WARNING in carl9170_usb_submit_cmd_urb/usb_submit

WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
Status: upstream: reported C repro on 2020/05/14 20:18
Reported-by: syzbot+9468df99cb63a4a4c4e1@syzkaller.appspotmail.com
First crash: 401d, last: 17d

Cause bisection: introduced by (bisect log) :
commit 6a66a7ded12baa6ebbb2e3e82f8cb91382814839
Author: zhangyi (F) <yi.zhang@huawei.com>
Date: Thu Feb 13 06:38:20 2020 +0000

jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()

Crash: SYZFAIL: wrong response packet (log)
Repro: C syz .config

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/09/15 02:15	16m	brookebasile@gmail.com		upstream	OK

Sample crash report:

usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: reset high-speed USB device number 2 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 32
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 3192 at drivers/usb/core/urb.c:493 usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493
Modules linked in:
CPU: 0 PID: 3192 Comm: kworker/0:3 Not tainted 5.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493
Code: 84 d4 02 00 00 e8 69 16 37 fc 4c 89 ef e8 41 df 10 ff 41 89 d8 44 89 e1 4c 89 f2 48 89 c6 48 c7 c7 a0 5b 02 8a e8 c5 36 85 03 <0f> 0b e9 81 f8 ff ff e8 3d 16 37 fc 48 81 c5 38 06 00 00 e9 ad f7
RSP: 0018:ffffc900027b6ef0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff88801b4d1bc0 RSI: ffffffff815bd175 RDI: fffff520004f6dd0
RBP: ffff88802ac16000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815b624e R11: 0000000000000000 R12: 0000000000000001
R13: ffff88801b7190a0 R14: ffff88801dccf190 R15: ffff888012dcfb00
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd4d744c000 CR3: 000000002646a000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 carl9170_usb_submit_cmd_urb+0x7e/0x130 drivers/net/wireless/ath/carl9170/usb.c:229
 __carl9170_exec_cmd+0x30b/0x5b0 drivers/net/wireless/ath/carl9170/usb.c:643
 carl9170_reboot+0xaf/0xf0 drivers/net/wireless/ath/carl9170/cmd.c:141
 carl9170_usb_disconnect+0x141/0x190 drivers/net/wireless/ath/carl9170/usb.c:1116
 usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458
 __device_release_driver+0x3bd/0x6f0 drivers/base/dd.c:1156
 device_release_driver_internal drivers/base/dd.c:1187 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1210
 usb_driver_release_interface drivers/usb/core/driver.c:631 [inline]
 usb_forced_unbind_intf+0x180/0x220 drivers/usb/core/driver.c:1121
 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:5964
 carl9170_usb_probe+0x48/0xd30 drivers/net/wireless/ath/carl9170/usb.c:1044
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x291/0xe60 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:740
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:846
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4a0 drivers/base/dd.c:914
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbdb/0x1db0 drivers/base/core.c:3242
 usb_set_configuration+0x113f/0x1910 drivers/usb/core/message.c:2164
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 really_probe+0x291/0xe60 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:740
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:846
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4a0 drivers/base/dd.c:914
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbdb/0x1db0 drivers/base/core.c:3242
 usb_new_device.cold+0x721/0x1058 drivers/usb/core/hub.c:2555
 hub_port_connect drivers/usb/core/hub.c:5223 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
 port_event drivers/usb/core/hub.c:5509 [inline]
 hub_event+0x2357/0x4320 drivers/usb/core/hub.c:5591
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce	2021/06/02 05:44	upstream	231bc539	06ed56cd	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/05/03 05:15	upstream	9ccce092	06ed56cd	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/04/03 04:53	upstream	d93a0d43	06ed56cd	.config	log	report	syz	C

Crashes (4):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/03/04 02:33	upstream	f69d02e3	06ed56cd	.config	log	report	syz	C		WARNING in carl9170_usb_submit_cmd_urb/usb_submit_urb
ci2-upstream-usb	2021/01/10 18:30	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	841081d8	2c1f2513	.config	log	report	syz	C
ci2-upstream-usb	2020/05/14 07:54	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	a885920d	.config	log	report	syz	C
ci2-upstream-usb	2020/10/28 06:37	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	3650b228	96e03c1c	.config	log	report			info