From: Michal Pecio <michal.pecio@gmail.com>
To: I Viswanath <viswanathiyyappan@gmail.com>
Cc: andrew@lunn.ch, andrew+netdev@lunn.ch, davem@davemloft.net,
david.hunter.linux@gmail.com, edumazet@google.com,
kuba@kernel.org, linux-kernel-mentees@lists.linux.dev,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, petkan@nucleusys.com,
skhan@linuxfoundation.org,
syzbot+78cae3f37c62ad092caa@syzkaller.appspotmail.com
Subject: Re: [PATCH net v2] net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
Date: Wed, 24 Sep 2025 09:47:41 +0200
Message-ID: <20250924094741.65e12028.michal.pecio@gmail.com>
In-Reply-To: <20250920181852.18164-1-viswanathiyyappan@gmail.com>

On Sat, 20 Sep 2025 23:48:52 +0530, I Viswanath wrote:
> syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
> This is the sequence of events that leads to the Warning:
>
> CPU0 (in rtl8150_start_xmit)  CPU1 (in rtl8150_start_xmit)  CPU2 (in rtl8150_set_multicast)
> netif_stop_queue();
>                                                             netif_stop_queue();
> usb_submit_urb();
>                                                             netif_wake_queue(); <-- Wakes up TX queue before it's ready
>                               netif_stop_queue();
>                               usb_submit_urb(); <-- Warning
> freeing urb

It's not freeing which matters but URB completion in USB subsystem.

I think this description is needlessly complex, the essence is:

rtl8150_start_xmit() {
	netif_stop_queue();
	usb_submit_urb(dev->tx_urb);
}

rtl8150_set_multicast() {
	netif_stop_queue();
	netif_wake_queue();		<-- wakes up TX queue before URB is done
}

rtl8150_start_xmit() {
	netif_stop_queue();
	usb_submit_urb(dev->tx_urb);	<-- double submission
}

> rtl8150_set_multicast is rtl8150's implementation of ndo_set_rx_mode and
> should not be calling netif_stop_queue and netif_start_queue as these handle
> TX queue synchronization.
>
> The net core function dev_set_rx_mode handles the synchronization
> for rtl8150_set_multicast making it safe to remove these locks.
>
> Reported-and-tested-by: syzbot+78cae3f37c62ad092caa@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=78cae3f37c62ad092caa
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>

Tested-by: Michal Pecio <michal.pecio@gmail.com>

This is instantly triggered on HW simply by running:

	ncat remote-host port < /dev/zero &
	ifconfig ethX allmulti

and results in:

[ 1253.338536] URB ffff88810ad01240 submitted while active
[ 1253.338616] WARNING: CPU: 2 PID: 2785 at drivers/usb/core/urb.c:379 usb_submit_urb+0x5f1/0x640 [usbcore]
[ 1253.338686] Modules linked in: usbhid uvcvideo rtl8150 xhci_pci xhci_hcd usbcore ext2 uvc videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videodev videobuf2_common snd_pcsp usb_common serio_raw ppdev dm_mod nfnetlink [last unloaded: usbcore]
[ 1253.338724] CPU: 2 UID: 0 PID: 2785 Comm: ifconfig Tainted: G W 6.17.0-rc4 #1 PREEMPT
[ 1253.338734] Tainted: [W]=WARN
[ 1253.338737] Hardware name: HP HP EliteDesk 705 G3 MT/8265, BIOS P06 Ver. 02.45 07/16/2024
[ 1253.338740] RIP: 0010:usb_submit_urb+0x5f1/0x640 [usbcore]
[ 1253.338791] Code: 56 23 a0 e8 b1 17 3f e1 eb da b8 fe ff ff ff e9 fc fd ff ff 48 89 fe 48 c7 c7 88 20 25 a0 c6 05 c0 30 e1 ff 01 e8 cf 3a f0 e0 <0f> 0b eb a0 b8 f8 ff ff ff e9 d8 fd ff ff b8 ea ff ff ff c3 66 2e
[ 1253.338798] RSP: 0018:ffffc90000154e28 EFLAGS: 00010282
[ 1253.338804] RAX: 000000000000002b RBX: ffff88810ad01240 RCX: 0000000000000027
[ 1253.338808] RDX: ffff888226f17e08 RSI: 0000000000000001 RDI: ffff888226f17e00
[ 1253.338812] RBP: ffff88810be0ff00 R08: 00000000fff7ffff R09: ffffffff85a4d628
[ 1253.338816] R10: ffffffff82e4d680 R11: 0000000000000002 R12: ffff888125e19e00
[ 1253.338820] R13: 00000000000005ea R14: ffff88810be0ff00 R15: ffff8881326b4000
[ 1253.338824] FS: 00007fbb30220740(0000) GS:ffff88829ff7d000(0000) knlGS:0000000000000000
[ 1253.338830] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1253.338834] CR2: 00007fbb301e5e38 CR3: 000000010be04000 CR4: 00000000001506f0
[ 1253.338838] Call Trace:
[ 1253.338846] <IRQ>
[ 1253.338855] rtl8150_start_xmit+0xa1/0x100 [rtl8150]
[ 1253.338865] dev_hard_start_xmit+0x59/0x1c0
[ 1253.338875] sch_direct_xmit+0x117/0x280
[ 1253.338883] __qdisc_run+0x136/0x590
[ 1253.338890] net_tx_action+0x1bb/0x2c0
[ 1253.338898] handle_softirqs+0xcd/0x270
[ 1253.338907] do_softirq+0x3b/0x50
[ 1253.338914] </IRQ>
[ 1253.338916] <TASK>
[ 1253.338919] __local_bh_enable_ip+0x54/0x60
[ 1253.338927] __dev_change_flags+0x9a/0x1e0
[ 1253.338933] ? filemap_map_pages+0x3f3/0x620
[ 1253.338941] netif_change_flags+0x22/0x60
[ 1253.338946] dev_change_flags+0x3d/0x70
[ 1253.338951] devinet_ioctl+0x388/0x710
[ 1253.338959] inet_ioctl+0x145/0x190
[ 1253.338966] ? netdev_name_node_lookup_rcu+0x59/0x70
[ 1253.338971] ? netdev_name_node_lookup_rcu+0x59/0x70
[ 1253.338976] ? dev_get_by_name_rcu+0xa/0x20
[ 1253.338982] ? dev_ioctl+0x2fc/0x4b0
[ 1253.338989] sock_do_ioctl+0x2f/0xd0
[ 1253.338996] __x64_sys_ioctl+0x76/0xc0
[ 1253.339005] do_syscall_64+0x42/0x180
[ 1253.339013] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 1253.339019] RIP: 0033:0x7fbb3013fced
[ 1253.339024] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[ 1253.339028] RSP: 002b:00007ffdc876a850 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1253.339035] RAX: ffffffffffffffda RBX: 00007ffdc876a960 RCX: 00007fbb3013fced
[ 1253.339039] RDX: 00007ffdc876a8b0 RSI: 0000000000008914 RDI: 0000000000000004
[ 1253.339042] RBP: 00007ffdc876a8a0 R08: 000000000000000a R09: 000000000000000b
[ 1253.339045] R10: fffffffffffff8cb R11: 0000000000000246 R12: 00007ffdc876a8b0
[ 1253.339048] R13: 0000000000000004 R14: 0000000000000200 R15: 0000000000000000
[ 1253.339054] </TASK>
[ 1253.339056] ---[ end trace 0000000000000000 ]---
[ 1253.339062] net eth1: failed tx_urb -16
[ 1253.339068] net eth1: failed tx_urb -16
[ 1253.339072] net eth1: failed tx_urb -16
[ 1253.339075] net eth1: failed tx_urb -16
[ 1253.339078] net eth1: failed tx_urb -16
[ 1253.339081] net eth1: failed tx_urb -16
[ 1253.339084] net eth1: failed tx_urb -16
[ 1253.339088] net eth1: failed tx_urb -16
[ 1253.339091] net eth1: failed tx_urb -16
[ 1253.339094] net eth1: failed tx_urb -16
[ 1253.339097] net eth1: failed tx_urb -16
[ 1253.339204] net eth1: failed tx_urb -16
[ 1253.339209] net eth1: failed tx_urb -16
[ 1253.339212] net eth1: failed tx_urb -16
[ 1253.339215] net eth1: failed tx_urb -16
[ 1253.339218] net eth1: failed tx_urb -16
[ 1253.339221] net eth1: failed tx_urb -16
[ 1253.339224] net eth1: failed tx_urb -16
[ 1253.339226] net eth1: failed tx_urb -16
[ 1253.339229] net eth1: failed tx_urb -16
[ 1253.339232] net eth1: failed tx_urb -16
[ 1253.339235] net eth1: failed tx_urb -16
[ 1253.339237] net eth1: failed tx_urb -16
[ 1253.339240] net eth1: failed tx_urb -16
[ 1253.339243] net eth1: failed tx_urb -16
[ 1253.339246] net eth1: failed tx_urb -16
[ 1253.339249] net eth1: failed tx_urb -16
[ 1253.339252] net eth1: failed tx_urb -16
[ 1253.339255] net eth1: failed tx_urb -16
[ 1253.339258] net eth1: failed tx_urb -16
[ 1253.339261] net eth1: failed tx_urb -16
[ 1253.339263] net eth1: failed tx_urb -16
[ 1253.339266] net eth1: failed tx_urb -16
[ 1253.339268] net eth1: failed tx_urb -16
[ 1253.339348] rtl8150 1-1:1.0 eth1: entered allmulticast mode
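
Added example, not part of the original message and not rtl8150 driver code: a user-space C model of the sequence sketched above, showing that the second transmit hits -EBUSY (-16, as in the "failed tx_urb -16" lines) only when the rx-mode path wakes the queue. All model_* names and the replay() helper are hypothetical, and the model assumes the stack calls the xmit routine only while the queue is awake.

```c
/* User-space model of the race; not rtl8150 driver code. All model_* names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_dev {
    bool queue_stopped;  /* state of the netdev TX queue */
    bool tx_urb_active;  /* dev->tx_urb submitted and not yet completed */
};

/* Like usb_submit_urb(): an URB that is still active is rejected with -EBUSY (-16). */
static int model_submit_urb(struct model_dev *d)
{
    if (d->tx_urb_active)
        return -EBUSY;
    d->tx_urb_active = true;
    return 0;
}

/* The stack calls the driver's xmit routine only while the queue is awake. */
static int model_start_xmit(struct model_dev *d)
{
    if (d->queue_stopped)
        return 1;                /* packet stays queued, driver is not called */
    d->queue_stopped = true;     /* netif_stop_queue() */
    return model_submit_urb(d);
}

/* rx-mode change; touch_queue=true models the stop/wake pair the patch removes. */
static void model_set_multicast(struct model_dev *d, bool touch_queue)
{
    if (touch_queue) {
        d->queue_stopped = true;   /* netif_stop_queue() */
        d->queue_stopped = false;  /* netif_wake_queue(), URB may still be active */
    }
}

/* Replays: xmit, rx-mode change, second xmit. Returns the second xmit's result. */
int replay(bool touch_queue)
{
    struct model_dev d = { false, false };
    model_start_xmit(&d);
    model_set_multicast(&d, touch_queue);
    return model_start_xmit(&d);
}

int main(void)
{
    printf("with stop/wake: %d, without: %d\n", replay(true), replay(false));
    return 0;
}
```

The invariant the model makes visible is that the TX queue must stay stopped for as long as the single tx_urb is in flight, so only the URB completion path may wake it.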