From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>,
	syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 26/31] USB: core: Fix misleading driver bug report
Date: Thu, 14 May 2020 14:54:08 -0400
Message-ID: <20200514185413.20755-26-sashal@kernel.org>
In-Reply-To: <20200514185413.20755-1-sashal@kernel.org>

From: Alan Stern <stern@rowland.harvard.edu>

[ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ]

The syzbot fuzzer found a race between URB submission to endpoint 0
and device reset.  Namely, during the reset we call usb_ep0_reinit()
because the characteristics of ep0 may have changed (if the reset
follows a firmware update, for example).  While usb_ep0_reinit() is
running there is a brief period during which the pointers stored in
udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is
submitted to ep0 during that period, usb_urb_ep_type_check() will
report it as a driver bug.  In the absence of those pointers, the
routine thinks that the endpoint doesn't exist.  The log message looks
like this:

------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478
usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478

Now, although submitting an URB while the device is being reset is a
questionable thing to do, it shouldn't count as a driver bug as severe
as submitting an URB for an endpoint that doesn't exist.  Indeed,
endpoint 0 always exists, even while the device is in its unconfigured
state.

To prevent these misleading driver bug reports, this patch updates
usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[]
pointers when the endpoint being disabled is ep0.  There's no danger
of leaving a stale pointer in place, because the usb_host_endpoint
structure being pointed to is stored permanently in udev->ep0; it
doesn't get deallocated until the entire usb_device structure does.

Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/message.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index fcf84bfc08e34..f705ea52eb973 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1143,11 +1143,11 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr,
 
 	if (usb_endpoint_out(epaddr)) {
 		ep = dev->ep_out[epnum];
-		if (reset_hardware)
+		if (reset_hardware && epnum != 0)
 			dev->ep_out[epnum] = NULL;
 	} else {
 		ep = dev->ep_in[epnum];
-		if (reset_hardware)
+		if (reset_hardware && epnum != 0)
 			dev->ep_in[epnum] = NULL;
 	}
 	if (ep) {
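Review bot: the reason endpoint 0 is exempt from the clearing (the usb_host_endpoint it points to is stored permanently in udev->ep0, so the ep_in[0]/ep_out[0] pointers can never go stale) lives only in the commit message; a one-line comment above the two `epnum != 0` tests would keep that rationale next to the code for the next reader who wonders why ep0 is special. The same condition is also now duplicated in both branches of `if (usb_endpoint_out(epaddr))`; hoisting it into a single `bool clear = reset_hardware && epnum != 0;` above that split would leave one place to maintain.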
-- 
2.20.1
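To make the race described in the commit message concrete, here is an added example (not code from the kernel or from this patch): a stripped-down C model of the usb_device endpoint tables, the clearing done by usb_disable_endpoint() before and after the fix, and the submission-time lookup that produced the misleading warning. The struct names, the 16-slot tables, USB_DIR_IN and the `keep_ep0` switch are assumptions of the model only.

```c
/* Added example, not kernel code: a stripped-down model of the usb_device
 * endpoint tables and of the ep0 exception this hunk introduces. The struct
 * names, the 16-slot tables and USB_DIR_IN are assumptions of the model. */
#include <string.h>
#define NUM_EPS 16
#define USB_DIR_IN 0x80
struct host_endpoint { int in_use; };
struct usb_dev {
    struct host_endpoint ep0;             /* stored permanently in the device */
    struct host_endpoint *ep_in[NUM_EPS];
    struct host_endpoint *ep_out[NUM_EPS];
};

static void dev_init(struct usb_dev *dev)
{
    memset(dev, 0, sizeof(*dev));
    dev->ep_in[0] = &dev->ep0;            /* ep0 is bidirectional */
    dev->ep_out[0] = &dev->ep0;
}

/* Mirror of the hunk: a hardware reset clears the table slot, except for
 * ep0 once the patch is applied. keep_ep0 = 0 models the pre-patch code. */
static void disable_endpoint(struct usb_dev *dev, unsigned epaddr,
                             int reset_hardware, int keep_ep0)
{
    unsigned epnum = epaddr & 0x0f;
    struct host_endpoint **slot = (epaddr & USB_DIR_IN)
        ? &dev->ep_in[epnum] : &dev->ep_out[epnum];
    if (reset_hardware && (epnum != 0 || !keep_ep0))
        *slot = NULL;
}

/* Model of the submission-time lookup: a NULL slot is what made
 * usb_urb_ep_type_check() log the "BOGUS urb xfer" driver-bug warning. */
static int ep_exists(const struct usb_dev *dev, unsigned epaddr)
{
    unsigned epnum = epaddr & 0x0f;
    return ((epaddr & USB_DIR_IN) ? dev->ep_in[epnum] : dev->ep_out[epnum]) != NULL;
}

/* Race window from the report: both directions of ep0 are disabled with
 * reset_hardware inside usb_ep0_reinit(), then a control URB is submitted. */
static int ep0_usable_during_reinit(int keep_ep0)
{
    struct usb_dev dev;
    dev_init(&dev);
    disable_endpoint(&dev, 0, 1, keep_ep0);
    disable_endpoint(&dev, USB_DIR_IN, 1, keep_ep0);
    return ep_exists(&dev, 0) && ep_exists(&dev, USB_DIR_IN);
}
```

With `keep_ep0 = 0` the lookup fails during the window exactly as in the syzbot log; with the patched behaviour ep0 still resolves, while non-zero endpoints are cleared on reset as before.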

