Re: [PATCH] media: pvrusb2: fix warning in pvr2_i2c_core_done
On Tue, Apr 06, 2021 at 11:38:25AM +0200, Hans Verkuil wrote: > On 01/04/2021 14:33, Anirudh Rayabharam wrote: > > syzbot has reported the following warning in pvr2_i2c_done: > > > > sysfs group 'power' not found for kobject '1-0043' > > > > When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is > > not unregistered along with the USB and vl42 teardown. As part of the > > vl42 -> v4l2 > > > USB device disconnect, the sysfs files of the subdevices are also > > deleted. So, by the time pvr_i2c_core_done is called by > > pvr_context_destroy, the sysfs files have been deleted. > > > > To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make > > the device deregistration code shared by calling pvr_hdw_disconnect from > > pvr2_hdw_destory. > > destory -> destroy > > > > > Reported-and-tested-by: > > syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com > > Signed-off-by: Anirudh Rayabharam > > --- > > drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 ++--- > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > index f4a727918e35..791227787ff5 100644 > > --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > @@ -2676,9 +2676,7 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) > > pvr2_stream_destroy(hdw->vid_stream); > > hdw->vid_stream = NULL; > > } > > - pvr2_i2c_core_done(hdw); > > - v4l2_device_unregister(>v4l2_dev); > > I think this should still remain since pvr2_hdw_disconnect() doesn't call > v4l2_device_unregister(). > > Can you test that with syzbot? Sent v2 with this change. Tested it with syzbot and didn't find any problems. Thanks. - Anirudh.
[PATCH v2] media: pvrusb2: fix warning in pvr2_i2c_core_done
syzbot has reported the following warning in pvr2_i2c_done: sysfs group 'power' not found for kobject '1-0043' When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is not unregistered along with the USB and v4l2 teardown. As part of the USB device disconnect, the sysfs files of the subdevices are also deleted. So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the sysfs files have been deleted. To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make the device deregistration code shared by calling pvr_hdw_disconnect from pvr2_hdw_destroy. Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com Tested-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com Reviewed-by: Greg Kroah-Hartman Signed-off-by: Anirudh Rayabharam --- syzbot test run result: https://groups.google.com/g/syzkaller-bugs/c/ZRtPuAv8k7g/m/_MIsLKJtAAAJ Changes in v2: - Corrected typos in the patch description - Added the received "Reviewed-by:" tags - Retain the call to v4l2_device_unregister() in pvr2_hdw_destroy() since pvr2_hdw_disconnect doesn't call it as pointed out by Hans. --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index f4a727918e35..d38dee1792e4 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -2676,9 +2676,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) pvr2_stream_destroy(hdw->vid_stream); hdw->vid_stream = NULL; } - pvr2_i2c_core_done(hdw); v4l2_device_unregister(>v4l2_dev); - pvr2_hdw_remove_usb_stuff(hdw); + pvr2_hdw_disconnect(hdw); mutex_lock(_unit_mtx); do { if ((hdw->unit_number >= 0) && 
@@ -2705,6 +2704,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) { pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); LOCK_TAKE(hdw->big_lock); + pvr2_i2c_core_done(hdw); LOCK_TAKE(hdw->ctl_lock); pvr2_hdw_remove_usb_stuff(hdw); LOCK_GIVE(hdw->ctl_lock); -- 2.26.2
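Review bot: the pvr2_hdw_destroy() hunk leaves the two teardown paths releasing in different orders: on the destroy path v4l2_device_unregister() now runs before pvr2_hdw_disconnect() and hence before pvr2_i2c_core_done() removes the i2c adapter, whereas on a USB unplug pvr2_hdw_disconnect() removes the i2c adapter first and v4l2_device_unregister() only runs later from pvr2_hdw_destroy(). If the subdevs created through v4l2_i2c_new_subdev() (pvr2_hdw_load_subdev in the syzbot trace earlier in this thread) have to go before their adapter, the destroy path should mirror the disconnect order; otherwise a comment above `v4l2_device_unregister(...)` saying the order does not matter would save the next reader the same question.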
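Review bot: in the pvr2_hdw_disconnect() hunk, pvr2_i2c_core_done() is placed inside big_lock but before ctl_lock is taken, and i2c_del_adapter() can call back into client and subdev removal. A one-line comment stating that none of those callbacks take big_lock (or moving the call after LOCK_GIVE(hdw->big_lock) if they might) would make the lock ordering explicit rather than implied by position.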
Re: [PATCH] media: pvrusb2: fix warning in pvr2_i2c_core_done
On Tue, Apr 06, 2021 at 11:38:25AM +0200, Hans Verkuil wrote: > On 01/04/2021 14:33, Anirudh Rayabharam wrote: > > syzbot has reported the following warning in pvr2_i2c_done: > > > > sysfs group 'power' not found for kobject '1-0043' > > > > When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is > > not unregistered along with the USB and vl42 teardown. As part of the > > vl42 -> v4l2 > > > USB device disconnect, the sysfs files of the subdevices are also > > deleted. So, by the time pvr_i2c_core_done is called by > > pvr_context_destroy, the sysfs files have been deleted. > > > > To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make > > the device deregistration code shared by calling pvr_hdw_disconnect from > > pvr2_hdw_destory. > > destory -> destroy > Ack, will fix these typos in v2. > > > > Reported-and-tested-by: > > syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com > > Signed-off-by: Anirudh Rayabharam > > --- > > drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 ++--- > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > index f4a727918e35..791227787ff5 100644 > > --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > > +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c 
> > @@ -2676,9 +2676,7 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) > > pvr2_stream_destroy(hdw->vid_stream); > > hdw->vid_stream = NULL; > > } > > - pvr2_i2c_core_done(hdw); > > - v4l2_device_unregister(>v4l2_dev); > > I think this should still remain since pvr2_hdw_disconnect() doesn't call > v4l2_device_unregister(). Then we might run into the same warning again. pvr2_hdw_disconnect() calls pvr2_hdw_remove_usb_stuff() which calls v4l2_device_disconnect(). Perhaps there we should call v4l2_device_unregister() instead? > > Can you test that with syzbot? Will do. Thanks! - Anirudh. > > Regards, > > Hans > > > - pvr2_hdw_remove_usb_stuff(hdw); > > + pvr2_hdw_disconnect(hdw); > > mutex_lock(_unit_mtx); > > do { > > if ((hdw->unit_number >= 0) && > > @@ -2705,6 +2703,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) > > { > > pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); > > LOCK_TAKE(hdw->big_lock); > > + pvr2_i2c_core_done(hdw); > > LOCK_TAKE(hdw->ctl_lock); > > pvr2_hdw_remove_usb_stuff(hdw); > > LOCK_GIVE(hdw->ctl_lock); > > >
Re: [PATCH] media: pvrusb2: fix warning in pvr2_i2c_core_done
On 01/04/2021 14:33, Anirudh Rayabharam wrote: > syzbot has reported the following warning in pvr2_i2c_done: > > sysfs group 'power' not found for kobject '1-0043' > > When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is > not unregistered along with the USB and vl42 teardown. As part of the vl42 -> v4l2 > USB device disconnect, the sysfs files of the subdevices are also > deleted. So, by the time pvr_i2c_core_done is called by > pvr_context_destroy, the sysfs files have been deleted. > > To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make > the device deregistration code shared by calling pvr_hdw_disconnect from > pvr2_hdw_destory. destory -> destroy > > Reported-and-tested-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com > Signed-off-by: Anirudh Rayabharam > --- > drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > index f4a727918e35..791227787ff5 100644 > --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > @@ -2676,9 +2676,7 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) > pvr2_stream_destroy(hdw->vid_stream); > hdw->vid_stream = NULL; > } > - pvr2_i2c_core_done(hdw); > - v4l2_device_unregister(>v4l2_dev); I think this should still remain since pvr2_hdw_disconnect() doesn't call v4l2_device_unregister(). Can you test that with syzbot? Regards, Hans > - pvr2_hdw_remove_usb_stuff(hdw); > + pvr2_hdw_disconnect(hdw); > mutex_lock(_unit_mtx); > do { > if ((hdw->unit_number >= 0) && > @@ -2705,6 +2703,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) > { > pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); > LOCK_TAKE(hdw->big_lock); > + pvr2_i2c_core_done(hdw); > LOCK_TAKE(hdw->ctl_lock); > pvr2_hdw_remove_usb_stuff(hdw); > LOCK_GIVE(hdw->ctl_lock); >
Re: [PATCH] media: pvrusb2: fix warning in pvr2_i2c_core_done
On Thu, Apr 01, 2021 at 06:03:38PM +0530, Anirudh Rayabharam wrote: > syzbot has reported the following warning in pvr2_i2c_done: > > sysfs group 'power' not found for kobject '1-0043' > > When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is > not unregistered along with the USB and vl42 teardown. As part of the > USB device disconnect, the sysfs files of the subdevices are also > deleted. So, by the time pvr_i2c_core_done is called by > pvr_context_destroy, the sysfs files have been deleted. > > To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make > the device deregistration code shared by calling pvr_hdw_disconnect from > pvr2_hdw_destory. > > Reported-and-tested-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com > Signed-off-by: Anirudh Rayabharam > --- > drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > index f4a727918e35..791227787ff5 100644 > --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c > @@ -2676,9 +2676,7 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) > pvr2_stream_destroy(hdw->vid_stream); > hdw->vid_stream = NULL; > } > - pvr2_i2c_core_done(hdw); > - v4l2_device_unregister(>v4l2_dev); > - pvr2_hdw_remove_usb_stuff(hdw); > + pvr2_hdw_disconnect(hdw); > mutex_lock(_unit_mtx); > do { > if ((hdw->unit_number >= 0) && > @@ -2705,6 +2703,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) > { > pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); > LOCK_TAKE(hdw->big_lock); > + pvr2_i2c_core_done(hdw); > LOCK_TAKE(hdw->ctl_lock); > pvr2_hdw_remove_usb_stuff(hdw); > LOCK_GIVE(hdw->ctl_lock); > -- > 2.26.2 Looks sane to me, nice work tracking this down. Reviewed-by: Greg Kroah-Hartman
[PATCH] media: pvrusb2: fix warning in pvr2_i2c_core_done
syzbot has reported the following warning in pvr2_i2c_done: sysfs group 'power' not found for kobject '1-0043' When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is not unregistered along with the USB and vl42 teardown. As part of the USB device disconnect, the sysfs files of the subdevices are also deleted. So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the sysfs files have been deleted. To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make the device deregistration code shared by calling pvr_hdw_disconnect from pvr2_hdw_destory. Reported-and-tested-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com Signed-off-by: Anirudh Rayabharam --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index f4a727918e35..791227787ff5 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -2676,9 +2676,7 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) pvr2_stream_destroy(hdw->vid_stream); hdw->vid_stream = NULL; } - pvr2_i2c_core_done(hdw); - v4l2_device_unregister(>v4l2_dev); - pvr2_hdw_remove_usb_stuff(hdw); + pvr2_hdw_disconnect(hdw); mutex_lock(_unit_mtx); do { if ((hdw->unit_number >= 0) && @@ -2705,6 +2703,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) { pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); LOCK_TAKE(hdw->big_lock); + pvr2_i2c_core_done(hdw); LOCK_TAKE(hdw->ctl_lock); pvr2_hdw_remove_usb_stuff(hdw); LOCK_GIVE(hdw->ctl_lock); -- 2.26.2
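Review bot: in the pvr2_hdw_destroy() hunk, the removed v4l2_device_unregister() call has no replacement: pvr2_hdw_disconnect() in the second hunk only gains pvr2_i2c_core_done() and still ends in pvr2_hdw_remove_usb_stuff(), so the v4l2_device is never unregistered on the destroy path. Keep the v4l2_device_unregister() call in pvr2_hdw_destroy() or add it to pvr2_hdw_disconnect(). The description also needs "v4l2 teardown" for "vl42" and "pvr2_hdw_destroy" for "pvr2_hdw_destory".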
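Review bot: with pvr2_hdw_destroy() now calling pvr2_hdw_disconnect(), a USB disconnect followed by destroy runs pvr2_i2c_core_done() and pvr2_hdw_remove_usb_stuff() a second time, and the pvr2_hdw_disconnect() hunk adds no guard, so this relies on both being no-ops on a repeat call. Either say so in the commit message or add an early return in pvr2_hdw_disconnect() on an already-torn-down flag, so a future change to either function cannot reintroduce a double unregister.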
Re: WARNING in pvr2_i2c_core_done
On Wed, 22 Jul 2020 at 14:42, Hillf Danton wrote: > > > From: syzbot > > Tue, 21 Jul 2020 21:06:10 -0700 > > Hello, > > > > syzbot has tested the proposed patch but the reproducer is still triggering > > an issue: > > general protection fault in kernfs_find_ns > > > > pvrusb2: Invalid write control endpoint > > pvrusb2: Invalid write control endpoint > > pvrusb2: Invalid write control endpoint > > pvrusb2: Invalid write control endpoint > > general protection fault, probably for non-canonical address > > 0xdc0e: [#1] SMP KASAN > > KASAN: null-ptr-deref in range [0x0070-0x0077] > > CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 > > Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d > > 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f > > 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 > > RSP: 0018:8881d419f938 EFLAGS: 00010202 > > RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 > > RDX: 000e RSI: 81901d1c RDI: 0070 > > RBP: R08: R09: 873ed1e7 > > R10: fbfff0e7da3c R11: 0001 R12: > > R13: R14: R15: 863790e0 > > FS: () GS:8881db20() knlGS: > > CS: 0010 DS: ES: CR0: 80050033 > > CR2: 7f3a7e248000 CR3: 0001d2224000 CR4: 001406f0 > > DR0: DR1: DR2: > > DR3: DR6: fffe0ff0 DR7: 0400 > > Call Trace: > > kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906 > > kernfs_find_and_get include/linux/kernfs.h:548 [inline] > > sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366 > > dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790 > > [3] > > > device_del+0x18b/0xd20 drivers/base/core.c:2834 > > device_unregister+0x22/0xc0 drivers/base/core.c:2889 > > i2c_unregister_device include/linux/err.h:41 [inline] > > [2] > > > i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465 > > device_release+0x71/0x200 drivers/base/core.c:1559 > > [1] kobject_del() 
goes before the release cb in kobject_cleanup() and > kobj is removed from sysfs, see [3] above. Oh, thank you for letting me know about this. Forgive me, but I did not understand you very clearly. I presume you are saying that the second call to i2c_unregister_device() is where the problem occurs? Please let me know. thanks, karthik
Re: WARNING in pvr2_i2c_core_done
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: general protection fault in kernfs_find_ns pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint general protection fault, probably for non-canonical address 0xdc0e: [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0070-0x0077] CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 RSP: 0018:8881d419f938 EFLAGS: 00010202 RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 RDX: 000e RSI: 81901d1c RDI: 0070 RBP: R08: R09: 873ed1e7 R10: fbfff0e7da3c R11: 0001 R12: R13: R14: R15: 863790e0 FS: () GS:8881db20() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f3a7e248000 CR3: 0001d2224000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906 kernfs_find_and_get include/linux/kernfs.h:548 [inline] sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366 dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790 device_del+0x18b/0xd20 drivers/base/core.c:2834 device_unregister+0x22/0xc0 drivers/base/core.c:2889 i2c_unregister_device include/linux/err.h:41 [inline] i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465 device_release+0x71/0x200 drivers/base/core.c:1559 kobject_cleanup lib/kobject.c:693 [inline] kobject_release lib/kobject.c:722 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x245/0x540 lib/kobject.c:739 put_device drivers/base/core.c:2779 [inline] device_unregister+0x34/0xc0 drivers/base/core.c:2890 i2c_unregister_device+0x38/0x40 
include/linux/err.h:41 v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114 v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135 pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline] pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline] pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline] pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline] pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline] pvr2_context_thread_func+0x250/0x850 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 kthread+0x392/0x470 kernel/kthread.c:291 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 Modules linked in: ---[ end trace a2576a16aa8e791c ]--- RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 RSP: 0018:8881d419f938 EFLAGS: 00010202 RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 RDX: 000e RSI: 81901d1c RDI: 0070 RBP: R08: R09: 873ed1e7 R10: fbfff0e7da3c R11: 0001 R12: R13: R14: R15: 863790e0 FS: () GS:8881db20() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f3a7e248000 CR3: 0001d2224000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Tested on: commit: b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git.. git tree: https://github.com/google/kasan.git usb-fuzzer console output: https://syzkaller.appspot.com/x/log.txt?x=1208f43710 kernel config: https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343 dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332 compiler: gcc (GCC) 10.1.0-syz 20200507 patch: https://syzkaller.appspot.com/x/patch.diff?x=14d5643090
[PATCH v2] i2c: fix WARNING in pvr2_i2c_core_done
#syz test: https://github.com/google/kasan.git usb-fuzzer fix WARNING in pvr2_i2c_core_done by unregistering device in the release handler instead of the disconnect handler, setting the linked flag after adding adapter to i2c, and removing a call to acpi_ut_delete_generic_state() Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com Signed-off-by: B K Karthik --- v1 -> v2: remove a call to acpi_ut_delete_generic state and set linked flag after adding adapter to i2c as suggested by Hillf Danton drivers/acpi/acpica/utdelete.c | 5 - drivers/i2c/i2c-core-base.c | 2 +- drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c | 4 ++-- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c index c365faf4e6cd..e36f51725854 100644 --- a/drivers/acpi/acpica/utdelete.c +++ b/drivers/acpi/acpica/utdelete.c @@ -648,11 +648,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) /* Free any stacked Update State objects */ - while (state_list) { - state = acpi_ut_pop_generic_state(_list); - acpi_ut_delete_generic_state(state); - } - return (status); } diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index 26f03a14a478..2d377d2e89f1 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -462,6 +462,7 @@ static void i2c_device_shutdown(struct device *dev) static void i2c_client_dev_release(struct device *dev) { + i2c_unregister_device(to_i2c_client(dev)); kfree(to_i2c_client(dev)); } @@ -1527,7 +1528,6 @@ void i2c_del_adapter(struct i2c_adapter *adap) dev_dbg(>dev, "Removing %s at 0x%x\n", client->name, client->addr); list_del(>detected); - i2c_unregister_device(client); } mutex_unlock(>userspace_clients_lock); diff --git a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c index 63db04fe12d3..09b2c878f459 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c 
+++ b/drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c @@ -623,9 +623,9 @@ void pvr2_i2c_core_init(struct pvr2_hdw *hdw) hdw->i2c_adap.dev.parent = >usb_dev->dev; hdw->i2c_adap.algo = >i2c_algo; hdw->i2c_adap.algo_data = hdw; - hdw->i2c_linked = !0; i2c_set_adapdata(>i2c_adap, >v4l2_dev); - i2c_add_adapter(>i2c_adap); + if (!i2c_add_adapter(>i2c_adap)) + hdw->i2c_linked =!0; if (hdw->i2c_func[0x18] == i2c_24xxx_ir) { /* Probe for a different type of IR receiver on this device. This is really the only way to differentiate -- 2.20.1
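Review bot: the utdelete.c hunk deletes the loop that pops and frees the stacked update-state objects at the end of acpi_ut_update_object_reference(), so every state pushed during the walk now leaks, and nothing in the syzbot trace for this bug passes through ACPICA (the fault path is kernfs_find_ns reached via i2c_unregister_device and device_release). Drop this hunk: it is unrelated to the pvrusb2 warning and modifies a file maintained in the separate ACPICA project.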
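Review bot: in the pvrusb2-i2c-core.c hunk, setting hdw->i2c_linked only when i2c_add_adapter() succeeds is the right direction, but on failure pvr2_i2c_core_init() still continues into the IR-receiver probe on an adapter that was never registered; return (or skip the remainder) when i2c_add_adapter() fails, and fix the spacing in `hdw->i2c_linked =!0;` to `hdw->i2c_linked = !0;`.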
Re: WARNING in pvr2_i2c_core_done
On Tue, Jul 21, 2020 at 4:50 PM syzbot wrote: > > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering > an issue: > general protection fault in kernfs_find_ns > > pvrusb2: Invalid write control endpoint > pvrusb2: Invalid write control endpoint > pvrusb2: Invalid write control endpoint > pvrusb2: Invalid write control endpoint > pvrusb2: Invalid write control endpoint > pvrusb2: Invalid write control endpoint > general protection fault, probably for non-canonical address > 0xdc0e: [#1] SMP KASAN > KASAN: null-ptr-deref in range [0x0070-0x0077] I'm guessing this has to do with kmem_cache_free() called by i2c_acpi_remove_space_handler() through acpi_ut_delete_generic_state() in drivers/acpi/osl.c:1708 ? > CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 > Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d > 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e > 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 > RSP: 0018:8881d4187938 EFLAGS: 00010202 > RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 > RDX: 000e RSI: 81901d1c RDI: 0070 > RBP: R08: R09: 873ed1e7 > R10: fbfff0e7da3c R11: 0001 R12: > R13: R14: R15: 863790e0 > FS: () GS:8881db20() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 557f2b45ae48 CR3: 0001d2762000 CR4: 001406f0 > DR0: DR1: DR2: > DR3: DR6: fffe0ff0 DR7: 0400 > Call Trace: > kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906 > kernfs_find_and_get include/linux/kernfs.h:548 [inline] > sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366 > dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790 > device_del+0x18b/0xd20 drivers/base/core.c:2834 > device_unregister+0x22/0xc0 drivers/base/core.c:2889 > i2c_unregister_device include/linux/err.h:41 [inline] > i2c_client_dev_release+0x39/0x50 
drivers/i2c/i2c-core-base.c:465 > device_release+0x71/0x200 drivers/base/core.c:1559 > kobject_cleanup lib/kobject.c:693 [inline] > kobject_release lib/kobject.c:722 [inline] > kref_put include/linux/kref.h:65 [inline] > kobject_put+0x245/0x540 lib/kobject.c:739 > put_device drivers/base/core.c:2779 [inline] > device_unregister+0x34/0xc0 drivers/base/core.c:2890 > i2c_unregister_device+0x38/0x40 include/linux/err.h:41 > v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114 > v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135 > pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline] > pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline] > pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline] > pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline] > pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339 > pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline] > pvr2_context_thread_func+0x250/0x850 > drivers/media/usb/pvrusb2/pvrusb2-context.c:158 > kthread+0x392/0x470 kernel/kthread.c:291 > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 > Modules linked in: > ---[ end trace 9af941b6bcb04b01 ]--- > RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 > Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d > 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e > 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 > RSP: 0018:8881d4187938 EFLAGS: 00010202 > RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 > RDX: 000e RSI: 81901d1c RDI: 0070 > RBP: R08: R09: 873ed1e7 > R10: fbfff0e7da3c R11: 0001 R12: > R13: R14: R15: 863790e0 > FS: () GS:8881db20() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 557f2b45ae48 CR3: 0001d2762000 CR4: 001406f0 > DR0: DR1: DR2: > DR3: DR6: fffe0ff0 DR7: 0400 > > > Tested on: > > commit: b791d1bd Merge tag 'locking-kcsan-2020-06-11' of 
git://git.. > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=16dfe44090 > kernel config: https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343 >
Re: WARNING in pvr2_i2c_core_done
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: general protection fault in kernfs_find_ns pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint pvrusb2: Invalid write control endpoint general protection fault, probably for non-canonical address 0xdc0e: [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0070-0x0077] CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 RSP: 0018:8881d4187938 EFLAGS: 00010202 RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 RDX: 000e RSI: 81901d1c RDI: 0070 RBP: R08: R09: 873ed1e7 R10: fbfff0e7da3c R11: 0001 R12: R13: R14: R15: 863790e0 FS: () GS:8881db20() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 557f2b45ae48 CR3: 0001d2762000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906 kernfs_find_and_get include/linux/kernfs.h:548 [inline] sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366 dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790 device_del+0x18b/0xd20 drivers/base/core.c:2834 device_unregister+0x22/0xc0 drivers/base/core.c:2889 i2c_unregister_device include/linux/err.h:41 [inline] i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465 device_release+0x71/0x200 drivers/base/core.c:1559 kobject_cleanup lib/kobject.c:693 [inline] kobject_release lib/kobject.c:722 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x245/0x540 lib/kobject.c:739 put_device drivers/base/core.c:2779 [inline] 
device_unregister+0x34/0xc0 drivers/base/core.c:2890 i2c_unregister_device+0x38/0x40 include/linux/err.h:41 v4l2_i2c_new_subdev_board+0x159/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:114 v4l2_i2c_new_subdev+0xb8/0xf0 drivers/media/v4l2-core/v4l2-i2c.c:135 pvr2_hdw_load_subdev drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2023 [inline] pvr2_hdw_load_modules drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2075 [inline] pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2156 [inline] pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2262 [inline] pvr2_hdw_initialize+0xc8d/0x3600 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2339 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:109 [inline] pvr2_context_thread_func+0x250/0x850 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 kthread+0x392/0x470 kernel/kthread.c:291 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 Modules linked in: ---[ end trace 9af941b6bcb04b01 ]--- RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829 Code: 49 89 d6 41 55 41 54 55 48 89 fd 53 48 83 ec 08 e8 f4 61 af ff 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 03 00 00 48 8d bd 98 00 00 00 48 8b 5d 70 48 RSP: 0018:8881d4187938 EFLAGS: 00010202 RAX: dc00 RBX: 863789c0 RCX: 85a79ba7 RDX: 000e RSI: 81901d1c RDI: 0070 RBP: R08: R09: 873ed1e7 R10: fbfff0e7da3c R11: 0001 R12: R13: R14: R15: 863790e0 FS: () GS:8881db20() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 557f2b45ae48 CR3: 0001d2762000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Tested on: commit: b791d1bd Merge tag 'locking-kcsan-2020-06-11' of git://git.. git tree: https://github.com/google/kasan.git usb-fuzzer console output: https://syzkaller.appspot.com/x/log.txt?x=16dfe44090 kernel config: https://syzkaller.appspot.com/x/.config?x=ccf1899337a6e343 dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332 compiler: gcc (GCC) 10.1.0-syz 20200507 patch: https://syzkaller.appspot.com/x/patch.diff?x=117e281b10
[PATCH] i2c: fix WARNING in pvr2_i2c_core_done
#syz test: https://github.com/google/kasan.git usb-fuzzer fix WARNING in pvr2_i2c_core_done by unregistering device in the release handler instead of the disconnect handler. Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com Signed-off-by: B K Karthik --- drivers/i2c/i2c-core-base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index 26f03a14a478..2d377d2e89f1 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -462,6 +462,7 @@ static void i2c_device_shutdown(struct device *dev) static void i2c_client_dev_release(struct device *dev) { + i2c_unregister_device(to_i2c_client(dev)); kfree(to_i2c_client(dev)); } @@ -1527,7 +1528,6 @@ void i2c_del_adapter(struct i2c_adapter *adap) dev_dbg(>dev, "Removing %s at 0x%x\n", client->name, client->addr); list_del(>detected); - i2c_unregister_device(client); } mutex_unlock(>userspace_clients_lock); -- 2.20.1
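Review bot: i2c_client_dev_release() is the struct device release callback, run from put_device() when the last reference drops, so calling i2c_unregister_device() there re-enters device_unregister() on a device that is already being freed; the syzbot test result later in this thread shows exactly that recursion (i2c_unregister_device -> device_unregister -> put_device -> device_release -> i2c_client_dev_release -> i2c_unregister_device -> device_del -> dpm_sysfs_remove, ending in the kernfs_find_ns fault). A release callback should only free memory; unregistering belongs in the driver's disconnect path, which is where the original warning points.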
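Review bot: dropping `i2c_unregister_device(client);` from the i2c_del_adapter() loop means the userspace-created clients are only unlinked from the list and never unregistered; nothing else drops their reference, so their devices and sysfs entries outlive the adapter. The hunk also changes i2c core behaviour for every bus driver to work around one USB driver's teardown order; the fix belongs in pvrusb2.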
Re: WARNING in pvr2_i2c_core_done
On Fri, 27 Sep 2019, Greg Kroah-Hartman wrote: > > It turns out the reason for this error is simple: The driver > > unregisters its subdevices in the release handler instead of in the > > disconnect handler. There probably is documentation about this > > somewhere, but I don't know exactly where -- maybe Greg remembers. > > Nope, I don't remember. It should happen in the disconnect handler, odd > of it to be in release, but maybe that's the "easiest" way for v4l to > handle this? This isn't a question of "easiest". Unregistering child devices in a release handler is just _wrong_, plain and simple. That's what gives rise to the "sysfs group 'power' not found for kobject 'i2c-0'" warning in the kernel log. The group can't be found because it has already been removed; it gets destroyed when the parent USB interface device is unregistered, because unregistering a device also removes from sysfs everything below that device. Alan Stern
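A small single-file model of the point Alan makes, added here as an illustration; it is not part of the thread and not kernel code. Refcounted nodes with a parent link stand in for struct device/kobject, node_del() removes the whole sysfs subtree the way kernfs does when a parent directory goes away, and the same driver is torn down twice: once unregistering its i2c child from the USB disconnect path, once from the parent's release callback. Only the second variant trips the "group not found" warning. The names node_*, drv_i2c_done and run_teardown are constructed for this example.

```c
#include <stdio.h>

/* Constructed model, not kernel code: a kobject-like node with a refcount,
 * a parent link and a flag saying whether its sysfs directory still exists. */
#define MAX_NODES 8

struct node {
    const char *name;
    struct node *parent;
    int refcount;
    int in_sysfs;                       /* directory and its 'power' group */
    void (*release)(struct node *);     /* runs when refcount hits zero */
};

static struct node *all_nodes[MAX_NODES];
static int n_nodes;
static int warnings;                    /* "sysfs group 'power' not found" */

static void node_init(struct node *n, const char *name, struct node *parent,
                      void (*release)(struct node *))
{
    n->name = name;
    n->parent = parent;
    n->refcount = 1;
    n->in_sysfs = 1;                    /* registered: directory created */
    n->release = release;
    all_nodes[n_nodes++] = n;
}

/* kernfs removes a directory together with everything below it. */
static void sysfs_remove_subtree(struct node *root)
{
    for (int i = 0; i < n_nodes; i++)
        if (all_nodes[i]->parent == root)
            sysfs_remove_subtree(all_nodes[i]);
    root->in_sysfs = 0;
}

/* device_del(): remove the 'power' group, then the directory. */
static void node_del(struct node *n)
{
    if (!n->in_sysfs) {
        printf("WARNING: sysfs group 'power' not found for kobject '%s'\n",
               n->name);
        warnings++;
        return;
    }
    sysfs_remove_subtree(n);
}

static void node_put(struct node *n)
{
    if (--n->refcount == 0 && n->release)
        n->release(n);
}

/* device_unregister(): del, then drop the registration reference. */
static void node_unregister(struct node *n)
{
    node_del(n);
    node_put(n);
}

struct drv {
    struct node intf;       /* USB interface device; must stay first member */
    struct node i2c;        /* i2c adapter registered below the interface */
    int i2c_linked;         /* guard so a second call is a no-op */
};

static void drv_i2c_done(struct drv *d)
{
    if (!d->i2c_linked)
        return;
    d->i2c_linked = 0;
    node_unregister(&d->i2c);
}

/* Release callback of the interface node: by now the USB core has already
 * removed the interface's sysfs directory, and the child's with it. */
static void intf_release(struct node *n)
{
    struct drv *d = (struct drv *)n;    /* intf is the first member */
    drv_i2c_done(d);                    /* harmless if disconnect did it */
}

/* Returns the number of "group not found" warnings for one teardown. */
int run_teardown(int unregister_child_in_disconnect)
{
    static struct drv d;
    n_nodes = 0;
    warnings = 0;
    node_init(&d.intf, "1-1:1.0", NULL, intf_release);
    node_init(&d.i2c, "i2c-0", &d.intf, NULL);
    d.i2c_linked = 1;

    if (unregister_child_in_disconnect)
        drv_i2c_done(&d);               /* correct: child goes first */
    node_unregister(&d.intf);           /* USB core unregisters the parent */
    return warnings;
}

int main(void)
{
    printf("child unregistered in disconnect: %d warning(s)\n", run_teardown(1));
    printf("child unregistered in release:    %d warning(s)\n", run_teardown(0));
    return 0;
}
```

The i2c_linked guard is what lets the same cleanup be reached from both paths without a double unregister: the disconnect path clears it, so the later release callback does nothing.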
Re: WARNING in pvr2_i2c_core_done
On Thu, Sep 26, 2019 at 05:44:31PM -0400, Alan Stern wrote:
> On Wed, 25 Sep 2019, Andrey Konovalov wrote:
>
> > On Wed, Sep 25, 2019 at 4:10 PM Alan Stern wrote:
> > >
> > > On Wed, 25 Sep 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> > > >
> > > > pvrusb2: Device being rendered inoperable
> > > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > > pvrusb2: Attached sub-driver cx25840
> > > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
> > > > pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
> > > > [ cut here ]
> > > > sysfs group 'power' not found for kobject 'i2c-0'
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> > >
> > > I have seen a lot of error messages like this one (i.e., "group 'power'
> > > not found for kobject"), in runs that involved fuzzing a completely
> > > different USB driver. Initial testing failed to find a cause.
> > >
> > > This leads me to wonder whether the problem might lie somewhere else
> > > entirely. A bug in some core kernel code? Memory corruption?
> >
> > AFAICS so far this has only been triggered from the usbvision driver
> > [1] and from the pvrusb2 driver (this report).
> >
> > I wanted to loop in sysfs maintainers, but it seems that Greg and
> > Rafael are already cc'ed on this.
> >
> > [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
>
> It turns out the reason for this error is simple: The driver
> unregisters its subdevices in the release handler instead of in the
> disconnect handler. There probably is documentation about this
> somewhere, but I don't know exactly where -- maybe Greg remembers.

Nope, I don't remember. It should happen in the disconnect handler, odd
of it to be in release, but maybe that's the "easiest" way for v4l to
handle this?

thanks,

greg k-h
Re: WARNING in pvr2_i2c_core_done
On Wed, 25 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 25, 2019 at 4:10 PM Alan Stern wrote:
> >
> > On Wed, 25 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> > >
> > > pvrusb2: Device being rendered inoperable
> > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > pvrusb2: Attached sub-driver cx25840
> > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
> > > pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
> > > [ cut here ]
> > > sysfs group 'power' not found for kobject 'i2c-0'
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> >
> > I have seen a lot of error messages like this one (i.e., "group 'power'
> > not found for kobject"), in runs that involved fuzzing a completely
> > different USB driver. Initial testing failed to find a cause.
> >
> > This leads me to wonder whether the problem might lie somewhere else
> > entirely. A bug in some core kernel code? Memory corruption?
>
> AFAICS so far this has only been triggered from the usbvision driver
> [1] and from the pvrusb2 driver (this report).
>
> I wanted to loop in sysfs maintainers, but it seems that Greg and
> Rafael are already cc'ed on this.
>
> [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

It turns out the reason for this error is simple: The driver
unregisters its subdevices in the release handler instead of in the
disconnect handler. There probably is documentation about this
somewhere, but I don't know exactly where -- maybe Greg remembers.

In the case of pvrusb2, the issues involve unregistering both the v4l2
device and the i2c device.

Alan Stern
Re: WARNING in pvr2_i2c_core_done
On Wed, Sep 25, 2019 at 4:10 PM Alan Stern wrote:
>
> On Wed, 25 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
> >
> > pvrusb2: Device being rendered inoperable
> > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > pvrusb2: Attached sub-driver cx25840
> > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
> > pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
> > [ cut here ]
> > sysfs group 'power' not found for kobject 'i2c-0'
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
>
> I have seen a lot of error messages like this one (i.e., "group 'power'
> not found for kobject"), in runs that involved fuzzing a completely
> different USB driver. Initial testing failed to find a cause.
>
> This leads me to wonder whether the problem might lie somewhere else
> entirely. A bug in some core kernel code? Memory corruption?

AFAICS so far this has only been triggered from the usbvision driver
[1] and from the pvrusb2 driver (this report).

I wanted to loop in sysfs maintainers, but it seems that Greg and
Rafael are already cc'ed on this.

[1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
Re: WARNING in pvr2_i2c_core_done
On Wed, 25 Sep 2019, syzbot wrote:

> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com
>
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
> pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
> [ cut here ]
> sysfs group 'power' not found for kobject 'i2c-0'
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269

I have seen a lot of error messages like this one (i.e., "group 'power'
not found for kobject"), in runs that involved fuzzing a completely
different USB driver. Initial testing failed to find a cause.

This leads me to wonder whether the problem might lie somewhere else
entirely. A bug in some core kernel code? Memory corruption?

Alan Stern
WARNING in pvr2_i2c_core_done
Hello,

syzbot found the following crash on:

HEAD commit:    d9e63adc usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd560
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ec07b160
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ff087160

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e74a998ca8f1df9cc...@syzkaller.appspotmail.com

pvrusb2: Device being rendered inoperable
cx25840 0-0044: Unable to detect h/w, assuming cx23887
cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
pvrusb2: Attached sub-driver cx25840
pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I can't clear it.
pvrusb2: You might need to power cycle the pvrusb2 device in order to recover.
[ cut here ]
sysfs group 'power' not found for kobject 'i2c-0'
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 102 Comm: pvrusb2-context Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 panic+0x2a3/0x6da kernel/panic.c:219
 __warn.cold+0x20/0x4a kernel/panic.c:576
 report_bug+0x262/0x2a0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
 dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:741
 device_del+0x12a/0xb10 drivers/base/core.c:2352
 device_unregister+0x11/0x30 drivers/base/core.c:2407
 i2c_del_adapter drivers/i2c/i2c-core-base.c:1596 [inline]
 i2c_del_adapter+0x42b/0x590 drivers/i2c/i2c-core-base.c:1535
 pvr2_i2c_core_done+0x69/0xb6 drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:652
 pvr2_hdw_destroy+0x179/0x370 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2680
 pvr2_context_destroy+0x84/0x230 drivers/media/usb/pvrusb2/pvrusb2-context.c:70
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
 pvr2_context_thread_func+0x657/0x860 drivers/media/usb/pvrusb2/pvrusb2-context.c:158
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
usb/media/pvrusb2: WARNING in pvr2_i2c_core_done/sysfs_remove_group
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).

pvrusb2: Hardware description: OnAir Creator Hybrid USB tuner
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Module ID 3 (saa7115) for device OnAir Creator Hybrid USB tuner failed to load. Possible missing sub-device kernel module or initialization failure within module.
cs53l32a 0-0011: chip found @ 0x22 (pvrusb2_a)
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Attached sub-driver cs53l32a
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Module ID 4 (tuner) for device OnAir Creator Hybrid USB tuner failed to load. Possible missing sub-device kernel module or initialization failure within module.
pvrusb2: Device being rendered inoperable
pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the failure of one or more sub-device kernel modules.
pvrusb2: You need to resolve the failing condition before this driver can function. There should be some earlier messages giving more information about the problem.
usb 1-1: USB disconnect, device number 11
sysfs group 'power' not found for kobject '0-0011'
[ cut here ]
WARNING: CPU: 0 PID: 2896 at fs/sysfs/group.c:237 sysfs_remove_group.cold.6+0x57/0x63
Modules linked in:
CPU: 0 PID: 2896 Comm: pvrusb2-context Not tainted 4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
RIP: 0010:sysfs_remove_group.cold.6+0x57/0x63 fs/sysfs/group.c:235
Call Trace:
 dpm_sysfs_remove+0x5d/0x70 drivers/base/power/sysfs.c:769
 device_del+0x2b5/0xa70 drivers/base/core.c:1962
 device_unregister+0x1a/0x40 drivers/base/core.c:2020
 i2c_unregister_device+0xfd/0x130 drivers/i2c/i2c-core-base.c:815
 __unregister_client+0x83/0x90 drivers/i2c/i2c-core-base.c:1413
 device_for_each_child+0xb2/0x110 drivers/base/core.c:2120
 i2c_del_adapter+0x2be/0x550 drivers/i2c/i2c-core-base.c:1477
 pvr2_i2c_core_done+0x79/0xcb drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:671
 pvr2_hdw_destroy+0x157/0x350 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2671
 pvr2_context_destroy+0x64/0x200 drivers/media/usb/pvrusb2/pvrusb2-context.c:79
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146
 pvr2_context_thread_func+0x420/0x670 drivers/media/usb/pvrusb2/pvrusb2-context.c:167
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
---[ end trace c49faec9cc373c2a ]---
sysfs group 'power' not found for kobject 'i2c-0'
[ cut here ]
WARNING: CPU: 0 PID: 2896 at fs/sysfs/group.c:237 sysfs_remove_group.cold.6+0x57/0x63
Modules linked in:
CPU: 0 PID: 2896 Comm: pvrusb2-context Tainted: G W 4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
RIP: 0010:sysfs_remove_group.cold.6+0x57/0x63 fs/sysfs/group.c:235
Call Trace:
 dpm_sysfs_remove+0x5d/0x70 drivers/base/power/sysfs.c:769
 device_del+0x2b5/0xa70 drivers/base/core.c:1962
 device_unregister+0x1a/0x40 drivers/base/core.c:2020
 i2c_del_adapter+0x3f8/0x550 drivers/i2c/i2c-core-base.c:1500
 pvr2_i2c_core_done+0x79/0xcb drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:671
 pvr2_hdw_destroy+0x157/0x350 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2671
 pvr2_context_destroy+0x64/0x200 drivers/media/usb/pvrusb2/pvrusb2-context.c:79
 pvr2_context_check