Re: usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns

From: Alan Stern <stern@rowland.harvard.edu>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	USB list <linux-usb@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Dmitry Vyukov <dvyukov@google.com>,
	Kostya Serebryany <kcc@google.com>,
	syzkaller <syzkaller@googlegroups.com>
Subject: Re: usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns
Date: Fri, 16 Dec 2016 13:01:45 -0500 (EST)	[thread overview]
Message-ID: <Pine.LNX.4.44L0.1612161300240.1533-100000@iolanthe.rowland.org> (raw)
In-Reply-To: <CAAeHK+wnfCUAuN9skpGFsc+diddt0=Vv1+Xq=rzpK3SuzKhQDw@mail.gmail.com>

On Mon, 12 Dec 2016, Andrey Konovalov wrote:

> Hi!
> 
> While running the syzkaller fuzzer I've got the following error report.
> 
> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dev 2).
> 
> WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
> gadgetfs: disconnected
> sysfs: cannot create duplicate filename
> '/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
> Kernel panic - not syncing: panic_on_warn set ...
> 
> CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
>  ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
>  ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
>  ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
> Call Trace:
>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>  [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
>  [<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
>  [<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
>  [<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
>  [<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
>  [<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
>  [<     inline     >] create_dir lib/kobject.c:71
>  [<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
>  [<     inline     >] kobject_add_varg lib/kobject.c:366
>  [<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
>  [<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
>  [<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
>  [<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260
> drivers/usb/core/endpoint.c:195
>  [<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200
> drivers/usb/core/message.c:1030
>  [<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0
> drivers/usb/core/message.c:1937

Hi, Andrey:

Please check whether the patch below fixes this problem.

Alan Stern



Index: usb-4.x/drivers/usb/core/config.c
===================================================================

--- usb-4.x.orig/drivers/usb/core/config.c
+++ usb-4.x/drivers/usb/core/config.c
@@ -234,6 +234,16 @@ static int usb_parse_endpoint(struct dev
 	if (ifp->desc.bNumEndpoints >= num_ep)
 		goto skip_to_next_endpoint_or_interface_descriptor;
 
+	/* Check for duplicate endpoint addresses */
+	for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+		if (ifp->endpoint[i].desc.bEndpointAddress ==
+		    d->bEndpointAddress) {
+			dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+			    cfgno, inum, asnum, d->bEndpointAddress);
+			goto skip_to_next_endpoint_or_interface_descriptor;
+		}
+	}
+
 	endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
 	++ifp->desc.bNumEndpoints;
 
