* [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb
From: syzbot @ 2021-11-15 7:28 UTC
To: davem, kuba, linux-kernel, linux-usb, netdev, oneukum, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 1291 Comm: kworker/0:3 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Code: 7c 24 18 e8 40 2b aa fd 48 8b 7c 24 18 e8 c6 23 1a ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 40 c0 85 86 e8 e5 66 03 02 <0f> 0b e9 58 f8 ff ff e8 12 2b aa fd 48 81 c5 80 06 00 00 e9 84 f7
RSP: 0018:ffffc90000f0f580 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888108599c00 RSI: ffffffff812bae18 RDI: fffff520001e1ea2
RBP: ffff88810b887b00 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff812b4bfe R11: 0000000000000000 R12: 0000000000000003
R13: ffff8881067d9dc0 R14: 0000000000000003 R15: ffff88810d2dd700
FS:  0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3815d25ff8 CR3: 000000010bdba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 usbnet_start_xmit+0x5ed/0x1f70 drivers/net/usb/usbnet.c:1460
 __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
 netdev_start_xmit include/linux/netdevice.h:5001 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
 sch_direct_xmit+0x25b/0x790 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3817 [inline]
 __dev_queue_xmit+0x11bf/0x31d0 net/core/dev.c:4194
 neigh_resolve_output net/core/neighbour.c:1523 [inline]
 neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1503
 neigh_output include/net/neighbour.h:527 [inline]
 ip6_finish_output2+0xb49/0x1af0 net/ipv6/ip6_output.c:126
 __ip6_finish_output.part.0+0x387/0xbb0 net/ipv6/ip6_output.c:191
 __ip6_finish_output include/linux/skbuff.h:986 [inline]
 ip6_finish_output net/ipv6/ip6_output.c:201 [inline]
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x3d2/0x810 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 mld_sendpack+0x96d/0xe00 net/ipv6/mcast.c:1826
 mld_send_cr net/ipv6/mcast.c:2127 [inline]
 mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2659
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x40b/0x500 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

* Re: [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb
From: Oliver Neukum @ 2021-11-15 14:31 UTC
To: syzbot, davem, kuba, linux-kernel, linux-usb, netdev, oneukum, syzkaller-bugs

On 15.11.21 08:28, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
> dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> usb 5-1: BOGUS urb xfer, pipe 3 != type 1
> WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502

Hi,

here I understand what is happening, but not why it can happen. Usbnet
checks the endpoint type.

May I request an addition to syzbot? Could you include the output of
"lsusb -v" at the time of the error condition for USB bugs?

    Regards
        Oliver

* Re: [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb
From: Dmitry Vyukov @ 2021-12-04 10:18 UTC
To: Oliver Neukum
Cc: syzbot, davem, kuba, linux-kernel, linux-usb, netdev, syzkaller-bugs, Aleksandr Nogikh, Andrey Konovalov

On Mon, 15 Nov 2021 at 15:31, 'Oliver Neukum' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
>
> On 15.11.21 08:28, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
> > git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > usb 5-1: BOGUS urb xfer, pipe 3 != type 1
> > WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
>
> Hi,
>
> here I understand what is happening, but not why it can happen. Usbnet
> checks the endpoint type.
>
> May I request an addition to syzbot? Could you include the output of
> "lsusb -v" at the time
> of the error condition for USB bugs?

Hi Oliver,

Aleksandr filed https://github.com/google/syzkaller/issues/2889 for
this request.
But so far we did not find a good solution. syzbot collects some info
about the machine after boot, but that's obviously wrong moment. After
the bug it's also too late -- the kernel is dead/corrupted. It's also
unclear what exactly is "usb bug".
It may be easier to do from the kernel by hooking into panic. Would
also benefit all other kernel testing as this is not really
syzbot-specific, so better belongs to kernel. Is it possible to do it
from the kernel? If not, maybe the kernel could at least log
connect/disconnect events to the console.

* Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb
From: syzbot @ 2023-06-23 13:32 UTC
To: andreyknvl, davem, dvyukov, edumazet, gregkh, kbuild-all, kuba, linux-kernel, linux-usb, lkp, netdev, nogikh, oneukum, pabeni, stern, syzkaller-bugs, troels

syzbot has bisected this issue to:

commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Tue Jan 31 20:49:04 2023 +0000

    USB: core: Don't hold device lock while reading the "descriptors" sysfs file

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000
start commit:   692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=114b5877280000
console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000

Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

* Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb 2023-06-23 13:32 ` [syzbot] [usb?] " syzbot @ 2023-06-23 15:23 ` Alan Stern 2023-06-23 16:07 ` syzbot 0 siblings, 1 reply; 6+ messages in thread From: Alan Stern @ 2023-06-23 15:23 UTC (permalink / raw) To: syzbot Cc: andreyknvl, davem, dvyukov, edumazet, gregkh, kbuild-all, kuba, linux-kernel, linux-usb, lkp, netdev, nogikh, oneukum, pabeni, syzkaller-bugs, troels On Fri, Jun 23, 2023 at 06:32:22AM -0700, syzbot wrote: > syzbot has bisected this issue to: > > commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 > Author: Alan Stern <stern@rowland.harvard.edu> > Date: Tue Jan 31 20:49:04 2023 +0000 > > USB: core: Don't hold device lock while reading the "descriptors" sysfs file > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000 > start commit: 692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g.. > git tree: upstream > final oops: https://syzkaller.appspot.com/x/report.txt?x=114b5877280000 > console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140 > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000 > > Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com > Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection The bisection result is wrong, but the issue still needs to be fixed. Alan Stern #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7 Index: usb-devel/drivers/net/usb/usbnet.c =================================================================== --- usb-devel.orig/drivers/net/usb/usbnet.c +++ usb-devel/drivers/net/usb/usbnet.c 
@@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev } else if (!info->in || !info->out) status = usbnet_get_endpoints (dev, udev); else { + u8 ep_addrs[3] = { + info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0}; + dev->in = usb_rcvbulkpipe (xdev, info->in); dev->out = usb_sndbulkpipe (xdev, info->out); if (!(info->flags & FLAG_NO_SETINT)) @@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev else status = 0; + if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs)) + status = -EINVAL; } if (status >= 0 && dev->status) status = init_status (dev, udev); ^ permalink raw reply [flat|nested] 6+ messages in thread
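Review bot: in the first hunk (@@ -1775), the ep_addrs initializer builds each endpoint address with "+" (info->in + USB_DIR_IN, info->out + USB_DIR_OUT). Bitwise OR states the intent, setting the direction bit, and cannot wrap in the u8 if a driver_info entry ever carried a value with that bit already set. The array can also be declared const, and a short comment that the trailing 0 terminates the list passed to usb_check_bulk_endpoints() would help the reader.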
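Review bot: in the second hunk (@@ -1784), a failed usb_check_bulk_endpoints() becomes a bare status = -EINVAL, so probe rejects the device without logging why. A dev_dbg() or dev_err() on &udev->dev that names the two expected bulk endpoint numbers would make the rejection visible in the console log. The check also sits only inside this else block, where info->in and info->out are hard-coded; the changelog for the final patch should say why the other branches of the if/else chain need no equivalent check.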
* Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb
From: syzbot @ 2023-06-23 16:07 UTC
To: andreyknvl, davem, dvyukov, edumazet, gregkh, kbuild-all, kuba, linux-kernel, linux-usb, lkp, netdev, nogikh, oneukum, pabeni, stern, syzkaller-bugs, troels

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com

Tested on:

commit:         45a3e24f Linux 6.4-rc7
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=1210e557280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14e0e557280000

Note: testing is done by a robot and is best-effort only.
