Created
July 25, 2025 19:33
PREEMPT_RT has a BUG introduced by f85d39dd7ed8 ("kcov, usb: disable interrupts in kcov_remote_start_usb_softirq")
| [ 114.639440][ C1] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | |
| [ 114.639474][ C1] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 30, name: ksoftirqd/1 | |
| [ 114.639483][ C1] preempt_count: 0, expected: 0 | |
| [ 114.639488][ C1] RCU nest depth: 2, expected: 2 | |
| [ 114.639501][ C1] CPU: 1 UID: 0 PID: 30 Comm: ksoftirqd/1 Tainted: G W 6.16.0-rc1-rt1 #11 PREEMPT_RT | |
| [ 114.639516][ C1] Tainted: [W]=WARN | |
| [ 114.639519][ C1] Hardware name: QEMU KVM Virtual Machine, BIOS 2025.02-8 05/13/2025 | |
| [ 114.639525][ C1] Call trace: | |
| [ 114.639529][ C1] show_stack+0x2c/0x3c (C) | |
| [ 114.639561][ C1] __dump_stack+0x30/0x40 | |
| [ 114.639586][ C1] dump_stack_lvl+0x148/0x1d8 | |
| [ 114.639599][ C1] dump_stack+0x1c/0x3c | |
| [ 114.639611][ C1] __might_resched+0x2e4/0x52c | |
| [ 114.639622][ C1] rt_spin_lock+0xa8/0x1bc | |
| [ 114.639635][ C1] kcov_remote_start+0xb0/0x490 | |
| [ 114.639657][ C1] __usb_hcd_giveback_urb+0x2d0/0x5e8 | |
| [ 114.639680][ C1] usb_giveback_urb_bh+0x234/0x3c4 | |
| [ 114.639694][ C1] process_scheduled_works+0x678/0xd18 | |
| [ 114.639719][ C1] bh_worker+0x2f0/0x59c | |
| [ 114.639730][ C1] workqueue_softirq_action+0x104/0x14c | |
| [ 114.639742][ C1] tasklet_action+0x18/0x8c | |
| [ 114.639754][ C1] handle_softirqs+0x208/0x63c | |
| [ 114.639762][ C1] run_ksoftirqd+0x64/0x264 | |
| SYZFAIL: failed to recv rpc | |
| fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) | |
| [ 114.639772][ C1] smpboot_thread_fn+0x4ac/0x908 | |
| [ 114.639787][ C1] kthread+0x5e8/0x734 | |
| [ 114.639805][ C1] ret_from_fork+0x10/0x20 |
| #include <fcntl.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <sys/stat.h> | |
| #include <sys/syscall.h> | |
| #include <sys/types.h> | |
| #include <unistd.h> | |
| #ifndef __NR_mmap | |
| #define __NR_mmap 222 | |
| #endif | |
/*
 * syzkaller helper that opens a device node and returns the result of open().
 *
 * a0 == 0xc or a0 == 0xb: a0 selects "/dev/char" or "/dev/block", and the
 * low 8 bits of a1 and a2 are the two numbers in "/dev/<kind>/<a1>:<a2>".
 * The node is opened O_RDWR.
 *
 * Any other a0 is treated as a pointer to a NUL-terminated path template.
 * Every '#' in the template is replaced, left to right, by successive
 * decimal digits of a1 starting with the least significant one, so id 12
 * turns "/dev/bus/usb/00#/00#" into "/dev/bus/usb/002/001". a2 is passed
 * to open() as the flags. The template is copied into a 1024-byte local
 * buffer and truncated to 1023 characters; the caller's memory is not
 * modified.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	char path[1024];

	if (a0 == 0xc || a0 == 0xb) {
		const char *kind = (a0 == 0xc) ? "char" : "block";

		/* Longest possible result is "/dev/block/255:255", far below
		 * sizeof(path), so the bounded call never truncates. */
		snprintf(path, sizeof(path), "/dev/%s/%d:%d", kind, (uint8_t)a1,
			 (uint8_t)a2);
		return open(path, O_RDWR, 0);
	}

	unsigned long digits = a1;

	/* strncpy does not terminate on truncation; force the final NUL. */
	strncpy(path, (char *)a0, sizeof(path) - 1);
	path[sizeof(path) - 1] = 0;

	for (char *slot = strchr(path, '#'); slot != NULL;
	     slot = strchr(path, '#')) {
		*slot = '0' + (char)(digits % 10);
		digits /= 10;
	}
	return open(path, a2, 0);
}
/*
 * Entry point of the syzkaller-generated C reproducer.
 *
 * Maps the fixed-address data area the generated code writes into: one
 * page at 0x1ffff000 with prot=0 (no access; presumably a guard page
 * directly below the data area) and 16 MiB at 0x20000000 with
 * read/write/exec permissions.
 *
 * It then performs 20 opens, one per syz_open_dev$usbfs line of the syz
 * program on this page. Each open copies the usbfs path template into its
 * own 0x40-byte slot, starting at 0x20000040, and calls syz_open_dev() with
 * one of five ids and one of four open flag values. Return values of mmap
 * and of the opens are ignored and no descriptor is closed, as in the
 * generated original.
 */
int main(void)
{
	static const long dev_ids[] = {2, 0xc, 0x16, 0x20, 0x2a};
	static const long open_flags[] = {
		0,
		/*O_WRONLY*/ 1,
		/*O_RDWR*/ 2,
		/*O_NONBLOCK*/ 0x800,
	};
	const size_t id_count = sizeof(dev_ids) / sizeof(dev_ids[0]);
	const size_t flag_count = sizeof(open_flags) / sizeof(open_flags[0]);
	uintptr_t slot = 0x20000040;

	syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul,
		/*prot=*/0ul,
		/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
		/*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
		/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
		/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
		/*fd=*/(intptr_t)-1, /*offset=*/0ul);

	/* Empty body: the condition only consumes write()'s return value. */
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}

	/* Ids vary slowest and flags fastest, matching the original call order. */
	for (size_t i = 0; i < id_count; i++) {
		for (size_t j = 0; j < flag_count; j++) {
			memcpy((void *)slot, "/dev/bus/usb/00#/00#\000", 21);
			syz_open_dev(/*dev=*/(long)slot, /*id=*/dev_ids[i],
				     /*flags=*/open_flags[j]);
			slot += 0x40;
		}
	}
	return 0;
}
| syz_open_dev$usbfs(&(0x7f0000000040), 0x2, 0x0) | |
| syz_open_dev$usbfs(&(0x7f0000000080), 0x2, 0x1) | |
| syz_open_dev$usbfs(&(0x7f00000000c0), 0x2, 0x2) | |
| syz_open_dev$usbfs(&(0x7f0000000100), 0x2, 0x800) | |
| syz_open_dev$usbfs(&(0x7f0000000140), 0xc, 0x0) | |
| syz_open_dev$usbfs(&(0x7f0000000180), 0xc, 0x1) | |
| syz_open_dev$usbfs(&(0x7f00000001c0), 0xc, 0x2) | |
| syz_open_dev$usbfs(&(0x7f0000000200), 0xc, 0x800) | |
| syz_open_dev$usbfs(&(0x7f0000000240), 0x16, 0x0) | |
| syz_open_dev$usbfs(&(0x7f0000000280), 0x16, 0x1) | |
| syz_open_dev$usbfs(&(0x7f00000002c0), 0x16, 0x2) | |
| syz_open_dev$usbfs(&(0x7f0000000300), 0x16, 0x800) | |
| syz_open_dev$usbfs(&(0x7f0000000340), 0x20, 0x0) | |
| syz_open_dev$usbfs(&(0x7f0000000380), 0x20, 0x1) | |
| syz_open_dev$usbfs(&(0x7f00000003c0), 0x20, 0x2) | |
| syz_open_dev$usbfs(&(0x7f0000000400), 0x20, 0x800) | |
| syz_open_dev$usbfs(&(0x7f0000000440), 0x2a, 0x0) | |
| syz_open_dev$usbfs(&(0x7f0000000480), 0x2a, 0x1) | |
| syz_open_dev$usbfs(&(0x7f00000004c0), 0x2a, 0x2) | |
| syz_open_dev$usbfs(&(0x7f0000000500), 0x2a, 0x800) |