LKML Archive on lore.kernel.org
* WARNING: ODEBUG bug in del_timer
From: syzbot @ 2018-04-29 16:10 UTC (permalink / raw)
  To: davem, linux-kernel, linux-s390, netdev, syzkaller-bugs, ubraun

Hello,

syzbot hit the following crash on net-next commit
af201bab50a89aa6cf4df952b2c3bf55895c8eee (Fri Apr 27 15:12:10 2018 +0000)
udp: remove stray export symbol
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=03faa2dc16b8b64be396

So far this crash happened 26 times on net-next.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5925539139289088
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4983245594689536
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5476181675606016
Kernel config: https://syzkaller.appspot.com/x/.config?id=4410550353033654931
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+03faa2dc16b8b64be396@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint:           (null)
WARNING: CPU: 1 PID: 4490 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4490 Comm: syz-executor609 Not tainted 4.17.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  panic+0x22f/0x4de kernel/panic.c:184
  __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
  report_bug+0x252/0x2d0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:178 [inline]
  do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
RSP: 0018:ffff8801af1e7880 EFLAGS: 00010086
RAX: 0000000000000061 RBX: 0000000000000005 RCX: ffffffff818433e8
RDX: 0000000000000000 RSI: ffffffff8160f561 RDI: 0000000000000001
RBP: ffff8801af1e78c0 R08: ffff8801afa62100 R09: ffffed003b5e3eb2
R10: ffffed003b5e3eb2 R11: ffff8801daf1f597 R12: 0000000000000001
R13: ffffffff88d96cc0 R14: ffffffff87fa34e0 R15: ffffffff81666d30
  debug_object_assert_init+0x309/0x500 lib/debugobjects.c:692
  debug_timer_assert_init kernel/time/timer.c:724 [inline]
  debug_assert_init kernel/time/timer.c:776 [inline]
  del_timer+0x74/0x140 kernel/time/timer.c:1198
  try_to_grab_pending+0x439/0x9a0 kernel/workqueue.c:1223
  mod_delayed_work_on+0x91/0x250 kernel/workqueue.c:1592
  mod_delayed_work include/linux/workqueue.h:541 [inline]
  smc_setsockopt+0x33d/0x630 net/smc/af_smc.c:1353
  __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
  __do_sys_setsockopt net/socket.c:1914 [inline]
  __se_sys_setsockopt net/socket.c:1911 [inline]
  __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd09
RSP: 002b:00007ffe1f251c58 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd09
RDX: 0000000000000001 RSI: 0000000000000006 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
R10: 0000000020000180 R11: 0000000000000207 R12: 0000000000401630
R13: 00000000004016c0 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.


* Re: WARNING: ODEBUG bug in del_timer
From: Dmitry Vyukov @ 2019-10-21  7:32 UTC (permalink / raw)
  To: zzoru
  Cc: Alan Stern, Greg Kroah-Hartman, USB list, usb-storage, LKML,
	dokyungs, syzkaller, Andrey Konovalov

On Sat, Oct 19, 2019 at 1:36 AM zzoru <zzoru007@gmail.com> wrote:
>
> Hi
>
> The customizations are related to driver fuzzing.
> We added some more descriptions of USB driver & narrowed the
> constraints (targeted fuzzing).

Please consider upstreaming these improvements to syzkaller.

> And sorry, I don't have much time to make patches for these bugs.
>
> On Fri, Oct 18, 2019 at 2:33 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Wed, Oct 16, 2019 at 11:59 AM zzoru <zzoru007@gmail.com> wrote:
> > >
> > > We found the following crash on Linux 5.4-rc1 (Not patched in current
> > > HEAD commit 3b1f00aceb7a67bf079a5a64aa5c6baf78a8f442)
> > > with our customized syzkaller.
> >
> > Hi zzoru,
> >
> > Do you mind sharing what customizations you did to syzkaller? Are
> > these related to USB? I've noticed several reports were related to USB
> > subsystem.
> >
> > > ODEBUG: assert_init not available (active state 0) object type:
> > > timer_list hint: 0x0
> > > WARNING: CPU: 0 PID: 141 at linux/lib/debugobjects.c:484
> > > debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
> > > Kernel panic - not syncing: panic_on_warn set ...
> > > CPU: 0 PID: 141 Comm: kworker/0:3 Not tainted 5.4.0-rc1 #5
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > > rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> > > Workqueue: usb_hub_wq hub_event
> > > Call Trace:
> > >  __dump_stack linux/lib/dump_stack.c:77 [inline]
> > >  dump_stack+0x7c/0xbb linux/lib/dump_stack.c:113
> > >  panic+0x205/0x48e linux/kernel/panic.c:220
> > >  __warn+0x19c/0x1c0 linux/kernel/panic.c:581
> > >  report_bug+0x1a9/0x2b0 linux/lib/bug.c:195
> > >  fixup_bug.part.11+0x32/0x80 linux/arch/x86/kernel/traps.c:179
> > >  fixup_bug linux/arch/x86/include/asm/irqflags.h:54 [inline]
> > >  do_error_trap+0xf5/0x160 linux/arch/x86/kernel/traps.c:272
> > >  do_invalid_op+0x31/0x40 linux/arch/x86/kernel/traps.c:291
> > >  invalid_op+0x23/0x30 linux/arch/x86/entry/entry_64.S:1028
> > > RIP: 0010:debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
> > > Code: 3c dd 80 05 9a 85 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7f 48 8b
> > > 14 dd 80 05 9a 85 4c 89 ee 48 c7 c7 00 fb 99 85 e8 d2 a7 43 ff <0f> 0b
> > > 83 05 cd bd 70 05 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
> > > RSP: 0018:ffff888017017668 EFLAGS: 00010282
> > > RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff814153b0
> > > RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801a41f730
> > > RBP: 0000000000000001 R08: ffffed1003483ee7 R09: ffffed1003483ee7
> > > R10: 0000000000000001 R11: ffffed1003483ee6 R12: ffffffff86908460
> > > R13: ffffffff859a01a0 R14: ffffffff812b6bc0 R15: ffff888017fb0420
> > >  debug_object_assert_init+0x290/0x430 linux/lib/debugobjects.c:866
> > >  debug_timer_assert_init linux/kernel/time/timer.c:729 [inline]
> > >  debug_assert_init linux/kernel/time/timer.c:774 [inline]
> > >  del_timer+0x67/0xf0 linux/kernel/time/timer.c:1196
> > >  realtek_cr_destructor+0x5a/0x90 linux/drivers/usb/storage/realtek_cr.c:937
> > >  usb_stor_release_resources linux/drivers/usb/storage/usb.c:817 [inline]
> > >  release_everything+0xc0/0x2c0 linux/drivers/usb/storage/usb.c:879
> > >  usb_unbind_interface+0x19f/0x810 linux/drivers/usb/core/driver.c:423
> > >  __device_release_driver linux/drivers/base/dd.c:1134 [inline]
> > >  device_release_driver_internal+0x429/0x4f0 linux/drivers/base/dd.c:1165
> > >  bus_remove_device+0x2d1/0x490 linux/drivers/base/bus.c:532
> > >  device_del+0x403/0xaa0 linux/drivers/base/core.c:2375
> > >  usb_disable_device+0x1d7/0x5f0 linux/drivers/usb/core/message.c:1237
> > >  usb_disconnect+0x25a/0x840 linux/drivers/usb/core/hub.c:2199
> > >  hub_port_connect linux/drivers/usb/core/hub.c:4949 [inline]
> > >  hub_port_connect_change linux/drivers/usb/core/hub.c:5213 [inline]
> > >  port_event linux/drivers/usb/core/hub.c:5359 [inline]
> > >  hub_event+0x11f5/0x3610 linux/drivers/usb/core/hub.c:5441
> > >  process_one_work+0x8b5/0x17c0 linux/kernel/workqueue.c:2269
> > >  worker_thread+0x82/0xb80 linux/kernel/workqueue.c:2415
> > >  kthread+0x325/0x3e0 linux/kernel/kthread.c:255
> > >  ret_from_fork+0x24/0x30 linux/arch/x86/entry/entry_64.S:352
> > > Dumping ftrace buffer:
> > >    (ftrace buffer empty)
> > > Kernel Offset: disabled
> > >
> > > Following is my analysis of this bug (I just added some comments to the source code):
> > > https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L887-L891
> > > static int realtek_cr_autosuspend_setup(struct us_data *us)
> > > {
> > >     ...
> > >     if (retval != STATUS_SUCCESS) {
> > >         usb_stor_dbg(us, "Read status fail\n");
> > >         return -EIO; // Error!
> > >     }
> > >     ...
> > >     timer_setup(&chip->rts51x_suspend_timer, rts51x_suspend_timer_fn,
> > >                 0); // rts51x_suspend_timer is never initialized when
> > >                     // realtek_cr_autosuspend_setup returns the error above.
> > > }
> > >
> > >
> > > https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L1010-L1012
> > >
> > > #ifdef CONFIG_REALTEK_AUTOPM
> > > if (ss_en)
> > >     realtek_cr_autosuspend_setup(us); // There isn't any check of the
> > >                                       // return code.
> > > #endif
> > >
> > > https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L936-L939
> > > static void realtek_cr_destructor(void *extra)
> > > {
> > >     ...
> > >     if (ss_en) {
> > >         del_timer(&chip->rts51x_suspend_timer); // Ouch! :(
> > >         chip->timer_expires = 0;
> > >     }
> > >     ...
> > > }


* Re: WARNING: ODEBUG bug in del_timer
From: zzoru @ 2019-10-18 23:36 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Alan Stern, Greg Kroah-Hartman, USB list, usb-storage, LKML,
	dokyungs, syzkaller

Hi

The customizations are related to driver fuzzing.
We added some more descriptions of USB driver & narrowed the
constraints (targeted fuzzing).

And sorry, I don't have much time to make patches for these bugs.

On Fri, Oct 18, 2019 at 2:33 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, Oct 16, 2019 at 11:59 AM zzoru <zzoru007@gmail.com> wrote:
> >
> > We found the following crash on Linux 5.4-rc1 (Not patched in current
> > HEAD commit 3b1f00aceb7a67bf079a5a64aa5c6baf78a8f442)
> > with our customized syzkaller.
>
> Hi zzoru,
>
> Do you mind sharing what customizations you did to syzkaller? Are
> these related to USB? I've noticed several reports were related to USB
> subsystem.
>
> > ODEBUG: assert_init not available (active state 0) object type:
> > timer_list hint: 0x0
> > WARNING: CPU: 0 PID: 141 at linux/lib/debugobjects.c:484
> > debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 0 PID: 141 Comm: kworker/0:3 Not tainted 5.4.0-rc1 #5
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >  __dump_stack linux/lib/dump_stack.c:77 [inline]
> >  dump_stack+0x7c/0xbb linux/lib/dump_stack.c:113
> >  panic+0x205/0x48e linux/kernel/panic.c:220
> >  __warn+0x19c/0x1c0 linux/kernel/panic.c:581
> >  report_bug+0x1a9/0x2b0 linux/lib/bug.c:195
> >  fixup_bug.part.11+0x32/0x80 linux/arch/x86/kernel/traps.c:179
> >  fixup_bug linux/arch/x86/include/asm/irqflags.h:54 [inline]
> >  do_error_trap+0xf5/0x160 linux/arch/x86/kernel/traps.c:272
> >  do_invalid_op+0x31/0x40 linux/arch/x86/kernel/traps.c:291
> >  invalid_op+0x23/0x30 linux/arch/x86/entry/entry_64.S:1028
> > RIP: 0010:debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
> > Code: 3c dd 80 05 9a 85 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7f 48 8b
> > 14 dd 80 05 9a 85 4c 89 ee 48 c7 c7 00 fb 99 85 e8 d2 a7 43 ff <0f> 0b
> > 83 05 cd bd 70 05 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
> > RSP: 0018:ffff888017017668 EFLAGS: 00010282
> > RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff814153b0
> > RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801a41f730
> > RBP: 0000000000000001 R08: ffffed1003483ee7 R09: ffffed1003483ee7
> > R10: 0000000000000001 R11: ffffed1003483ee6 R12: ffffffff86908460
> > R13: ffffffff859a01a0 R14: ffffffff812b6bc0 R15: ffff888017fb0420
> >  debug_object_assert_init+0x290/0x430 linux/lib/debugobjects.c:866
> >  debug_timer_assert_init linux/kernel/time/timer.c:729 [inline]
> >  debug_assert_init linux/kernel/time/timer.c:774 [inline]
> >  del_timer+0x67/0xf0 linux/kernel/time/timer.c:1196
> >  realtek_cr_destructor+0x5a/0x90 linux/drivers/usb/storage/realtek_cr.c:937
> >  usb_stor_release_resources linux/drivers/usb/storage/usb.c:817 [inline]
> >  release_everything+0xc0/0x2c0 linux/drivers/usb/storage/usb.c:879
> >  usb_unbind_interface+0x19f/0x810 linux/drivers/usb/core/driver.c:423
> >  __device_release_driver linux/drivers/base/dd.c:1134 [inline]
> >  device_release_driver_internal+0x429/0x4f0 linux/drivers/base/dd.c:1165
> >  bus_remove_device+0x2d1/0x490 linux/drivers/base/bus.c:532
> >  device_del+0x403/0xaa0 linux/drivers/base/core.c:2375
> >  usb_disable_device+0x1d7/0x5f0 linux/drivers/usb/core/message.c:1237
> >  usb_disconnect+0x25a/0x840 linux/drivers/usb/core/hub.c:2199
> >  hub_port_connect linux/drivers/usb/core/hub.c:4949 [inline]
> >  hub_port_connect_change linux/drivers/usb/core/hub.c:5213 [inline]
> >  port_event linux/drivers/usb/core/hub.c:5359 [inline]
> >  hub_event+0x11f5/0x3610 linux/drivers/usb/core/hub.c:5441
> >  process_one_work+0x8b5/0x17c0 linux/kernel/workqueue.c:2269
> >  worker_thread+0x82/0xb80 linux/kernel/workqueue.c:2415
> >  kthread+0x325/0x3e0 linux/kernel/kthread.c:255
> >  ret_from_fork+0x24/0x30 linux/arch/x86/entry/entry_64.S:352
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > Kernel Offset: disabled
> >
> > Following is my analysis of this bug (I just added some comments to the source code):
> > https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L887-L891
> > static int realtek_cr_autosuspend_setup(struct us_data *us)
> > {
> >     ...
> >     if (retval != STATUS_SUCCESS) {
> >         usb_stor_dbg(us, "Read status fail\n");
> >         return -EIO; // Error!
> >     }
> >     ...
> >     timer_setup(&chip->rts51x_suspend_timer, rts51x_suspend_timer_fn,
> >                 0); // rts51x_suspend_timer is never initialized when
> >                     // realtek_cr_autosuspend_setup returns the error above.
> > }
> >
> >
> > https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L1010-L1012
> >
> > #ifdef CONFIG_REALTEK_AUTOPM
> > if (ss_en)
> >     realtek_cr_autosuspend_setup(us); // There isn't any check of the
> >                                       // return code.
> > #endif
> >
> > https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L936-L939
> > static void realtek_cr_destructor(void *extra)
> > {
> >     ...
> >     if (ss_en) {
> >         del_timer(&chip->rts51x_suspend_timer); // Ouch! :(
> >         chip->timer_expires = 0;
> >     }
> >     ...
> > }


* Re: WARNING: ODEBUG bug in del_timer
From: Dmitry Vyukov @ 2019-10-18  9:33 UTC (permalink / raw)
  To: zzoru
  Cc: Alan Stern, Greg Kroah-Hartman, USB list, usb-storage, LKML,
	dokyungs, syzkaller

On Wed, Oct 16, 2019 at 11:59 AM zzoru <zzoru007@gmail.com> wrote:
>
> We found the following crash on Linux 5.4-rc1 (Not patched in current
> HEAD commit 3b1f00aceb7a67bf079a5a64aa5c6baf78a8f442)
> with our customized syzkaller.

Hi zzoru,

Do you mind sharing what customizations you did to syzkaller? Are
these related to USB? I've noticed several reports were related to USB
subsystem.

> ODEBUG: assert_init not available (active state 0) object type:
> timer_list hint: 0x0
> WARNING: CPU: 0 PID: 141 at linux/lib/debugobjects.c:484
> debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 141 Comm: kworker/0:3 Not tainted 5.4.0-rc1 #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  __dump_stack linux/lib/dump_stack.c:77 [inline]
>  dump_stack+0x7c/0xbb linux/lib/dump_stack.c:113
>  panic+0x205/0x48e linux/kernel/panic.c:220
>  __warn+0x19c/0x1c0 linux/kernel/panic.c:581
>  report_bug+0x1a9/0x2b0 linux/lib/bug.c:195
>  fixup_bug.part.11+0x32/0x80 linux/arch/x86/kernel/traps.c:179
>  fixup_bug linux/arch/x86/include/asm/irqflags.h:54 [inline]
>  do_error_trap+0xf5/0x160 linux/arch/x86/kernel/traps.c:272
>  do_invalid_op+0x31/0x40 linux/arch/x86/kernel/traps.c:291
>  invalid_op+0x23/0x30 linux/arch/x86/entry/entry_64.S:1028
> RIP: 0010:debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
> Code: 3c dd 80 05 9a 85 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7f 48 8b
> 14 dd 80 05 9a 85 4c 89 ee 48 c7 c7 00 fb 99 85 e8 d2 a7 43 ff <0f> 0b
> 83 05 cd bd 70 05 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
> RSP: 0018:ffff888017017668 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff814153b0
> RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801a41f730
> RBP: 0000000000000001 R08: ffffed1003483ee7 R09: ffffed1003483ee7
> R10: 0000000000000001 R11: ffffed1003483ee6 R12: ffffffff86908460
> R13: ffffffff859a01a0 R14: ffffffff812b6bc0 R15: ffff888017fb0420
>  debug_object_assert_init+0x290/0x430 linux/lib/debugobjects.c:866
>  debug_timer_assert_init linux/kernel/time/timer.c:729 [inline]
>  debug_assert_init linux/kernel/time/timer.c:774 [inline]
>  del_timer+0x67/0xf0 linux/kernel/time/timer.c:1196
>  realtek_cr_destructor+0x5a/0x90 linux/drivers/usb/storage/realtek_cr.c:937
>  usb_stor_release_resources linux/drivers/usb/storage/usb.c:817 [inline]
>  release_everything+0xc0/0x2c0 linux/drivers/usb/storage/usb.c:879
>  usb_unbind_interface+0x19f/0x810 linux/drivers/usb/core/driver.c:423
>  __device_release_driver linux/drivers/base/dd.c:1134 [inline]
>  device_release_driver_internal+0x429/0x4f0 linux/drivers/base/dd.c:1165
>  bus_remove_device+0x2d1/0x490 linux/drivers/base/bus.c:532
>  device_del+0x403/0xaa0 linux/drivers/base/core.c:2375
>  usb_disable_device+0x1d7/0x5f0 linux/drivers/usb/core/message.c:1237
>  usb_disconnect+0x25a/0x840 linux/drivers/usb/core/hub.c:2199
>  hub_port_connect linux/drivers/usb/core/hub.c:4949 [inline]
>  hub_port_connect_change linux/drivers/usb/core/hub.c:5213 [inline]
>  port_event linux/drivers/usb/core/hub.c:5359 [inline]
>  hub_event+0x11f5/0x3610 linux/drivers/usb/core/hub.c:5441
>  process_one_work+0x8b5/0x17c0 linux/kernel/workqueue.c:2269
>  worker_thread+0x82/0xb80 linux/kernel/workqueue.c:2415
>  kthread+0x325/0x3e0 linux/kernel/kthread.c:255
>  ret_from_fork+0x24/0x30 linux/arch/x86/entry/entry_64.S:352
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
>
> Following is my analysis of this bug (I just added some comments to the source code):
> https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L887-L891
> static int realtek_cr_autosuspend_setup(struct us_data *us)
> {
>     ...
>     if (retval != STATUS_SUCCESS) {
>         usb_stor_dbg(us, "Read status fail\n");
>         return -EIO; // Error!
>     }
>     ...
>     timer_setup(&chip->rts51x_suspend_timer, rts51x_suspend_timer_fn,
>                 0); // rts51x_suspend_timer is never initialized when
>                     // realtek_cr_autosuspend_setup returns the error above.
> }
>
>
> https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L1010-L1012
>
> #ifdef CONFIG_REALTEK_AUTOPM
> if (ss_en)
>     realtek_cr_autosuspend_setup(us); // There isn't any check of the
>                                       // return code.
> #endif
>
> https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L936-L939
> static void realtek_cr_destructor(void *extra)
> {
>     ...
>     if (ss_en) {
>         del_timer(&chip->rts51x_suspend_timer); // Ouch! :(
>         chip->timer_expires = 0;
>     }
>     ...
> }


* WARNING: ODEBUG bug in del_timer
From: zzoru @ 2019-10-16  9:58 UTC (permalink / raw)
  To: stern, gregkh, linux-usb, usb-storage, LKML; +Cc: dokyungs, syzkaller

We found the following crash on Linux 5.4-rc1 (Not patched in current
HEAD commit 3b1f00aceb7a67bf079a5a64aa5c6baf78a8f442)
with our customized syzkaller.

ODEBUG: assert_init not available (active state 0) object type:
timer_list hint: 0x0
WARNING: CPU: 0 PID: 141 at linux/lib/debugobjects.c:484
debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 141 Comm: kworker/0:3 Not tainted 5.4.0-rc1 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack linux/lib/dump_stack.c:77 [inline]
 dump_stack+0x7c/0xbb linux/lib/dump_stack.c:113
 panic+0x205/0x48e linux/kernel/panic.c:220
 __warn+0x19c/0x1c0 linux/kernel/panic.c:581
 report_bug+0x1a9/0x2b0 linux/lib/bug.c:195
 fixup_bug.part.11+0x32/0x80 linux/arch/x86/kernel/traps.c:179
 fixup_bug linux/arch/x86/include/asm/irqflags.h:54 [inline]
 do_error_trap+0xf5/0x160 linux/arch/x86/kernel/traps.c:272
 do_invalid_op+0x31/0x40 linux/arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 linux/arch/x86/entry/entry_64.S:1028
RIP: 0010:debug_print_object+0x15e/0x220 linux/lib/debugobjects.c:481
Code: 3c dd 80 05 9a 85 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7f 48 8b
14 dd 80 05 9a 85 4c 89 ee 48 c7 c7 00 fb 99 85 e8 d2 a7 43 ff <0f> 0b
83 05 cd bd 70 05 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff888017017668 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff814153b0
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801a41f730
RBP: 0000000000000001 R08: ffffed1003483ee7 R09: ffffed1003483ee7
R10: 0000000000000001 R11: ffffed1003483ee6 R12: ffffffff86908460
R13: ffffffff859a01a0 R14: ffffffff812b6bc0 R15: ffff888017fb0420
 debug_object_assert_init+0x290/0x430 linux/lib/debugobjects.c:866
 debug_timer_assert_init linux/kernel/time/timer.c:729 [inline]
 debug_assert_init linux/kernel/time/timer.c:774 [inline]
 del_timer+0x67/0xf0 linux/kernel/time/timer.c:1196
 realtek_cr_destructor+0x5a/0x90 linux/drivers/usb/storage/realtek_cr.c:937
 usb_stor_release_resources linux/drivers/usb/storage/usb.c:817 [inline]
 release_everything+0xc0/0x2c0 linux/drivers/usb/storage/usb.c:879
 usb_unbind_interface+0x19f/0x810 linux/drivers/usb/core/driver.c:423
 __device_release_driver linux/drivers/base/dd.c:1134 [inline]
 device_release_driver_internal+0x429/0x4f0 linux/drivers/base/dd.c:1165
 bus_remove_device+0x2d1/0x490 linux/drivers/base/bus.c:532
 device_del+0x403/0xaa0 linux/drivers/base/core.c:2375
 usb_disable_device+0x1d7/0x5f0 linux/drivers/usb/core/message.c:1237
 usb_disconnect+0x25a/0x840 linux/drivers/usb/core/hub.c:2199
 hub_port_connect linux/drivers/usb/core/hub.c:4949 [inline]
 hub_port_connect_change linux/drivers/usb/core/hub.c:5213 [inline]
 port_event linux/drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x11f5/0x3610 linux/drivers/usb/core/hub.c:5441
 process_one_work+0x8b5/0x17c0 linux/kernel/workqueue.c:2269
 worker_thread+0x82/0xb80 linux/kernel/workqueue.c:2415
 kthread+0x325/0x3e0 linux/kernel/kthread.c:255
 ret_from_fork+0x24/0x30 linux/arch/x86/entry/entry_64.S:352
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled

Following is my analysis of this bug (I just added some comments to the source code):
https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L887-L891
static int realtek_cr_autosuspend_setup(struct us_data *us)
{
    ...
    if (retval != STATUS_SUCCESS) {
        usb_stor_dbg(us, "Read status fail\n");
        return -EIO; // Error!
    }
    ...
    timer_setup(&chip->rts51x_suspend_timer, rts51x_suspend_timer_fn,
                0); // rts51x_suspend_timer is never initialized when
                    // realtek_cr_autosuspend_setup returns the error above.
}


https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L1010-L1012

#ifdef CONFIG_REALTEK_AUTOPM
if (ss_en)
    realtek_cr_autosuspend_setup(us); // There isn't any check of the
                                      // return code.
#endif

https://github.com/torvalds/linux/blob/e0703556644a531e50b5dc61b9f6ea83af5f6604/drivers/usb/storage/realtek_cr.c#L936-L939
static void realtek_cr_destructor(void *extra)
{
    ...
    if (ss_en) {
        del_timer(&chip->rts51x_suspend_timer); // Ouch! :(
        chip->timer_expires = 0;
    }
    ...
}
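Both traces in this thread trip the same debugobjects assertion: del_timer() reaches debug_object_assert_init() on a timer_list that was never set up, in the syzbot report through mod_delayed_work() called from smc_setsockopt(), and in the analysis above through realtek_cr_destructor() after realtek_cr_autosuspend_setup() returned before its timer_setup() call. The userspace C program below is an added illustration for this archive page, not code from the thread or from the kernel: it models the pattern with a mock timer that carries an ODEBUG-style "initialised" tag, shows the setup routine leaving early and the destructor tripping the check, and puts a hardened destructor beside it that keys the teardown on a per-object initialised flag rather than on the module-wide ss_en switch. mock_timer_setup, mock_del_timer, struct chip, probe, run_cycle and the TIMER_MAGIC constant are all hypothetical names; the real driver's ss_en is a module parameter, which is why the model does not try to clear it per device.

```c
/* Userspace model of the failure pattern behind both traces in this thread:
 * a timer that is set up only on the success path of a setup routine and
 * then torn down unconditionally. The mock timer carries an ODEBUG-style
 * "was this object initialised?" tag so the bad del_timer() call is caught
 * the same way debugobjects caught it. Every name here is hypothetical;
 * none of these are kernel APIs. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TIMER_MAGIC 0x54494d52u   /* written only by mock_timer_setup() */

struct mock_timer {
    unsigned int magic;            /* stands in for the debugobjects tracking state */
    void (*fn)(struct mock_timer *);
    bool pending;
};

/* Stands in for the driver's per-device chip structure. */
struct chip {
    struct mock_timer suspend_timer;
    bool ss_en;                    /* autosuspend switch (a module parameter in the driver) */
    bool timer_ready;              /* hardened version: set only after the timer was set up */
};

static int odebug_violations;      /* "assert_init not available" events seen so far */

static void mock_timer_setup(struct mock_timer *t, void (*fn)(struct mock_timer *))
{
    t->magic = TIMER_MAGIC;
    t->fn = fn;
    t->pending = false;
}

/* Mimics del_timer() under CONFIG_DEBUG_OBJECTS_TIMERS: the very first step
 * asserts that the object was initialised. With panic_on_warn this is the
 * point where the kernels in the thread panicked. */
static int mock_del_timer(struct mock_timer *t)
{
    if (t->magic != TIMER_MAGIC) {
        odebug_violations++;
        fprintf(stderr, "ODEBUG: assert_init not available, object type: mock_timer\n");
        return -1;
    }
    bool was_pending = t->pending;
    t->pending = false;
    return was_pending ? 1 : 0;
}

static void suspend_timer_fn(struct mock_timer *t) { (void)t; }

/* Model of realtek_cr_autosuspend_setup(): a status read can fail before the
 * timer is ever set up. read_ok stands in for the outcome of that read. */
static int autosuspend_setup(struct chip *c, bool read_ok)
{
    if (!read_ok)
        return -5;                 /* -EIO: leaves before the timer_setup() call */
    mock_timer_setup(&c->suspend_timer, suspend_timer_fn);
    c->timer_ready = true;
    return 0;
}

/* Model of the probe path: zeroed memory (as from kzalloc) plus a setup call
 * whose return code the caller ignores, like the #ifdef block quoted above. */
int probe(struct chip *c, bool read_ok)
{
    memset(c, 0, sizeof(*c));
    c->ss_en = true;
    return c->ss_en ? autosuspend_setup(c, read_ok) : 0;
}

/* Model of realtek_cr_destructor(): keys the teardown on the module-wide
 * switch alone, so a failed setup leaves it calling del_timer() on zeros. */
static void destructor_buggy(struct chip *c)
{
    if (c->ss_en)
        mock_del_timer(&c->suspend_timer);
}

/* Hardened destructor: only tear down what this object actually set up. */
static void destructor_fixed(struct chip *c)
{
    if (c->ss_en && c->timer_ready)
        mock_del_timer(&c->suspend_timer);
}

/* One probe/disconnect cycle; returns the number of ODEBUG-style violations. */
int run_cycle(bool hardened, bool read_ok)
{
    struct chip c;
    odebug_violations = 0;
    (void)probe(&c, read_ok);      /* return code dropped, as in the driver */
    if (hardened)
        destructor_fixed(&c);
    else
        destructor_buggy(&c);
    return odebug_violations;
}

int main(void)
{
    printf("buggy destructor, status read fails: %d violation(s)\n", run_cycle(false, false));
    printf("buggy destructor, status read ok:    %d violation(s)\n", run_cycle(false, true));
    printf("fixed destructor, status read fails: %d violation(s)\n", run_cycle(true, false));
    return 0;
}
```

Build with `cc -Wall`; the buggy destructor after a failed status read reports one violation, every other combination reports none. The per-object flag is the essential part: zeroed memory looks exactly like an uninitialised timer to debugobjects, which is what "active state 0" with a null hint in both traces means, and only code that knows whether timer_setup() actually ran can decide whether del_timer() is safe to call.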

