Re: WARNING in pvr2_i2c_core_done

2020-07-22 Thread B K Karthik
On Wed, 22 Jul 2020 at 14:42, Hillf Danton  wrote:
>
>
> From: syzbot 
>
> Tue, 21 Jul 2020 21:06:10 -0700
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering 
> > an issue:
> > general protection fault in kernfs_find_ns
> >
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > general protection fault, probably for non-canonical address 
> > 0xdc0e:  [#1] SMP KASAN
> > KASAN: null-ptr-deref in range [0x0070-0x0077]
> > CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
> > Google 01/01/2011
> > Call Trace:
> >  kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
> >  kernfs_find_and_get include/linux/kernfs.h:548 [inline]
> >  sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
> >  dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
>
> [3]
>
> >  device_del+0x18b/0xd20 drivers/base/core.c:2834
> >  device_unregister+0x22/0xc0 drivers/base/core.c:2889
> >  i2c_unregister_device include/linux/err.h:41 [inline]
>
> [2]
>
> >  i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
> >  device_release+0x71/0x200 drivers/base/core.c:1559
>
> [1] kobject_del() goes before the release cb in kobject_cleanup() and
> kobj is removed from sysfs, see [3] above.

Oh, thank you for letting me know about this. Forgive me, but I did
not understand you very clearly.
I presume you are saying that the second call to
i2c_unregister_device() is where the problem occurs?

Please let me know.
Thanks,

karthik


Re: WARNING in pvr2_i2c_core_done

2020-07-21 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
general protection fault in kernfs_find_ns

pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
general protection fault, probably for non-canonical address 
0xdc0e:  [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0070-0x0077]
CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
 kernfs_find_and_get include/linux/kernfs.h:548 [inline]
 sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
 dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
 device_del+0x18b/0xd20 drivers/base/core.c:2834
 device_unregister+0x22/0xc0 drivers/base/core.c:2889
 i2c_unregister_device include/linux/err.h:41 [inline]
 i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
 device_release+0x71/0x200 drivers/base/core.c:1559
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x245/0x540 lib/kobject.c:739
 put_device drivers/base/core.c:2779 [inline]
 device_unregister+0x34/0xc0 drivers/base/core.c:2890
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114
 v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135
 pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline]
 pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline]
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline]
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline]
 pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline]
 pvr2_context_thread_func+0x250/0x850 
drivers/media/usb/pvrusb2/pvrusb2-context.c:158
 kthread+0x392/0x470 kernel/kthread.c:291
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Modules linked in:
---[ end trace a2576a16aa8e791c ]---


Tested on:

commit: b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git..
git tree:   https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1208f43710
kernel config:  https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler:   gcc (GCC) 10.1.0-syz 20200507
patch:  https://syzkaller.appspot.com/x/patch.diff?x=14d5643090



Re: WARNING in pvr2_i2c_core_done

2020-07-21 Thread B K Karthik
On Tue, Jul 21, 2020 at 4:50 PM syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering 
> an issue:
> general protection fault in kernfs_find_ns
>
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> pvrusb2: Invalid write control endpoint
> general protection fault, probably for non-canonical address 
> 0xdc0e:  [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x0070-0x0077]

I'm guessing this has to do with kmem_cache_free() called by
i2c_acpi_remove_space_handler() through acpi_ut_delete_generic_state()
in drivers/acpi/osl.c:1708?

> CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
> Google 01/01/2011
> Call Trace:
>  kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
>  kernfs_find_and_get include/linux/kernfs.h:548 [inline]
>  sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
>  dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
>  device_del+0x18b/0xd20 drivers/base/core.c:2834
>  device_unregister+0x22/0xc0 drivers/base/core.c:2889
>  i2c_unregister_device include/linux/err.h:41 [inline]
>  i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
>  device_release+0x71/0x200 drivers/base/core.c:1559
>  kobject_cleanup lib/kobject.c:693 [inline]
>  kobject_release lib/kobject.c:722 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  kobject_put+0x245/0x540 lib/kobject.c:739
>  put_device drivers/base/core.c:2779 [inline]
>  device_unregister+0x34/0xc0 drivers/base/core.c:2890
>  i2c_unregister_device+0x38/0x40 include/linux/err.h:41
>  v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114
>  v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135
>  pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline]
>  pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline]
>  pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline]
>  pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline]
>  pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339
>  pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline]
>  pvr2_context_thread_func+0x250/0x850 
> drivers/media/usb/pvrusb2/pvrusb2-context.c:158
>  kthread+0x392/0x470 kernel/kthread.c:291
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
> Modules linked in:
> ---[ end trace 9af941b6bcb04b01 ]---
>
>
> Tested on:
>
> commit: b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git..
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16dfe44090
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343
> 

Re: WARNING in pvr2_i2c_core_done

2020-07-21 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
general protection fault in kernfs_find_ns

pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
pvrusb2: Invalid write control endpoint
general protection fault, probably for non-canonical address 
0xdc0e:  [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0070-0x0077]
CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
 kernfs_find_and_get include/linux/kernfs.h:548 [inline]
 sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
 dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
 device_del+0x18b/0xd20 drivers/base/core.c:2834
 device_unregister+0x22/0xc0 drivers/base/core.c:2889
 i2c_unregister_device include/linux/err.h:41 [inline]
 i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
 device_release+0x71/0x200 drivers/base/core.c:1559
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x245/0x540 lib/kobject.c:739
 put_device drivers/base/core.c:2779 [inline]
 device_unregister+0x34/0xc0 drivers/base/core.c:2890
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114
 v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135
 pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline]
 pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline]
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline]
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline]
 pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline]
 pvr2_context_thread_func+0x250/0x850 
drivers/media/usb/pvrusb2/pvrusb2-context.c:158
 kthread+0x392/0x470 kernel/kthread.c:291
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Modules linked in:
---[ end trace 9af941b6bcb04b01 ]---


Tested on:

commit: b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git..
git tree:   https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16dfe44090
kernel config:  https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler:   gcc (GCC) 10.1.0-syz 20200507
patch:  https://syzkaller.appspot.com/x/patch.diff?x=117e281b10



Re: WARNING in pvr2_i2c_core_done

2019-09-27 Thread Alan Stern
On Fri, 27 Sep 2019, Greg Kroah-Hartman wrote:

> > It turns out the reason for this error is simple: The driver 
> > unregisters its subdevices in the release handler instead of in the 
> > disconnect handler.  There probably is documentation about this 
> > somewhere, but I don't know exactly where -- maybe Greg remembers.
> 
> Nope, I don't remember.  It should happen in the disconnect handler, odd
> of it to be in release, but maybe that's the "easiest" way for v4l to
> handle this?

This isn't a question of "easiest".  Unregistering child devices in a
release handler is just _wrong_, plain and simple.  That's what gives
rise to the

"sysfs group 'power' not found for kobject 'i2c-0'"

warning in the kernel log.  The group can't be found because it has 
already been removed; it gets destroyed when the parent USB interface 
device is unregistered, because unregistering a device also removes 
from sysfs everything below that device.

Alan Stern
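
Alan's point above, and the kobject_del()-before-release order Hillf notes in [1] at the top of the thread, as an added user-space model; this is not kernel code and not from anyone in the thread. The names usb_intf and i2c-0 are constructed stand-ins for the pvrusb2 USB interface and its i2c child, and the sysfs array, refcounts and release hook are a deliberately simplified model of the kernel's kobject/sysfs teardown.

```c
/* Added example, not kernel code: a user-space model of the kobject teardown
 * order behind the "sysfs group 'power' not found" warning. usb_intf and i2c-0
 * are constructed stand-ins for the pvrusb2 USB interface and its i2c child. */
#include <stdio.h>

struct kobj {
    const char *name;
    struct kobj *parent;
    int refcount, in_sysfs;         /* in_sysfs: 1 while a directory exists */
    void (*release)(struct kobj *); /* driver release callback, may be NULL */
};

static struct kobj *sysfs[8];       /* model of sysfs: kobjects with a dir */
static int nsysfs;
static int sysfs_warnings;          /* "group not found" warnings seen */

/* kobject_del(): removing a directory removes everything below it as well
 * (the tree here is one level deep, which is all the model needs). */
static void kobject_del(struct kobj *top)
{
    int i, kept = 0;
    for (i = 0; i < nsysfs; i++)
        if (sysfs[i] == top || sysfs[i]->parent == top)
            sysfs[i]->in_sysfs = 0;
        else
            sysfs[kept++] = sysfs[i];
    nsysfs = kept;
}

/* sysfs_remove_group(): the kernel warns when the directory is already gone. */
static void sysfs_remove_group(struct kobj *k, const char *group)
{
    if (k->in_sysfs) return;
    printf("sysfs group '%s' not found for kobject '%s'\n", group, k->name);
    sysfs_warnings++;
}

/* device_del(): drop the 'power' group (dpm_sysfs_remove), then the dir. */
static void device_del(struct kobj *k) { sysfs_remove_group(k, "power"); kobject_del(k); }

/* kobject_put(): on the last reference kobject_cleanup() runs kobject_del()
 * first and only then the release callback, the order Hillf notes in [1]. */
static void kobject_put(struct kobj *k)
{
    if (--k->refcount > 0) return;
    if (k->in_sysfs) kobject_del(k);
    if (k->release) k->release(k);
}
static void device_unregister(struct kobj *k) { device_del(k); kobject_put(k); }

static struct kobj usb_intf = { "usb_intf", NULL, 0, 0, NULL };
static struct kobj i2c_adap = { "i2c-0", &usb_intf, 0, 0, NULL };
static void setup(void (*parent_release)(struct kobj *))
{
    usb_intf.refcount = i2c_adap.refcount = 1;
    usb_intf.in_sysfs = i2c_adap.in_sysfs = 1;
    usb_intf.release = parent_release;
    sysfs[0] = &usb_intf; sysfs[1] = &i2c_adap; nsysfs = 2;
    sysfs_warnings = 0;
}

/* Buggy pattern from the thread: the child is unregistered from the parent's
 * release handler, after the parent's whole subtree has already left sysfs. */
static void buggy_release(struct kobj *parent) { (void)parent; device_unregister(&i2c_adap); }
int run_buggy(void)
{
    setup(buggy_release);
    device_unregister(&usb_intf);   /* disconnect tears down the parent only */
    return sysfs_warnings;          /* 1 */
}

/* Fixed pattern: disconnect unregisters the children before the parent. */
int run_fixed(void)
{
    setup(NULL);
    device_unregister(&i2c_adap);
    device_unregister(&usb_intf);
    return sysfs_warnings;          /* 0 */
}
```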



Re: WARNING in pvr2_i2c_core_done

2019-09-26 Thread Greg Kroah-Hartman
On Thu, Sep 26, 2019 at 05:44:31PM -0400, Alan Stern wrote:
> On Wed, 25 Sep 2019, Andrey Konovalov wrote:
> 
> > On Wed, Sep 25, 2019 at 4:10 PM Alan Stern  
> > wrote:
> > >
> > > On Wed, 25 Sep 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > > dashboard link: 
> > > > https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro:  
> > > > https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > commit:
> > > > Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> > > >
> > > > pvrusb2: Device being rendered inoperable
> > > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > > pvrusb2: Attached sub-driver cx25840
> > > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and 
> > > > I
> > > > can't clear it.
> > > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > > recover.
> > > > [ cut here ]
> > > > sysfs group 'power' not found for kobject 'i2c-0'
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > > fs/sysfs/group.c:278 [inline]
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> > >
> > > I have seen a lot of error messages like this one (i.e., "group 'power'
> > > not found for kobject"), in runs that involved fuzzing a completely
> > > different USB driver.  Initial testing failed to find a cause.
> > >
> > > This leads me to wonder whether the problem might lie somewhere else
> > > entirely.  A bug in some core kernel code?  Memory corruption?
> > 
> > AFAICS so far this has only been triggered from the usbvision driver
> > [1] and from the pvrusb2 driver (this report).
> > 
> > I wanted to loop in sysfs maintainers, but it seems that Greg and
> > Rafael are already cc'ed on this.
> > 
> > [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
> 
> It turns out the reason for this error is simple: The driver 
> unregisters its subdevices in the release handler instead of in the 
> disconnect handler.  There probably is documentation about this 
> somewhere, but I don't know exactly where -- maybe Greg remembers.

Nope, I don't remember.  It should happen in the disconnect handler, odd
of it to be in release, but maybe that's the "easiest" way for v4l to
handle this?

thanks,

greg k-h


Re: WARNING in pvr2_i2c_core_done

2019-09-26 Thread Alan Stern
On Wed, 25 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 25, 2019 at 4:10 PM Alan Stern  wrote:
> >
> > On Wed, 25 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > dashboard link: 
> > > https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> > >
> > > pvrusb2: Device being rendered inoperable
> > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > pvrusb2: Attached sub-driver cx25840
> > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > > can't clear it.
> > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > recover.
> > > [ cut here ]
> > > sysfs group 'power' not found for kobject 'i2c-0'
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > fs/sysfs/group.c:278 [inline]
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> >
> > I have seen a lot of error messages like this one (i.e., "group 'power'
> > not found for kobject"), in runs that involved fuzzing a completely
> > different USB driver.  Initial testing failed to find a cause.
> >
> > This leads me to wonder whether the problem might lie somewhere else
> > entirely.  A bug in some core kernel code?  Memory corruption?
> 
> AFAICS so far this has only been triggered from the usbvision driver
> [1] and from the pvrusb2 driver (this report).
> 
> I wanted to loop in sysfs maintainers, but it seems that Greg and
> Rafael are already cc'ed on this.
> 
> [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

It turns out the reason for this error is simple: The driver 
unregisters its subdevices in the release handler instead of in the 
disconnect handler.  There probably is documentation about this 
somewhere, but I don't know exactly where -- maybe Greg remembers.

In the case of pvrusb2, the issues involve unregistering both the v4l2 
device and the i2c device.

Alan Stern



Re: WARNING in pvr2_i2c_core_done

2019-09-25 Thread Andrey Konovalov
On Wed, Sep 25, 2019 at 4:10 PM Alan Stern  wrote:
>
> On Wed, 25 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > git tree:   https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> >
> > pvrusb2: Device being rendered inoperable
> > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > pvrusb2: Attached sub-driver cx25840
> > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > can't clear it.
> > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > recover.
> > [ cut here ]
> > sysfs group 'power' not found for kobject 'i2c-0'
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > fs/sysfs/group.c:278 [inline]
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
>
> I have seen a lot of error messages like this one (i.e., "group 'power'
> not found for kobject"), in runs that involved fuzzing a completely
> different USB driver.  Initial testing failed to find a cause.
>
> This leads me to wonder whether the problem might lie somewhere else
> entirely.  A bug in some core kernel code?  Memory corruption?

AFAICS so far this has only been triggered from the usbvision driver
[1] and from the pvrusb2 driver (this report).

I wanted to loop in sysfs maintainers, but it seems that Greg and
Rafael are already cc'ed on this.

[1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634


Re: WARNING in pvr2_i2c_core_done

2019-09-25 Thread Alan Stern
On Wed, 25 Sep 2019, syzbot wrote:

> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> git tree:   https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> 
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I  
> can't clear it.
> pvrusb2: You might need to power cycle the pvrusb2 device in order to  
> recover.
> [ cut here ]
> sysfs group 'power' not found for kobject 'i2c-0'
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group  
> fs/sysfs/group.c:278 [inline]
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278  
> sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269

I have seen a lot of error messages like this one (i.e., "group 'power'
not found for kobject"), in runs that involved fuzzing a completely
different USB driver.  Initial testing failed to find a cause.

This leads me to wonder whether the problem might lie somewhere else 
entirely.  A bug in some core kernel code?  Memory corruption?

Alan Stern