* Re: [usb?] WARNING: ODEBUG bug in corrupted (3)
2024-10-11 11:51 syzbot
@ 2024-10-12 9:14 Lizhi Xu
2024-10-12 9:39 ` [syzbot] " syzbot
-1 siblings, 1 reply; 4+ messages in thread
From: Lizhi Xu @ 2024-10-12 9:14 UTC (permalink / raw)
To: syzbot+90f31ac02b7ae5e8b578; +Cc: linux-kernel, syzkaller-bugs
rtl delayed work not be canceled before put usb device, it trigger following issue:
ODEBUG: free active (active state 0) object: ffff88811dc037c8 object type: timer_list hint: rtl_ips_nic_off_wq_callback+0x0/0x680
#syz test
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index aab4605de9c4..4d68a2437b0e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -440,6 +440,7 @@ static void rtl_watchdog_wq_callback(struct work_struct *work);
static void rtl_fwevt_wq_callback(struct work_struct *work);
static void rtl_c2hcmd_wq_callback(struct work_struct *work);
+static char deinit;
static int _rtl_init_deferred_work(struct ieee80211_hw *hw)
{
struct rtl_priv *rtlpriv = rtl_priv(hw);
@@ -449,6 +450,7 @@ static int _rtl_init_deferred_work(struct ieee80211_hw *hw)
if (!wq)
return -ENOMEM;
+ deinit = 0;
/* <1> timer */
timer_setup(&rtlpriv->works.watchdog_timer,
rtl_watch_dog_timer_callback, 0);
@@ -473,6 +475,8 @@ void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq)
{
struct rtl_priv *rtlpriv = rtl_priv(hw);
+ if (deinit)
+ return;
del_timer_sync(&rtlpriv->works.watchdog_timer);
cancel_delayed_work_sync(&rtlpriv->works.watchdog_wq);
@@ -484,6 +488,7 @@ void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq)
cancel_delayed_work_sync(&rtlpriv->works.ps_rfon_wq);
cancel_delayed_work_sync(&rtlpriv->works.fwevt_wq);
cancel_delayed_work_sync(&rtlpriv->works.c2hcmd_wq);
+ deinit = 1;
}
EXPORT_SYMBOL_GPL(rtl_deinit_deferred_work);
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index d37a017b2b81..aaa16bc23e91 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1064,9 +1064,9 @@ void rtl_usb_disconnect(struct usb_interface *intf)
ieee80211_unregister_hw(hw);
rtlmac->mac80211_registered = 0;
} else {
- rtl_deinit_deferred_work(hw, false);
rtlpriv->intf_ops->adapter_stop(hw);
}
+ rtl_deinit_deferred_work(hw, false);
/*deinit rfkill */
/* rtl_deinit_rfkill(hw); */
rtl_usb_deinit(hw);
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [usb?] WARNING: ODEBUG bug in corrupted (3)
2024-10-11 11:51 syzbot
@ 2024-10-12 2:47 Lizhi Xu
2024-10-12 3:56 ` [syzbot] " syzbot
-1 siblings, 1 reply; 4+ messages in thread
From: Lizhi Xu @ 2024-10-12 2:47 UTC (permalink / raw)
To: syzbot+90f31ac02b7ae5e8b578; +Cc: linux-kernel, syzkaller-bugs
rtl delayed work not be canceled before put usb device, it trigger following issue:
ODEBUG: free active (active state 0) object: ffff88811dc037c8 object type: timer_list hint: rtl_ips_nic_off_wq_callback+0x0/0x680
#syz test
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index aab4605de9c4..c6e4a5e59880 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -472,7 +472,10 @@ static int _rtl_init_deferred_work(struct ieee80211_hw *hw)
void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq)
{
struct rtl_priv *rtlpriv = rtl_priv(hw);
+ static char deinit = 0;
+ if (deinit)
+ return;
del_timer_sync(&rtlpriv->works.watchdog_timer);
cancel_delayed_work_sync(&rtlpriv->works.watchdog_wq);
@@ -484,6 +487,7 @@ void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq)
cancel_delayed_work_sync(&rtlpriv->works.ps_rfon_wq);
cancel_delayed_work_sync(&rtlpriv->works.fwevt_wq);
cancel_delayed_work_sync(&rtlpriv->works.c2hcmd_wq);
+ deinit = 1;
}
EXPORT_SYMBOL_GPL(rtl_deinit_deferred_work);
diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
index d37a017b2b81..aaa16bc23e91 100644
--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
@@ -1064,9 +1064,9 @@ void rtl_usb_disconnect(struct usb_interface *intf)
ieee80211_unregister_hw(hw);
rtlmac->mac80211_registered = 0;
} else {
- rtl_deinit_deferred_work(hw, false);
rtlpriv->intf_ops->adapter_stop(hw);
}
+ rtl_deinit_deferred_work(hw, false);
/*deinit rfkill */
/* rtl_deinit_rfkill(hw); */
rtl_usb_deinit(hw);
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [syzbot] [usb?] WARNING: ODEBUG bug in corrupted (3)
2024-10-12 2:47 Lizhi Xu
@ 2024-10-12 3:56 ` syzbot
0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2024-10-12 3:56 UTC (permalink / raw)
To: linux-kernel, lizhi.xu, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in call_timer_fn
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6517 at kernel/workqueue.c:2257 __queue_work+0xc3a/0x1080 kernel/workqueue.c:2256
Modules linked in:
CPU: 1 UID: 0 PID: 6517 Comm: udevd Not tainted 6.12.0-rc1-syzkaller-00027-g4a9fe2a8ac53-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__queue_work+0xc3a/0x1080 kernel/workqueue.c:2256
Code: 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 9f 2d 8b 00 8b 5b 2c 31 ff 83 e3 20 89 de e8 a0 b1 32 00 85 db 75 60 e8 57 af 32 00 90 <0f> 0b 90 e9 f9 f7 ff ff e8 49 af 32 00 90 0f 0b 90 e9 a8 f7 ff ff
RSP: 0018:ffffc900001b8bf0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000100 RCX: ffffffff81233571
RDX: ffff888119dbd7c0 RSI: ffffffff812335c9 RDI: 0000000000000005
RBP: ffff88811a4e3780 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000000 R12: 1ffff92000037190
R13: 0000000000000001 R14: 0000000000000100 R15: ffff888119bd2000
FS: 00007f099cc31c80(0000) GS:ffff8881f5900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff415ce0a8 CR3: 0000000116684000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794
expire_timers kernel/time/timer.c:1840 [inline]
__run_timers+0x56a/0x930 kernel/time/timer.c:2419
__run_timer_base kernel/time/timer.c:2430 [inline]
__run_timer_base kernel/time/timer.c:2423 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2439
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449
handle_softirqs+0x206/0x8d0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xac/0x110 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1037
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x3e5/0x6f0 kernel/locking/lockdep.c:5833
Code: 7e 83 f8 01 0f 85 fd 01 00 00 9c 58 f6 c4 02 0f 85 e8 01 00 00 48 f7 04 24 00 02 00 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 c7 43 08 00 00 00 00 48 8b 84 24 88
RSP: 0018:ffffc90001a8f8c0 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff92000351f1a RCX: ffffc90001a8f910
RDX: 1ffff110233b7c49 RSI: ffffffff8727f4c0 RDI: ffffffff8746eac0
RBP: ffffffffffffffff R08: 0000000000000000 R09: fffffbfff14ac839
R10: ffffffff8a5641cf R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffff888119dbe250 R15: ffff888119dbd7c0
up_read+0x16/0x20 kernel/locking/rwsem.c:1619
kernfs_dop_revalidate+0x352/0x5a0 fs/kernfs/dir.c:1178
d_revalidate fs/namei.c:868 [inline]
d_revalidate fs/namei.c:865 [inline]
lookup_fast+0x239/0x540 fs/namei.c:1693
walk_component+0x5b/0x5b0 fs/namei.c:2049
link_path_walk.part.0.constprop.0+0x669/0xd40 fs/namei.c:2418
link_path_walk fs/namei.c:2350 [inline]
path_openat+0x228/0x2d60 fs/namei.c:3929
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f099cd5c9a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fff98e1ac60 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055f5be29ddd0 RCX: 00007f099cd5c9a4
RDX: 0000000000080000 RSI: 00007fff98e1ad78 RDI: 00000000ffffff9c
RBP: 00007fff98e1ad78 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 000055f5be29dec0 R14: 00007fff98e1ad78 R15: 000055f5902b8a04
</TASK>
----------------
Code disassembly (best guess):
0: 7e 83 jle 0xffffff85
2: f8 clc
3: 01 0f add %ecx,(%rdi)
5: 85 fd test %edi,%ebp
7: 01 00 add %eax,(%rax)
9: 00 9c 58 f6 c4 02 0f add %bl,0xf02c4f6(%rax,%rbx,2)
10: 85 e8 test %ebp,%eax
12: 01 00 add %eax,(%rax)
14: 00 48 f7 add %cl,-0x9(%rax)
17: 04 24 add $0x24,%al
19: 00 02 add %al,(%rdx)
1b: 00 00 add %al,(%rax)
1d: 74 01 je 0x20
1f: fb sti
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 48 01 c3 add %rax,%rbx <-- trapping instruction
2d: 48 c7 03 00 00 00 00 movq $0x0,(%rbx)
34: c7 43 08 00 00 00 00 movl $0x0,0x8(%rbx)
3b: 48 rex.W
3c: 8b .byte 0x8b
3d: 84 24 88 test %ah,(%rax,%rcx,4)
Tested on:
commit: 4a9fe2a8 dt-bindings: usb: dwc3-imx8mp: add compatible..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=17246087980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4510af5d637450fb
dashboard link: https://syzkaller.appspot.com/bug?extid=90f31ac02b7ae5e8b578
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=161d3b27980000
^ permalink raw reply [flat|nested] 4+ messages in thread
* [syzbot] [usb?] WARNING: ODEBUG bug in corrupted (3)
@ 2024-10-11 11:51 syzbot
0 siblings, 0 replies; 4+ messages in thread
From: syzbot @ 2024-10-11 11:51 UTC (permalink / raw)
To: akpm, linux-kernel, linux-usb, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: 4a9fe2a8ac53 dt-bindings: usb: dwc3-imx8mp: add compatible..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=10b02707980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4510af5d637450fb
dashboard link: https://syzkaller.appspot.com/bug?extid=90f31ac02b7ae5e8b578
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1597a7d0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/883c5319cb52/disk-4a9fe2a8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/caf4421ed2ef/vmlinux-4a9fe2a8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d8e3beb01d49/bzImage-4a9fe2a8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+90f31ac02b7ae5e8b578@syzkaller.appspotmail.com
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff88811dc037c8 object type: timer_list hint: rtl_ips_nic_off_wq_callback+0x0/0x680 drivers/net/wireless/realtek/rtlwifi/ps.c:283
WARNING: CPU: 1 PID: 5503 at lib/debugobjects.c:514 debug_print_object+0x1a3/0x2b0 lib/debugobjects.c:514
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-10-12 14:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20241012133220.4121757-1-lizhi.xu@windriver.com>
2024-10-12 14:11 ` [syzbot] [usb?] WARNING: ODEBUG bug in corrupted (3) syzbot
2024-10-12 9:14 Lizhi Xu
2024-10-12 9:39 ` [syzbot] " syzbot
-- strict thread matches above, loose matches on Subject: below --
2024-10-12 2:47 Lizhi Xu
2024-10-12 3:56 ` [syzbot] " syzbot
2024-10-11 11:51 syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox