock(&kernfs_mutex);
}

@@ -1466,6 +1534,7 @@ bool kernfs_remove_self(struct kernfs_no
atomic_read(&kn->active) == KN_DEACTIVATED_BIAS)
break;

+ AScheck();
mutex_unlock(&kernfs_mutex);
schedule();
mutex_lock(&kernfs_mutex);
@@ -1481,6 +1550,7 @@ bool kernfs_remove_self(struct kernfs_no
*/
kernfs_unbreak_active_protection(kn);

+ AScheck();
mutex_unlock(&kernfs_mutex);
return ret;
}
@@ -1511,6 +1581,7 @@ int kernfs_remove_by_name_ns(struct kern
if (kn)
__kernfs_remove(kn);

+ AScheck();
mutex_unlock(&kernfs_mutex);

if (kn)
@@ -1591,6 +1662,7 @@ int kernfs_rename_ns(struct kernfs_node

error = 0;
out:
+ AScheck();
mutex_unlock(&kernfs_mutex);
return error;
}
@@ -1683,11 +1755,13 @@ static int kernfs_fop_readdir(struct fil
file->private_data = pos;
kernfs_get(pos);

+ AScheck();
mutex_unlock(&kernfs_mutex);
if (!dir_emit(ctx, name, len, ino, type))
return 0;
mutex_lock(&kernfs_mutex);
}
+ AScheck();
mutex_unlock(&kernfs_mutex);
file->private_data = NULL;
ctx->pos = INT_MAX;
Index: usb-devel/fs/kernfs/kernfs-internal.h
===================================================================
--- usb-devel.orig/fs/kernfs/kernfs-internal.h
+++ usb-devel/fs/kernfs/kernfs-internal.h
@@ -19,6 +19,8 @@
#include <linux/kernfs.h>
#include <linux/fs_context.h>

+extern void AScheck(void);
+
struct kernfs_iattrs {
struct iattr ia_iattr;
void *ia_secdata;
Index: usb-devel/fs/kernfs/mount.c
===================================================================
--- usb-devel.orig/fs/kernfs/mount.c
+++ usb-devel/fs/kernfs/mount.c
@@ -235,6 +235,7 @@ static int kernfs_fill_super(struct supe
/* get root inode, initialize and unlock it */
mutex_lock(&kernfs_mutex);
inode = kernfs_get_inode(sb, info->root->kn);
+ AScheck();
mutex_unlock(&kernfs_mutex);
if (!inode) {
pr_debug("kernfs: could not get root inode\n");
@@ -324,6 +325,7 @@ int kernfs_get_tree(struct fs_context *f

mutex_lock(&kernfs_mutex);
list_add(&info->node, &info->root->supers);
+ AScheck();
mutex_unlock(&kernfs_mutex);
}

@@ -352,6 +354,7 @@ void kernfs_kill_sb(struct super_block *

mutex_lock(&kernfs_mutex);
list_del(&info->node);
+ AScheck();
mutex_unlock(&kernfs_mutex);

/*
Index: usb-devel/fs/kernfs/symlink.c
===================================================================
--- usb-devel.orig/fs/kernfs/symlink.c
+++ usb-devel/fs/kernfs/symlink.c
@@ -119,6 +119,7 @@ static int kernfs_getlink(struct inode *

mutex_lock(&kernfs_mutex);
error = kernfs_get_target_path(parent, target, path);
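Review bot: this hunk is cut off after kernfs_get_target_path(); the diffstat counts one inserted line for symlink.c, presumably the AScheck() before the mutex_unlock() that follows, but it cannot be verified from this copy of the message.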

syzbot

Sep 26, 2019, 1:53:02 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
WARNING in video_unregister_device

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'radio10'
WARNING: CPU: 1 PID: 2932 at fs/sysfs/group.c:278 sysfs_remove_group
fs/sysfs/group.c:278 [inline]
WARNING: CPU: 1 PID: 2932 at fs/sysfs/group.c:278
sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 2932 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
01 00 75 41 48 8b 33 48 c7 c7 e0 c9 d0 85 e8 50 0a 8b ff <0f> 0b eb 95 e8
92 cd db ff e9 d2 fe ff ff 48 89 df e8 85 cd db ff
RSP: 0018:ffff8881d3c6fc50 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffffff85f2d800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81288ddd RDI: ffffed103a78df7c
RBP: 0000000000000000 R08: ffff8881d40d6000 R09: ffffed103b663ee7
R10: ffffed103b663ee6 R11: ffff8881db31f737 R12: ffff8881d53cabd8
R13: ffffffff85f2dda0 R14: 0000000000000000 R15: ffff8881d53cb078
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:735
device_del+0x12a/0xb10 drivers/base/core.c:2316
device_unregister+0x11/0x30 drivers/base/core.c:2371
video_unregister_device+0xa2/0xc0 drivers/media/v4l2-core/v4l2-dev.c:1051
usbvision_unregister_video+0xc0/0x170
drivers/media/usb/usbvision/usbvision-video.c:1289
usbvision_release+0x10d/0x1c0
drivers/media/usb/usbvision/usbvision-video.c:1403
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1173
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f9745fec2b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007ffd6931b168 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f9745fec2b0
RDX: 00007f97462a2df0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007f97462a2df0 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007ffd6931b2c0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=141fc6a9600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=13d3074d600000

Alan Stern

Sep 26, 2019, 2:20:46 PM
to syzbot, syzkall...@googlegroups.com
drivers/media/usb/usbvision/usbvision-video.c | 66 +++++++++++++++++++++--
fs/kernfs/dir.c | 74 ++++++++++++++++++++++++++
fs/kernfs/kernfs-internal.h | 2
fs/kernfs/mount.c | 3 +
fs/kernfs/symlink.c | 1
5 files changed, 140 insertions(+), 6 deletions(-)
@@ -1348,8 +1399,6 @@ static void usbvision_release(struct usb

usbvision->initialized = 0;

- usbvision_remove_sysfs(&usbvision->vdev);
- usbvision_unregister_video(usbvision);
kfree(usbvision->alt_max_pkt_size);

usb_free_urb(usbvision->ctrl_urb);
@@ -1551,6 +1600,7 @@ err_usb:
static void usbvision_disconnect(struct usb_interface *intf)
{
struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+ int u;

PDEBUG(DBG_PROBE, "");

@@ -1567,13 +1617,17 @@ static void usbvision_disconnect(struct
v4l2_device_disconnect(&usbvision->v4l2_dev);
usbvision_i2c_unregister(usbvision);
usbvision->remove_pending = 1; /* Now all ISO data will be ignored */
+ u = usbvision->user;

usb_put_dev(usbvision->dev);
usbvision->dev = NULL; /* USB device is no more */

mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->user) {
+ usbvision_remove_sysfs(&usbvision->vdev);
+ usbvision_unregister_video(usbvision);
+
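Review bot: moving usbvision_remove_sysfs() and usbvision_unregister_video() out of usbvision_release() and into usbvision_disconnect(), after v4l2_lock is dropped, is the right ordering: the video and radio devices are now unregistered while the parent interface's sysfs directory still exists, instead of at the last close after the USB core has already torn it down. The next syzbot run bears that out, since the 'power' group WARNING is gone and the reproducer instead reaches the use-after-free in v4l2_release(). The hunk is truncated after the two new calls, so the "if (u)" branch that must follow is not visible here.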

syzbot

Sep 26, 2019, 2:32:01 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
KASAN: use-after-free Read in v4l2_release

video4linux radio0: AS Power gone: radio close 4
usbvision_radio_close: Final disconnect
==================================================================
BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390
drivers/media/v4l2-core/v4l2-dev.c:459
Read of size 4 at addr ffff8881d03ad228 by task v4l_id/2876

CPU: 1 PID: 2876 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:618
v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f94c6f3a2b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007fffc6506128 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f94c6f3a2b0
RDX: 00007f94c71f0df0 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007f94c71f0df0 R09: 000000000000000a
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007fffc6506280 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 83:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:493 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:466
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]
usbvision_alloc drivers/media/usb/usbvision/usbvision-video.c:1361 [inline]
usbvision_probe.cold+0x586/0x1e86
drivers/media/usb/usbvision/usbvision-video.c:1513
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 2876:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:455
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1474 [inline]
slab_free mm/slub.c:3016 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3957
usbvision_release+0xcf/0x110
drivers/media/usb/usbvision/usbvision-video.c:1408
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1173
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881d03ac200
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4136 bytes inside of
8192-byte region [ffff8881d03ac200, ffff8881d03ae200)
The buggy address belongs to the page:
page:ffffea000740ea00 refcount:1 mapcount:0 mapping:ffff8881da00c500
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c500
raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d03ad100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d03ad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881d03ad200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d03ad280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d03ad300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12057dd5600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=133b2dd5600000

Alan Stern

Sep 26, 2019, 3:39:46 PM
to syzbot, syzkall...@googlegroups.com
drivers/media/usb/usbvision/usbvision-video.c | 34 +++++++++++++++++++-------
1 file changed, 26 insertions(+), 8 deletions(-)

Index: usb-devel/drivers/media/usb/usbvision/usbvision-video.c
===================================================================
--- usb-devel.orig/drivers/media/usb/usbvision/usbvision-video.c
+++ usb-devel/drivers/media/usb/usbvision/usbvision-video.c
@@ -314,6 +314,10 @@ static int usbvision_v4l2_open(struct fi
if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;

+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto unlock;
+ }
if (usbvision->user) {
err_code = -EBUSY;
} else {
@@ -377,6 +381,7 @@ unlock:
static int usbvision_v4l2_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "close");

@@ -391,9 +396,10 @@ static int usbvision_v4l2_close(struct f
usbvision_scratch_free(usbvision);

usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
usbvision_release(usbvision);
return 0;
@@ -453,6 +459,9 @@ static int vidioc_querycap(struct file *
{
struct usb_usbvision *usbvision = video_drvdata(file);

+ if (!usbvision->dev)
+ return -ENODEV;
+
strscpy(vc->driver, "USBVision", sizeof(vc->driver));
strscpy(vc->card,
usbvision_device_data[usbvision->dev_model].model_string,
@@ -1073,6 +1082,11 @@ static int usbvision_radio_open(struct f

if (mutex_lock_interruptible(&usbvision->v4l2_lock))
return -ERESTARTSYS;
+
+ if (usbvision->remove_pending) {
+ err_code = -ENODEV;
+ goto out;
+ }
err_code = v4l2_fh_open(file);
if (err_code)
goto out;
@@ -1105,21 +1119,24 @@ out:
static int usbvision_radio_close(struct file *file)
{
struct usb_usbvision *usbvision = video_drvdata(file);
+ int r;

PDEBUG(DBG_IO, "");

mutex_lock(&usbvision->v4l2_lock);
/* Set packet size to 0 */
usbvision->iface_alt = 0;
- usb_set_interface(usbvision->dev, usbvision->iface,
+ if (usbvision->dev)
+ usb_set_interface(usbvision->dev, usbvision->iface,
usbvision->iface_alt);

usbvision_audio_off(usbvision);
usbvision->radio = 0;
usbvision->user--;
+ r = usbvision->remove_pending;
mutex_unlock(&usbvision->v4l2_lock);

- if (usbvision->remove_pending) {
+ if (r) {
printk(KERN_INFO "%s: Final disconnect\n", __func__);
v4l2_fh_release(file);
usbvision_release(usbvision);
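Review bot: the NULL guard around usb_set_interface() fixes the obvious dereference after disconnect, but the continuation line kept its old indentation and now lines up with the "if" instead of under the call; re-indent it. More importantly, usbvision_audio_off() on the next line runs after the guard too and, if it issues a control transfer as its name suggests, needs the same usbvision->dev check or an early exit when remove_pending is set, otherwise the same NULL dereference moves one line down.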
@@ -1347,11 +1364,7 @@ static void usbvision_release(struct usb
PDEBUG(DBG_PROBE, "");

usbvision->initialized = 0;
-
- usbvision_remove_sysfs(&usbvision->vdev);
- usbvision_unregister_video(usbvision);
kfree(usbvision->alt_max_pkt_size);
-
usb_free_urb(usbvision->ctrl_urb);

v4l2_ctrl_handler_free(&usbvision->hdl);
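Review bot: with unregistration moved out, usbvision_release() now only frees, but it is still reached from inside the fops->release callback (v4l2_release -> usbvision_radio_close -> usbvision_release), and the struct it kfree()s embeds the video_device the V4L2 core is still using: the KASAN report that follows shows the read at v4l2-dev.c:459, right after the callback returned at :455, landing 4136 bytes into the freed kmalloc-8k object. The core touches vdev after fops->release returns and then drops its own reference with video_put(), so the memory has to stay alive until the video_device's release callback runs; freeing usbvision from that callback is what is needed, rather than kfree() on the close path.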
@@ -1551,6 +1564,7 @@ err_usb:
static void usbvision_disconnect(struct usb_interface *intf)
{
struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+ int u;

PDEBUG(DBG_PROBE, "");

@@ -1567,13 +1581,17 @@ static void usbvision_disconnect(struct

syzbot

Sep 26, 2019, 3:51:02 PM
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a
crash:
KASAN: use-after-free Read in v4l2_release

==================================================================
BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390
drivers/media/v4l2-core/v4l2-dev.c:459
Read of size 4 at addr ffff8881c6e31028 by task v4l_id/2884

CPU: 1 PID: 2884 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:618
v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fc6c77342b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007ffcea3a5dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007fc6c77342b0
RDX: 0000000000000013 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007ffcea3a5f20 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2841:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:493 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:466
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]
usbvision_alloc drivers/media/usb/usbvision/usbvision-video.c:1327 [inline]
usbvision_probe.cold+0x586/0x1e56
drivers/media/usb/usbvision/usbvision-video.c:1477
Freed by task 2884:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:455
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1474 [inline]
slab_free mm/slub.c:3016 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3957
usbvision_release+0xcf/0x110
drivers/media/usb/usbvision/usbvision-video.c:1372
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1142
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881c6e30000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4136 bytes inside of
8192-byte region [ffff8881c6e30000, ffff8881c6e32000)
The buggy address belongs to the page:
page:ffffea00071b8c00 refcount:1 mapcount:0 mapping:ffff8881da00c500
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c500
raw: 0000000000000000 0000000080030003 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881c6e30f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c6e30f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881c6e31000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c6e31080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c6e31100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1475a74d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
dashboard link: https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=148d45d3600000

Alan Stern

Sep 26, 2019, 5:03:31 PM9/26/19
to Hans Verkuil, Mauro Carvalho Chehab, linux...@vger.kernel.org, USB list, syzkall...@googlegroups.com
Hans, Mauro, and other V4L2 maintainers:

The patch tested here (URL listed at the bottom of the syzbot message
below) fixes a couple of bugs in the usbvision driver:

There are several races between the open, close, and disconnect
routines (and also vidioc_querycap).

The driver unregisters its video and radio devices from sysfs
in the usbvision_release() routine, not in
usbvision_disconnect(). (This causes problems when userspace
keeps the device open, because by the time the release routine
runs, the relevant sysfs directories have already been
removed -- drivers in general need to unregister things in
their disconnect handlers.)

However, as the report below shows, fixing those bugs has revealed an
apparent problem involving reference counting in the V4L2 core. I
don't understand much about this subsystem, so maybe you can explain
what's going wrong.

The usbvision driver deallocates its private data structure when a
disconnect has occurred and the radio/video device files are closed.
But in this bug report, the v4l2_release() routine tries to access the
embedded v4l2_device (via video_put) after the structure has been
freed.

Clearly something is wrong, and I can't tell how this is all intended
to work. Is the deallocation supposed to occur at a later time?

Any ideas or suggestions?

Alan Stern

Alan Stern

Sep 26, 2019, 5:44:32 PM9/26/19
to Andrey Konovalov, Greg Kroah-Hartman, Rafael J. Wysocki, syzbot, LKML, USB list, syzkaller-bugs
On Wed, 25 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <st...@rowland.harvard.edu> wrote:
> >
> > On Wed, 25 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+e74a99...@syzkaller.appspotmail.com
> > >
> > > pvrusb2: Device being rendered inoperable
> > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > pvrusb2: Attached sub-driver cx25840
> > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > > can't clear it.
> > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > recover.
> > > ------------[ cut here ]------------
> > > sysfs group 'power' not found for kobject 'i2c-0'
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > fs/sysfs/group.c:278 [inline]
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> >
> > I have seen a lot of error messages like this one (i.e., "group 'power'
> > not found for kobject"), in runs that involved fuzzing a completely
> > different USB driver. Initial testing failed to find a cause.
> >
> > This leads me to wonder whether the problem might lie somewhere else
> > entirely. A bug in some core kernel code? Memory corruption?
>
> AFAICS so far this has only been triggered from the usbvision driver
> [1] and from the pvrusb2 driver (this report).
>
> I wanted to loop in sysfs maintainers, but it seems that Greg and
> Rafael are already cc'ed on this.
>
> [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

It turns out the reason for this error is simple: The driver
unregisters its subdevices in the release handler instead of in the
disconnect handler. There probably is documentation about this
somewhere, but I don't know exactly where -- maybe Greg remembers.

In the case of pvrusb2, the issues involve unregistering both the v4l2
device and the i2c device.

Alan Stern

Greg Kroah-Hartman

Sep 27, 2019, 1:10:58 AM9/27/19
to Alan Stern, Andrey Konovalov, Rafael J. Wysocki, syzbot, LKML, USB list, syzkaller-bugs
Nope, I don't remember. It should happen in the disconnect handler, odd
of it to be in release, but maybe that's the "easiest" way for v4l to
handle this?

thanks,

greg k-h

Alan Stern

Sep 27, 2019, 10:21:02 AM9/27/19
to Greg Kroah-Hartman, Andrey Konovalov, Rafael J. Wysocki, syzbot, LKML, USB list, syzkaller-bugs
On Fri, 27 Sep 2019, Greg Kroah-Hartman wrote:

> > It turns out the reason for this error is simple: The driver
> > unregisters its subdevices in the release handler instead of in the
> > disconnect handler. There probably is documentation about this
> > somewhere, but I don't know exactly where -- maybe Greg remembers.
>
> Nope, I don't remember. It should happen in the disconnect handler, odd
> of it to be in release, but maybe that's the "easiest" way for v4l to
> handle this?

This isn't a question of "easiest". Unregistering child devices in a
release handler is just _wrong_, plain and simple. That's what gives
rise to the

"sysfs group 'power' not found for kobject 'i2c-0'"

warning in the kernel log. The group can't be found because it has
already been removed; it gets destroyed when the parent USB interface
device is unregistered, because unregistering a device also removes
from sysfs everything below that device.

Alan Stern
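The ordering rule Alan Stern states above (unregister children in disconnect(), free memory in release(), because deleting the parent already tears down everything below it in sysfs) can be modelled outside the kernel. The following user-space C program is an added example, not code from this thread or from the pvrusb2 driver; the struct and function names (model_kobj, model_register, model_unregister, and the two scenario functions) are invented for illustration, and the device names "1-1:1.0" and "i2c-0" are constructed sample values. It counts how many times the "sysfs group 'power' not found" condition fires under each ordering.

```c
/* Added example: user-space model of the sysfs lifecycle described in
 * the thread.  All names here are invented; nothing is kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_CHILDREN 4

struct model_kobj {
    const char *name;
    struct model_kobj *parent;
    struct model_kobj *children[MAX_CHILDREN];
    int nchildren;
    int has_power_group;   /* models the sysfs 'power' attribute group */
};

static int warnings;   /* "group not found" warnings emitted so far */

/* device_add(): attach under parent and create the 'power' group. */
static void model_register(struct model_kobj *k, const char *name,
                           struct model_kobj *parent)
{
    memset(k, 0, sizeof(*k));
    k->name = name;
    k->parent = parent;
    k->has_power_group = 1;
    if (parent && parent->nchildren < MAX_CHILDREN)
        parent->children[parent->nchildren++] = k;
}

/* sysfs_remove_group(): warn when the group is already gone. */
static void model_remove_power_group(struct model_kobj *k)
{
    if (!k->has_power_group) {
        printf("sysfs group 'power' not found for kobject '%s'\n", k->name);
        warnings++;
        return;
    }
    k->has_power_group = 0;
}

/* Removing a kobject's sysfs directory silently takes every
 * descendant's directory (and its groups) with it. */
static void model_remove_subtree(struct model_kobj *k)
{
    for (int i = 0; i < k->nchildren; i++)
        model_remove_subtree(k->children[i]);
    k->has_power_group = 0;
}

/* Unlink k from its parent's child list. */
static void model_detach(struct model_kobj *k)
{
    struct model_kobj *p = k->parent;
    if (!p)
        return;
    for (int i = 0; i < p->nchildren; i++) {
        if (p->children[i] == k) {
            p->children[i] = p->children[--p->nchildren];
            break;
        }
    }
}

/* device_del(): remove this device's own 'power' group (warning if it is
 * already gone), then the sysfs subtree beneath it, then detach. */
static void model_unregister(struct model_kobj *k)
{
    model_remove_power_group(k);
    for (int i = 0; i < k->nchildren; i++)
        model_remove_subtree(k->children[i]);
    model_detach(k);
}

/* Wrong pattern: the child i2c adapter is unregistered from the driver's
 * release handler, after the parent USB interface is already gone. */
int model_unregister_in_release(void)
{
    struct model_kobj intf, i2c;
    warnings = 0;
    model_register(&intf, "1-1:1.0", NULL);   /* constructed names */
    model_register(&i2c, "i2c-0", &intf);
    model_unregister(&intf);   /* USB core removes the interface */
    model_unregister(&i2c);    /* release(): group is already gone */
    return warnings;           /* 1 */
}

/* Right pattern: disconnect() unregisters the child while the parent is
 * still registered; release() would only free memory. */
int model_unregister_in_disconnect(void)
{
    struct model_kobj intf, i2c;
    warnings = 0;
    model_register(&intf, "1-1:1.0", NULL);
    model_register(&i2c, "i2c-0", &intf);
    model_unregister(&i2c);    /* disconnect(): child first */
    model_unregister(&intf);   /* USB core removes the interface */
    return warnings;           /* 0 */
}

int main(void)
{
    printf("unregister in release:    %d warning(s)\n",
           model_unregister_in_release());
    printf("unregister in disconnect: %d warning(s)\n",
           model_unregister_in_disconnect());
    return 0;
}
```

The model deliberately keeps the child listed under the parent after the parent's directory is removed, mirroring the real situation where the i2c adapter stays registered in the device model but its sysfs directory has already vanished; that is exactly the state in which a late i2c_del_adapter() produces the warning quoted in the report.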

syzbot

Sep 28, 2019, 1:21:02 PM9/28/19
to st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in v4l2_release

usbvision_radio_close: Final disconnect
==================================================================
BUG: KASAN: use-after-free in v4l2_release+0x2f1/0x390
drivers/media/v4l2-core/v4l2-dev.c:459
Read of size 4 at addr ffff8881c768b128 by task v4l_id/2877

CPU: 0 PID: 2877 Comm: v4l_id Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:618
v4l2_release+0x2f1/0x390 drivers/media/v4l2-core/v4l2-dev.c:459
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f070a7402b0
Code: 40 75 0b 31 c0 48 83 c4 08 e9 0c ff ff ff 48 8d 3d c5 32 08 00 e8 c0
07 02 00 83 3d 45 a3 2b 00 00 75 10 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 31 c3 48 83 ec 08 e8 ce 8a 01 00 48 89 04 24
RSP: 002b:00007fff49f97d28 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f070a7402b0
RDX: 0000000000000013 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400884
R13: 00007fff49f97e80 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1740:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:493 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:466
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]
usbvision_alloc drivers/media/usb/usbvision/usbvision-video.c:1327 [inline]
usbvision_probe.cold+0x586/0x1e56
drivers/media/usb/usbvision/usbvision-video.c:1476
Freed by task 2877:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:455
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1474 [inline]
slab_free mm/slub.c:3016 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3957
usbvision_release+0xc3/0x100
drivers/media/usb/usbvision/usbvision-video.c:1371
usbvision_radio_close.cold+0x2b/0x74
drivers/media/usb/usbvision/usbvision-video.c:1142
v4l2_release+0x2e7/0x390 drivers/media/v4l2-core/v4l2-dev.c:455
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881c768a100
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4136 bytes inside of
8192-byte region [ffff8881c768a100, ffff8881c768c100)
The buggy address belongs to the page:
page:ffffea00071da200 refcount:1 mapcount:0 mapping:ffff8881da00c500
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c500
raw: 0000000000000000 0000000080030003 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881c768b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c768b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881c768b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c768b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c768b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13dffdd3600000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f5a79d600000

Hillf Danton

Jul 21, 2020, 10:10:15 PM7/21/20
to syzbot, andre...@google.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, B K Karthik, Dan Carpenter, raf...@kernel.org, syzkall...@googlegroups.com, Markus Elfring, Hillf Danton

Wed, 25 Sep 2019 05:59:05 -0700
> syzbot found the following crash on:
>
> HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e74a99...@syzkaller.appspotmail.com
>
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> can't clear it.
> pvrusb2: You might need to power cycle the pvrusb2 device in order to
> recover.
> ------------[ cut here ]------------
> sysfs group 'power' not found for kobject 'i2c-0'
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> fs/sysfs/group.c:278 [inline]
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 102 Comm: pvrusb2-context Not tainted 5.3.0+ #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xca/0x13e lib/dump_stack.c:113
> panic+0x2a3/0x6da kernel/panic.c:219
> __warn.cold+0x20/0x4a kernel/panic.c:576
> report_bug+0x262/0x2a0 lib/bug.c:186
> fixup_bug arch/x86/kernel/traps.c:179 [inline]
> fixup_bug arch/x86/kernel/traps.c:174 [inline]
> do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
> do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
> invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
> RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
> RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c
> 01 00 75 41 48 8b 33 48 c7 c7 a0 dc d0 85 e8 e0 67 8a ff <0f> 0b eb 95 e8
> 72 c4 db ff e9 d2 fe ff ff 48 89 df e8 65 c4 db ff
> RSP: 0018:ffff8881d5857c40 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: ffffffff85f33f80 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff8128d3fd RDI: ffffed103ab0af7a
> RBP: 0000000000000000 R08: ffff8881d5e11800 R09: ffffed103b643ee7
> R10: ffffed103b643ee6 R11: ffff8881db21f737 R12: ffff8881d2e68338
> R13: ffffffff85f34520 R14: ffff8881d2e68900 R15: ffff8881d5e11800
> dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:741
> device_del+0x12a/0xb10 drivers/base/core.c:2352
> device_unregister+0x11/0x30 drivers/base/core.c:2407
> i2c_del_adapter drivers/i2c/i2c-core-base.c:1596 [inline]
> i2c_del_adapter+0x42b/0x590 drivers/i2c/i2c-core-base.c:1535
> pvr2_i2c_core_done+0x69/0xb6 drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:652
> pvr2_hdw_destroy+0x179/0x370 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2680
> pvr2_context_destroy+0x84/0x230 drivers/media/usb/pvrusb2/pvrusb2-context.c:70
> pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
> pvr2_context_thread_func+0x657/0x860 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
> kthread+0x318/0x420 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Set the linked flag after adding the adapter to i2c.

--- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c
@@ -623,9 +623,9 @@ void pvr2_i2c_core_init(struct pvr2_hdw
hdw->i2c_adap.dev.parent = &hdw->usb_dev->dev;
hdw->i2c_adap.algo = &hdw->i2c_algo;
hdw->i2c_adap.algo_data = hdw;
- hdw->i2c_linked = !0;
i2c_set_adapdata(&hdw->i2c_adap, &hdw->v4l2_dev);
- i2c_add_adapter(&hdw->i2c_adap);
+ if (!i2c_add_adapter(&hdw->i2c_adap))
+ hdw->i2c_linked = !0;
if (hdw->i2c_func[0x18] == i2c_24xxx_ir) {
/* Probe for a different type of IR receiver on this
device. This is really the only way to differentiate
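Review bot: the guard only stops pvr2_i2c_core_done() from deleting an adapter that was never added; it does not change when i2c_del_adapter() runs, and the quoted trace shows it running from pvr2_hdw_destroy() on the pvrusb2-context thread, which Alan Stern's analysis earlier in this thread attributes to unregistering after the parent USB interface has already been removed. Please explain in the description how moving the i2c_linked assignment addresses the "sysfs group 'power' not found" warning rather than only the add-failure case. Separately, since pvr2_i2c_core_init() returns void (per the hunk header), a failing i2c_add_adapter() is now swallowed silently; consider logging it (e.g. with dev_err() on hdw->usb_dev->dev) so a missing adapter is diagnosable.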
