2019-09-26 09:34:23

by syzbot

Subject: WARNING in pvr2_i2c_core_done

Hello,

syzbot found the following crash on:

HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

pvrusb2: Device being rendered inoperable
cx25840 0-0044: Unable to detect h/w, assuming cx23887
cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
pvrusb2: Attached sub-driver cx25840
pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
can't clear it.
pvrusb2: You might need to power cycle the pvrusb2 device in order to
recover.
------------[ cut here ]------------
sysfs group 'power' not found for kobject 'i2c-0'
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
fs/sysfs/group.c:278 [inline]
WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 102 Comm: pvrusb2-context Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2a3/0x6da kernel/panic.c:219
__warn.cold+0x20/0x4a kernel/panic.c:576
report_bug+0x262/0x2a0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:sysfs_remove_group fs/sysfs/group.c:278 [inline]
RIP: 0010:sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:741
device_del+0x12a/0xb10 drivers/base/core.c:2352
device_unregister+0x11/0x30 drivers/base/core.c:2407
i2c_del_adapter drivers/i2c/i2c-core-base.c:1596 [inline]
i2c_del_adapter+0x42b/0x590 drivers/i2c/i2c-core-base.c:1535
pvr2_i2c_core_done+0x69/0xb6
drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:652
pvr2_hdw_destroy+0x179/0x370 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2680
pvr2_context_destroy+0x84/0x230
drivers/media/usb/pvrusb2/pvrusb2-context.c:70
pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]
pvr2_context_thread_func+0x657/0x860
drivers/media/usb/pvrusb2/pvrusb2-context.c:158
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


2019-09-26 09:34:37

by Alan Stern

Subject: Re: WARNING in pvr2_i2c_core_done

On Wed, 25 Sep 2019, syzbot wrote:

> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
>
> pvrusb2: Device being rendered inoperable
> cx25840 0-0044: Unable to detect h/w, assuming cx23887
> cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> pvrusb2: Attached sub-driver cx25840
> pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> can't clear it.
> pvrusb2: You might need to power cycle the pvrusb2 device in order to
> recover.
> ------------[ cut here ]------------
> sysfs group 'power' not found for kobject 'i2c-0'
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> fs/sysfs/group.c:278 [inline]
> WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269

I have seen a lot of error messages like this one (i.e., "group 'power'
not found for kobject"), in runs that involved fuzzing a completely
different USB driver. Initial testing failed to find a cause.

This leads me to wonder whether the problem might lie somewhere else
entirely. A bug in some core kernel code? Memory corruption?

Alan Stern

2019-09-26 09:42:20

by Andrey Konovalov

Subject: Re: WARNING in pvr2_i2c_core_done

On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <[email protected]> wrote:
>
> On Wed, 25 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > pvrusb2: Device being rendered inoperable
> > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > pvrusb2: Attached sub-driver cx25840
> > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > can't clear it.
> > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > recover.
> > ------------[ cut here ]------------
> > sysfs group 'power' not found for kobject 'i2c-0'
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > fs/sysfs/group.c:278 [inline]
> > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
>
> I have seen a lot of error messages like this one (i.e., "group 'power'
> not found for kobject"), in runs that involved fuzzing a completely
> different USB driver. Initial testing failed to find a cause.
>
> This leads me to wonder whether the problem might lie somewhere else
> entirely. A bug in some core kernel code? Memory corruption?

AFAICS so far this has only been triggered from the usbvision driver
[1] and from the pvrusb2 driver (this report).

I wanted to loop in sysfs maintainers, but it seems that Greg and
Rafael are already cc'ed on this.

[1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

2019-09-26 21:47:46

by Alan Stern

Subject: Re: WARNING in pvr2_i2c_core_done

On Wed, 25 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <[email protected]> wrote:
> >
> > On Wed, 25 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > pvrusb2: Device being rendered inoperable
> > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > pvrusb2: Attached sub-driver cx25840
> > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > > can't clear it.
> > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > recover.
> > > ------------[ cut here ]------------
> > > sysfs group 'power' not found for kobject 'i2c-0'
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > fs/sysfs/group.c:278 [inline]
> > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> >
> > I have seen a lot of error messages like this one (i.e., "group 'power'
> > not found for kobject"), in runs that involved fuzzing a completely
> > different USB driver. Initial testing failed to find a cause.
> >
> > This leads me to wonder whether the problem might lie somewhere else
> > entirely. A bug in some core kernel code? Memory corruption?
>
> AFAICS so far this has only been triggered from the usbvision driver
> [1] and from the pvrusb2 driver (this report).
>
> I wanted to loop in sysfs maintainers, but it seems that Greg and
> Rafael are already cc'ed on this.
>
> [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634

It turns out the reason for this error is simple: The driver
unregisters its subdevices in the release handler instead of in the
disconnect handler. There probably is documentation about this
somewhere, but I don't know exactly where -- maybe Greg remembers.

In the case of pvrusb2, the issues involve unregistering both the v4l2
device and the i2c device.

Alan Stern

2019-09-27 05:13:12

by Greg Kroah-Hartman

Subject: Re: WARNING in pvr2_i2c_core_done

On Thu, Sep 26, 2019 at 05:44:31PM -0400, Alan Stern wrote:
> On Wed, 25 Sep 2019, Andrey Konovalov wrote:
>
> > On Wed, Sep 25, 2019 at 4:10 PM Alan Stern <[email protected]> wrote:
> > >
> > > On Wed, 25 Sep 2019, syzbot wrote:
> > >
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit: d9e63adc usb-fuzzer: main usb gadget fuzzer driver
> > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b5fcd5600000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=f4fa60e981ee8e6a
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=e74a998ca8f1df9cc332
> > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ec07b1600000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ff0871600000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: [email protected]
> > > >
> > > > pvrusb2: Device being rendered inoperable
> > > > cx25840 0-0044: Unable to detect h/w, assuming cx23887
> > > > cx25840 0-0044: cx23887 A/V decoder found @ 0x88 (pvrusb2_a)
> > > > pvrusb2: Attached sub-driver cx25840
> > > > pvrusb2: ***WARNING*** pvrusb2 device hardware appears to be jammed and I
> > > > can't clear it.
> > > > pvrusb2: You might need to power cycle the pvrusb2 device in order to
> > > > recover.
> > > > ------------[ cut here ]------------
> > > > sysfs group 'power' not found for kobject 'i2c-0'
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278 sysfs_remove_group
> > > > fs/sysfs/group.c:278 [inline]
> > > > WARNING: CPU: 0 PID: 102 at fs/sysfs/group.c:278
> > > > sysfs_remove_group+0x155/0x1b0 fs/sysfs/group.c:269
> > >
> > > I have seen a lot of error messages like this one (i.e., "group 'power'
> > > not found for kobject"), in runs that involved fuzzing a completely
> > > different USB driver. Initial testing failed to find a cause.
> > >
> > > This leads me to wonder whether the problem might lie somewhere else
> > > entirely. A bug in some core kernel code? Memory corruption?
> >
> > AFAICS so far this has only been triggered from the usbvision driver
> > [1] and from the pvrusb2 driver (this report).
> >
> > I wanted to loop in sysfs maintainers, but it seems that Greg and
> > Rafael are already cc'ed on this.
> >
> > [1] https://syzkaller.appspot.com/bug?extid=7fa38a608b1075dfd634
>
> It turns out the reason for this error is simple: The driver
> unregisters its subdevices in the release handler instead of in the
> disconnect handler. There probably is documentation about this
> somewhere, but I don't know exactly where -- maybe Greg remembers.

Nope, I don't remember. It should happen in the disconnect handler, odd
for it to be in release, but maybe that's the "easiest" way for v4l to
handle this?

thanks,

greg k-h

2019-09-27 14:22:00

by Alan Stern

Subject: Re: WARNING in pvr2_i2c_core_done

On Fri, 27 Sep 2019, Greg Kroah-Hartman wrote:

> > It turns out the reason for this error is simple: The driver
> > unregisters its subdevices in the release handler instead of in the
> > disconnect handler. There probably is documentation about this
> > somewhere, but I don't know exactly where -- maybe Greg remembers.
>
> Nope, I don't remember. It should happen in the disconnect handler, odd
> of it to be in release, but maybe that's the "easiest" way for v4l to
> handle this?

This isn't a question of "easiest". Unregistering child devices in a
release handler is just _wrong_, plain and simple. That's what gives
rise to the

"sysfs group 'power' not found for kobject 'i2c-0'"

warning in the kernel log. The group can't be found because it has
already been removed; it gets destroyed when the parent USB interface
device is unregistered, because unregistering a device also removes
from sysfs everything below that device.

Alan Stern
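A userspace toy model of the ordering Alan describes, added here as an illustration and not code from the thread or from the pvrusb2 driver: deleting the parent USB interface silently drops the sysfs directories under it, so an i2c adapter or v4l2 device unregistered afterwards from the release handler hits the "group 'power' not found" warning, while the same unregistration from disconnect, while the parent still exists, does not. The three-node device tree and its names are constructed, and the functions borrow kernel names only as stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the device tree: each device has a sysfs 'power' group, and
 * kobject_del() on a device removes the sysfs directory of its whole subtree
 * while the children stay registered with the driver core. */
struct dev {
    const char *name;
    struct dev *parent;
    bool power_group;  /* sysfs group 'power' still present */
};

static int warnings;   /* "sysfs group 'power' not found" count */

/* dpm_sysfs_remove() -> sysfs_remove_group(): warns when the group is gone */
static void sysfs_remove_group(struct dev *d)
{
    if (!d->power_group) {
        printf("sysfs group 'power' not found for kobject '%s'\n", d->name);
        warnings++;
        return;
    }
    d->power_group = false;
}

static void device_del(struct dev *d, struct dev *all, int n)
{
    sysfs_remove_group(d);           /* dpm_sysfs_remove() */
    for (int i = 0; i < n; i++)      /* kobject_del(): the directory and */
        if (all[i].parent == d)      /* everything under it vanish silently */
            all[i].power_group = false;
}

/* Returns how many warnings a teardown order produces; names are constructed. */
static int run_teardown(bool children_in_release)
{
    struct dev devs[3] = {
        { "1-1:1.0", NULL, true },   /* USB interface (parent) */
        { "i2c-0", NULL, true },     /* i2c adapter (child) */
        { "video0", NULL, true },    /* v4l2 device (child) */
    };
    devs[1].parent = devs[2].parent = &devs[0];
    warnings = 0;
    if (!children_in_release) {      /* disconnect(): children go first */
        device_del(&devs[1], devs, 3);
        device_del(&devs[2], devs, 3);
    }
    device_del(&devs[0], devs, 3);   /* USB core unregisters the interface */
    if (children_in_release) {       /* release(): parent is already gone */
        device_del(&devs[1], devs, 3);
        device_del(&devs[2], devs, 3);
    }
    return warnings;   /* 0 with disconnect ordering, 2 with release ordering */
}
```

The syzbot log above shows only the first warning because the kernel was running with panic_on_warn set.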

2020-07-22 09:21:43

by B K Karthik

Subject: Re: WARNING in pvr2_i2c_core_done

On Wed, 22 Jul 2020 at 14:42, Hillf Danton <[email protected]> wrote:
>
>
> From: syzbot <[email protected]>
>
> Tue, 21 Jul 2020 21:06:10 -0700
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > general protection fault in kernfs_find_ns
> >
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > pvrusb2: Invalid write control endpoint
> > general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
> > CPU: 0 PID: 78 Comm: pvrusb2-context Not tainted 5.7.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:kernfs_find_ns+0x31/0x370 fs/kernfs/dir.c:829
> > Call Trace:
> > kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:906
> > kernfs_find_and_get include/linux/kernfs.h:548 [inline]
> > sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
> > dpm_sysfs_remove+0x62/0xb0 drivers/base/power/sysfs.c:790
>
> [3]
>
> > device_del+0x18b/0xd20 drivers/base/core.c:2834
> > device_unregister+0x22/0xc0 drivers/base/core.c:2889
> > i2c_unregister_device include/linux/err.h:41 [inline]
>
> [2]
>
> > i2c_client_dev_release+0x39/0x50 drivers/i2c/i2c-core-base.c:465
> > device_release+0x71/0x200 drivers/base/core.c:1559
>
> [1] kobject_del() goes before the release cb in kobject_cleanup() and
> kobj is removed from sysfs, see [3] above.

Oh, thank you for letting me know about this. Forgive me, but I did
not understand you very clearly.
I presume you are saying that the second call to
i2c_unregister_device() is where the problem occurs?

Please let me know.
Thanks,

karthik