Message-ID: <559eddf1.5c68.195b1d950ef.Coremail.baishuoran@hrbeu.edu.cn>
Date: Thu, 20 Mar 2025 12:39:24 +0800 (GMT+08:00)
From: 白烁冉 <baishuoran@...eu.edu.cn>
To: "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
	"Dmitry Torokhov" <dmitry.torokhov@...il.com>
Cc: "Kun Hu" <huk23@...udan.edu.cn>, "Jiaji Qin" <jjtan24@...udan.edu.cn>,
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-input@...r.kernel.org, syzkaller@...glegroups.com
Subject: WARNING in cm109_urb_irq_callback/usb_submit_urb

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (94th) was triggered.


HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/tree/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open/94repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0305_6.14rc5/94-INFO_%20rcu%20detected%20stall%20in%20dcache_dir_open/94report


The error occurs around line 379 of the urb.c file. The problem ends up in the cm109_urb_irq_callback function in the cm109.c file: In the cm109_urb_irq_callback function, the driver attempts to resubmit a URB that has not yet been processed. There may be a race condition in the driver that resubmits the URB in the URB completion callback, but the same URB may have already been committed to another location in the system. This issue seems to involve the creation of USB devices, the operation of TTY devices, and file descriptor copying. This complex interaction resulted in duplicate commits of the URB.
We have reproduced this issue several times on 6.14-rc5 again.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>


================================================================== 
URB ffff888045c81800 submitted while active
WARNING: CPU: 0 PID: 0 at drivers/usb/core/urb.c:379 usb_submit_urb+0x134e/0x1750
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.14.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:usb_submit_urb+0x134e/0x1750
Code: e8 c7 b4 a0 fa 84 db 0f 85 47 f5 ff ff e8 0a b3 a0 fa c6 05 c3 ba 30 09 01 90 48 c7 c7 00 3e 2f 8c 4c 89 fe e8 e3 a8 60 fa 90 <0f> 0b 90 90 e9 21 f5 ff ff 48 89 7c 24 38 e8 df b2 a0 fa 48 8b 7c
RSP: 0018:ffffc90000007ad0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8179ec7a
RDX: 0000000000000000 RSI: ffffffff8de97740 RDI: 0000000000000002
RBP: ffff888022bee740 R08: 0000000000000000 R09: ffffed1005705182
R10: ffffed1005705181 R11: ffff88802b828c0b R12: 0000000000000046
R13: ffff888027b24058 R14: 00000000fffffff0 R15: ffff888045c81800
FS:  0000000000000000(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffca04ff60 CR3: 000000000df80000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <IRQ>
 cm109_urb_irq_callback+0x44b/0xb60
 __usb_hcd_giveback_urb+0x2e4/0x6b0
 usb_hcd_giveback_urb+0x391/0x450
 dummy_timer+0x1217/0x3540
 __hrtimer_run_queues+0x1b7/0xc30
 hrtimer_run_softirq+0x17f/0x2e0
 handle_softirqs+0x1bd/0x880
 irq_exit_rcu+0xfd/0x150
 sysvec_apic_timer_interrupt+0xa8/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0x1e/0x30
Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d c9 a9 0d 00 0f 1f 44 00 00 fb f4 <fa> e9 a7 41 b7 f5 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffffff8de07e08 EFLAGS: 00000206
RAX: 000000000027dec5 RBX: 0000000000000000 RCX: ffffffff8b58e5a7
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed1005706f86
R10: ffffed1005706f85 R11: ffff88802b837c2b R12: 0000000000000000
R13: ffffffff90616a10 R14: 0000000000000000 R15: 0000000000000000
 default_idle_call+0x6d/0xb0
 do_idle+0x312/0x3c0
 cpu_startup_entry+0x4f/0x60
 rest_init+0x1a9/0x2f0
 start_kernel+0x3fa/0x4e0
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0xb3/0xc0
 common_startup_64+0x13e/0x148
 </TASK>
--------------------------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	f3 0f 1e fa          	endbr64
  10:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  15:	eb 0c                	jmp    0x23
  17:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1c:	0f 00 2d c9 a9 0d 00 	verw   0xda9c9(%rip)        # 0xda9ec
  23:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	e9 a7 41 b7 f5       	jmpq   0xf5b741d7
  30:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  37:	00 00 00 00
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop
--------------------------------
thanks,
Kun Hu
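Added here as an illustration, not part of the report and not the cm109 driver's or the USB core's code: a user-space model of the "URB submitted while active" check, showing why a completion handler may normally resubmit its own URB and what a second, concurrent submitter of the same URB does to that check. All names and the 'active' flag are constructed stand-ins.

```c
#include <stdbool.h>
#include <errno.h>
/* Constructed user-space model of the check behind the warning above: the USB
 * core refuses an URB the host controller still owns (keyed off urb->hcpriv in
 * the kernel; 'active' stands in here). Not cm109's or the USB core's code. */
struct urb { bool active; void (*complete)(struct urb *); };
static int warn_count;                  /* times "submitted while active" fired */

static int model_submit_urb(struct urb *urb)
{
    if (urb->active) {
        warn_count++;                   /* WARN_ONCE() in drivers/usb/core/urb.c */
        return -EBUSY;
    }
    urb->active = true;
    return 0;
}

/* Giveback drops ownership before running the completion, which is why a
 * completion handler may legally resubmit its own URB. */
static void model_giveback_urb(struct urb *urb)
{
    urb->active = false;
    urb->complete(urb);
}

static void resubmitting_callback(struct urb *urb)
{
    model_submit_urb(urb);              /* resubmit-from-completion pattern */
}

/* Normal cycle: submit, complete, resubmit. Returns the warning count (0). */
int scenario_normal_cycle(void)
{
    struct urb u = { .active = false, .complete = resubmitting_callback };
    warn_count = 0;
    model_submit_urb(&u);
    model_giveback_urb(&u);             /* callback resubmits; URB in flight */
    return warn_count;
}

/* A second submitter races the callback's resubmission: the check trips once (1). */
int scenario_double_submit(void)
{
    struct urb u = { .active = false, .complete = resubmitting_callback };
    warn_count = 0;
    model_submit_urb(&u);
    model_giveback_urb(&u);
    return model_submit_urb(&u) == -EBUSY ? warn_count : -1;
}
```

The model only shows what the warning means (two submitters for one in-flight URB); it does not claim which of the driver's paths is the second submitter in this report.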
