Date: Wed, 2 Dec 2020 16:19:32 -0500
From: Alan Stern
To: syzbot, Thierry Escande
Cc: eli.billauer@gmail.com, gregkh@linuxfoundation.org, gustavoars@kernel.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, tiwai@suse.de
Subject: Re: WARNING in port100_send_frame_async/usb_submit_urb
Message-ID: <20201202211932.GD1062758@rowland.harvard.edu>
In-Reply-To: <000000000000bab70f05b563a6cc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 01, 2020 at 01:21:27AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+dbec6695a6565a9c6bc0@syzkaller.appspotmail.com
>
> usb 1-1: string descriptor 0 read error: -32
> ------------[ cut here ]------------
> URB 000000005c26bc1e submitted while active
> WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> Modules linked in:
> CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> Code: 5c 41 5d 41 5e 41 5f 5d e9 76 5b ff ff e8 f1 e8 04 fc c6 05 25 0e 8b 07 01 48 c7 c7 a0 b7 5b 8a 4c 89 e6 31 c0 e8 89 07 d5 fb <0f> 0b e9 20 f1 ff ff e8 cd e8 04 fc eb 05 e8 c6 e8 04 fc bb a6 ff
> RSP: 0018:ffffc90000ca6ec8 EFLAGS: 00010246
> RAX: cf72e284cb303700 RBX: ffff888021723708 RCX: ffff888011108000
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000cc0 R08: ffffffff815d29f2 R09: ffffed1017383ffc
> R10: ffffed1017383ffc R11: 0000000000000000 R12: ffff888021723700
> R13: dffffc0000000000 R14: ffff888012cfa458 R15: 1ffff1100259f489
> FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056157313d160 CR3: 000000001e22c000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
>  port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
>  port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
>  port100_set_command_type drivers/nfc/port100.c:987 [inline]
>  port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567

I don't understand this driver very well. It looks like the problem stems from the fact that port100_send_frame_async() submits two URBs, but port100_send_cmd_sync() only waits for one of them to complete. The other URB may then still be active when the driver tries to reuse it.

Maybe someone who's more familiar with the port100 driver can fix the problem.

Alan Stern
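
A user-space model of the failure described in the reply above, added here as an illustration; it is not part of the original mail and is not code from drivers/nfc/port100.c. All struct and function names are hypothetical, and it assumes the synchronous path waits for the second of the two URBs. Resubmitting an in-flight URB returns -EBUSY, the error usb_submit_urb() returns alongside the quoted warning.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a URB: it is "active" from submit until completion. */
struct model_urb { bool active; };
struct model_dev { struct model_urb first, second; };

static int model_submit(struct model_urb *u)
{
    if (u->active)
        return -EBUSY;  /* the "submitted while active" condition */
    u->active = true;
    return 0;
}

static void model_complete(struct model_urb *u) { u->active = false; }

/* One command submits two URBs, as the reply describes. */
static int send_frame_async(struct model_dev *d)
{
    int rc = model_submit(&d->first);
    return rc ? rc : model_submit(&d->second);
}

/* wait_both == false: return after one completion (the suspected bug).
 * wait_both == true: return only once both URBs are idle again. */
static int send_cmd_sync(struct model_dev *d, bool wait_both)
{
    int rc = send_frame_async(d);
    if (rc)
        return rc;
    model_complete(&d->second);      /* the completion the caller waits for */
    if (wait_both)
        model_complete(&d->first);   /* hardened: wait for the other URB too */
    return 0;
}

/* Issue two commands back to back; returns the status of the second one. */
static int two_commands(bool wait_both)
{
    struct model_dev d = { {false}, {false} };
    int rc = send_cmd_sync(&d, wait_both);
    return rc ? rc : send_cmd_sync(&d, wait_both);
}

int main(void)
{
    printf("one: %d both: %d\n", two_commands(false), two_commands(true));
    return 0;
}
```

In the model the first URB is constructed to finish late, so the second command's submit hits it while it is still active unless the synchronous path waits for both.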