From: Andrey Konovalov
Date: Wed, 17 Apr 2019 13:16:27 +0200
Subject: Re: INFO: task hung in usb_kill_urb
To: Alan Stern
Cc: syzbot, Andrey Konovalov, Greg Kroah-Hartman, "Gustavo A. R. Silva", LKML, USB list, syzkaller-bugs
References: <0000000000007380f90586a82005@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 16, 2019 at 8:25 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 16 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > INFO: task hung in usb_kill_urb
>
> Okay, I think I found the problem.  dummy-hcd doesn't check for
> unsupported speeds until it is too late.  Andrey, what values does your
> usb-fuzzer gadget driver set for its max_speed field?

It's passed from userspace without any validation :( I'll fix this!
Thanks for looking into it!

I wonder why other people saw this hang as well, they didn't use the
dummy hcd module for sure. I guess there might be other reasons.

>
> Anyway, if I'm right then this patch should fix the bug.
>
> Alan Stern
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer
>
> --- a/drivers/usb/gadget/udc/dummy_hcd.c
> +++ b/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga
>         struct dummy_hcd        *dum_hcd = gadget_to_dummy_hcd(g);
>         struct dummy            *dum = dum_hcd->dum;
>
> -       if (driver->max_speed == USB_SPEED_UNKNOWN)
> +       switch (driver->max_speed) {
> +       /* All the speeds we support */
> +       case USB_SPEED_LOW:
> +       case USB_SPEED_FULL:
> +       case USB_SPEED_HIGH:
> +       case USB_SPEED_SUPER:
> +               break;
> +       default:
> +               dev_err(dummy_dev(dum_hcd), "bogus driver max_speed %d\n",
> +                               driver->max_speed);
>                 return -EINVAL;
> +       }
>
>         /*
>          * SLAVE side init ... the layer above hardware, which
> @@ -1785,7 +1795,8 @@ static void dummy_timer(struct timer_lis
>                 total = 490000;
>                 break;
>         default:
> -               dev_err(dummy_dev(dum_hcd), "bogus device speed\n");
> +               dev_err(dummy_dev(dum_hcd), "bogus device speed %d\n",
> +                               dum->gadget.speed);
>                 return;
>         }
>
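Review bot: in the dummy_udc_start hunk, the comment `/* All the speeds we support */` should say explicitly that dummy-hcd emulates at most SuperSpeed, so that a later reader does not treat the missing enum members as an oversight and add cases that the emulated host side cannot service; the switch-with-default is the right shape here, since it fails at bind time with -EINVAL for every value outside LOW/FULL/HIGH/SUPER rather than only for USB_SPEED_UNKNOWN, which matters given Andrey's note that max_speed arrives from userspace unvalidated, and the `%d` in the dev_err makes the rejected value visible in the log.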