ci starts bisection 2023-02-26 21:36:11.638911163 +0000 UTC m=+200695.841489082 bisecting cause commit starting from 8232539f864ca60474e38eb42d451f5c26415856 building syzkaller on ee50e71ca65deab5f014ff0481809c7b2afa5427 ensuring issue is reproducible on original commit 8232539f864ca60474e38eb42d451f5c26415856 testing commit 8232539f864ca60474e38eb42d451f5c26415856 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5c6f4ea03464f4448d6dd2d8965e7203322d6ef6b66ba91c7696dc53a2024de1 all runs: crashed: WARNING in smsusb_term_device testing release v6.2 testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 33bc5566dfb40a1cf48d1d2b0e9df0725913d4afaa61497a23a92c8521ebff91 all runs: OK # git bisect start 8232539f864ca60474e38eb42d451f5c26415856 c9c3395d5e3dcc6daee66c6908354d47bf98cb0c Bisecting: 7256 revisions left to test after this (roughly 13 steps) [fe3130bc4df0b1303de4321af2bc4dcee5d7db2f] cifs: reuse cifs_match_ipaddr for comparison of dstaddr too testing commit fe3130bc4df0b1303de4321af2bc4dcee5d7db2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4f832cb06fab09ef713958890b25cff647b454ebce3640125b7881eedbe4e5e7 all runs: OK # git bisect good fe3130bc4df0b1303de4321af2bc4dcee5d7db2f Bisecting: 3588 revisions left to test after this (roughly 12 steps) [8138ddac3c324feb92cc30f6d0d3a1bba51345a9] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git testing commit 8138ddac3c324feb92cc30f6d0d3a1bba51345a9 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 967d36a01150e1f3ff95082ec5f445cd3e1583ad6464553546559b9e1ea65348 all runs: OK # git bisect good 8138ddac3c324feb92cc30f6d0d3a1bba51345a9 Bisecting: 1729 revisions left to test after this (roughly 11 steps) [2a15ddbcd09ca3a7843a48832884e37e703eaf83] Merge branch 'master' of git://linuxtv.org/media_tree.git testing commit 2a15ddbcd09ca3a7843a48832884e37e703eaf83 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a58b029dc9d8622a69ce8d2663759111932222f25b26627a8b0662b2924cb5ed all runs: crashed: WARNING in smsusb_term_device # git bisect bad 2a15ddbcd09ca3a7843a48832884e37e703eaf83 Bisecting: 917 revisions left to test after this (roughly 10 steps) [a7d241d71cf464413307df69177ae2dec8481d37] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git testing commit a7d241d71cf464413307df69177ae2dec8481d37 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5ab1168d295afc049d60867069f039a16871c7afc249a48af8047b4ef0bc5c3e all runs: OK # git bisect good a7d241d71cf464413307df69177ae2dec8481d37 Bisecting: 511 revisions left to test after this (roughly 9 steps) [bc008210b3dfbc18c06cef17988a01f4f2b5bb96] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux.git testing commit bc008210b3dfbc18c06cef17988a01f4f2b5bb96 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7d98df64b06c851b7701858a506ee0135314060294eb7284eec26121800f67d2 all runs: OK # git bisect good bc008210b3dfbc18c06cef17988a01f4f2b5bb96 Bisecting: 255 revisions left to test after this (roughly 8 steps) [55869f435d7f6a121722c687e3ac056168e473eb] media: dvb-frontends: drx39xyj: replace return with goto for proper unwind testing commit 55869f435d7f6a121722c687e3ac056168e473eb gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b828806c53e75c7251363380245349185c7ad7b07f1b73dd322ee14b10573f9b all runs: OK # git bisect good 55869f435d7f6a121722c687e3ac056168e473eb Bisecting: 125 revisions left to test after this (roughly 7 steps) [bb9d0e091d4ecb936ec3092f6b70fe617bfb5639] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git testing commit bb9d0e091d4ecb936ec3092f6b70fe617bfb5639 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 576632207f39c370ca4bb62818497cca3ea36bcd7d96d824f2bb6ccfc850e699 all runs: OK # git bisect good bb9d0e091d4ecb936ec3092f6b70fe617bfb5639 Bisecting: 59 revisions left to test after this (roughly 6 steps) [dc67b2d9043871add05cbe9c584d8d736f3c4d2f] Merge branch 'i2c/for-mergewindow' into i2c/for-next testing commit dc67b2d9043871add05cbe9c584d8d736f3c4d2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0b4954755e5081aba9c588603776ee57b537dddf135c3f81418a613a63c6b421 all runs: OK # git bisect good dc67b2d9043871add05cbe9c584d8d736f3c4d2f Bisecting: 29 revisions left to test after this (roughly 5 steps) [371ab9c41be7514c7699aea1ff221519fdb7d127] media: imx-pxp: Sort headers alphabetically testing commit 371ab9c41be7514c7699aea1ff221519fdb7d127 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: feea6eea4e537266d21eea85f9ad8676f0a5a3b821c1fe4b11e5396e918328eb all runs: crashed: WARNING in smsusb_term_device # git bisect bad 371ab9c41be7514c7699aea1ff221519fdb7d127 Bisecting: 14 revisions left to test after this (roughly 4 steps) [2c117550d70578b0b9eb183807b0984c11ecb44b] media: imx: imx7-media-csi: Cleanup errors in imx7_csi_async_register() testing commit 2c117550d70578b0b9eb183807b0984c11ecb44b gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d46955482ae8c4526a0a2d7cacd6fab82ac3b33084afd7daafd0d5af1be3ed2c all runs: crashed: WARNING in smsusb_term_device # git bisect bad 2c117550d70578b0b9eb183807b0984c11ecb44b Bisecting: 7 revisions left to test after this (roughly 3 steps) [4ab3f69cba785988b7cb386e35e661bfa1aa0706] media: meson: vdec: remove redundant if statement testing commit 4ab3f69cba785988b7cb386e35e661bfa1aa0706 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 444c653482da87bc40b3c6bfb8e4f7b774332395939d688a2a270e9c2b3bd1d8 all runs: crashed: WARNING in smsusb_term_device # git bisect bad 4ab3f69cba785988b7cb386e35e661bfa1aa0706 Bisecting: 3 revisions left to test after this (roughly 2 steps) [0d3732fb1b20d2a636d294cdf51c35f9233d622a] media: ti: davinci: vpbe_display.c: return 0 instead of 'ret'. testing commit 0d3732fb1b20d2a636d294cdf51c35f9233d622a gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1e3df13e84d4793d2936711c18e11a75f26506b08f6ebe7cc52ccb57478f7a15 all runs: OK # git bisect good 0d3732fb1b20d2a636d294cdf51c35f9233d622a Bisecting: 1 revision left to test after this (roughly 1 step) [107b7a219bb6ca4e70254cb2247af54939fb4713] media: dvb-frontends: mb86a16.c: always use the same error path testing commit 107b7a219bb6ca4e70254cb2247af54939fb4713 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 182d1169967fc56dca7652665bd379fa64b11ecfe48a57fde96033f943a5699a all runs: OK # git bisect good 107b7a219bb6ca4e70254cb2247af54939fb4713 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ebad8e731c1c06adf04621d6fd327b860c0861b5] media: usb: siano: Fix use after free bugs caused by do_submit_urb testing commit ebad8e731c1c06adf04621d6fd327b860c0861b5 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ec5299a288fe3de16a6c95e5ee358a45e7fd2674df7b2ee8b045426649c8745a all runs: crashed: WARNING in smsusb_term_device # git bisect bad ebad8e731c1c06adf04621d6fd327b860c0861b5 ebad8e731c1c06adf04621d6fd327b860c0861b5 is the first bad commit commit ebad8e731c1c06adf04621d6fd327b860c0861b5 Author: Duoming Zhou Date: Mon Jan 23 03:04:38 2023 +0100 media: usb: siano: Fix use after free bugs caused by do_submit_urb There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+0x34c/0x5b0 [ 36.517396] worker_thread+0x4b7/0x890 [ 36.518591] kthread+0x166/0x190 [ 36.519599] ret_from_fork+0x22/0x30 [ 36.520851] [ 36.521405] Last potentially related work creation: [ 36.523143] kasan_save_stack+0x3f/0x60 [ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0 [ 36.525831] insert_work+0x25/0x130 [ 36.527039] __queue_work+0x4d4/0x620 [ 36.528236] queue_work_on+0x72/0xb0 [ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0 [ 36.530819] dummy_timer+0x350/0x1a40 [ 36.532149] call_timer_fn+0x2c/0x190 [ 36.533567] expire_timers+0x69/0x1f0 [ 36.534736] __run_timers+0x289/0x2d0 [ 36.535841] run_timer_softirq+0x2d/0x60 [ 36.537110] __do_softirq+0x116/0x380 [ 36.538377] [ 36.538950] Second to last potentially related work creation: [ 36.540855] kasan_save_stack+0x3f/0x60 [ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0 [ 36.543592] insert_work+0x25/0x130 [ 36.544891] __queue_work+0x4d4/0x620 [ 36.546168] queue_work_on+0x72/0xb0 [ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0 [ 36.548805] dummy_timer+0x350/0x1a40 [ 36.550116] call_timer_fn+0x2c/0x190 [ 36.551570] expire_timers+0x69/0x1f0 [ 36.552762] __run_timers+0x289/0x2d0 [ 36.553916] run_timer_softirq+0x2d/0x60 [ 36.555118] __do_softirq+0x116/0x380 [ 36.556239] [ 36.556807] The buggy address belongs to the object at ffff888005960000 [ 36.556807] which belongs to the cache kmalloc-4k of size 4096 [ 36.560652] The buggy address is located 232 bytes inside of [ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000) [ 36.564791] [ 36.565355] The buggy address belongs to the physical page: [ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00 [ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0 [ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1) [ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000 [ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 [ 36.580175] page dumped because: kasan: bad access detected [ 36.581994] [ 36.582548] Memory state around the buggy address: [ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.591071] ^ [ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.598026] ================================================================== [ 36.600224] Disabling lock debugging due to kernel taint [ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I [ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8 [ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.615026] Workqueue: events do_submit_urb [ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 [ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 [ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 [ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 [ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 [ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f [ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 [ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 [ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 [ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 [ 36.643411] Call Trace: [ 36.644215] [ 36.644902] smscore_getbuffer+0x3e/0x1e0 [ 36.646147] do_submit_urb+0x4f/0x190 [ 36.647449] process_one_work+0x34c/0x5b0 [ 36.648777] worker_thread+0x4b7/0x890 [ 36.649984] ? worker_clr_flags+0x90/0x90 [ 36.651166] kthread+0x166/0x190 [ 36.652151] ? kthread_blkcg+0x50/0x50 [ 36.653547] ret_from_fork+0x22/0x30 [ 36.655051] [ 36.655733] Modules linked in: [ 36.656787] ---[ end trace 0000000000000000 ]--- [ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 [ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 [ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 [ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 [ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 [ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f [ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 [ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 [ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 [ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 [ 36.685733] Kernel panic - not syncing: Fatal exception [ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff) [ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]--- When the siano device is plugged in, it may call the following functions to initialize the device. smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). When smscore_start_device() gets failed, the function smsusb_term_device() will be called and smsusb_device_t will be deallocated. Although we use usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests and wait for them to finish, the worker threads that are scheduled by smsusb_onresponse() may be still running. As a result, the UAF bugs could happen. We add cancel_work_sync() in smsusb_stop_streaming() in order that the worker threads could finish before the smsusb_device_t is deallocated. Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic") Signed-off-by: Duoming Zhou Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/usb/siano/smsusb.c | 1 + 1 file changed, 1 insertion(+) culprit signature: ec5299a288fe3de16a6c95e5ee358a45e7fd2674df7b2ee8b045426649c8745a parent signature: 182d1169967fc56dca7652665bd379fa64b11ecfe48a57fde96033f943a5699a revisions tested: 16, total time: 4h29m44.704200934s (build: 2h38m7.267293043s, test: 1h48m42.277239477s) first bad commit: ebad8e731c1c06adf04621d6fd327b860c0861b5 media: usb: siano: Fix use after free bugs caused by do_submit_urb recipients (to): ["duoming@zju.edu.cn" "hverkuil-cisco@xs4all.nl" "mchehab@kernel.org"] recipients (cc): [] crash: WARNING in smsusb_term_device usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-1: Product: syz usb 1-1: Manufacturer: syz usb 1-1: SerialNumber: syz usb 1-1: config 0 descriptor?? smsusb:smsusb_probe: board id=8, interface number 0 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063 Modules linked in: CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066 Code: 00 00 00 e8 4a d7 17 00 48 c7 c6 01 58 4a 81 48 c7 c7 60 5d 78 8b 45 31 ff e8 14 76 10 00 e9 55 fd ff ff 0f 0b e9 4e fd ff ff <0f> 0b 45 31 ff e9 44 fd ff ff 4c 89 95 88 fe ff ff e8 a2 2f 6f 00 RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246 RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8 RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8 R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160 smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline] smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344 smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419 smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567 usb_probe_interface+0x278/0x6a0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x5a6/0xa50 drivers/base/dd.c:639 __driver_probe_device+0x186/0x460 drivers/base/dd.c:778 driver_probe_device+0x44/0x110 drivers/base/dd.c:808 __device_attach_driver+0x14e/0x270 drivers/base/dd.c:936 bus_for_each_drv+0x122/0x1a0 drivers/base/bus.c:427 __device_attach+0x19e/0x440 drivers/base/dd.c:1008 bus_probe_device+0x1a1/0x250 drivers/base/bus.c:487 device_add+0xa18/0x1b90 drivers/base/core.c:3479 usb_set_configuration+0xa05/0x18a0 drivers/usb/core/message.c:2171 usb_generic_driver_probe+0x78/0xa0 drivers/usb/core/generic.c:238 usb_probe_device+0x98/0x240 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x5a6/0xa50 drivers/base/dd.c:639 __driver_probe_device+0x186/0x460 drivers/base/dd.c:778 driver_probe_device+0x44/0x110 drivers/base/dd.c:808 __device_attach_driver+0x14e/0x270 drivers/base/dd.c:936 bus_for_each_drv+0x122/0x1a0 drivers/base/bus.c:427 __device_attach+0x19e/0x440 drivers/base/dd.c:1008 bus_probe_device+0x1a1/0x250 drivers/base/bus.c:487 device_add+0xa18/0x1b90 drivers/base/core.c:3479 usb_new_device.cold+0x600/0xf02 drivers/usb/core/hub.c:2573 hub_port_connect drivers/usb/core/hub.c:5405 [inline] hub_port_connect_change drivers/usb/core/hub.c:5549 [inline] port_event drivers/usb/core/hub.c:5709 [inline] hub_event+0x2450/0x3ce0 drivers/usb/core/hub.c:5791 process_one_work+0x8ba/0x14c0 kernel/workqueue.c:2289 worker_thread+0x59c/0xec0 kernel/workqueue.c:2436 kthread+0x298/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308