From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>,
syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 11/14] USB: core: Fix misleading driver bug report
Date: Thu, 14 May 2020 14:56:22 -0400 [thread overview]
Message-ID: <20200514185625.21753-11-sashal@kernel.org> (raw)
In-Reply-To: <20200514185625.21753-1-sashal@kernel.org>
From: Alan Stern <stern@rowland.harvard.edu>
[ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ]
The syzbot fuzzer found a race between URB submission to endpoint 0
and device reset. Namely, during the reset we call usb_ep0_reinit()
because the characteristics of ep0 may have changed (if the reset
follows a firmware update, for example). While usb_ep0_reinit() is
running there is a brief period during which the pointers stored in
udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is
submitted to ep0 during that period, usb_urb_ep_type_check() will
report it as a driver bug. In the absence of those pointers, the
routine thinks that the endpoint doesn't exist. The log message looks
like this:
------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478
usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
Now, although submitting an URB while the device is being reset is a
questionable thing to do, it shouldn't count as a driver bug as severe
as submitting an URB for an endpoint that doesn't exist. Indeed,
endpoint 0 always exists, even while the device is in its unconfigured
state.
To prevent these misleading driver bug reports, this patch updates
usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[]
pointers when the endpoint being disabled is ep0. There's no danger
of leaving a stale pointer in place, because the usb_host_endpoint
structure being pointed to is stored permanently in udev->ep0; it
doesn't get deallocated until the entire usb_device structure does.
Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/message.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 747343c61398b..f083ecfddd1b1 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1080,11 +1080,11 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr,
if (usb_endpoint_out(epaddr)) {
ep = dev->ep_out[epnum];
- if (reset_hardware)
+ if (reset_hardware && epnum != 0)
dev->ep_out[epnum] = NULL;
} else {
ep = dev->ep_in[epnum];
- if (reset_hardware)
+ if (reset_hardware && epnum != 0)
dev->ep_in[epnum] = NULL;
}
if (ep) {
--
2.20.1
next prev parent reply other threads:[~2020-05-14 18:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-14 18:56 [PATCH AUTOSEL 4.4 01/14] Makefile: disallow data races on gcc-10 as well Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 02/14] HID: multitouch: add eGalaxTouch P80H84 support Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 03/14] batman-adv: fix batadv_nc_random_weight_tq Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 04/14] net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()' Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 05/14] dp83640: reverse arguments to list_add_tail Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 06/14] soc: qcom: ipa: IPA endpoints Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 07/14] net: ipa: fix a bug in ipa_endpoint_stop() Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 08/14] net: moxa: Fix a potential double 'free_irq()' Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 09/14] ceph: fix double unlock in handle_cap_export() Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 10/14] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Sasha Levin
2020-05-14 18:56 ` Sasha Levin [this message]
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 12/14] platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 13/14] ARM: futex: Address build warning Sasha Levin
2020-05-14 18:56 ` Sasha Levin
2020-05-14 18:56 ` [PATCH AUTOSEL 4.4 14/14] scripts/decodecode: fix trapping instruction formatting Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200514185625.21753-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.