From: syzbot <syzbot+e6a50a2e7cbb4f775d04@syzkaller.appspotmail.com>
To: charmitro@posteo.net, gregkh@linuxfoundation.org,
	 linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] WARNING in usb_start_wait_urb
Date: Thu, 04 Dec 2025 12:56:01 -0800	[thread overview]
Message-ID: <6931f561.a70a0220.2ea503.00e7.GAE@google.com> (raw)
In-Reply-To: <m2o6oe85fv.fsf@posteo.net>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in usb_start_wait_urb

------------[ cut here ]------------
usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
WARNING: drivers/usb/core/urb.c:414 at 0x0, CPU#1: syz.0.17/6455
Modules linked in:
CPU: 1 UID: 0 PID: 6455 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:usb_submit_urb+0x111c/0x18d0 drivers/usb/core/urb.c:412
Call Trace:
 <TASK>
 usb_start_wait_urb+0x115/0x4f0 drivers/usb/core/message.c:59
 usb_internal_control_msg drivers/usb/core/message.c:103 [inline]
 usb_control_msg+0x232/0x3e0 drivers/usb/core/message.c:154
 dtv5100_i2c_msg+0x231/0x2f0 drivers/media/usb/dvb-usb/dtv5100.c:65
 dtv5100_i2c_xfer+0x269/0x3c0 drivers/media/usb/dvb-usb/dtv5100.c:86
 __i2c_transfer+0x871/0x2110 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x25b/0x3a0 drivers/i2c/i2c-core-base.c:2317
 i2cdev_ioctl_rdwr+0x460/0x740 drivers/i2c/i2c-dev.c:306
 i2cdev_ioctl+0x64b/0x820 drivers/i2c/i2c-dev.c:467
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>


Tested on:

commit:         f231ce51 media: dvb-usb: dib0700: fix zero-length cont..
git tree:       https://github.com/charmitro/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=122b301a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b9f785244b836412
dashboard link: https://syzkaller.appspot.com/bug?extid=e6a50a2e7cbb4f775d04
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.
