WARNING in cm109_urb_irq_callback/usb_submit_urb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (94th)was triggered.


HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output:https://github.com/pghk13/Kernel-Bug/tree/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open
Kernel config:https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/config.txt
C reproducer:https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open/94repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open/94report


The error occurs around line 379 of the urb.c file. The problem ends up in the cm109_urb_irq_callback function in the cm109.c file:In the cm109_urb_irq_callback function, the driver attempts to resubmit a URB that has not yet been processed. There may be a race condition in the driver that resubmits the URB in the URB completion callback, but the same URB may have already been committed to another location in the system. This issue seems to involve the creation of USB devices, the operation of TTY devices, and file descriptor copying. This complex interaction resulted in duplicate commits of the URB.
We have reproduced this issue several times on 6.14-rc5 again.




If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>, Jiaji Qin <jjtan24@xxxxxxxxxxxxxx>, Shuoran Bai <baishuoran@xxxxxxxxxxxx>


================================================================== 
URB ffff888045c81800 submitted while active
WARNING: CPU: 0 PID: 0 at drivers/usb/core/urb.c:379 usb_submit_urb+0x134e/0x1750
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.14.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:usb_submit_urb+0x134e/0x1750
Code: e8 c7 b4 a0 fa 84 db 0f 85 47 f5 ff ff e8 0a b3 a0 fa c6 05 c3 ba 30 09 01 90 48 c7 c7 00 3e 2f 8c 4c 89 fe e8 e3 a8 60 fa 90 <0f> 0b 90 90 e9 21 f5 ff ff 48 89 7c 24 38 e8 df b2 a0 fa 48 8b 7c
RSP: 0018:ffffc90000007ad0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8179ec7a
RDX: 0000000000000000 RSI: ffffffff8de97740 RDI: 0000000000000002
RBP: ffff888022bee740 R08: 0000000000000000 R09: ffffed1005705182
R10: ffffed1005705181 R11: ffff88802b828c0b R12: 0000000000000046
R13: ffff888027b24058 R14: 00000000fffffff0 R15: ffff888045c81800
FS:  0000000000000000(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffca04ff60 CR3: 000000000df80000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <IRQ>
 cm109_urb_irq_callback+0x44b/0xb60
 __usb_hcd_giveback_urb+0x2e4/0x6b0
 usb_hcd_giveback_urb+0x391/0x450
 dummy_timer+0x1217/0x3540
 __hrtimer_run_queues+0x1b7/0xc30
 hrtimer_run_softirq+0x17f/0x2e0
 handle_softirqs+0x1bd/0x880
 irq_exit_rcu+0xfd/0x150
 sysvec_apic_timer_interrupt+0xa8/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0x1e/0x30
Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d c9 a9 0d 00 0f 1f 44 00 00 fb f4 <fa> e9 a7 41 b7 f5 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffffff8de07e08 EFLAGS: 00000206
RAX: 000000000027dec5 RBX: 0000000000000000 RCX: ffffffff8b58e5a7
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed1005706f86
R10: ffffed1005706f85 R11: ffff88802b837c2b R12: 0000000000000000
R13: ffffffff90616a10 R14: 0000000000000000 R15: 0000000000000000
 default_idle_call+0x6d/0xb0
 do_idle+0x312/0x3c0
 cpu_startup_entry+0x4f/0x60
 rest_init+0x1a9/0x2f0
 start_kernel+0x3fa/0x4e0
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0xb3/0xc0
 common_startup_64+0x13e/0x148
 </TASK>
--------------------------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	f3 0f 1e fa          	endbr64
  10:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  15:	eb 0c                	jmp    0x23
  17:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1c:	0f 00 2d c9 a9 0d 00 	verw   0xda9c9(%rip)        # 0xda9ec
  23:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	e9 a7 41 b7 f5       	jmpq   0xf5b741d7
  30:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  37:	00 00 00 00
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop
--------------------------------





thanks,
Kun Hu
[Index of Archives]     [Linux Media Devel]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Linux Wireless Networking]     [Linux Omap]

  Powered by Linux