Re: [syzbot] [usb?] general protection fault in qt2_read_bulk_callback (2)

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

From: Johan Hovold <johan@kernel.org>
To: syzbot <syzbot+c63f59479d561970dc2b@syzkaller.appspotmail.com>
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] general protection fault in qt2_read_bulk_callback (2)
Date: Wed, 28 Jan 2026 12:37:39 +0100	[thread overview]
Message-ID: <aXn1A7IjYbcQuFhh@hovoldconsulting.com> (raw)
In-Reply-To: <69795995.050a0220.c9109.0028.GAE@google.com>

On Tue, Jan 27, 2026 at 04:34:29PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    615aad0f61e0 Add linux-next specific files for 20260126
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1761a05a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d51c584a7396ddf1
> dashboard link: https://syzkaller.appspot.com/bug?extid=c63f59479d561970dc2b
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145d6bfa580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14dac98a580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5318e5f027be/disk-615aad0f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d165e561fa49/vmlinux-615aad0f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/fb0e01c90aa5/bzImage-615aad0f.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c63f59479d561970dc2b@syzkaller.appspotmail.com
> 
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
> CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:__queue_work+0xa2/0xf90 kernel/workqueue.c:2269
> Code: 11 31 ff 89 ee e8 4e f4 37 00 85 ed 0f 85 ef 0c 00 00 e8 01 f0 37 00 4d 8d b7 c0 01 00 00 4c 89 f0 48 c1 e8 03 48 89 44 24 28 <42> 0f b6 04 20 84 c0 0f 85 22 0d 00 00 4c 89 34 24 41 8b 2e 89 ee
> RSP: 0018:ffffc900000077f8 EFLAGS: 00010002
> RAX: 0000000000000038 RBX: 0000000000000008 RCX: ffff88801dafdac0
> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000000 R08: ffff88803642c01f R09: 1ffff11006c85803
> R10: dffffc0000000000 R11: ffffed1006c85804 R12: dffffc0000000000
> R13: ffff88803642c018 R14: 00000000000001c0 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8881252b4000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fef907e8600 CR3: 000000000e54a000 CR4: 00000000003526f0
> Call Trace:
>  <IRQ>
>  queue_work_on+0x106/0x1d0 kernel/workqueue.c:2405
>  qt2_process_read_urb drivers/usb/serial/quatech2.c:541 [inline]
>  qt2_read_bulk_callback+0xe96/0x1030 drivers/usb/serial/quatech2.c:574
>  __usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1657
>  dummy_timer+0xbbd/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1995
>  __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
>  __hrtimer_run_queues+0x529/0xc30 kernel/time/hrtimer.c:1849
>  hrtimer_run_softirq+0x182/0x5a0 kernel/time/hrtimer.c:1866
>  handle_softirqs+0x22a/0x7c0 kernel/softirq.c:626
>  __do_softirq kernel/softirq.c:660 [inline]
>  invoke_softirq kernel/softirq.c:496 [inline]
>  __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:727
>  irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
>  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
>  </IRQ>
>  <TASK>

This looks like it could be related to commit d000422a46aa ("tty:
tty_port: add workqueue to flip TTY buffer") in Greg's tty-next branch,
which was reverted yesterday:

	https://lore.kernel.org/lkml/2026012739-compile-bling-3779@gregkh/

Someone who knows the syzbot interface can probably verify and close
this as fixed.

Johan

next prev parent reply	other threads:[~2026-01-28 11:37 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-28  0:34 [syzbot] [usb?] general protection fault in qt2_read_bulk_callback (2) syzbot
2026-01-28 11:37 ` Johan Hovold [this message]
2026-01-28 14:18 ` Jeongjun Park
2026-01-28 15:01   ` syzbot
2026-01-28 15:15 ` Jeongjun Park

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aXn1A7IjYbcQuFhh@hovoldconsulting.com \
    --to=johan@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=syzbot+c63f59479d561970dc2b@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox