From: Andrey Konovalov <andreyknvl@google.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com>,
    Andrey Konovalov <andreyknvl@google.com>,
    Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
    "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
    LKML <linux-kernel@vger.kernel.org>,
    USB list <linux-usb@vger.kernel.org>,
    syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: INFO: task hung in usb_kill_urb
Date: Wed, 17 Apr 2019 13:16:27 +0200
Message-ID: <CAAeHK+zCwXpAb02vaPuanStYCp_x8g92HDEvm_LTN_F+Y_wOfQ@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.44L0.1904161421530.1605-100000@iolanthe.rowland.org>

On Tue, Apr 16, 2019 at 8:25 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 16 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > INFO: task hung in usb_kill_urb
>
> Okay, I think I found the problem. dummy-hcd doesn't check for
> unsupported speeds until it is too late. Andrey, what values does your
> usb-fuzzer gadget driver set for its max_speed field?

It's passed from userspace without any validation :( I'll fix this!
Thanks for looking into it!

I wonder why other people saw this hang as well, they didn't use the
dummy hcd module for sure. I guess there might be other reasons.

>
> Anyway, if I'm right then this patch should fix the bug.
>
> Alan Stern
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer
>
> --- a/drivers/usb/gadget/udc/dummy_hcd.c > +++ b/drivers/usb/gadget/udc/dummy_hcd.c 
> @@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga > struct dummy_hcd *dum_hcd = gadget_to_dummy_hcd(g); > struct dummy *dum = dum_hcd->dum; > > - if (driver->max_speed == USB_SPEED_UNKNOWN) > + switch (driver->max_speed) { > + /* All the speeds we support */ > + case USB_SPEED_LOW: > + case USB_SPEED_FULL: > + case USB_SPEED_HIGH: > + case USB_SPEED_SUPER: > + break; > + default: > + dev_err(dummy_dev(dum_hcd), "bogus driver max_speed %d\n", > + driver->max_speed); > return -EINVAL; > + } > > /* > * SLAVE side init ... the layer above hardware, which > @@ -1785,7 +1795,8 @@ static void dummy_timer(struct timer_lis > total = 490000; > break; > default: > - dev_err(dummy_dev(dum_hcd), "bogus device speed\n"); > + dev_err(dummy_dev(dum_hcd), "bogus device speed %d\n", > + dum->gadget.speed); > return; > } > > >
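Review bot: the whitelist in dummy_udc_start's switch now refuses every max_speed other than the four listed, so a gadget driver that advertises something above USB_SPEED_SUPER (USB_SPEED_SUPER_PLUS, for instance) fails with -EINVAL where the old check, which only rejected USB_SPEED_UNKNOWN, let it through. If that is intended, say so in the "All the speeds we support" comment and in the changelog; otherwise clamp to USB_SPEED_SUPER. Since the reply above says max_speed can arrive from userspace unvalidated, the dev_err() in the default: branch is also worth rate-limiting or demoting to dev_dbg().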
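Review bot: the default: branch in dummy_timer still only logs and returns, and with the new check in dummy_udc_start it should no longer be reachable through a bad max_speed. A short comment saying so, or a WARN_ON_ONCE() in place of the dev_err(), would make a future regression obvious. Printing dum->gadget.speed with %d is fine for the enum.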