ci starts bisection 2023-05-19 00:33:46.490761275 +0000 UTC m=+88013.109442444
bisecting cause commit starting from 4d6d4c7f541d7027beed4fb86eb2c451bd8d6fff
building syzkaller on 3bb7af1def6b7b99e4c1c9573162eb41b5893cd3
ensuring issue is reproducible on original commit 4d6d4c7f541d7027beed4fb86eb2c451bd8d6fff
testing commit 4d6d4c7f541d7027beed4fb86eb2c451bd8d6fff gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 215222c6f2281c42dc2934dcd599df3f2dfc9d669ff6f1736a95c94c5a4efe33
all runs: crashed: WARNING in smsusb_term_device
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e148157fe791de283ed2b260a5e7599ec067bf0da656d291f7053e34f285533c
all runs: crashed: WARNING in smsusb_term_device
testing release v6.2
testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6f6b78ea6cb8fb00f421aa09d42102639010cd3d2bf3c91f514936403ad7c7a2
all runs: OK
# git bisect start 457391b0380335d5e9a5babdec90ac53928b23b4 c9c3395d5e3dcc6daee66c6908354d47bf98cb0c
Bisecting: 7399 revisions left to test after this (roughly 13 steps)
[a5c95ca18a98d742d0a4a04063c32556b5b66378] Merge tag 'drm-next-2023-02-23' of git://anongit.freedesktop.org/drm/drm
testing commit a5c95ca18a98d742d0a4a04063c32556b5b66378 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a24e3b2ab975b96141cba7e5bbece87e9bc1a98950e564b480628c0966d5583f
all runs: OK
# git bisect good a5c95ca18a98d742d0a4a04063c32556b5b66378
Bisecting: 3619 revisions left to test after this (roughly 12 steps)
[1ec35eadc3b448c91a6b763371a7073444e95f9d] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit 1ec35eadc3b448c91a6b763371a7073444e95f9d gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2a677da13742ec4fb7576295186c06ff32e549373d4d7f24f10ff067c567616e
all runs: OK
# git bisect good 1ec35eadc3b448c91a6b763371a7073444e95f9d
Bisecting: 1808 revisions left to test after this (roughly 11 steps)
[3b11717f95b1880b9cab4b90bbaf61268e6bda2b] Merge tag 'vfs.misc.v6.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping
testing commit 3b11717f95b1880b9cab4b90bbaf61268e6bda2b gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4c8ff883b82eb1164a24593e6176a4b87a424a215f7fe1509ebe0faeb4f6d9ea
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad 3b11717f95b1880b9cab4b90bbaf61268e6bda2b
Bisecting: 896 revisions left to test after this (roughly 10 steps)
[b07ce43db665a6b5a622d5bb1447950d7e1e3fb1] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit b07ce43db665a6b5a622d5bb1447950d7e1e3fb1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 07c6caa77914b65447f741cf7842c7bf4e2f29e2dce2c48f87f7218a3bcd0178
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad b07ce43db665a6b5a622d5bb1447950d7e1e3fb1
Bisecting: 445 revisions left to test after this (roughly 9 steps)
[f3a2439f20d918930cc4ae8f76fe1c1afd26958f] Merge tag 'rproc-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux
testing commit f3a2439f20d918930cc4ae8f76fe1c1afd26958f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 39e1e84c1ba5bee6d723b4ae78c5978d7ff9e9152a8ac11abe6272f00a8ca1c3
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad f3a2439f20d918930cc4ae8f76fe1c1afd26958f
Bisecting: 233 revisions left to test after this (roughly 8 steps)
[b8bfc7464bfa6b5ccb9b5556d92124cfca135efe] media: atomisp: ov2680: Consistently indent define values
testing commit b8bfc7464bfa6b5ccb9b5556d92124cfca135efe gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7de997e36c39fac3ec81e45e70be80fcd154dc188f88777e03fd1f66c53e2935
all runs: OK
# git bisect good b8bfc7464bfa6b5ccb9b5556d92124cfca135efe
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[498a1cf902c31c3af398082d65cf150b33b367e6] Merge tag 'kbuild-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 498a1cf902c31c3af398082d65cf150b33b367e6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e18bc7a7958c76ed5fdd0505ba1c7169526f07a1d838e1c61eeb3d5c976e5142
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad 498a1cf902c31c3af398082d65cf150b33b367e6
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[ae41e0e41ba04b4b51641b504fb3b405aef7ec04] .gitattributes: use 'dts' diff driver for *.dtso files
testing commit ae41e0e41ba04b4b51641b504fb3b405aef7ec04 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fee32574bc37a8620be4ee9100f905e55b2ac760e4f16bfe07f8b7a01810b09f
all runs: OK
# git bisect good ae41e0e41ba04b4b51641b504fb3b405aef7ec04
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[49a82584b87c385b267f4ca12674f08bd229ab57] media: imx: imx7-media-csi: Drop unneeded pad checks
testing commit 49a82584b87c385b267f4ca12674f08bd229ab57 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a1b8237c53320a60fc3de3dbe7822723d8839999f376e8c8b0b2e243ee5a035
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad 49a82584b87c385b267f4ca12674f08bd229ab57
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[8963c1195235e5cfff805b84ca7fd40004e8d155] media: dvb-frontends: cxd2880: return 0 instead of 'ret'.
testing commit 8963c1195235e5cfff805b84ca7fd40004e8d155 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 29003acda79501de6788f7bf64809e35cfd0a503cedfb9edbbc06cfdfdbeb2eb
all runs: OK
# git bisect good 8963c1195235e5cfff805b84ca7fd40004e8d155
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[107b7a219bb6ca4e70254cb2247af54939fb4713] media: dvb-frontends: mb86a16.c: always use the same error path
testing commit 107b7a219bb6ca4e70254cb2247af54939fb4713 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 99f26d480f22740aeec3c267538640c32dbe90094b5ed1b62833ff81c03b44ef
all runs: OK
# git bisect good 107b7a219bb6ca4e70254cb2247af54939fb4713
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[bc7635c6435c77a0c168e2cc6535740adfaff4e4] media: saa7134: Use video_unregister_device for radio_dev
testing commit bc7635c6435c77a0c168e2cc6535740adfaff4e4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: be2d9983bbebdc39ea5325117a5b482a0a1c3e4c5879e96db86f1ecc94da617c
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad bc7635c6435c77a0c168e2cc6535740adfaff4e4
Bisecting: 1 revision left to test after this (roughly 1 step)
[4ab3f69cba785988b7cb386e35e661bfa1aa0706] media: meson: vdec: remove redundant if statement
testing commit 4ab3f69cba785988b7cb386e35e661bfa1aa0706 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3cf48e88344bb762f395b889b01dd3db19df97c87666c66b079764c27cf89bb8
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad 4ab3f69cba785988b7cb386e35e661bfa1aa0706
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ebad8e731c1c06adf04621d6fd327b860c0861b5] media: usb: siano: Fix use after free bugs caused by do_submit_urb
testing commit ebad8e731c1c06adf04621d6fd327b860c0861b5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 92edf46ac59d6223c13e7d55b7df5fc94a71f763e99289f293e1d553f2828195
all runs: crashed: WARNING in smsusb_term_device
# git bisect bad ebad8e731c1c06adf04621d6fd327b860c0861b5
ebad8e731c1c06adf04621d6fd327b860c0861b5 is the first bad commit
commit ebad8e731c1c06adf04621d6fd327b860c0861b5
Author: Duoming Zhou
Date:   Mon Jan 23 03:04:38 2023 +0100

    media: usb: siano: Fix use after free bugs caused by do_submit_urb

    There are UAF bugs caused by do_submit_urb(). One of the KASan reports is
    shown below:

    [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890
    [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49
    [ 36.408316]
    [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8
    [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
    [ 36.416157] Workqueue: 0x0 (events)
    [ 36.417654] Call Trace:
    [ 36.418546]
    [ 36.419320] dump_stack_lvl+0x96/0xd0
    [ 36.420522] print_address_description+0x75/0x350
    [ 36.421992] print_report+0x11b/0x250
    [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0
    [ 36.424806] ? __virt_addr_valid+0xcf/0x170
    [ 36.426069] ? worker_thread+0x4a2/0x890
    [ 36.427355] kasan_report+0x131/0x160
    [ 36.428556] ? worker_thread+0x4a2/0x890
    [ 36.430053] worker_thread+0x4a2/0x890
    [ 36.431297] ? worker_clr_flags+0x90/0x90
    [ 36.432479] kthread+0x166/0x190
    [ 36.433493] ? kthread_blkcg+0x50/0x50
    [ 36.434669] ret_from_fork+0x22/0x30
    [ 36.435923]
    [ 36.436684]
    [ 36.437215] Allocated by task 24:
    [ 36.438289] kasan_set_track+0x50/0x80
    [ 36.439436] __kasan_kmalloc+0x89/0xa0
    [ 36.440566] smsusb_probe+0x374/0xc90
    [ 36.441920] usb_probe_interface+0x2d1/0x4c0
    [ 36.443253] really_probe+0x1d5/0x580
    [ 36.444539] __driver_probe_device+0xe3/0x130
    [ 36.446085] driver_probe_device+0x49/0x220
    [ 36.447423] __device_attach_driver+0x19e/0x1b0
    [ 36.448931] bus_for_each_drv+0xcb/0x110
    [ 36.450217] __device_attach+0x132/0x1f0
    [ 36.451470] bus_probe_device+0x59/0xf0
    [ 36.452563] device_add+0x4ec/0x7b0
    [ 36.453830] usb_set_configuration+0xc63/0xe10
    [ 36.455230] usb_generic_driver_probe+0x3b/0x80
    [ 36.456166] printk: console [ttyGS0] disabled
    [ 36.456569] usb_probe_device+0x90/0x110
    [ 36.459523] really_probe+0x1d5/0x580
    [ 36.461027] __driver_probe_device+0xe3/0x130
    [ 36.462465] driver_probe_device+0x49/0x220
    [ 36.463847] __device_attach_driver+0x19e/0x1b0
    [ 36.465229] bus_for_each_drv+0xcb/0x110
    [ 36.466466] __device_attach+0x132/0x1f0
    [ 36.467799] bus_probe_device+0x59/0xf0
    [ 36.469010] device_add+0x4ec/0x7b0
    [ 36.470125] usb_new_device+0x863/0xa00
    [ 36.471374] hub_event+0x18c7/0x2220
    [ 36.472746] process_one_work+0x34c/0x5b0
    [ 36.474041] worker_thread+0x4b7/0x890
    [ 36.475216] kthread+0x166/0x190
    [ 36.476267] ret_from_fork+0x22/0x30
    [ 36.477447]
    [ 36.478160] Freed by task 24:
    [ 36.479239] kasan_set_track+0x50/0x80
    [ 36.480512] kasan_save_free_info+0x2b/0x40
    [ 36.481808] ____kasan_slab_free+0x122/0x1a0
    [ 36.483173] __kmem_cache_free+0xc4/0x200
    [ 36.484563] smsusb_term_device+0xcd/0xf0
    [ 36.485896] smsusb_probe+0xc85/0xc90
    [ 36.486976] usb_probe_interface+0x2d1/0x4c0
    [ 36.488303] really_probe+0x1d5/0x580
    [ 36.489498] __driver_probe_device+0xe3/0x130
    [ 36.491140] driver_probe_device+0x49/0x220
    [ 36.492475] __device_attach_driver+0x19e/0x1b0
    [ 36.493988] bus_for_each_drv+0xcb/0x110
    [ 36.495171] __device_attach+0x132/0x1f0
    [ 36.496617] bus_probe_device+0x59/0xf0
    [ 36.497875] device_add+0x4ec/0x7b0
    [ 36.498972] usb_set_configuration+0xc63/0xe10
    [ 36.500264] usb_generic_driver_probe+0x3b/0x80
    [ 36.501740] usb_probe_device+0x90/0x110
    [ 36.503084] really_probe+0x1d5/0x580
    [ 36.504241] __driver_probe_device+0xe3/0x130
    [ 36.505548] driver_probe_device+0x49/0x220
    [ 36.506766] __device_attach_driver+0x19e/0x1b0
    [ 36.508368] bus_for_each_drv+0xcb/0x110
    [ 36.509646] __device_attach+0x132/0x1f0
    [ 36.510911] bus_probe_device+0x59/0xf0
    [ 36.512103] device_add+0x4ec/0x7b0
    [ 36.513215] usb_new_device+0x863/0xa00
    [ 36.514736] hub_event+0x18c7/0x2220
    [ 36.516130] process_one_work+0x34c/0x5b0
    [ 36.517396] worker_thread+0x4b7/0x890
    [ 36.518591] kthread+0x166/0x190
    [ 36.519599] ret_from_fork+0x22/0x30
    [ 36.520851]
    [ 36.521405] Last potentially related work creation:
    [ 36.523143] kasan_save_stack+0x3f/0x60
    [ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0
    [ 36.525831] insert_work+0x25/0x130
    [ 36.527039] __queue_work+0x4d4/0x620
    [ 36.528236] queue_work_on+0x72/0xb0
    [ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0
    [ 36.530819] dummy_timer+0x350/0x1a40
    [ 36.532149] call_timer_fn+0x2c/0x190
    [ 36.533567] expire_timers+0x69/0x1f0
    [ 36.534736] __run_timers+0x289/0x2d0
    [ 36.535841] run_timer_softirq+0x2d/0x60
    [ 36.537110] __do_softirq+0x116/0x380
    [ 36.538377]
    [ 36.538950] Second to last potentially related work creation:
    [ 36.540855] kasan_save_stack+0x3f/0x60
    [ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0
    [ 36.543592] insert_work+0x25/0x130
    [ 36.544891] __queue_work+0x4d4/0x620
    [ 36.546168] queue_work_on+0x72/0xb0
    [ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0
    [ 36.548805] dummy_timer+0x350/0x1a40
    [ 36.550116] call_timer_fn+0x2c/0x190
    [ 36.551570] expire_timers+0x69/0x1f0
    [ 36.552762] __run_timers+0x289/0x2d0
    [ 36.553916] run_timer_softirq+0x2d/0x60
    [ 36.555118] __do_softirq+0x116/0x380
    [ 36.556239]
    [ 36.556807] The buggy address belongs to the object at ffff888005960000
    [ 36.556807] which belongs to the cache kmalloc-4k of size 4096
    [ 36.560652] The buggy address is located 232 bytes inside of
    [ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000)
    [ 36.564791]
    [ 36.565355] The buggy address belongs to the physical page:
    [ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00
    [ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0
    [ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1)
    [ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000
    [ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
    [ 36.580175] page dumped because: kasan: bad access detected
    [ 36.581994]
    [ 36.582548] Memory state around the buggy address:
    [ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 36.591071] ^
    [ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [ 36.598026] ==================================================================
    [ 36.600224] Disabling lock debugging due to kernel taint
    [ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I
    [ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8
    [ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
    [ 36.615026] Workqueue: events do_submit_urb
    [ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
    [ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
    [ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
    [ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
    [ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
    [ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
    [ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
    [ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
    [ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
    [ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
    [ 36.643411] Call Trace:
    [ 36.644215]
    [ 36.644902] smscore_getbuffer+0x3e/0x1e0
    [ 36.646147] do_submit_urb+0x4f/0x190
    [ 36.647449] process_one_work+0x34c/0x5b0
    [ 36.648777] worker_thread+0x4b7/0x890
    [ 36.649984] ? worker_clr_flags+0x90/0x90
    [ 36.651166] kthread+0x166/0x190
    [ 36.652151] ? kthread_blkcg+0x50/0x50
    [ 36.653547] ret_from_fork+0x22/0x30
    [ 36.655051]
    [ 36.655733] Modules linked in:
    [ 36.656787] ---[ end trace 0000000000000000 ]---
    [ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
    [ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
    [ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
    [ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
    [ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
    [ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
    [ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
    [ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
    [ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
    [ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
    [ 36.685733] Kernel panic - not syncing: Fatal exception
    [ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff)
    [ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]---

    When the siano device is plugged in, it may call the following functions
    to initialize the device.
    smsusb_probe()-->smsusb_init_device()-->smscore_start_device().
    When smscore_start_device() fails, the function smsusb_term_device()
    will be called and smsusb_device_t will be deallocated. Although we use
    usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests
    and wait for them to finish, the worker threads that are scheduled by
    smsusb_onresponse() may still be running. As a result, the UAF bugs
    could happen.

    We add cancel_work_sync() in smsusb_stop_streaming() in order that the
    worker threads could finish before the smsusb_device_t is deallocated.

    Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
    Signed-off-by: Duoming Zhou
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab

 drivers/media/usb/siano/smsusb.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: 92edf46ac59d6223c13e7d55b7df5fc94a71f763e99289f293e1d553f2828195
parent signature: 99f26d480f22740aeec3c267538640c32dbe90094b5ed1b62833ff81c03b44ef
revisions tested: 17, total time: 5h56m1.917124404s (build: 4h21m21.181935711s, test: 1h31m12.127697511s)
first bad commit: ebad8e731c1c06adf04621d6fd327b860c0861b5 media: usb: siano: Fix use after free bugs caused by do_submit_urb
recipients (to): ["duoming@zju.edu.cn" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org"]
recipients (cc): []
crash: WARNING in smsusb_term_device
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
smsusb:smsusb_probe: board id=7, interface number 0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5065 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
Modules linked in:
CPU: 1 PID: 5065 Comm: kworker/1:5 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
Code: 00 00 00 e8 8a dd 17 00 48 c7 c6 51 79 4a 81 48 c7 c7 e0 6e 78 8b 45 31 ff e8 d4 79 10 00 e9 55 fd ff ff 0f 0b e9 4e fd ff ff <0f> 0b 45 31 ff e9 44 fd ff ff 4c 89 95 88 fe ff ff e8 c2 43 6f 00
RSP: 0018:ffffc900040bebf8 EFLAGS: 00010246
RAX: 1ffff1100fb2c820 RBX: 0000000000000021 RCX: 1ffffffff205161e
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff88807d9640e8
RBP: ffffc900040bed98 R08: 0000000000000001 R09: ffffffff90261bef
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88807d9640e8
R13: ffff88807d9640e8 R14: ffff88807d964100 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005620e17f6950 CR3: 0000000024178000 CR4: 0000000000350ee0
Call Trace:
 __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
 smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
 smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
 smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
 smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
 usb_probe_interface+0x278/0x6a0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x5a6/0xa50 drivers/base/dd.c:639
 __driver_probe_device+0x186/0x460 drivers/base/dd.c:778
 driver_probe_device+0x44/0x110 drivers/base/dd.c:808
 __device_attach_driver+0x14e/0x270 drivers/base/dd.c:936
 bus_for_each_drv+0x122/0x1a0 drivers/base/bus.c:427
 __device_attach+0x19e/0x440 drivers/base/dd.c:1008
 bus_probe_device+0x1a1/0x250 drivers/base/bus.c:487
 device_add+0xa18/0x1b90 drivers/base/core.c:3479
 usb_set_configuration+0xa05/0x18a0 drivers/usb/core/message.c:2171
 usb_generic_driver_probe+0x78/0xa0 drivers/usb/core/generic.c:238
 usb_probe_device+0x98/0x240 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x5a6/0xa50 drivers/base/dd.c:639
 __driver_probe_device+0x186/0x460 drivers/base/dd.c:778
 driver_probe_device+0x44/0x110 drivers/base/dd.c:808
 __device_attach_driver+0x14e/0x270 drivers/base/dd.c:936
 bus_for_each_drv+0x122/0x1a0 drivers/base/bus.c:427
 __device_attach+0x19e/0x440 drivers/base/dd.c:1008
 bus_probe_device+0x1a1/0x250 drivers/base/bus.c:487
 device_add+0xa18/0x1b90 drivers/base/core.c:3479
 usb_new_device.cold+0x600/0xf02 drivers/usb/core/hub.c:2573
 hub_port_connect drivers/usb/core/hub.c:5405 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5549 [inline]
 port_event drivers/usb/core/hub.c:5709 [inline]
 hub_event+0x2450/0x3ce0 drivers/usb/core/hub.c:5791
 process_one_work+0x8ba/0x14c0 kernel/workqueue.c:2289
 worker_thread+0x59c/0xec0 kernel/workqueue.c:2436
 kthread+0x29e/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308