WARNING in carl9170_usb_submit_cmd_urb/usb_submit

WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
Status: upstream: reported C repro on 2020/05/14 20:18
Reported-by: syzbot+9468df99cb63a4a4c4e1@syzkaller.appspotmail.com
First crash: 494d, last: 21d

Cause bisection: introduced by (bisect log) :
commit 6a66a7ded12baa6ebbb2e3e82f8cb91382814839
Author: zhangyi (F) <yi.zhang@huawei.com>
Date: Thu Feb 13 06:38:20 2020 +0000

jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()

Crash: SYZFAIL: wrong response packet (log)
Repro: C syz .config

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/09/15 02:15	16m	brookebasile@gmail.com		upstream	OK

Sample crash report:

usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: reset high-speed USB device number 2 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 32
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 7 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.14.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Code: 7c 24 18 e8 50 ae 1e fc 48 8b 7c 24 18 e8 96 ff 0b ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 31 27 8a e8 f6 1a 92 03 <0f> 0b e9 58 f8 ff ff e8 22 ae 1e fc 48 81 c5 80 06 00 00 e9 84 f7
RSP: 0018:ffffc90000edee88 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff888011e2a1c0 RSI: ffffffff815cb995 RDI: fffff520001dbdc3
RBP: ffff8880175f8800 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815c579e R11: 0000000000000000 R12: 0000000000000001
R13: ffff88802a0b0980 R14: 0000000000000002 R15: ffff888018193b00
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3dd173208 CR3: 000000002f911000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 carl9170_usb_submit_cmd_urb+0x7e/0x130 drivers/net/wireless/ath/carl9170/usb.c:229
 __carl9170_exec_cmd+0x30b/0x5b0 drivers/net/wireless/ath/carl9170/usb.c:643
 carl9170_reboot+0xaf/0xf0 drivers/net/wireless/ath/carl9170/cmd.c:141
 carl9170_usb_disconnect+0x141/0x190 drivers/net/wireless/ath/carl9170/usb.c:1116
 usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458
 __device_release_driver+0x3bd/0x6f0 drivers/base/dd.c:1201
 device_release_driver_internal drivers/base/dd.c:1232 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1255
 usb_driver_release_interface drivers/usb/core/driver.c:627 [inline]
 usb_forced_unbind_intf+0x17d/0x220 drivers/usb/core/driver.c:1117
 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6094
 carl9170_usb_probe+0x48/0xd30 drivers/net/wireless/ath/carl9170/usb.c:1044
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3355
 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x23c/0xcd0 drivers/base/dd.c:595
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:965
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xc2f/0x2180 drivers/base/core.c:3355
 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2563
 hub_port_connect drivers/usb/core/hub.c:5348 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
 port_event drivers/usb/core/hub.c:5634 [inline]
 hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5716
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2021/07/02 06:06	upstream	3dbdb38e2869	06ed56cd	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/06/02 05:44	upstream	231bc5390667	06ed56cd	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/05/03 05:15	upstream	9ccce092fc64	06ed56cd	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/04/03 04:53	upstream	d93a0d43e3d0	06ed56cd	.config	log	report	syz	C

Crashes (8):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-selinux-root	2021/08/29 20:17	upstream	3f5ad13cb012	be2c130d	.config	log	report	syz	C		WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
ci-upstream-kasan-gce-smack-root	2021/07/21 12:51	upstream	8cae8cd89f05	1b201b48	.config	log	report	syz	C		WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
ci-upstream-kasan-gce-root	2021/07/12 08:32	upstream	e73f0f0ee754	a4869c92	.config	log	report	syz	C		WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
ci-upstream-kasan-gce	2021/03/04 02:33	upstream	f69d02e37a85	06ed56cd	.config	log	report	syz	C		WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
ci-upstream-linux-next-kasan-gce-root	2021/08/08 22:20	linux-next	7999516e20bd	6972b106	.config	log	report	syz	C		WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
ci2-upstream-usb	2021/01/10 18:30	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	841081d89d5a	2c1f2513	.config	log	report	syz	C
ci2-upstream-usb	2020/05/14 07:54	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	a885920d	.config	log	report	syz	C
ci2-upstream-usb	2020/10/28 06:37	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3650b228f83a	96e03c1c	.config	log	report			info