From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: 白烁冉 <baishuoran@hrbeu.edu.cn>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Kun Hu <huk23@m.fudan.edu.cn>, Jiaji Qin <jjtan24@m.fudan.edu.cn>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-input@vger.kernel.org, syzkaller@googlegroups.com
Subject: Re: WARNING in cm109_urb_irq_callback/usb_submit_urb
Date: Thu, 20 Mar 2025 06:40:27 -0700
Message-ID: <2025032045-certified-pennant-2291@gregkh>
In-Reply-To: <559eddf1.5c68.195b1d950ef.Coremail.baishuoran@hrbeu.edu.cn>

On Thu, Mar 20, 2025 at 12:39:24PM +0800, 白烁冉 wrote:
> Dear Maintainers,
>
> When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (94th) was triggered.
>
>
> HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
> git tree: upstream
> Output: https://github.com/pghk13/Kernel-Bug/tree/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open
> Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/config.txt
> C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open/94repro.c
> Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open/94report
>
>
> The error occurs around line 379 of the urb.c file. The problem ends up in the cm109_urb_irq_callback function in the cm109.c file: In the cm109_urb_irq_callback function, the driver attempts to resubmit a URB that has not yet been processed. There may be a race condition in the driver that resubmits the URB in the URB completion callback, but the same URB may have already been committed to another location in the system. This issue seems to involve the creation of USB devices, the operation of TTY devices, and file descriptor copying. This complex interaction resulted in duplicate commits of the URB.
> We have reproduced this issue several times on 6.14-rc5 again.

Great! Can you submit a fix for this as you have a reproducer you can
use to prove that it resolves the issue?

thanks,

greg k-h