WARNING in __queue_work

WARNING in __queue_work

[Hao Sun]

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
git tree: upstream
console output:
https://drive.google.com/file/d/10dFvcbiBLWmCS05daXKnBH-ZEa8M7aI9/view?usp=sharing
kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing

Sorry, I don't have a reproducer for this crash, hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@gmail.com>

Bluetooth: hci1: command 0x040f tx timeout
------------[ cut here ]------------
WARNING: CPU: 2 PID: 10555 at kernel/workqueue.c:1440
__queue_work+0x437/0x8d0 kernel/workqueue.c:1440
Modules linked in:
CPU: 2 PID: 10555 Comm: kworker/2:7 Not tainted 5.15.0-rc1+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events hci_cmd_timeout
RIP: 0010:__queue_work+0x437/0x8d0 kernel/workqueue.c:1440
Code: 11 00 48 89 df e8 09 a7 00 00 48 85 c0 48 89 c3 74 13 e8 ec c7
11 00 48 8b 43 20 4c 3b 70 08 0f 84 22 fc ff ff e8 d9 c7 11 00 <0f> 0b
e9 30 fe ff ff e8 cd c7 11 00 65 ff 05 a6 a6 db 7e 48 8b 05
RSP: 0018:ffffc90000b93dd0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff88813db5af60 RCX: 0000000000000000
RDX: ffff88800d752240 RSI: ffffffff8125c947 RDI: ffff88800d752240
RBP: ffffc90000b93e10 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000b93d18 R11: 0000000000000002 R12: ffff888111f8ab30
R13: 0000000000000008 R14: ffff88810c7fb000 R15: 0000000000000008
FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f5a4c974a8 CR3: 0000000046d36000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 queue_work_on+0x97/0xb0 kernel/workqueue.c:1546
 process_one_work+0x359/0x850 kernel/workqueue.c:2297
 worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
 kthread+0x178/0x1b0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Re: WARNING in __queue_work

[Lai Jiangshan]

On Mon, Sep 20, 2021 at 9:13 PM Hao Sun <sunhao.th@gmail.com> wrote:
>
> Hello,
>
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
>
> HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
> git tree: upstream
> console output:
> https://drive.google.com/file/d/10dFvcbiBLWmCS05daXKnBH-ZEa8M7aI9/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing
>
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@gmail.com>
>
> Bluetooth: hci1: command 0x040f tx timeout
> ------------[ cut here ]------------
> WARNING: CPU: 2 PID: 10555 at kernel/workqueue.c:1440
> __queue_work+0x437/0x8d0 kernel/workqueue.c:1440
> Modules linked in:
> CPU: 2 PID: 10555 Comm: kworker/2:7 Not tainted 5.15.0-rc1+ #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Workqueue: events hci_cmd_timeout

Add CC to Bluetooth people to deal with it together since the code
is also just changed.

It seems cmd_timer or cmd_timer.work is still active or pending for
unknown reasons when hdev->workqueue is being drained.