syzbot has found a reproducer for the following issue on:
HEAD commit: 8020ae3c051d Linux 5.15.103
git tree: linux-5.15.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=1202df26c80000
kernel config:
https://syzkaller.appspot.com/x/.config?x=f95b212e0ccdd4d1
userspace arch: arm64
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=14d47281c80000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=108481bac80000
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/6153dfa8dcc0/disk-8020ae3c.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/2093d52db59f/vmlinux-8020ae3c.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/85041d0bd356/Image-8020ae3c.gz.xz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
smsusb:smsusb_probe: board id=8, interface number 0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3550 at kernel/workqueue.c:3083 __flush_work+0x1b4/0x1c0
Modules linked in:
CPU: 1 PID: 3550 Comm: kworker/1:3 Not tainted 5.15.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __flush_work+0x1b4/0x1c0
lr : __flush_work+0x1b0/0x1c0 kernel/workqueue.c:3083
sp : ffff80001f3165e0
x29: ffff80001f316710 x28: 0000000000000000 x27: ffff80001f316848
x26: 0000000000000001 x25: 1fffe00019d5fc1d x24: dfff800000000000
x23: ffff700003e62cbc x22: ffff0000ceafe100 x21: ffff80001f316600
x20: 0000000000000001 x19: ffff0000ceafe0e8 x18: 0000000000000001
x17: ff808000083386a0 x16: ffff8000082eebe4 x15: ffff80000bfdb9d4
x14: ffff80000bfe5fb0 x13: ffffffffffffffff x12: 0000000000000000
x11: ff8080000820a930 x10: 0000000000000000 x9 : ffff80000820a930
x8 : ffff0000d2dc5040 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
__flush_work+0x1b4/0x1c0
__cancel_work_timer+0x3ec/0x548 kernel/workqueue.c:3177
cancel_work_sync+0x24/0x38 kernel/workqueue.c:3213
smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
smsusb_term_device+0x98/0x1cc drivers/media/usb/siano/smsusb.c:344
smsusb_init_device drivers/media/usb/siano/smsusb.c:419 [inline]
smsusb_probe+0xcb8/0x1a0c drivers/media/usb/siano/smsusb.c:567
usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x1bc/0x3f8 drivers/base/dd.c:750
driver_probe_device+0x78/0x34c drivers/base/dd.c:780
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:902
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:974
device_initial_probe+0x24/0x34 drivers/base/dd.c:1023
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3394
usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x1bc/0x3f8 drivers/base/dd.c:750
driver_probe_device+0x78/0x34c drivers/base/dd.c:780
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:902
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:974
device_initial_probe+0x24/0x34 drivers/base/dd.c:1023
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3394
usb_new_device+0x8fc/0x1448 drivers/usb/core/hub.c:2568
hub_port_connect drivers/usb/core/hub.c:5358 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
port_event drivers/usb/core/hub.c:5648 [inline]
hub_event+0x22e4/0x48c4 drivers/usb/core/hub.c:5730
process_one_work+0x84c/0x14b8 kernel/workqueue.c:2306
worker_thread+0x910/0x1034 kernel/workqueue.c:2453
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 18358
hardirqs last enabled at (18357): [<ffff80000820ad28>] __cancel_work_timer+0x3b0/0x548 kernel/workqueue.c:3170
hardirqs last disabled at (18358): [<ffff800011a00bc8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:387
softirqs last enabled at (17462): [<ffff800008020e34>] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last enabled at (17462): [<ffff800008020e34>] __do_softirq+0xcc4/0xf60 kernel/softirq.c:587
softirqs last disabled at (17457): [<ffff8000081b7b48>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (17457): [<ffff8000081b7b48>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (17457): [<ffff8000081b7b48>] __irq_exit_rcu+0x28c/0x534 kernel/softirq.c:636
---[ end trace 0b07e0f9548b998c ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3550 at kernel/workqueue.c:3083 __flush_work+0x1b4/0x1c0
Modules linked in:
CPU: 1 PID: 3550 Comm: kworker/1:3 Tainted: G W 5.15.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __flush_work+0x1b4/0x1c0
lr : __flush_work+0x1b0/0x1c0 kernel/workqueue.c:3083
sp : ffff80001f3165e0
x29: ffff80001f316710 x28: 0000000000000000 x27: ffff80001f316848
x26: 0000000000000001 x25: 1fffe00019d5fc41 x24: dfff800000000000
x23: ffff700003e62cbc x22: ffff0000ceafe220 x21: ffff80001f316600
x20: 0000000000000001 x19: ffff0000ceafe208 x18: 0000000000000001
x17: ff808000083386a0 x16: ffff8000082eebe4 x15: ffff80000bfdb9d4
x14: ffff80000bfe5fb0 x13: ffffffffffffffff x12: 0000000000000000
x11: ff8080000820a930 x10: 0000000000000000 x9 : ffff80000820a930
x8 : ffff0000d2dc5040 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
__flush_work+0x1b4/0x1c0
__cancel_work_timer+0x3ec/0x548 kernel/workqueue.c:3177
cancel_work_sync+0x24/0x38 kernel/workqueue.c:3213
smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
smsusb_term_device+0x98/0x1cc drivers/media/usb/siano/smsusb.c:344
smsusb_init_device drivers/media/usb/siano/smsusb.c:419 [inline]
smsusb_probe+0xcb8/0x1a0c drivers/media/usb/siano/smsusb.c:567
usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x1bc/0x3f8 drivers/base/dd.c:750
driver_probe_device+0x78/0x34c drivers/base/dd.c:780
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:902
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:974
device_initial_probe+0x24/0x34 drivers/base/dd.c:1023
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3394
usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x1bc/0x3f8 drivers/base/dd.c:750
driver_probe_device+0x78/0x34c drivers/base/dd.c:780
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:902
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:974
device_initial_probe+0x24/0x34 drivers/base/dd.c:1023
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3394
usb_new_device+0x8fc/0x1448 drivers/usb/core/hub.c:2568
hub_port_connect drivers/usb/core/hub.c:5358 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
port_event drivers/usb/core/hub.c:5648 [inline]
hub_event+0x22e4/0x48c4 drivers/usb/core/hub.c:5730
process_one_work+0x84c/0x14b8 kernel/workqueue.c:2306
worker_thread+0x910/0x1034 kernel/workqueue.c:2453
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 18374
hardirqs last enabled at (18373): [<ffff80000820ad28>] __cancel_work_timer+0x3b0/0x548 kernel/workqueue.c:3170
hardirqs last disabled at (18374): [<ffff800011a00bc8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:387
softirqs last enabled at (18370): [<ffff800008020e34>] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last enabled at (18370): [<ffff800008020e34>] __do_softirq+0xcc4/0xf60 kernel/softirq.c:587
softirqs last disabled at (18361): [<ffff8000081b7b48>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (18361): [<ffff8000081b7b48>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (18361): [<ffff8000081b7b48>] __irq_exit_rcu+0x28c/0x534 kernel/softirq.c:636
---[ end trace 0b07e0f9548b998d ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3550 at kernel/workqueue.c:3083 __flush_work+0x1b4/0x1c0
Modules linked in:
CPU: 1 PID: 3550 Comm: kworker/1:3 Tainted: G W 5.15.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __flush_work+0x1b4/0x1c0
lr : __flush_work+0x1b0/0x1c0 kernel/workqueue.c:3083
sp : ffff80001f3165e0
x29: ffff80001f316710 x28: 0000000000000000 x27: ffff80001f316848
x26: 0000000000000001 x25: 1fffe00019d5fc65 x24: dfff800000000000
x23: ffff700003e62cbc x22: ffff0000ceafe340 x21: ffff80001f316600
x20: 0000000000000001 x19: ffff0000ceafe328 x18: 0000000000000001
x17: ff808000083386a0 x16: ffff8000082eebe4 x15: ffff80000bfdb9d4
x14: ffff80000bfe5fb0 x13: ffffffffffffffff x12: 0000000000000000
x11: ff8080000820a930 x10: 0000000000000000 x9 : ffff80000820a930
x8 : ffff0000d2dc5040 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
__flush_work+0x1b4/0x1c0
__cancel_work_timer+0x3ec/0x548 kernel/workqueue.c:3177
cancel_work_sync+0x24/0x38 kernel/workqueue.c:3213
smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
smsusb_term_device+0x98/0x1cc drivers/media/usb/siano/smsusb.c:344
smsusb_init_device drivers/media/usb/siano/smsusb.c:419 [inline]
smsusb_probe+0xcb8/0x1a0c drivers/media/usb/siano/smsusb.c:567
usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x1bc/0x3f8 drivers/base/dd.c:750
driver_probe_device+0x78/0x34c drivers/base/dd.c:780
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:902
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:974
device_initial_probe+0x24/0x34 drivers/base/dd.c:1023
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3394
usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
really_probe+0x26c/0xaec drivers/base/dd.c:595
__driver_probe_device+0x1bc/0x3f8 drivers/base/dd.c:750
driver_probe_device+0x78/0x34c drivers/base/dd.c:780
__device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:902
bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
__device_attach+0x2f0/0x480 drivers/base/dd.c:974
device_initial_probe+0x24/0x34 drivers/base/dd.c:1023
bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
device_add+0xae0/0xef4 drivers/base/core.c:3394
usb_new_device+0x8fc/0x1448 drivers/usb/core/hub.c:2568
hub_port_connect drivers/usb/core/hub.c:5358 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
port_event drivers/usb/core/hub.c:5648 [inline]
hub_event+0x22e4/0x48c4 drivers/usb/core/hub.c:5730
process_one_work+0x84c/0x14b8 kernel/workqueue.c:2306
worker_thread+0x910/0x1034 kernel/workqueue.c:2453
kthread+0x37c/0x45c kernel/kthread.c:319
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 18396
hardirqs last enabled at (18395): [<ffff80000820ad28>] __cancel_work_timer+0x3b0/0x548 kernel/workqueue.c:3170
hardirqs last disabled at (18396): [<ffff800011a00bc8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:387
softirqs last enabled at (18388): [<ffff800008020e34>] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last enabled at (18388): [<ffff800008020e34>] __do_softirq+0xcc4/0xf60 kernel/softirq.c:587
softirqs last disabled at (18377): [<ffff8000081b7b48>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (18377): [<ffff8000081b7b48>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (18377): [<ffff8000081b7b48>] __irq_exit_rcu+0x28c/0x534 kernel/softirq.c:636
---[ end trace 0b07e0f9548b998e ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3550