WARNING in cm109_urb_irq_callback/usb_submit_urb


syzbot

Dec 29, 2020, 10:58:15 PM
to dmitry....@gmail.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vu...@iscas.ac.cn
Hello,

syzbot found the following issue on:

HEAD commit: 5814bc2d Merge tag 'perf-tools-2020-12-24' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12f074db500000
kernel config: https://syzkaller.appspot.com/x/.config?x=bf519e1e96191576
dashboard link: https://syzkaller.appspot.com/bug?extid=2d6d691af5ab4b7e66df
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2d6d69...@syzkaller.appspotmail.com

cm109 2-1:0.0: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB 0000000096f203b6 submitted while active
WARNING: CPU: 0 PID: 18262 at drivers/usb/core/urb.c:378 usb_submit_urb+0x128e/0x1560 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 0 PID: 18262 Comm: syz-executor.5 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usb_submit_urb+0x128e/0x1560 drivers/usb/core/urb.c:378
Code: 89 de e8 55 99 31 fc 84 db 0f 85 74 f4 ff ff e8 68 91 31 fc 4c 89 fe 48 c7 c7 a0 c6 02 8a c6 05 4b 89 28 08 01 e8 f6 1c 89 03 <0f> 0b e9 52 f4 ff ff c7 44 24 14 01 00 00 00 e9 09 f5 ff ff 41 be
RSP: 0018:ffffc900000079e8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815b94d5 RDI: fffff52000000f2f
RBP: ffff88802517c4c0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815b792b R11: 0000000000000000 R12: 0000000000000012
R13: ffff88801e060058 R14: 00000000fffffff0 R15: ffff88801f2b6500
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f62d000 CR3: 000000002aba6000 CR4: 00000000001526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
cm109_urb_irq_callback+0x44f/0xaa0 drivers/input/misc/cm109.c:422
__usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x38c/0x430 drivers/usb/core/hcd.c:1728
dummy_timer+0x11f4/0x32a0 drivers/usb/gadget/udc/dummy_hcd.c:1971
call_timer_fn+0x1a5/0x710 kernel/time/timer.c:1417
expire_timers kernel/time/timer.c:1462 [inline]
__run_timers.part.0+0x692/0xa80 kernel/time/timer.c:1731
__run_timers kernel/time/timer.c:1712 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1744
__do_softirq+0x2bc/0xa77 kernel/softirq.c:343
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:226 [inline]
__irq_exit_rcu+0x17f/0x200 kernel/softirq.c:420
irq_exit_rcu+0x5/0x20 kernel/softirq.c:432
sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628
RIP: 0010:check_kcov_mode+0x2c/0x40 kernel/kcov.c:174
Code: 05 09 a8 8e 7e 89 c2 81 e2 00 01 00 00 a9 00 01 ff 00 74 10 31 c0 85 d2 74 15 8b 96 cc 14 00 00 85 d2 74 0b 8b 86 a8 14 00 00 <39> f8 0f 94 c0 c3 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 31 c0
RSP: 0018:ffffc90014ebf628 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 00000000000001fe RCX: 00000000000000aa
RDX: 0000000000000000 RSI: ffff888066450280 RDI: 0000000000000003
RBP: ffffea00004ca500 R08: 00000000000001fe R09: 00000000004ca500
R10: ffffffff819a63e0 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88802d906560 R14: 00000000000000aa R15: dffffc0000000000
write_comp_data kernel/kcov.c:218 [inline]
__sanitizer_cov_trace_cmp4+0x1c/0x70 kernel/kcov.c:258
release_pages+0x6f0/0x1d60 mm/swap.c:864
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0xe9/0x6b0 mm/mmu_gather.c:249
zap_pte_range mm/memory.c:1330 [inline]
zap_pmd_range mm/memory.c:1368 [inline]
zap_pud_range mm/memory.c:1397 [inline]
zap_p4d_range mm/memory.c:1418 [inline]
unmap_page_range+0x1a75/0x2640 mm/memory.c:1439
unmap_single_vma+0x198/0x300 mm/memory.c:1484
unmap_vmas+0x168/0x2e0 mm/memory.c:1516
exit_mmap+0x2b1/0x5a0 mm/mmap.c:3220
__mmput+0x122/0x470 kernel/fork.c:1083
mmput+0x53/0x60 kernel/fork.c:1104
exit_mm kernel/exit.c:500 [inline]
do_exit+0xa97/0x2a00 kernel/exit.c:810
do_group_exit+0x125/0x310 kernel/exit.c:920
get_signal+0x3e9/0x2160 kernel/signal.c:2770
arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
handle_signal_work kernel/entry/common.c:147 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:302
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e229
Code: Unable to access opcode bytes at RIP 0x45e1ff.
RSP: 002b:00007f2f8ae53cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000119c030 RCX: 000000000045e229
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000119c034
RBP: 000000000119c028 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000040 R11: 0000000000000246 R12: 000000000119c034
R13: 00007fffb9d4ee7f R14: 00007f2f8ae549c0 R15: 000000000119c034


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Hillf Danton

Dec 30, 2020, 4:09:04 AM
to syzbot, dmitry....@gmail.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Greg Kroah-Hartman, vu...@iscas.ac.cn
Tue, 29 Dec 2020 19:58:14 -0800
To quiesce the warning, make use of dev->ctl_submit_lock to serialize
the callbacks of the irq and ctl urbs, and no ctl urb will be submitted in
the irq urb callback if one is still queued in the usb core.

--- a/drivers/input/misc/cm109.c
+++ b/drivers/input/misc/cm109.c
@@ -417,15 +417,19 @@ static void cm109_urb_irq_callback(struc
dev->ctl_data->byte[HID_OR2] = dev->keybit;

dev->buzzer_pending = 0;
- dev->ctl_urb_pending = 1;
+ if (dev->ctl_urb_pending != 0)
+ goto unlock;

error = usb_submit_urb(dev->urb_ctl, GFP_ATOMIC);
if (error)
dev_err(&dev->intf->dev,
"%s: usb_submit_urb (urb_ctl) failed %d\n",
__func__, error);
+ else
+ dev->ctl_urb_pending = 1;
}

+unlock:
spin_unlock_irqrestore(&dev->ctl_submit_lock, flags);
}
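Review bot: The new `if (dev->ctl_urb_pending != 0) goto unlock;` sits after `dev->ctl_data->byte[HID_OR2] = dev->keybit;` and `dev->buzzer_pending = 0;`, so when a control URB is still in flight the callback has already written into ctl_data, which the driver hands to `dev->urb_ctl` as its transfer buffer, and has cleared the buzzer request without submitting anything. Moving the check ahead of those two updates keeps the in-flight buffer untouched and leaves buzzer_pending set for the next ctl completion to pick up. It is also worth stating in the commit message that `dev->ctl_urb_pending` is cleared by the ctl URB completion handler under the same `ctl_submit_lock` (not part of this hunk), since with the flag now guarding every submission from the irq path, a completion that failed to clear it would stop control traffic for good rather than just trip the warning.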

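The guard the patch above adds can be exercised outside the kernel with a small model. The block below is an added, constructed example; it is not code from cm109.c, from the patch, or from syzbot. The `mock_*` types, the `-EBUSY` stand-in for a busy-URB return code, and the fixed interleaving in `run_schedule()` are assumptions. It replays the ordering the trace implies, with the irq URB completing twice before the ctl URB is given back, and compares the original flag handling (set before submit, never checked) with the patched one (checked first, set only on success).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed user-space model of the cm109 irq/ctl URB hand-off.
 * Not kernel code: the mock_* types, the interleaving in run_schedule()
 * and the -EBUSY return for a busy URB are assumptions for illustration.
 */

struct mock_urb {
    bool active;            /* submitted to the "HCD" and not yet given back */
};

struct mock_dev {
    struct mock_urb urb_ctl;
    int ctl_urb_pending;    /* driver-side bookkeeping, as in cm109.c */
    int warnings;           /* "submitted while active" hits */
    int submitted;          /* successful ctl submissions */
    int skipped;            /* irq completions that found a ctl URB in flight */
};

/* Stand-in for usb_submit_urb(): refuse an URB that is already in flight. */
static int mock_submit_urb(struct mock_dev *dev, struct mock_urb *urb)
{
    if (urb->active) {
        dev->warnings++;    /* the point where the kernel emits the WARNING */
        return -EBUSY;      /* assumed error code */
    }
    urb->active = true;
    return 0;
}

/* ctl URB completion: the URB is given back and the driver flag is cleared. */
static void ctl_complete(struct mock_dev *dev)
{
    dev->urb_ctl.active = false;
    dev->ctl_urb_pending = 0;
}

/* Original ordering: flag set unconditionally, nothing checked before submit. */
static void irq_callback_original(struct mock_dev *dev)
{
    dev->ctl_urb_pending = 1;
    if (mock_submit_urb(dev, &dev->urb_ctl) == 0)
        dev->submitted++;
}

/* Patched ordering: bail out while a ctl URB is in flight,
 * and record the flag only after a successful submission. */
static void irq_callback_patched(struct mock_dev *dev)
{
    if (dev->ctl_urb_pending != 0) {
        dev->skipped++;
        return;
    }
    if (mock_submit_urb(dev, &dev->urb_ctl) == 0) {
        dev->submitted++;
        dev->ctl_urb_pending = 1;
    }
}

/*
 * Replay the interleaving the trace implies: two irq completions arrive
 * before the ctl URB completes. Returns the device state for inspection.
 */
static struct mock_dev run_schedule(void (*irq_cb)(struct mock_dev *))
{
    struct mock_dev dev = { 0 };

    irq_cb(&dev);           /* 1st irq completion: ctl URB goes out */
    irq_cb(&dev);           /* 2nd irq completion: ctl URB still active */
    ctl_complete(&dev);     /* ctl URB given back */
    irq_cb(&dev);           /* submission is legal again */
    return dev;
}

int main(void)
{
    struct mock_dev o = run_schedule(irq_callback_original);
    struct mock_dev p = run_schedule(irq_callback_patched);

    printf("original: warnings=%d submitted=%d skipped=%d\n",
           o.warnings, o.submitted, o.skipped);
    printf("patched:  warnings=%d submitted=%d skipped=%d\n",
           p.warnings, p.submitted, p.skipped);
    return 0;
}
```

With the original ordering the second irq completion resubmits the still-active ctl URB and trips the warning once; with the patched ordering that completion is skipped, and the same number of ctl URBs still go out once the first one has been given back. The model deliberately leaves out the lock, because the interleaving here is sequential; in the driver the flag is only meaningful while both callbacks take `ctl_submit_lock`.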
syzbot

Apr 7, 2021, 2:44:14 PM
to dmitry....@gmail.com, gre...@linuxfoundation.org, hda...@sina.com, isa...@tglworldwide.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vu...@iscas.ac.cn
syzbot has found a reproducer for the following issue on:

HEAD commit: 2d743660 Merge branch 'fixes' of git://git.kernel.org/pub/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1548f46ad00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=2d6d691af5ab4b7e66df
compiler: Debian clang version 11.0.1-2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11d6cc96d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142de07ed00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2d6d69...@syzkaller.appspotmail.com

cm109 3-1:0.0: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB 000000003185a218 submitted while active
WARNING: CPU: 0 PID: 8764 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf7f/0x1550 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 0 PID: 8764 Comm: systemd-udevd Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usb_submit_urb+0xf7f/0x1550 drivers/usb/core/urb.c:378
Code: 5c 41 5d 41 5e 41 5f 5d e9 4e 5b ff ff e8 39 a0 fc fb c6 05 b4 45 25 08 01 48 c7 c7 e0 6e 5f 8a 4c 89 e6 31 c0 e8 81 84 cb fb <0f> 0b e9 f8 f0 ff ff e8 15 a0 fc fb eb 05 e8 0e a0 fc fb bb a6 ff
RSP: 0018:ffffc900000079a8 EFLAGS: 00010046
RAX: 300ec5186f788100 RBX: ffff888020ad2508 RCX: ffff88803054d4c0
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000a20 R08: ffffffff8160b632 R09: ffffed1017383f1c
R10: ffffed1017383f1c R11: 0000000000000000 R12: ffff888020ad2500
R13: dffffc0000000000 R14: dffffc0000000000 R15: 0000000000000082
FS: 00007f65b13318c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffda12b4ff8 CR3: 0000000020ed4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
cm109_urb_irq_callback+0x693/0xbf0 drivers/input/misc/cm109.c:422
__usb_hcd_giveback_urb+0x375/0x520 drivers/usb/core/hcd.c:1656
dummy_timer+0xa22/0x2e70 drivers/usb/gadget/udc/dummy_hcd.c:1971
call_timer_fn+0x91/0x160 kernel/time/timer.c:1431
expire_timers kernel/time/timer.c:1476 [inline]
__run_timers+0x6c0/0x8a0 kernel/time/timer.c:1745
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1758
__do_softirq+0x318/0x714 kernel/softirq.c:345
invoke_softirq kernel/softirq.c:221 [inline]
__irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:422
irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
</IRQ>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:tomoyo_check_acl+0xb1/0x430 security/tomoyo/domain.c:173
Code: 85 05 03 00 00 48 8b 1c 24 4c 8b 23 49 39 dc 0f 84 14 02 00 00 0f 1f 40 00 49 8d 6c 24 18 48 89 e8 48 c1 e8 03 42 0f b6 04 28 <84> c0 0f 85 1d 01 00 00 0f b6 6d 00 31 ff 89 ee e8 4a df d8 fd 85
RSP: 0018:ffffc9000276fbb8 EFLAGS: 00000a02
RAX: 0000000000000000 RBX: ffff888011bcec90 RCX: ffff88803054d4c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffff888013c51118 R08: ffffffff83a03cb6 R09: ffffffff83a09b20
R10: 0000000000000003 R11: ffff88803054d4c0 R12: ffff888013c51100
R13: dffffc0000000000 R14: ffff888011bcec80 R15: 0000000000000000
tomoyo_path_permission+0x1af/0x370 security/tomoyo/file.c:586
tomoyo_path_perm+0x32f/0x570 security/tomoyo/file.c:838
security_inode_getattr+0xc0/0x140 security/security.c:1288
vfs_getattr fs/stat.c:131 [inline]
vfs_statx+0xe8/0x320 fs/stat.c:199
vfs_fstatat fs/stat.c:217 [inline]
vfs_lstat include/linux/fs.h:3240 [inline]
__do_sys_newlstat fs/stat.c:372 [inline]
__se_sys_newlstat fs/stat.c:366 [inline]
__x64_sys_newlstat+0x81/0xd0 fs/stat.c:366
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f65b01a3335
Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89
RSP: 002b:00007ffda12b2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
RAX: ffffffffffffffda RBX: 000055b4a2eaa170 RCX: 00007f65b01a3335
RDX: 00007ffda12b2cb0 RSI: 00007ffda12b2cb0 RDI: 000055b4a2ea9170
RBP: 00007ffda12b2d70 R08: 00007f65b0462218 R09: 0000000000001010
R10: 00000000000001a0 R11: 0000000000000246 R12: 000055b4a2ea9170
R13: 000055b4a2ea9191 R14: 000055b4a2eb1fd6 R15: 000055b4a2eb1fe1
