ci starts bisection 2023-07-06 14:01:58.040985894 +0000 UTC m=+6469.708996207
bisecting cause commit starting from d528014517f2b0531862c02865b9d4c908019dc4
building syzkaller on 80298b6ff976aafe8f55904f88dabecb4c39d037
ensuring issue is reproducible on original commit d528014517f2b0531862c02865b9d4c908019dc4
testing commit d528014517f2b0531862c02865b9d4c908019dc4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6853ff00b925ef624c9f1b8a1161e8763ff6cb90abf8e5c7ff36026ad7177e3e
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d528014517f2b0531862c02865b9d4c908019dc4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 081f7c779b5c6be91e8282b323959a49eaed51b938bdae2d407a4d8d2b957e16
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing release v6.4
testing commit 6995e2de6891c724bfeb2db33d7b87775f913ad1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7d7d9e08bf822fc4d5666d3f38bcd3e55a78f03512ca7915a4f073d68b0fd1cc
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 460bb5f0cbdb5ecfea94af2deb822fcbe8dce89ee6b7b002f05c5b6f22a306cc
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
testing release v6.2
testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 24c29c49064a2edb0a3ebe86c2e6e572f2546c282b3d33c05b67400a78a8dbeb
all runs: OK
# git bisect start 457391b0380335d5e9a5babdec90ac53928b23b4 c9c3395d5e3dcc6daee66c6908354d47bf98cb0c
Bisecting: 7399 revisions left to test after this (roughly 13 steps)
[a5c95ca18a98d742d0a4a04063c32556b5b66378] Merge tag 'drm-next-2023-02-23' of git://anongit.freedesktop.org/drm/drm
testing commit a5c95ca18a98d742d0a4a04063c32556b5b66378 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2e4499b9328381356e990bf84c2be9ecdc8c2cfdb9bdd4df77f09e99aeb411ff
all runs: OK
# git bisect good a5c95ca18a98d742d0a4a04063c32556b5b66378
Bisecting: 3619 revisions left to test after this (roughly 12 steps)
[1ec35eadc3b448c91a6b763371a7073444e95f9d] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit 1ec35eadc3b448c91a6b763371a7073444e95f9d gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2ec1e0ff680f98a2ca2c843f22c5a28fc80da2e102f4fef4a511c13fb73827f9
all runs: OK
# git bisect good 1ec35eadc3b448c91a6b763371a7073444e95f9d
Bisecting: 1808 revisions left to test after this (roughly 11 steps)
[3b11717f95b1880b9cab4b90bbaf61268e6bda2b] Merge tag 'vfs.misc.v6.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping
testing commit 3b11717f95b1880b9cab4b90bbaf61268e6bda2b gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7b7e52fba4b781f7b019be14f380681f88dd6dc7ca107ed42766996ff2419f56
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
# git bisect bad 3b11717f95b1880b9cab4b90bbaf61268e6bda2b
Bisecting: 896 revisions left to test after this (roughly 10 steps)
[b07ce43db665a6b5a622d5bb1447950d7e1e3fb1] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit b07ce43db665a6b5a622d5bb1447950d7e1e3fb1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c2490441d2f969a138eb41eadaf11a6ef91e0a6e81ce0005c587504fadf79b37
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
# git bisect bad b07ce43db665a6b5a622d5bb1447950d7e1e3fb1
Bisecting: 445 revisions left to test after this (roughly 9 steps)
[f3a2439f20d918930cc4ae8f76fe1c1afd26958f] Merge tag 'rproc-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux
testing commit f3a2439f20d918930cc4ae8f76fe1c1afd26958f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8c309e81ed49bd2626581b780e10965b93e5b08bada536f37d1c90bcdb5a02d3
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
# git bisect bad f3a2439f20d918930cc4ae8f76fe1c1afd26958f
Bisecting: 233 revisions left to test after this (roughly 8 steps)
[b8bfc7464bfa6b5ccb9b5556d92124cfca135efe] media: atomisp: ov2680: Consistently indent define values
testing commit b8bfc7464bfa6b5ccb9b5556d92124cfca135efe gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f71c547cbad0014a0665b9b20c52941f4f239a0a0228c7c825dd62e27507cce8
all runs: OK
# git bisect good b8bfc7464bfa6b5ccb9b5556d92124cfca135efe
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[498a1cf902c31c3af398082d65cf150b33b367e6] Merge tag 'kbuild-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 498a1cf902c31c3af398082d65cf150b33b367e6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 90c2c008267b80389866a6cb2671afa5de973834ab2ec40bfd6b43d8cb350150
all runs: crashed: WARNING in smsusb_start_streaming
representative crash: WARNING in smsusb_start_streaming, types: [WARNING]
# git bisect bad 498a1cf902c31c3af398082d65cf150b33b367e6
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[ae41e0e41ba04b4b51641b504fb3b405aef7ec04] .gitattributes: use 'dts' diff driver for *.dtso files
testing commit ae41e0e41ba04b4b51641b504fb3b405aef7ec04 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ceee13a8407568c1dd2ae4a8c27bc0986fa354b1d6295a451fb19ff893efe0d2
all runs: OK
# git bisect good ae41e0e41ba04b4b51641b504fb3b405aef7ec04
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[49a82584b87c385b267f4ca12674f08bd229ab57] media: imx: imx7-media-csi: Drop unneeded pad checks
testing commit 49a82584b87c385b267f4ca12674f08bd229ab57 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 90a80d4a57fb8ac5221a394bf1e5605f2429e47899fcb2a6603b08b867fc38a2
all runs: crashed: WARNING in smsusb_stop_streaming
representative crash: WARNING in smsusb_stop_streaming, types: [WARNING]
# git bisect bad 49a82584b87c385b267f4ca12674f08bd229ab57
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[8963c1195235e5cfff805b84ca7fd40004e8d155] media: dvb-frontends: cxd2880: return 0 instead of 'ret'.
testing commit 8963c1195235e5cfff805b84ca7fd40004e8d155 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e03b11e82b0fd976c8ca3c0fd0b20f4b95676d9011715dad365f1f5dde973e3b
all runs: OK
# git bisect good 8963c1195235e5cfff805b84ca7fd40004e8d155
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[107b7a219bb6ca4e70254cb2247af54939fb4713] media: dvb-frontends: mb86a16.c: always use the same error path
testing commit 107b7a219bb6ca4e70254cb2247af54939fb4713 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6634dcb14210323365eca39bcbc7a58ecadefbf85bc9e188d249cc966f1f2537
all runs: OK
# git bisect good 107b7a219bb6ca4e70254cb2247af54939fb4713
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[bc7635c6435c77a0c168e2cc6535740adfaff4e4] media: saa7134: Use video_unregister_device for radio_dev
testing commit bc7635c6435c77a0c168e2cc6535740adfaff4e4 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5cbb775454d78c537cacd8544a1b4c63b1be67adf181854ffddf0dc952dfb70a
all runs: crashed: WARNING in smsusb_stop_streaming
representative crash: WARNING in smsusb_stop_streaming, types: [WARNING]
# git bisect bad bc7635c6435c77a0c168e2cc6535740adfaff4e4
Bisecting: 1 revision left to test after this (roughly 1 step)
[4ab3f69cba785988b7cb386e35e661bfa1aa0706] media: meson: vdec: remove redundant if statement
testing commit 4ab3f69cba785988b7cb386e35e661bfa1aa0706 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 53631029cd3107a9ca95dbc0b267939ccf26ee661147d6898d740ea4cf897549
all runs: crashed: WARNING in smsusb_stop_streaming
representative crash: WARNING in smsusb_stop_streaming, types: [WARNING]
# git bisect bad 4ab3f69cba785988b7cb386e35e661bfa1aa0706
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ebad8e731c1c06adf04621d6fd327b860c0861b5] media: usb: siano: Fix use after free bugs caused by do_submit_urb
testing commit ebad8e731c1c06adf04621d6fd327b860c0861b5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 473d76d764ceed32541bb747f1bf9d786501a05ba6ee5bcc345ed54fb5cdfc90
all runs: crashed: WARNING in smsusb_stop_streaming
representative crash: WARNING in smsusb_stop_streaming, types: [WARNING]
# git bisect bad ebad8e731c1c06adf04621d6fd327b860c0861b5
ebad8e731c1c06adf04621d6fd327b860c0861b5 is the first bad commit
commit ebad8e731c1c06adf04621d6fd327b860c0861b5
Author: Duoming Zhou
Date:   Mon Jan 23 03:04:38 2023 +0100

    media: usb: siano: Fix use after free bugs caused by do_submit_urb

    There are UAF bugs caused by do_submit_urb(). One of the KASan reports is
    shown below:

    [   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890
    [   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49
    [   36.408316]
    [   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8
    [   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
    [   36.416157] Workqueue:  0x0 (events)
    [   36.417654] Call Trace:
    [   36.418546]
    [   36.419320]  dump_stack_lvl+0x96/0xd0
    [   36.420522]  print_address_description+0x75/0x350
    [   36.421992]  print_report+0x11b/0x250
    [   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0
    [   36.424806]  ? __virt_addr_valid+0xcf/0x170
    [   36.426069]  ? worker_thread+0x4a2/0x890
    [   36.427355]  kasan_report+0x131/0x160
    [   36.428556]  ? worker_thread+0x4a2/0x890
    [   36.430053]  worker_thread+0x4a2/0x890
    [   36.431297]  ? worker_clr_flags+0x90/0x90
    [   36.432479]  kthread+0x166/0x190
    [   36.433493]  ? kthread_blkcg+0x50/0x50
    [   36.434669]  ret_from_fork+0x22/0x30
    [   36.435923]
    [   36.436684]
    [   36.437215] Allocated by task 24:
    [   36.438289]  kasan_set_track+0x50/0x80
    [   36.439436]  __kasan_kmalloc+0x89/0xa0
    [   36.440566]  smsusb_probe+0x374/0xc90
    [   36.441920]  usb_probe_interface+0x2d1/0x4c0
    [   36.443253]  really_probe+0x1d5/0x580
    [   36.444539]  __driver_probe_device+0xe3/0x130
    [   36.446085]  driver_probe_device+0x49/0x220
    [   36.447423]  __device_attach_driver+0x19e/0x1b0
    [   36.448931]  bus_for_each_drv+0xcb/0x110
    [   36.450217]  __device_attach+0x132/0x1f0
    [   36.451470]  bus_probe_device+0x59/0xf0
    [   36.452563]  device_add+0x4ec/0x7b0
    [   36.453830]  usb_set_configuration+0xc63/0xe10
    [   36.455230]  usb_generic_driver_probe+0x3b/0x80
    [   36.456166] printk: console [ttyGS0] disabled
    [   36.456569]  usb_probe_device+0x90/0x110
    [   36.459523]  really_probe+0x1d5/0x580
    [   36.461027]  __driver_probe_device+0xe3/0x130
    [   36.462465]  driver_probe_device+0x49/0x220
    [   36.463847]  __device_attach_driver+0x19e/0x1b0
    [   36.465229]  bus_for_each_drv+0xcb/0x110
    [   36.466466]  __device_attach+0x132/0x1f0
    [   36.467799]  bus_probe_device+0x59/0xf0
    [   36.469010]  device_add+0x4ec/0x7b0
    [   36.470125]  usb_new_device+0x863/0xa00
    [   36.471374]  hub_event+0x18c7/0x2220
    [   36.472746]  process_one_work+0x34c/0x5b0
    [   36.474041]  worker_thread+0x4b7/0x890
    [   36.475216]  kthread+0x166/0x190
    [   36.476267]  ret_from_fork+0x22/0x30
    [   36.477447]
    [   36.478160] Freed by task 24:
    [   36.479239]  kasan_set_track+0x50/0x80
    [   36.480512]  kasan_save_free_info+0x2b/0x40
    [   36.481808]  ____kasan_slab_free+0x122/0x1a0
    [   36.483173]  __kmem_cache_free+0xc4/0x200
    [   36.484563]  smsusb_term_device+0xcd/0xf0
    [   36.485896]  smsusb_probe+0xc85/0xc90
    [   36.486976]  usb_probe_interface+0x2d1/0x4c0
    [   36.488303]  really_probe+0x1d5/0x580
    [   36.489498]  __driver_probe_device+0xe3/0x130
    [   36.491140]  driver_probe_device+0x49/0x220
    [   36.492475]  __device_attach_driver+0x19e/0x1b0
    [   36.493988]  bus_for_each_drv+0xcb/0x110
    [   36.495171]  __device_attach+0x132/0x1f0
    [   36.496617]  bus_probe_device+0x59/0xf0
    [   36.497875]  device_add+0x4ec/0x7b0
    [   36.498972]  usb_set_configuration+0xc63/0xe10
    [   36.500264]  usb_generic_driver_probe+0x3b/0x80
    [   36.501740]  usb_probe_device+0x90/0x110
    [   36.503084]  really_probe+0x1d5/0x580
    [   36.504241]  __driver_probe_device+0xe3/0x130
    [   36.505548]  driver_probe_device+0x49/0x220
    [   36.506766]  __device_attach_driver+0x19e/0x1b0
    [   36.508368]  bus_for_each_drv+0xcb/0x110
    [   36.509646]  __device_attach+0x132/0x1f0
    [   36.510911]  bus_probe_device+0x59/0xf0
    [   36.512103]  device_add+0x4ec/0x7b0
    [   36.513215]  usb_new_device+0x863/0xa00
    [   36.514736]  hub_event+0x18c7/0x2220
    [   36.516130]  process_one_work+0x34c/0x5b0
    [   36.517396]  worker_thread+0x4b7/0x890
    [   36.518591]  kthread+0x166/0x190
    [   36.519599]  ret_from_fork+0x22/0x30
    [   36.520851]
    [   36.521405] Last potentially related work creation:
    [   36.523143]  kasan_save_stack+0x3f/0x60
    [   36.524275]  kasan_record_aux_stack_noalloc+0x9d/0xb0
    [   36.525831]  insert_work+0x25/0x130
    [   36.527039]  __queue_work+0x4d4/0x620
    [   36.528236]  queue_work_on+0x72/0xb0
    [   36.529344]  __usb_hcd_giveback_urb+0x13f/0x1b0
    [   36.530819]  dummy_timer+0x350/0x1a40
    [   36.532149]  call_timer_fn+0x2c/0x190
    [   36.533567]  expire_timers+0x69/0x1f0
    [   36.534736]  __run_timers+0x289/0x2d0
    [   36.535841]  run_timer_softirq+0x2d/0x60
    [   36.537110]  __do_softirq+0x116/0x380
    [   36.538377]
    [   36.538950] Second to last potentially related work creation:
    [   36.540855]  kasan_save_stack+0x3f/0x60
    [   36.542084]  kasan_record_aux_stack_noalloc+0x9d/0xb0
    [   36.543592]  insert_work+0x25/0x130
    [   36.544891]  __queue_work+0x4d4/0x620
    [   36.546168]  queue_work_on+0x72/0xb0
    [   36.547328]  __usb_hcd_giveback_urb+0x13f/0x1b0
    [   36.548805]  dummy_timer+0x350/0x1a40
    [   36.550116]  call_timer_fn+0x2c/0x190
    [   36.551570]  expire_timers+0x69/0x1f0
    [   36.552762]  __run_timers+0x289/0x2d0
    [   36.553916]  run_timer_softirq+0x2d/0x60
    [   36.555118]  __do_softirq+0x116/0x380
    [   36.556239]
    [   36.556807] The buggy address belongs to the object at ffff888005960000
    [   36.556807]  which belongs to the cache kmalloc-4k of size 4096
    [   36.560652] The buggy address is located 232 bytes inside of
    [   36.560652]  4096-byte region [ffff888005960000, ffff888005961000)
    [   36.564791]
    [   36.565355] The buggy address belongs to the physical page:
    [   36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00
    [   36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0
    [   36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1)
    [   36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000
    [   36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
    [   36.580175] page dumped because: kasan: bad access detected
    [   36.581994]
    [   36.582548] Memory state around the buggy address:
    [   36.583983]  ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [   36.586240]  ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [   36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [   36.591071]                                                        ^
    [   36.593295]  ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [   36.595705]  ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [   36.598026] ==================================================================
    [   36.600224] Disabling lock debugging due to kernel taint
    [   36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I
    [   36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G    B              6.2.0-rc3-15798-8
    [   36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
    [   36.615026] Workqueue: events do_submit_urb
    [   36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
    [   36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
    [   36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
    [   36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
    [   36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
    [   36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
    [   36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
    [   36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
    [   36.636438] FS:  0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
    [   36.639092] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
    [   36.643411] Call Trace:
    [   36.644215]
    [   36.644902]  smscore_getbuffer+0x3e/0x1e0
    [   36.646147]  do_submit_urb+0x4f/0x190
    [   36.647449]  process_one_work+0x34c/0x5b0
    [   36.648777]  worker_thread+0x4b7/0x890
    [   36.649984]  ? worker_clr_flags+0x90/0x90
    [   36.651166]  kthread+0x166/0x190
    [   36.652151]  ? kthread_blkcg+0x50/0x50
    [   36.653547]  ret_from_fork+0x22/0x30
    [   36.655051]
    [   36.655733] Modules linked in:
    [   36.656787] ---[ end trace 0000000000000000 ]---
    [   36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
    [   36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
    [   36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
    [   36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
    [   36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
    [   36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
    [   36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
    [   36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
    [   36.679184] FS:  0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
    [   36.681655] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
    [   36.685733] Kernel panic - not syncing: Fatal exception
    [   36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff)
    [   36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]---

    When the siano device is plugged in, it may call the following functions
    to initialize the device.

    smsusb_probe()-->smsusb_init_device()-->smscore_start_device().

    When smscore_start_device() fails, the function smsusb_term_device()
    will be called and smsusb_device_t will be deallocated. Although we use
    usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests
    and wait for them to finish, the worker threads that are scheduled by
    smsusb_onresponse() may still be running. As a result, the UAF bugs
    could happen.

    We add cancel_work_sync() in smsusb_stop_streaming() in order that the
    worker threads could finish before the smsusb_device_t is deallocated.

    Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic")
    Signed-off-by: Duoming Zhou
    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab

 drivers/media/usb/siano/smsusb.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: 473d76d764ceed32541bb747f1bf9d786501a05ba6ee5bcc345ed54fb5cdfc90
parent signature: 6634dcb14210323365eca39bcbc7a58ecadefbf85bc9e188d249cc966f1f2537
revisions tested: 19, total time: 7h31m46.258883462s (build: 5h27m52.736488669s, test: 1h52m2.035950754s)
first bad commit: ebad8e731c1c06adf04621d6fd327b860c0861b5 media: usb: siano: Fix use after free bugs caused by do_submit_urb
recipients (to): ["duoming@zju.edu.cn" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org"]
recipients (cc): []
crash: WARNING in smsusb_stop_streaming
smsusb:smsusb_probe: board id=7, interface number 55
smsusb:smsusb_probe: board id=7, interface number 147
smsusb:smsusb_probe: board id=7, interface number 0
smsusb:siano_media_device_register: media controller created
smsusb:smsusb_start_streaming: smsusb_submit_urb(...) failed
------------[ cut here ]------------
WARNING: CPU: 0 PID: 898 at kernel/workqueue.c:3066 rcu_lock_release include/linux/rcupdate.h:330 [inline]
WARNING: CPU: 0 PID: 898 at kernel/workqueue.c:3066 rcu_read_unlock include/linux/rcupdate.h:797 [inline]
WARNING: CPU: 0 PID: 898 at kernel/workqueue.c:3066 start_flush_work kernel/workqueue.c:3055 [inline]
WARNING: CPU: 0 PID: 898 at kernel/workqueue.c:3066 __flush_work+0x4db/0x560 kernel/workqueue.c:3072
Modules linked in:
CPU: 0 PID: 898 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:__flush_work+0x4db/0x560 kernel/workqueue.c:3066
Code: 02 e8 e9 a5 07 00 84 c0 74 67 e8 e0 ff 07 00 48 c7 c6 5b e2 20 81 48 c7 c7 c0 a0 ff 84 45 31 f6 e8 9a 4e 05 00 e9 4f fe ff ff <0f> 0b 45 31 f6 e9 45 fe ff ff 0f 0b e9 32 fd ff ff e8 bf 7a 7b 02
RSP: 0018:ffffc90003eab5b0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888142ecf0e8
RBP: ffffc90003eab6a8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000014 R11: ffff8881017e0ac0 R12: ffff888142ecf0e8
R13: ffff888142ecf0e8 R14: 0000000000000001 R15: ffffc90003eab770
FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd8b2cb9440 CR3: 000000010dddd000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __cancel_work_timer+0x140/0x1e0 kernel/workqueue.c:3160
 smsusb_stop_streaming+0x26/0x60 drivers/media/usb/siano/smsusb.c:182
 smsusb_start_streaming+0xdb/0xf7 drivers/media/usb/siano/smsusb.c:199
 smsusb_init_device+0x31c/0x3da drivers/media/usb/siano/smsusb.c:476
 smsusb_probe+0x47e/0x4cd drivers/media/usb/siano/smsusb.c:567
 usb_probe_interface+0xde/0x2a0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x275/0x370 drivers/base/dd.c:639
 __driver_probe_device+0x73/0x170 drivers/base/dd.c:778
 driver_probe_device+0x19/0x90 drivers/base/dd.c:808
 __device_attach_driver+0x75/0xf0 drivers/base/dd.c:936
 bus_for_each_drv+0x7d/0xc0 drivers/base/bus.c:427
 __device_attach+0xb9/0x210 drivers/base/dd.c:1008
 bus_probe_device+0x9b/0xb0 drivers/base/bus.c:487
 device_add+0x44d/0x970 drivers/base/core.c:3479
 usb_set_configuration+0x4d7/0x900 drivers/usb/core/message.c:2171
 usb_generic_driver_probe+0x4b/0x70 drivers/usb/core/generic.c:238
 usb_probe_device+0x2f/0xe0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x275/0x370 drivers/base/dd.c:639
 __driver_probe_device+0x73/0x170 drivers/base/dd.c:778
 driver_probe_device+0x19/0x90 drivers/base/dd.c:808
 __device_attach_driver+0x75/0xf0 drivers/base/dd.c:936
 bus_for_each_drv+0x7d/0xc0 drivers/base/bus.c:427
 __device_attach+0xb9/0x210 drivers/base/dd.c:1008
 bus_probe_device+0x9b/0xb0 drivers/base/bus.c:487
 device_add+0x44d/0x970 drivers/base/core.c:3479
 usb_new_device.cold+0x1cb/0x44e drivers/usb/core/hub.c:2573
 hub_port_connect drivers/usb/core/hub.c:5405 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5549 [inline]
 port_event drivers/usb/core/hub.c:5709 [inline]
 hub_event+0x121e/0x1a30 drivers/usb/core/hub.c:5791
 process_one_work+0x2a5/0x5f0 kernel/workqueue.c:2289
 worker_thread+0x51/0x3a0 kernel/workqueue.c:2436
 kthread+0xe4/0x110 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308