Re: INFO: task hung in usb_kill_urb

From: Andrey Konovalov <andreyknvl@google.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com>,
	Andrey Konovalov <andreyknvl@google.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: INFO: task hung in usb_kill_urb
Date: Thu, 18 Apr 2019 14:21:42 +0200	[thread overview]
Message-ID: <CAAeHK+yPfrbM4id7dft3aDfvNh46LVsFGB9JAaDN-AxV45H_8A@mail.gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1904171503410.1400-100000@iolanthe.rowland.org>

On Wed, Apr 17, 2019 at 9:09 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 16 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > INFO: task hung in usb_kill_urb
>
> That's surprising.  This patch was awfully similar to the previous one,
> which did prevent the crash earlier.
>
> > Tested on:
> >
> > commit:         9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10b5e057200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=131dca6b200000
>
> Andrey, is there any way to increase the console output buffer size?

Hm, I'm not sure why it got truncated here, the previous one was full.
I would try running the syz test command again in this case.

> The link above doesn't go all the way back to the beginning of the test
> (it starts at timestamp 486.614697).
>
> Also, here's a slightly revised patch for testing.
>
> Alan Stern
>
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer
>
> --- a/drivers/usb/gadget/udc/dummy_hcd.c
> +++ b/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga
>         struct dummy_hcd        *dum_hcd = gadget_to_dummy_hcd(g);
>         struct dummy            *dum = dum_hcd->dum;
>
> -       if (driver->max_speed == USB_SPEED_UNKNOWN)
> +       switch (g->speed) {
> +       /* All the speeds we support */
> +       case USB_SPEED_LOW:
> +       case USB_SPEED_FULL:
> +       case USB_SPEED_HIGH:
> +       case USB_SPEED_SUPER:
> +               break;
> +       default:
> +               dev_err(dummy_dev(dum_hcd), "Unsupported driver max speed %d\n",
> +                               driver->max_speed);
>                 return -EINVAL;
> +       }
>
>         /*
>          * SLAVE side init ... the layer above hardware, which
> @@ -1784,9 +1794,10 @@ static void dummy_timer(struct timer_lis
>                 /* Bus speed is 500000 bytes/ms, so use a little less */
>                 total = 490000;
>                 break;
> -       default:
> +       default:        /* Can't happen */
>                 dev_err(dummy_dev(dum_hcd), "bogus device speed\n");
> -               return;
> +               total = 0;
> +               break;
>         }
>
>         /* FIXME if HZ != 1000 this will probably misbehave ... */
> @@ -1828,7 +1839,7 @@ restart:
>
>                 /* Used up this frame's bandwidth? */
>                 if (total <= 0)
> -                       break;
> +                       continue;
>
>                 /* find the gadget's ep for this request (if configured) */
>                 address = usb_pipeendpoint (urb->pipe);
>