Date: Wed, 27 Nov 2019 13:07:13 -0500 (EST)
From: Alan Stern
X-X-Sender: stern@iolanthe.rowland.org
To: syzbot
cc: andreyknvl@google.com, , , , , , ,
Subject: Re: KASAN: use-after-free Read in si470x_int_in_callback (2)
In-Reply-To: <0000000000001dec4905985682c9@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 27 Nov 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> INFO: rcu detected stall in dummy_timer
>
> radio-si470x 5-1:0.0: non-zero urb status (-71)
> radio-si470x 3-1:0.0: non-zero urb status (-71)
> rcu: INFO: rcu_sched self-detected stall on CPU
> rcu: 1-....: (8213 ticks this GP) idle=4f6/1/0x4000000000000004

Almost the same as Oliver's patch, but this one stops when the
interrupt-IN URB gets an unrecognized error status.

Alan Stern

#syz test: https://github.com/google/kasan.git 22be26f7

Index: usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c
===================================================================
--- usb-devel.orig/drivers/media/radio/si470x/radio-si470x-usb.c +++ usb-devel/drivers/media/radio/si470x/radio-si470x-usb.c @@ -370,15 +370,14 @@ static void si470x_int_in_callback(struc unsigned char tmpbuf[3]; if (urb->status) { - if (urb->status == -ENOENT || + if (!(urb->status == -ENOENT || urb->status == -ECONNRESET || - urb->status == -ESHUTDOWN) { - return; - } else { + urb->status == -ESHUTDOWN)) dev_warn(&radio->intf->dev, - "non-zero urb status (%d)\n", urb->status); - goto resubmit; /* Maybe we can recover. */ - } + "unrecognized urb status (%d)\n", + urb->status); + radio->int_in_running = 0; + return; } /* Sometimes the device returns len 0 packets */
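Review bot: in the si470x_int_in_callback hunk, clearing radio->int_in_running on any error leaves radio->status_rssi_auto_update stale: si470x_start_usb copies int_in_running into status_rssi_auto_update once (visible as context in the next hunk), and nothing in this patch resets it when the pipe stops, so anything keyed on status_rssi_auto_update will keep assuming the interrupt URB is still feeding it. Consider clearing radio->status_rssi_auto_update next to radio->int_in_running = 0, or deriving it from int_in_running at the point of use. Minor: the message "unrecognized urb status (%d)" now also fires for -EPROTO (-71, the status in syzbot's log), which is a well-known transfer error rather than an unrecognized one; something like "stopping on urb status (%d)" would describe the new behaviour more accurately.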
@@ -542,6 +541,8 @@ static int si470x_start_usb(struct si470 radio->int_in_running = 0; } radio->status_rssi_auto_update = radio->int_in_running; + if (retval < 0) + return retval; /* start radio */ retval = si470x_start(radio); @@ -734,7 +735,8 @@ static int si470x_usb_driver_probe(struc /* start radio */ retval = si470x_start_usb(radio); if (retval < 0) - goto err_buf; + /* the urb may be running even after an error */ + goto err_all; /* set initial frequency */ si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */ @@ -749,7 +751,7 @@ static int si470x_usb_driver_probe(struc return 0; err_all: - usb_kill_urb(radio->int_in_urb); + usb_poison_urb(radio->int_in_urb); err_buf: kfree(radio->buffer); err_ctrl: @@ -824,7 +826,7 @@ static void si470x_usb_driver_disconnect mutex_lock(&radio->lock); v4l2_device_disconnect(&radio->v4l2_dev); video_unregister_device(&radio->videodev); - usb_kill_urb(radio->int_in_urb); + usb_poison_urb(radio->int_in_urb); usb_set_intfdata(intf, NULL); mutex_unlock(&radio->lock); v4l2_device_put(&radio->v4l2_dev);
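Review bot: in the si470x_start_usb hunk, the new `if (retval < 0) return retval;` sits after the status_rssi_auto_update assignment rather than inside the error block just above it that already clears int_in_running on a failed submit; returning from that block would keep the submit-failure handling in one place and make it obvious that si470x_start is deliberately skipped when the interrupt URB could not be queued. The behavioural change itself is right: before this, the submit error was silently overwritten by si470x_start's return value.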
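Review bot: in the si470x_usb_driver_probe hunk, the comment "the urb may be running even after an error" is placed between the `if (retval < 0)` and its single-statement body, where it reads as if it were the body; put it above the `if` (or brace the body). Substantively the jump to err_all is needed: with the early return added in si470x_start_usb, that function can still fail in si470x_start after the interrupt URB was successfully submitted, so the URB must be stopped before the err_buf and err_ctrl frees run, which jumping to err_all (and poisoning there) now guarantees.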
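Review bot: in the err_all hunk, usb_poison_urb is the right primitive for an error path in a driver whose completion handler resubmits: usb_kill_urb stops the in-flight URB but allows it to be submitted again afterwards, whereas a poisoned URB keeps rejecting usb_submit_urb with -EPERM until usb_unpoison_urb is called. Since the probe error path frees the URB after this point, no unpoison is required, but it is worth a one-line comment at err_all saying so, because a later change that reuses the URB after err_all would silently get -EPERM.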
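Review bot: in the si470x_usb_driver_disconnect hunk, usb_poison_urb is called with mutex_lock(&radio->lock) held and sleeps until any in-flight completion finishes; usb_kill_urb already had that property, so this adds no new sleeping-under-lock concern, but it should be confirmed that si470x_int_in_callback never takes radio->lock, since the visible hunks do not show the callback's locking. A side benefit worth noting in the commit message: once poisoned here, any resubmit attempted from a still-open v4l2 handle after disconnect fails cleanly with -EPERM instead of re-queuing a URB for a device that is gone.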
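To make the behavioural change concrete, here is an added user-space model of the interrupt-IN completion handler before and after the patch, together with the usb_poison_urb() semantics the error paths now rely on. It is example code written for this page, not kernel code and not part of the si470x driver; the struct and function names ending in _model are stand-ins for the kernel's struct urb, usb_submit_urb() and usb_poison_urb(), and the "device" that answers every transfer with the same status is a constructed stand-in for the syzbot reproducer.

```c
/* Added example: user-space model of the si470x interrupt-IN URB handling.
 * Not kernel code; *_model names are stand-ins for the USB core API. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct urb_model {
	int  status;    /* 0 or a negative errno, like urb->status */
	bool pending;   /* submitted and not yet completed */
	bool poisoned;  /* set by poison_urb_model(); submit then fails with -EPERM */
	int  resubmits; /* resubmissions made from the completion handler */
};

struct radio_model {
	struct urb_model *int_in_urb;
	bool int_in_running; /* radio->int_in_running */
	int  warnings;       /* dev_warn() calls */
};

/* usb_submit_urb(): a poisoned URB is refused with -EPERM. */
static int submit_urb_model(struct urb_model *urb)
{
	if (urb->poisoned)
		return -EPERM;
	urb->pending = true;
	return 0;
}

/* usb_poison_urb(): in the kernel this also waits for a running callback. */
static void poison_urb_model(struct urb_model *urb)
{
	urb->poisoned = true;
}

/* Statuses that mean the URB was unlinked or the device is gone. */
static bool is_unlink_status(int status)
{
	return status == -ENOENT || status == -ECONNRESET || status == -ESHUTDOWN;
}

/* Handler BEFORE the patch: any other error is warned about and resubmitted. */
static void int_in_callback_before(struct radio_model *radio)
{
	struct urb_model *urb = radio->int_in_urb;

	if (urb->status) {
		if (is_unlink_status(urb->status))
			return;
		radio->warnings++;
		goto resubmit;	/* "Maybe we can recover." */
	}
	/* normal RDS/RSSI processing would go here */
resubmit:
	if (radio->int_in_running && submit_urb_model(urb) == 0)
		urb->resubmits++;
	else
		radio->int_in_running = false;
}

/* Handler AFTER the patch: any error stops the interrupt pipe for good. */
static void int_in_callback_after(struct radio_model *radio)
{
	struct urb_model *urb = radio->int_in_urb;

	if (urb->status) {
		if (!is_unlink_status(urb->status))
			radio->warnings++;
		radio->int_in_running = false;
		return;
	}
	/* normal RDS/RSSI processing would go here */
	if (radio->int_in_running && submit_urb_model(urb) == 0)
		urb->resubmits++;
	else
		radio->int_in_running = false;
}

/* Drive a handler against a constructed device that completes every transfer
 * with `status`, for at most max_rounds completions; return the resubmit count.
 * A device stuck on -EPROTO (-71 on Linux, the status in syzbot's log) makes
 * the pre-patch handler resubmit on every completion, so the count saturates
 * at max_rounds: that unbounded loop is what surfaces as the RCU stall. */
static int run_device_model(void (*handler)(struct radio_model *),
			    int status, int max_rounds)
{
	struct urb_model urb = { 0 };
	struct radio_model radio = { .int_in_urb = &urb, .int_in_running = true };
	int completions = 0;

	submit_urb_model(&urb);		/* initial submit, as in si470x_start_usb() */
	while (urb.pending && completions < max_rounds) {
		urb.pending = false;	/* device completes the transfer ... */
		urb.status = status;	/* ... with the fault being modelled */
		handler(&radio);
		completions++;
	}
	return urb.resubmits;
}

/* After usb_poison_urb() even a healthy path cannot resubmit: -EPERM. */
static int resubmit_after_poison_model(void)
{
	struct urb_model urb = { 0 };

	poison_urb_model(&urb);
	return submit_urb_model(&urb);
}

int main(void)
{
	printf("before, -EPROTO: %d resubmits\n",
	       run_device_model(int_in_callback_before, -EPROTO, 1000));
	printf("after,  -EPROTO: %d resubmits\n",
	       run_device_model(int_in_callback_after, -EPROTO, 1000));
	printf("submit after poison: %d\n", resubmit_after_poison_model());
	return 0;
}
```

The model deliberately ignores timing: in the kernel the resubmit loop runs from interrupt context on a device that fails instantly, which is why the pre-patch handler starves the CPU rather than merely spinning a counter. The poison case shows why the error paths switched away from usb_kill_urb: once poisoned, a stray submit from any context is refused rather than re-arming a URB whose owner is being torn down.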