2020-12-01 22:30:57

by syzbot

Subject: WARNING in port100_send_frame_async/usb_submit_urb

Hello,

syzbot found the following issue on:

HEAD commit: c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
kernel config: https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

usb 1-1: string descriptor 0 read error: -32
------------[ cut here ]------------
URB 000000005c26bc1e submitted while active
WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
Code: 5c 41 5d 41 5e 41 5f 5d e9 76 5b ff ff e8 f1 e8 04 fc c6 05 25 0e 8b 07 01 48 c7 c7 a0 b7 5b 8a 4c 89 e6 31 c0 e8 89 07 d5 fb <0f> 0b e9 20 f1 ff ff e8 cd e8 04 fc eb 05 e8 c6 e8 04 fc bb a6 ff
RSP: 0018:ffffc90000ca6ec8 EFLAGS: 00010246
RAX: cf72e284cb303700 RBX: ffff888021723708 RCX: ffff888011108000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000cc0 R08: ffffffff815d29f2 R09: ffffed1017383ffc
R10: ffffed1017383ffc R11: 0000000000000000 R12: ffff888021723700
R13: dffffc0000000000 R14: ffff888012cfa458 R15: 1ffff1100259f489
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056157313d160 CR3: 000000001e22c000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
port100_set_command_type drivers/nfc/port100.c:987 [inline]
port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567
usb_probe_interface+0x662/0xb40 drivers/usb/core/driver.c:396
really_probe+0x4ab/0x1380 drivers/base/dd.c:558
driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
__device_attach+0x2c9/0x480 drivers/base/dd.c:912
bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
device_add+0x1612/0x19e0 drivers/base/core.c:2936
usb_set_configuration+0x1c17/0x2100 drivers/usb/core/message.c:2159
usb_generic_driver_probe+0x82/0x140 drivers/usb/core/generic.c:238
usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
really_probe+0x4ab/0x1380 drivers/base/dd.c:558
driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
__device_attach+0x2c9/0x480 drivers/base/dd.c:912
bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
device_add+0x1612/0x19e0 drivers/base/core.c:2936
usb_new_device+0xcc3/0x1700 drivers/usb/core/hub.c:2554
hub_port_connect+0xec7/0x2540 drivers/usb/core/hub.c:5222
hub_port_connect_change+0x600/0xb00 drivers/usb/core/hub.c:5362
port_event+0xae9/0x10a0 drivers/usb/core/hub.c:5508
hub_event+0x417/0xcb0 drivers/usb/core/hub.c:5590
process_one_work+0x789/0xfc0 kernel/workqueue.c:2272
worker_thread+0xaa4/0x1460 kernel/workqueue.c:2418
kthread+0x39a/0x3c0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


2020-12-02 21:23:24

by Alan Stern

Subject: Re: WARNING in port100_send_frame_async/usb_submit_urb

On Tue, Dec 01, 2020 at 01:21:27AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> usb 1-1: string descriptor 0 read error: -32
> ------------[ cut here ]------------
> URB 000000005c26bc1e submitted while active
> WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> Modules linked in:
> CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> Code: 5c 41 5d 41 5e 41 5f 5d e9 76 5b ff ff e8 f1 e8 04 fc c6 05 25 0e 8b 07 01 48 c7 c7 a0 b7 5b 8a 4c 89 e6 31 c0 e8 89 07 d5 fb <0f> 0b e9 20 f1 ff ff e8 cd e8 04 fc eb 05 e8 c6 e8 04 fc bb a6 ff
> RSP: 0018:ffffc90000ca6ec8 EFLAGS: 00010246
> RAX: cf72e284cb303700 RBX: ffff888021723708 RCX: ffff888011108000
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000cc0 R08: ffffffff815d29f2 R09: ffffed1017383ffc
> R10: ffffed1017383ffc R11: 0000000000000000 R12: ffff888021723700
> R13: dffffc0000000000 R14: ffff888012cfa458 R15: 1ffff1100259f489
> FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056157313d160 CR3: 000000001e22c000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
> port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
> port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
> port100_set_command_type drivers/nfc/port100.c:987 [inline]
> port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567

I don't understand this driver very well. It looks like the problem
stems from the fact that port100_send_frame_async() submits two URBs,
but port100_send_cmd_sync() only waits for one of them to complete. The
other URB may then still be active when the driver tries to reuse it.

Maybe someone who's more familiar with the port100 driver can fix the
problem.

Alan Stern
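
A user-space model of the sequence Alan describes, added here as an illustration; it is not code from the port100 driver or the USB core. A submitted URB stays "active" until its completion callback runs, and the USB core's check that produced this WARNING refuses a second submission of an active URB with -EBUSY. The model's `nfc_dev`, the "cmd"/"ack" URB names, the `send_cmd_sync_*` wrappers and the simulated host controller are assumptions chosen to reproduce the pattern of two URBs submitted per command with only one of them awaited:

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_EBUSY 16

/* Model of a URB. 'active' stands for the in-flight state the USB core
 * tracks between usb_submit_urb() and the completion callback. */
struct urb {
	const char *name;
	bool active;
	int completions;
};

/* Model of usb_submit_urb(): a URB that is still in flight is refused,
 * which is the condition behind "URB ... submitted while active". */
static int submit_urb(struct urb *u)
{
	if (u->active) {
		fprintf(stderr, "WARNING: URB %s submitted while active\n", u->name);
		return -MODEL_EBUSY;
	}
	u->active = true;
	return 0;
}

/* Model of the host controller finishing a URB and running its completion. */
static void hc_complete(struct urb *u)
{
	if (u->active) {
		u->active = false;
		u->completions++;
	}
}

/* Hypothetical device state: the command URB plus the second URB that the
 * async send also submits (names are assumptions, not the driver's). */
struct nfc_dev {
	struct urb cmd_urb;
	struct urb ack_urb;
};

static void dev_init(struct nfc_dev *d)
{
	d->cmd_urb = (struct urb){ .name = "cmd" };
	d->ack_urb = (struct urb){ .name = "ack" };
}

/* Submits both URBs, like the two-URB send described in the thread. */
static int send_frame_async(struct nfc_dev *d)
{
	int rc = submit_urb(&d->cmd_urb);
	if (rc)
		return rc;
	return submit_urb(&d->ack_urb);
}

/* Buggy sync wrapper: returns as soon as the command URB completes, while
 * the second URB may still be in flight. The next command then resubmits
 * an active URB and trips the check in submit_urb(). */
static int send_cmd_sync_buggy(struct nfc_dev *d)
{
	int rc = send_frame_async(d);
	if (rc)
		return rc;
	hc_complete(&d->cmd_urb);   /* simulated wait: only the command URB is done */
	return 0;
}

/* Fixed sync wrapper: does not return until both URBs have completed,
 * so every URB is idle before it can be reused. */
static int send_cmd_sync_fixed(struct nfc_dev *d)
{
	int rc = send_frame_async(d);
	if (rc)
		return rc;
	hc_complete(&d->cmd_urb);
	hc_complete(&d->ack_urb);   /* wait for the second completion too */
	return 0;
}

/* Runs two commands back to back on a fresh device and returns the result
 * of the second one: 0 when both URBs were idle, -MODEL_EBUSY otherwise. */
static int run_two_commands(int (*send)(struct nfc_dev *))
{
	struct nfc_dev d;

	dev_init(&d);
	if (send(&d))
		return -1;
	return send(&d);
}
```

With the buggy wrapper the second command fails on the still-active second URB, which is the user-space equivalent of the WARNING in the report; with the fixed wrapper both commands succeed. A real driver would wait on a completion signalled from each URB's callback (or unlink the outstanding URB on error) rather than calling the host controller directly as this model does.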

2021-10-22 17:48:52

by syzbot

Subject: Re: [syzbot] WARNING in port100_send_frame_async/usb_submit_urb

syzbot suspects this issue was fixed by commit:

commit e9edc188fc76499b0b9bd60364084037f6d03773
Author: Eric Dumazet <[email protected]>
Date: Fri Sep 17 22:15:56 2021 +0000

netfilter: conntrack: serialize hash resizes and cleanups

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1633b4b0b00000
start commit: c84e1efae022 Merge tag 'asm-generic-fixes-5.10-2' of git:/..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: netfilter: conntrack: serialize hash resizes and cleanups

For information about bisection process see: https://goo.gl/tpsmEJ#bisection