syzbot


WARNING in usbhid_raw_request/usb_submit_urb (3)

Status: fixed on 2020/07/17 17:58
Subsystems: usb
Reported-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
Fix commit: ac854131d984 USB: core: Fix misleading driver bug report
First crash: 1842d, last: 1735d
Discussions (15)
Title Replies (including bot) Last reply
[PATCH AUTOSEL 5.6 001/606] hwmon: (da9052) Synchronize access with mfd 327 (327) 2020/06/10 13:44
[PATCH 5.6 000/126] 5.6.15-rc1 review 141 (141) 2020/05/31 11:34
[PATCH 4.19 00/81] 4.19.125-rc1 review 93 (93) 2020/05/29 16:26
[PATCH 4.4 00/65] 4.4.225-rc1 review 74 (74) 2020/05/27 17:16
[PATCH 4.9 00/64] 4.9.225-rc1 review 69 (69) 2020/05/27 16:53
[PATCH 4.14 00/59] 4.14.182-rc1 review 64 (64) 2020/05/27 16:51
[PATCH 5.4 000/111] 5.4.43-rc1 review 116 (116) 2020/05/27 16:34
[PATCH AUTOSEL 5.6 01/62] kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check 66 (66) 2020/05/21 00:24
[PATCH AUTOSEL 4.14 01/39] Makefile: disallow data races on gcc-10 as well 42 (42) 2020/05/16 01:35
[PATCH AUTOSEL 4.4 01/14] Makefile: disallow data races on gcc-10 as well 14 (14) 2020/05/14 18:56
[PATCH AUTOSEL 4.9 01/27] Makefile: disallow data races on gcc-10 as well 27 (27) 2020/05/14 18:55
[PATCH AUTOSEL 4.19 01/31] Makefile: disallow data races on gcc-10 as well 31 (31) 2020/05/14 18:54
[PATCH AUTOSEL 5.4 01/49] kbuild: avoid concurrency issue in parallel building dtbs and dtbs_check 49 (49) 2020/05/14 18:53
[PATCH] USB: core: Fix misleading driver bug report 1 (1) 2020/05/01 20:07
WARNING in usbhid_raw_request/usb_submit_urb (3) 16 (34) 2020/04/30 15:18
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING in usbhid_raw_request/usb_submit_urb (2) usb syz 27 1845d 1925d 0/28 closed as invalid on 2020/01/10 16:46
upstream WARNING in usbhid_raw_request/usb_submit_urb usb syz 37 1940d 2010d 0/28 closed as dup on 2019/08/21 14:08
Last patch testing requests (16)
Created Duration User Patch Repo Result
2020/04/30 14:58 18m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/29 23:41 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/29 20:11 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/25 20:25 18m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/24 19:14 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/24 15:20 13m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/24 12:20 11m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/24 01:39 9m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/24 01:00 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/23 21:09 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/23 18:54 16m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/23 16:37 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK
2020/04/23 01:18 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/02 19:00 16m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/02 15:57 17m andreyknvl@google.com patch https://github.com/google/kasan.git 0fa84af8 report log
2020/04/02 15:35 17m stern@rowland.harvard.edu patch https://github.com/google/kasan.git 0fa84af8 OK

Sample crash report:
------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9241 Comm: syz-executor.1 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 panic+0x2aa/0x6e1 kernel/panic.c:221
 __warn.cold+0x2f/0x30 kernel/panic.c:582
 report_bug+0x27b/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 fixup_bug arch/x86/kernel/traps.c:169 [inline]
 do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
Code: 4d 85 ed 74 46 e8 68 87 dd fd 4c 89 f7 e8 90 57 17 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 80 dd 3b 86 e8 10 18 b2 fd <0f> 0b e9 20 f4 ff ff e8 3c 87 dd fd 0f 1f 44 00 00 e8 32 87 dd fd
RSP: 0018:ffff8881c7a47b38 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff812974dd RDI: ffffed1038f48f59
RBP: 0000000000000000 R08: ffff8881cd811880 R09: ffffed103b646248
R10: ffffed103b646247 R11: ffff8881db23123f R12: 0000000000000002
R13: ffff8881c5c764b0 R14: ffff8881c8daf0a0 R15: ffff8881d0117500
 usb_start_wait_urb+0x108/0x4c0 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
 usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
 usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
 hid_hw_raw_request include/linux/hid.h:1079 [inline]
 hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
 hidraw_ioctl+0x620/0xaf0 drivers/hid/hidraw.c:422
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa05ffffc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa0600006d4 RCX: 000000000045c849
RDX: 00000000200000c0 RSI: 0000000080404806 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000335 R14: 00000000004c59df R15: 000000000076bfac
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/04/01 20:48 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 a34e2c33 .config console log report syz ci2-upstream-usb
2020/04/29 19:17 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c ba2806db .config console log report ci2-upstream-usb
2020/04/29 08:37 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c e3ecea2e .config console log report ci2-upstream-usb
2020/04/20 04:25 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 9f7c6d12 .config console log report ci2-upstream-usb
2020/04/11 05:11 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 a8c6a3f8 .config console log report ci2-upstream-usb
2020/04/08 20:46 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 db9bcd4b .config console log report ci2-upstream-usb
2020/04/02 14:58 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 a34e2c33 .config console log report ci2-upstream-usb
2020/04/01 15:41 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 a34e2c33 .config console log report ci2-upstream-usb
2020/03/18 15:20 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 0a96a13c .config console log report ci2-upstream-usb
2020/03/04 05:04 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 1f73b64b .config console log report ci2-upstream-usb
2020/02/29 02:59 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c c88c7b75 .config console log report ci2-upstream-usb
2020/02/20 23:09 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 81230308 .config console log report ci2-upstream-usb
2020/02/16 04:38 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/15 12:22 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/13 15:15 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 e6247653 .config console log report ci2-upstream-usb
2020/01/25 01:33 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 2e95ab33 .config console log report ci2-upstream-usb
2020/01/20 06:34 https://github.com/google/kasan.git usb-fuzzer 4cc301ee04d9 0342f8c7 .config console log report ci2-upstream-usb
2020/01/13 18:27 https://github.com/google/kasan.git usb-fuzzer 5a67532ceae3 99565c1a .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.