Re: [syzbot] [media?] [usb?] KASAN: slab-out-of-bounds Read in imon_probe

From: syzbot
Date: Tue Sep 19 2023 - 14:40:43 EST

Next message: Charlie Jenkins: "[PATCH v7 0/4] riscv: Add fine-tuned checksum functions"
Previous message: Steven Rostedt: "Re: Arches that don't support PREEMPT"
In reply to: Ricardo B. Marliere: "Re: [syzbot] [media?] [usb?] KASAN: slab-out-of-bounds Read in imon_probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in imon_probe

WARNING: CPU: 0 PID: 1384 at kernel/locking/mutex.c:582 __mutex_lock_common kernel/locking/mutex.c:582 [inline]
WARNING: CPU: 0 PID: 1384 at kernel/locking/mutex.c:582 __mutex_lock+0x63e/0xa56 kernel/locking/mutex.c:747
Modules linked in:
CPU: 0 PID: 1384 Comm: kworker/0:2 Not tainted 6.6.0-rc2-next-20230919-syzkaller-g29e400e3ea48 #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: usb_hub_wq hub_event
epc : __mutex_lock_common kernel/locking/mutex.c:582 [inline]
epc : __mutex_lock+0x63e/0xa56 kernel/locking/mutex.c:747
ra : __mutex_lock_common kernel/locking/mutex.c:582 [inline]
ra : __mutex_lock+0x63e/0xa56 kernel/locking/mutex.c:747
epc : ffffffff8362613e ra : ffffffff8362613e sp : ff200000040e6bc0
gp : ffffffff861a8a20 tp : ff60000013168000 t0 : ffffffff852a92a0
t1 : 00000000000f0000 t2 : 2d2d2d2d2d2d2d2d s0 : ff200000040e6d40
s1 : ff600000223f69a8 a0 : 0000000000000001 a1 : 00000000000f0000
a2 : ffffffff80077fb0 a3 : 0000000000000002 a4 : 0000000000000000
a5 : 0000000000000000 a6 : 0000000000000003 a7 : 0000000000000000
s2 : ff200000040e6cc0 s3 : 0000000000000000 s4 : ff200000040e6c50
s5 : ffffffff861d5880 s6 : 0000000000000002 s7 : 0000000000000000
s8 : 1fe400000081cd80 s9 : ff60000022f6b000 s10: 0000000000000001
s11: ffffffffffffffed t3 : ffffffff80158656 t4 : ffebffff0f9ac56a
t5 : ffebffff0f9ac56b t6 : ff200000040e6778
status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[<ffffffff8362613e>] __mutex_lock_common kernel/locking/mutex.c:582 [inline]
[<ffffffff8362613e>] __mutex_lock+0x63e/0xa56 kernel/locking/mutex.c:747
[<ffffffff8362656a>] mutex_lock_nested+0x14/0x1c kernel/locking/mutex.c:799
[<ffffffff82205abc>] imon_init_intf1 drivers/media/rc/imon.c:2321 [inline]
[<ffffffff82205abc>] imon_probe+0x128/0x1ab2 drivers/media/rc/imon.c:2449
[<ffffffff81d8ec8c>] usb_probe_interface+0x208/0x552 drivers/usb/core/driver.c:396
[<ffffffff816837fa>] call_driver_probe drivers/base/dd.c:579 [inline]
[<ffffffff816837fa>] really_probe+0x1c8/0x7c6 drivers/base/dd.c:658
[<ffffffff81683f36>] __driver_probe_device+0x13e/0x2ae drivers/base/dd.c:800
[<ffffffff81684106>] driver_probe_device+0x60/0x1a6 drivers/base/dd.c:830
[<ffffffff816843b4>] __device_attach_driver+0x168/0x218 drivers/base/dd.c:958
[<ffffffff8167f734>] bus_for_each_drv+0x12c/0x1ae drivers/base/bus.c:457
[<ffffffff81684c30>] __device_attach+0x184/0x390 drivers/base/dd.c:1030
[<ffffffff81685146>] device_initial_probe+0x1c/0x26 drivers/base/dd.c:1079
[<ffffffff816817f8>] bus_probe_device+0x120/0x122 drivers/base/bus.c:532
[<ffffffff8167c302>] device_add+0xce6/0x105c drivers/base/core.c:3624
[<ffffffff81d8acba>] usb_set_configuration+0xb48/0xfb6 drivers/usb/core/message.c:2207
[<ffffffff81da5b7a>] usb_generic_driver_probe+0xb2/0x124 drivers/usb/core/generic.c:238
[<ffffffff81d8e09e>] usb_probe_device+0x9e/0x1fc drivers/usb/core/driver.c:293
[<ffffffff816837fa>] call_driver_probe drivers/base/dd.c:579 [inline]
[<ffffffff816837fa>] really_probe+0x1c8/0x7c6 drivers/base/dd.c:658
[<ffffffff81683f36>] __driver_probe_device+0x13e/0x2ae drivers/base/dd.c:800
[<ffffffff81684106>] driver_probe_device+0x60/0x1a6 drivers/base/dd.c:830
[<ffffffff816843b4>] __device_attach_driver+0x168/0x218 drivers/base/dd.c:958
[<ffffffff8167f734>] bus_for_each_drv+0x12c/0x1ae drivers/base/bus.c:457
[<ffffffff81684c30>] __device_attach+0x184/0x390 drivers/base/dd.c:1030
[<ffffffff81685146>] device_initial_probe+0x1c/0x26 drivers/base/dd.c:1079
[<ffffffff816817f8>] bus_probe_device+0x120/0x122 drivers/base/bus.c:532
[<ffffffff8167c302>] device_add+0xce6/0x105c drivers/base/core.c:3624
[<ffffffff81d73702>] usb_new_device+0x5c8/0xd38 drivers/usb/core/hub.c:2589
[<ffffffff81d77fdc>] hub_port_connect drivers/usb/core/hub.c:5440 [inline]
[<ffffffff81d77fdc>] hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
[<ffffffff81d77fdc>] port_event drivers/usb/core/hub.c:5740 [inline]
[<ffffffff81d77fdc>] hub_event+0x2016/0x30aa drivers/usb/core/hub.c:5822
[<ffffffff800c4484>] process_one_work+0x54c/0xd66 kernel/workqueue.c:2630
[<ffffffff800c51a4>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff800c51a4>] worker_thread+0x506/0x980 kernel/workqueue.c:2784
[<ffffffff800db770>] kthread+0x1bc/0x22c kernel/kthread.c:388
[<ffffffff80005d5a>] ret_from_fork+0xa/0x1c arch/riscv/kernel/entry.S:264

Tested on:

commit: 29e400e3 Add linux-next specific files for 20230919
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git next-20230919
console output: https://syzkaller.appspot.com/x/log.txt?x=15aa5754680000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb7d3cfa08298a9
dashboard link: https://syzkaller.appspot.com/bug?extid=59875ffef5cb9c9b29e9
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64

Note: no patches were applied.

Next message: Charlie Jenkins: "[PATCH v7 0/4] riscv: Add fine-tuned checksum functions"
Previous message: Steven Rostedt: "Re: Arches that don't support PREEMPT"
In reply to: Ricardo B. Marliere: "Re: [syzbot] [media?] [usb?] KASAN: slab-out-of-bounds Read in imon_probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]