Date: Thu, 25 Jan 2024 11:35:19 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [Linux Kernel Bugs] KASAN: slab-use-after-free Read in cec_queue_msg_fh and 4 other crashes in the cec device (`cec_ioctl`)
To: "Yang, Chenyuan", "linux-media@vger.kernel.org", "linux-kernel@vger.kernel.org"
Cc: "jani.nikula@intel.com", "syzkaller@googlegroups.com", "mchehab@kernel.org", "Zhao, Zijie", "Zhang, Lingming"
References: <89ED2612-DFEA-448A-9637-3522B9E92B74@illinois.edu>
From: Hans Verkuil
In-Reply-To: <89ED2612-DFEA-448A-9637-3522B9E92B74@illinois.edu>

Hi Chenyuan,

On 24/01/2024 14:33, Yang, Chenyuan wrote:
> Hi Hans,
>
> Thanks for your prompt response!
>
> After applying the new patch, the system hang issue persists. I also tested with the latest Linux version, but the problem remains. The error displayed is 'INFO: task syz-executor372:16736 blocked for more than 143 seconds.' Could it be that the timeout setting for the CEC is too extensive, contributing to this hang?

Again, thank you for testing this.

After investigation I suspect the issue is elsewhere. Can you test with the patch below instead?

Thank you!

Hans

Signed-off-by: Hans Verkuil
---
diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c index 079c3b142d91..e5c86bc5ed93 100644 --- a/drivers/media/cec/core/cec-adap.c +++ b/drivers/media/cec/core/cec-adap.c @@ -1562,10 +1562,12 @@ static int cec_config_thread_func(void *arg) cec_transmit_msg_fh(adap, &msg, NULL, false); } } + mutex_unlock(&adap->lock); + call_void_op(adap, configured); + mutex_lock(&adap->lock); adap->kthread_config = NULL; complete(&adap->config_completion); mutex_unlock(&adap->lock); - call_void_op(adap, configured); return 0; unconfigure: @@ -1591,6 +1593,12 @@ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block) if (WARN_ON(adap->is_configuring || adap->is_configured)) return; + if (adap->kthread_config) { + mutex_unlock(&adap->lock); + wait_for_completion(&adap->config_completion); + mutex_lock(&adap->lock); + } + init_completion(&adap->config_completion); /* Ready to kick off the thread */ @@ -1598,8 +1606,8 @@ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block) adap->kthread_config = kthread_run(cec_config_thread_func, adap, "ceccfg-%s", adap->name); if (IS_ERR(adap->kthread_config)) { - adap->kthread_config = NULL; adap->is_configuring = false; + adap->kthread_config = NULL; } else if (block) { mutex_unlock(&adap->lock); wait_for_completion(&adap->config_completion);
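
Review bot: In cec_config_thread_func() (first hunk), the new mutex_unlock()/mutex_lock() pair around call_void_op(adap, configured) opens a window where adap->lock is not held while adap->kthread_config is still non-NULL and config_completion has not fired, and nothing visible after the re-lock rechecks adapter state before "adap->kthread_config = NULL; complete(&adap->config_completion);" runs. Please add a comment saying why the configured callback has to run unlocked and before complete(), and which fields are allowed to change during that window.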
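
Review bot: In cec_claim_log_addrs() (second hunk), the WARN_ON(adap->is_configuring || adap->is_configured) check runs before the added block drops adap->lock and is not repeated once mutex_lock(&adap->lock) is retaken, so init_completion() and the thread start proceed on flags that may be stale. Recheck the flags after the wait, or document why they cannot change. The added wait_for_completion() also runs regardless of the block argument and has no timeout, which is worth a second look given the report is a task blocked for more than 143 seconds.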
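
Review bot: In the IS_ERR(adap->kthread_config) branch (third hunk), swapping "adap->kthread_config = NULL;" and "adap->is_configuring = false;" has no observable effect while adap->lock is held, so it reads as unrelated churn in a fix under test. Either drop the reorder or explain in the commit message what ordering it is meant to guarantee. The patch also carries no description beyond the Signed-off-by line; a short statement of the suspected race would help reviewers and testers.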