* WARNING in port100_send_frame_async/usb_submit_urb
@ 2020-12-01  9:21 syzbot
       [not found] ` <20201201094702.1762-1-hdanton@sina.com>
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: syzbot @ 2020-12-01  9:21 UTC (permalink / raw)
  To: eli.billauer, gregkh, gustavoars, ingrassia, linux-kernel,
	linux-usb, stern, syzkaller-bugs, tiwai

Hello,

syzbot found the following issue on:

HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dbec6695a6565a9c6bc0@syzkaller.appspotmail.com

usb 1-1: string descriptor 0 read error: -32
------------[ cut here ]------------
URB 000000005c26bc1e submitted while active
WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
Code: 5c 41 5d 41 5e 41 5f 5d e9 76 5b ff ff e8 f1 e8 04 fc c6 05 25 0e 8b 07 01 48 c7 c7 a0 b7 5b 8a 4c 89 e6 31 c0 e8 89 07 d5 fb <0f> 0b e9 20 f1 ff ff e8 cd e8 04 fc eb 05 e8 c6 e8 04 fc bb a6 ff
RSP: 0018:ffffc90000ca6ec8 EFLAGS: 00010246
RAX: cf72e284cb303700 RBX: ffff888021723708 RCX: ffff888011108000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000cc0 R08: ffffffff815d29f2 R09: ffffed1017383ffc
R10: ffffed1017383ffc R11: 0000000000000000 R12: ffff888021723700
R13: dffffc0000000000 R14: ffff888012cfa458 R15: 1ffff1100259f489
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056157313d160 CR3: 000000001e22c000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
 port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
 port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
 port100_set_command_type drivers/nfc/port100.c:987 [inline]
 port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567
 usb_probe_interface+0x662/0xb40 drivers/usb/core/driver.c:396
 really_probe+0x4ab/0x1380 drivers/base/dd.c:558
 driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
 bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
 __device_attach+0x2c9/0x480 drivers/base/dd.c:912
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
 device_add+0x1612/0x19e0 drivers/base/core.c:2936
 usb_set_configuration+0x1c17/0x2100 drivers/usb/core/message.c:2159
 usb_generic_driver_probe+0x82/0x140 drivers/usb/core/generic.c:238
 usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
 really_probe+0x4ab/0x1380 drivers/base/dd.c:558
 driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
 bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
 __device_attach+0x2c9/0x480 drivers/base/dd.c:912
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
 device_add+0x1612/0x19e0 drivers/base/core.c:2936
 usb_new_device+0xcc3/0x1700 drivers/usb/core/hub.c:2554
 hub_port_connect+0xec7/0x2540 drivers/usb/core/hub.c:5222
 hub_port_connect_change+0x600/0xb00 drivers/usb/core/hub.c:5362
 port_event+0xae9/0x10a0 drivers/usb/core/hub.c:5508
 hub_event+0x417/0xcb0 drivers/usb/core/hub.c:5590
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2272
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2418
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: WARNING in port100_send_frame_async/usb_submit_urb
       [not found] ` <20201201094702.1762-1-hdanton@sina.com>
@ 2020-12-01  9:59   ` Greg KH
  2020-12-01 14:50     ` Alan Stern
       [not found]   ` <20201201103626.1819-1-hdanton@sina.com>
  1 sibling, 1 reply; 6+ messages in thread
From: Greg KH @ 2020-12-01  9:59 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, eli.billauer, gustavoars, ingrassia, linux-kernel,
	linux-usb, stern, syzkaller-bugs, tiwai

On Tue, Dec 01, 2020 at 05:47:02PM +0800, Hillf Danton wrote:
> On Tue, 01 Dec 2020 01:21:27 -0800
> > syzbot found the following issue on:
> > 
> > HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> > dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> > compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+dbec6695a6565a9c6bc0@syzkaller.appspotmail.com
> > 
> > usb 1-1: string descriptor 0 read error: -32
> > ------------[ cut here ]------------
> > URB 000000005c26bc1e submitted while active
> > WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> > Modules linked in:
> > CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> > Call Trace:
> >  port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
> >  port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
> >  port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
> >  port100_set_command_type drivers/nfc/port100.c:987 [inline]
> >  port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567
> >  usb_probe_interface+0x662/0xb40 drivers/usb/core/driver.c:396
> >  really_probe+0x4ab/0x1380 drivers/base/dd.c:558
> >  driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
> >  bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
> >  __device_attach+0x2c9/0x480 drivers/base/dd.c:912
> >  bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
> >  device_add+0x1612/0x19e0 drivers/base/core.c:2936
> >  usb_set_configuration+0x1c17/0x2100 drivers/usb/core/message.c:2159
> >  usb_generic_driver_probe+0x82/0x140 drivers/usb/core/generic.c:238
> >  usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
> >  really_probe+0x4ab/0x1380 drivers/base/dd.c:558
> >  driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
> >  bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
> >  __device_attach+0x2c9/0x480 drivers/base/dd.c:912
> >  bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
> >  device_add+0x1612/0x19e0 drivers/base/core.c:2936
> >  usb_new_device+0xcc3/0x1700 drivers/usb/core/hub.c:2554
> >  hub_port_connect+0xec7/0x2540 drivers/usb/core/hub.c:5222
> >  hub_port_connect_change+0x600/0xb00 drivers/usb/core/hub.c:5362
> >  port_event+0xae9/0x10a0 drivers/usb/core/hub.c:5508
> >  hub_event+0x417/0xcb0 drivers/usb/core/hub.c:5590
> >  process_one_work+0x789/0xfc0 kernel/workqueue.c:2272
> >  worker_thread+0xaa4/0x1460 kernel/workqueue.c:2418
> >  kthread+0x39a/0x3c0 kernel/kthread.c:292
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> 
> Clear urb before putting it in use.
> 
> --- a/drivers/nfc/port100.c
> +++ b/drivers/nfc/port100.c
> @@ -1525,7 +1525,7 @@ static int port100_probe(struct usb_inte
>  	}
>  
>  	dev->in_urb = usb_alloc_urb(0, GFP_KERNEL);
> -	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL);
> +	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL | __GFP_ZERO);
>  
>  	if (!dev->in_urb || !dev->out_urb) {
>  		nfc_err(&interface->dev, "Could not allocate USB URBs\n");
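Review bot: The `__GFP_ZERO` added to the `dev->out_urb` allocation does not address the reported "URB ... submitted while active" warning. In the trace that warning fires on a later `usb_submit_urb()` reached from `port100_probe()` through `port100_send_cmd_sync()` and `port100_send_frame_async()` (port100.c:780), so the state of the URB at allocation time is not what the check is complaining about. The changelog "Clear urb before putting it in use." does not say which field is expected to be stale, and the hunk treats `out_urb` differently from `in_urb` without explanation. Please describe how the URB ends up in flight at the second submission and make the driver wait for, or cancel, the outstanding submission before reuse; the commit should also carry the Reported-by tag the report asks for.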

How does this solve a warning in the USB core about a string descriptor
error?


* Re: WARNING in port100_send_frame_async/usb_submit_urb
  2020-12-01  9:59   ` Greg KH
@ 2020-12-01 14:50     ` Alan Stern
  0 siblings, 0 replies; 6+ messages in thread
From: Alan Stern @ 2020-12-01 14:50 UTC (permalink / raw)
  To: Greg KH
  Cc: Hillf Danton, syzbot, eli.billauer, gustavoars, ingrassia,
	linux-kernel, linux-usb, syzkaller-bugs, tiwai

On Tue, Dec 01, 2020 at 10:59:06AM +0100, Greg KH wrote:
> On Tue, Dec 01, 2020 at 05:47:02PM +0800, Hillf Danton wrote:
> > On Tue, 01 Dec 2020 01:21:27 -0800
> > > syzbot found the following issue on:
> > > 
> > > HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> > > compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
> > > 
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+dbec6695a6565a9c6bc0@syzkaller.appspotmail.com
> > > 
> > > usb 1-1: string descriptor 0 read error: -32
> > > ------------[ cut here ]------------
> > > URB 000000005c26bc1e submitted while active

> > Clear urb before putting it in use.
> > 
> > --- a/drivers/nfc/port100.c
> > +++ b/drivers/nfc/port100.c
> > @@ -1525,7 +1525,7 @@ static int port100_probe(struct usb_inte
> >  	}
> >  
> >  	dev->in_urb = usb_alloc_urb(0, GFP_KERNEL);
> > -	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL);
> > +	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL | __GFP_ZERO);
> >  
> >  	if (!dev->in_urb || !dev->out_urb) {
> >  		nfc_err(&interface->dev, "Could not allocate USB URBs\n");
> 
> How does this solve a warning in the USB core about a string descriptor
> error?

Greg, you misread the bug report.  The problem wasn't the string 
descriptor read error; it was URB submitted while active.

More to the point, adding __GFP_ZERO to the usb_alloc_urb call won't fix 
anything, because usb_alloc_urb calls usb_init_urb, which already does a 
memset.

Alan Stern


* Re: WARNING in port100_send_frame_async/usb_submit_urb
       [not found]   ` <20201201103626.1819-1-hdanton@sina.com>
@ 2020-12-01 16:41     ` Greg KH
  0 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2020-12-01 16:41 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, eli.billauer, gustavoars, ingrassia, linux-kernel,
	linux-usb, stern, syzkaller-bugs, tiwai

On Tue, Dec 01, 2020 at 06:36:26PM +0800, Hillf Danton wrote:
> On Tue, 1 Dec 2020 10:59:06 +0100 Greg KH wrote:
> >On Tue, Dec 01, 2020 at 05:47:02PM +0800, Hillf Danton wrote:
> >> On Tue, 01 Dec 2020 01:21:27 -0800
> >> > syzbot found the following issue on:
> >> > 
> >> > HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> >> > git tree:       upstream
> >> > console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> >> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> >> > dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> >> > compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> >> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
> >> > 
> >> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> > Reported-by: syzbot+dbec6695a6565a9c6bc0@syzkaller.appspotmail.com
> >> > 
> >> > usb 1-1: string descriptor 0 read error: -32
> >> > ------------[ cut here ]------------
> >> > URB 000000005c26bc1e submitted while active
> >> > WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> >> > Modules linked in:
> >> > CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
> >> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> > Workqueue: usb_hub_wq hub_event
> >> > RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> >> > Call Trace:
> >> >  port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
> >> >  port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
> >> >  port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
> >> >  port100_set_command_type drivers/nfc/port100.c:987 [inline]
> >> >  port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567
> >> >  usb_probe_interface+0x662/0xb40 drivers/usb/core/driver.c:396
> >> >  really_probe+0x4ab/0x1380 drivers/base/dd.c:558
> >> >  driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
> >> >  bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
> >> >  __device_attach+0x2c9/0x480 drivers/base/dd.c:912
> >> >  bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
> >> >  device_add+0x1612/0x19e0 drivers/base/core.c:2936
> >> >  usb_set_configuration+0x1c17/0x2100 drivers/usb/core/message.c:2159
> >> >  usb_generic_driver_probe+0x82/0x140 drivers/usb/core/generic.c:238
> >> >  usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
> >> >  really_probe+0x4ab/0x1380 drivers/base/dd.c:558
> >> >  driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
> >> >  bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
> >> >  __device_attach+0x2c9/0x480 drivers/base/dd.c:912
> >> >  bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
> >> >  device_add+0x1612/0x19e0 drivers/base/core.c:2936
> >> >  usb_new_device+0xcc3/0x1700 drivers/usb/core/hub.c:2554
> >> >  hub_port_connect+0xec7/0x2540 drivers/usb/core/hub.c:5222
> >> >  hub_port_connect_change+0x600/0xb00 drivers/usb/core/hub.c:5362
> >> >  port_event+0xae9/0x10a0 drivers/usb/core/hub.c:5508
> >> >  hub_event+0x417/0xcb0 drivers/usb/core/hub.c:5590
> >> >  process_one_work+0x789/0xfc0 kernel/workqueue.c:2272
> >> >  worker_thread+0xaa4/0x1460 kernel/workqueue.c:2418
> >> >  kthread+0x39a/0x3c0 kernel/kthread.c:292
> >> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> >> 
> >> Clear urb before putting it in use.
> >> 
> >> --- a/drivers/nfc/port100.c
> >> +++ b/drivers/nfc/port100.c
> >> @@ -1525,7 +1525,7 @@ static int port100_probe(struct usb_inte
> >>  	}
> >>  
> >>  	dev->in_urb = usb_alloc_urb(0, GFP_KERNEL);
> >> -	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL);
> >> +	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL | __GFP_ZERO);
> >>  
> >>  	if (!dev->in_urb || !dev->out_urb) {
> >>  		nfc_err(&interface->dev, "Could not allocate USB URBs\n");
> >
> >How does this solve a warning in the USB core about a string descriptor
> >error?
> 
> If I don't misread your question, it makes the check at
> drivers/usb/core/urb.c:377 fail.

Ah, as Alan pointed out, I missed that the string descriptor issue was
not the real problem here.

But, as he also points out, this change will not do anything, nor should
it even if that flag worked.  The problem is that the urb is already
under control by a host controller driver and shouldn't have been
submitted again.

thanks,

greg k-h


* Re: WARNING in port100_send_frame_async/usb_submit_urb
  2020-12-01  9:21 WARNING in port100_send_frame_async/usb_submit_urb syzbot
       [not found] ` <20201201094702.1762-1-hdanton@sina.com>
@ 2020-12-02 21:19 ` Alan Stern
  2021-10-22 17:46 ` [syzbot] " syzbot
  2 siblings, 0 replies; 6+ messages in thread
From: Alan Stern @ 2020-12-02 21:19 UTC (permalink / raw)
  To: syzbot, Thierry Escande
  Cc: eli.billauer, gregkh, gustavoars, ingrassia, linux-kernel,
	linux-usb, netdev, syzkaller-bugs, tiwai

On Tue, Dec 01, 2020 at 01:21:27AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+dbec6695a6565a9c6bc0@syzkaller.appspotmail.com
> 
> usb 1-1: string descriptor 0 read error: -32
> ------------[ cut here ]------------
> URB 000000005c26bc1e submitted while active
> WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> Modules linked in:
> CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> Call Trace:
>  port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
>  port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
>  port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
>  port100_set_command_type drivers/nfc/port100.c:987 [inline]
>  port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567

I don't understand this driver very well.  It looks like the problem 
stems from the fact that port100_send_frame_async() submits two URBs, 
but port100_send_cmd_sync() only waits for one of them to complete.  The 
other URB may then still be active when the driver tries to reuse it.

Maybe someone who's more familiar with the port100 driver can fix the 
problem.

Alan Stern
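
The failure mode described in the message above, as an added userspace model in C (not code from the port100 driver or from anyone in this thread): a command submits two URBs, the synchronous wrapper waits for only one, and the next command then resubmits the one still in flight. The `model_*` names, the `drain_other` switch and the choice of `in_urb` as the URB that gets waited for are assumptions made for the illustration.

```c
/* Added illustration: userspace model, not code from drivers/nfc/port100.c. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct urb: only "is it still in flight?" is modelled. */
struct model_urb {
	bool active;
};

struct model_dev {
	struct model_urb in_urb;
	struct model_urb out_urb;
	int warnings;	/* counts "submitted while active" hits */
};

/* Models the submit-time check behind the reported warning. */
static int model_submit(struct model_dev *dev, struct model_urb *urb)
{
	if (urb->active) {
		dev->warnings++;
		return -EBUSY;
	}
	urb->active = true;
	return 0;
}

/* Models a completion: the URB is handed back to the driver. */
static void model_complete(struct model_urb *urb) { urb->active = false; }

/* Models cancelling a URB and waiting until it is no longer in flight. */
static void model_kill(struct model_urb *urb) { urb->active = false; }

/* Per the thread: one command submits two URBs. */
static int model_send_frame_async(struct model_dev *dev)
{
	int rc = model_submit(dev, &dev->out_urb);

	if (rc)
		return rc;
	rc = model_submit(dev, &dev->in_urb);
	if (rc)
		model_kill(&dev->out_urb);
	return rc;
}

/* Per the thread: the sync wrapper waits for only one of them.
 * Assumption: in_urb is the one waited for, out_urb is left pending. */
static int model_send_cmd_sync(struct model_dev *dev, bool drain_other)
{
	int rc = model_send_frame_async(dev);

	if (rc)
		return rc;
	model_complete(&dev->in_urb);		/* the wait that does happen */
	if (drain_other)
		model_kill(&dev->out_urb);	/* the wait that is missing */
	return 0;
}

/* Result of the second of two back-to-back commands. */
int second_command_result(bool drain_other)
{
	struct model_dev dev = {0};	/* zeroed, as a fresh allocation would be */
	int rc = model_send_cmd_sync(&dev, drain_other);

	if (rc)
		return rc;
	return model_send_cmd_sync(&dev, drain_other);
}

int main(void)
{
	printf("without draining: %d\n", second_command_result(false));
	printf("with draining:    %d\n", second_command_result(true));
	return 0;
}
```

The device starts fully zeroed in both runs, so the difference in outcome comes only from whether the second URB is drained before reuse.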


* Re: [syzbot] WARNING in port100_send_frame_async/usb_submit_urb
  2020-12-01  9:21 WARNING in port100_send_frame_async/usb_submit_urb syzbot
       [not found] ` <20201201094702.1762-1-hdanton@sina.com>
  2020-12-02 21:19 ` Alan Stern
@ 2021-10-22 17:46 ` syzbot
  2 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2021-10-22 17:46 UTC (permalink / raw)
  To: coreteam, davem, edumazet, eli.billauer, fw, gregkh, gustavoars,
	hdanton, ingrassia, k.kozlowski.k, kadlec, kuba, linux-kernel,
	linux-usb, netdev, netfilter-devel, pablo, stern, syzkaller-bugs,
	thierry.escande, tiwai

syzbot suspects this issue was fixed by commit:

commit e9edc188fc76499b0b9bd60364084037f6d03773
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 17 22:15:56 2021 +0000

    netfilter: conntrack: serialize hash resizes and cleanups

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1633b4b0b00000
start commit:   c84e1efae022 Merge tag 'asm-generic-fixes-5.10-2' of git:/..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: netfilter: conntrack: serialize hash resizes and cleanups

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
