lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aXn1A7IjYbcQuFhh@hovoldconsulting.com>
Date: Wed, 28 Jan 2026 12:37:39 +0100
From: Johan Hovold <johan@...nel.org>
To: syzbot <syzbot+c63f59479d561970dc2b@...kaller.appspotmail.com>
Cc: gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
	linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [usb?] general protection fault in
 qt2_read_bulk_callback (2)

On Tue, Jan 27, 2026 at 04:34:29PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    615aad0f61e0 Add linux-next specific files for 20260126
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1761a05a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d51c584a7396ddf1
> dashboard link: https://syzkaller.appspot.com/bug?extid=c63f59479d561970dc2b
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145d6bfa580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14dac98a580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5318e5f027be/disk-615aad0f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d165e561fa49/vmlinux-615aad0f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/fb0e01c90aa5/bzImage-615aad0f.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c63f59479d561970dc2b@...kaller.appspotmail.com
> 
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
> CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:__queue_work+0xa2/0xf90 kernel/workqueue.c:2269
> Code: 11 31 ff 89 ee e8 4e f4 37 00 85 ed 0f 85 ef 0c 00 00 e8 01 f0 37 00 4d 8d b7 c0 01 00 00 4c 89 f0 48 c1 e8 03 48 89 44 24 28 <42> 0f b6 04 20 84 c0 0f 85 22 0d 00 00 4c 89 34 24 41 8b 2e 89 ee
> RSP: 0018:ffffc900000077f8 EFLAGS: 00010002
> RAX: 0000000000000038 RBX: 0000000000000008 RCX: ffff88801dafdac0
> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000000 R08: ffff88803642c01f R09: 1ffff11006c85803
> R10: dffffc0000000000 R11: ffffed1006c85804 R12: dffffc0000000000
> R13: ffff88803642c018 R14: 00000000000001c0 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8881252b4000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fef907e8600 CR3: 000000000e54a000 CR4: 00000000003526f0
> Call Trace:
>  <IRQ>
>  queue_work_on+0x106/0x1d0 kernel/workqueue.c:2405
>  qt2_process_read_urb drivers/usb/serial/quatech2.c:541 [inline]
>  qt2_read_bulk_callback+0xe96/0x1030 drivers/usb/serial/quatech2.c:574
>  __usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1657
>  dummy_timer+0xbbd/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1995
>  __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
>  __hrtimer_run_queues+0x529/0xc30 kernel/time/hrtimer.c:1849
>  hrtimer_run_softirq+0x182/0x5a0 kernel/time/hrtimer.c:1866
>  handle_softirqs+0x22a/0x7c0 kernel/softirq.c:626
>  __do_softirq kernel/softirq.c:660 [inline]
>  invoke_softirq kernel/softirq.c:496 [inline]
>  __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:727
>  irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
>  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
>  </IRQ>
>  <TASK>

This looks like it could be related to commit d000422a46aa ("tty:
tty_port: add workqueue to flip TTY buffer") in Greg's tty-next branch,
which was reverted yesterday:

	https://lore.kernel.org/lkml/2026012739-compile-bling-3779@gregkh/

Someone who knows the syzbot interface can probably verify and close
this as fixed.

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ