From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26189C10F13 for ; Tue, 16 Apr 2019 18:25:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F090E2087C for ; Tue, 16 Apr 2019 18:25:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730210AbfDPSZw (ORCPT ); Tue, 16 Apr 2019 14:25:52 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:43456 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1728032AbfDPSZw (ORCPT ); Tue, 16 Apr 2019 14:25:52 -0400 Received: (qmail 10000 invoked by uid 2102); 16 Apr 2019 14:25:51 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Apr 2019 14:25:51 -0400 Date: Tue, 16 Apr 2019 14:25:51 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: syzbot cc: andreyknvl@google.com, , , , , Subject: Re: INFO: task hung in usb_kill_urb In-Reply-To: <0000000000007380f90586a82005@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 16 Apr 2019, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > INFO: task hung in usb_kill_urb Okay, I think I found the problem. dummy-hcd doesn't check for unsupported speeds until it is too late. Andrey, what values does your usb-fuzzer gadget driver set for its max_speed field? Anyway, if I'm right then this patch should fix the bug. Alan Stern #syz test: https://github.com/google/kasan.git usb-fuzzer --- a/drivers/usb/gadget/udc/dummy_hcd.c +++ b/drivers/usb/gadget/udc/dummy_hcd.c @@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga struct dummy_hcd *dum_hcd = gadget_to_dummy_hcd(g); struct dummy *dum = dum_hcd->dum; - if (driver->max_speed == USB_SPEED_UNKNOWN) + switch (driver->max_speed) { + /* All the speeds we support */ + case USB_SPEED_LOW: + case USB_SPEED_FULL: + case USB_SPEED_HIGH: + case USB_SPEED_SUPER: + break; + default: + dev_err(dummy_dev(dum_hcd), "bogus driver max_speed %d\n", + driver->max_speed); return -EINVAL; + } /* * SLAVE side init ... the layer above hardware, which @@ -1785,7 +1795,8 @@ static void dummy_timer(struct timer_lis total = 490000; break; default: - dev_err(dummy_dev(dum_hcd), "bogus device speed\n"); + dev_err(dummy_dev(dum_hcd), "bogus device speed %d\n", + dum->gadget.speed); return; } From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: INFO: task hung in usb_kill_urb From: Alan Stern Message-Id: Date: Tue, 16 Apr 2019 14:25:51 -0400 (EDT) To: syzbot Cc: andreyknvl@google.com, gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com List-ID: T24gVHVlLCAxNiBBcHIgMjAxOSwgc3l6Ym90IHdyb3RlOgoKPiBIZWxsbywKPiAKPiBzeXpib3Qg aGFzIHRlc3RlZCB0aGUgcHJvcG9zZWQgcGF0Y2ggYnV0IHRoZSByZXByb2R1Y2VyIHN0aWxsIHRy aWdnZXJlZCAgCj4gY3Jhc2g6Cj4gSU5GTzogdGFzayBodW5nIGluIHVzYl9raWxsX3VyYgoKT2th eSwgSSB0aGluayBJIGZvdW5kIHRoZSBwcm9ibGVtLiAgZHVtbXktaGNkIGRvZXNuJ3QgY2hlY2sg Zm9yCnVuc3VwcG9ydGVkIHNwZWVkcyB1bnRpbCBpdCBpcyB0b28gbGF0ZS4gIEFuZHJleSwgd2hh dCB2YWx1ZXMgZG9lcyB5b3VyCnVzYi1mdXp6ZXIgZ2FkZ2V0IGRyaXZlciBzZXQgZm9yIGl0cyBt YXhfc3BlZWQgZmllbGQ/CgpBbnl3YXksIGlmIEknbSByaWdodCB0aGVuIHRoaXMgcGF0Y2ggc2hv dWxkIGZpeCB0aGUgYnVnLgoKQWxhbiBTdGVybgoKI3N5eiB0ZXN0OiBodHRwczovL2dpdGh1Yi5j b20vZ29vZ2xlL2thc2FuLmdpdCB1c2ItZnV6emVyCgotLS0gYS9kcml2ZXJzL3VzYi9nYWRnZXQv dWRjL2R1bW15X2hjZC5jCisrKyBiL2RyaXZlcnMvdXNiL2dhZGdldC91ZGMvZHVtbXlfaGNkLmMK QEAgLTk3OSw4ICs5NzksMTggQEAgc3RhdGljIGludCBkdW1teV91ZGNfc3RhcnQoc3RydWN0IHVz Yl9nYQogCXN0cnVjdCBkdW1teV9oY2QJKmR1bV9oY2QgPSBnYWRnZXRfdG9fZHVtbXlfaGNkKGcp OwogCXN0cnVjdCBkdW1teQkJKmR1bSA9IGR1bV9oY2QtPmR1bTsKIAotCWlmIChkcml2ZXItPm1h eF9zcGVlZCA9PSBVU0JfU1BFRURfVU5LTk9XTikKKwlzd2l0Y2ggKGRyaXZlci0+bWF4X3NwZWVk KSB7CisJLyogQWxsIHRoZSBzcGVlZHMgd2Ugc3VwcG9ydCAqLworCWNhc2UgVVNCX1NQRUVEX0xP VzoKKwljYXNlIFVTQl9TUEVFRF9GVUxMOgorCWNhc2UgVVNCX1NQRUVEX0hJR0g6CisJY2FzZSBV U0JfU1BFRURfU1VQRVI6CisJCWJyZWFrOworCWRlZmF1bHQ6CisJCWRldl9lcnIoZHVtbXlfZGV2 KGR1bV9oY2QpLCAiYm9ndXMgZHJpdmVyIG1heF9zcGVlZCAlZFxuIiwKKwkJCQlkcml2ZXItPm1h eF9zcGVlZCk7CiAJCXJldHVybiAtRUlOVkFMOworCX0KIAogCS8qCiAJICogU0xBVkUgc2lkZSBp bml0IC4uLiB0aGUgbGF5ZXIgYWJvdmUgaGFyZHdhcmUsIHdoaWNoCkBAIC0xNzg1LDcgKzE3OTUs OCBAQCBzdGF0aWMgdm9pZCBkdW1teV90aW1lcihzdHJ1Y3QgdGltZXJfbGlzCiAJCXRvdGFsID0g NDkwMDAwOwogCQlicmVhazsKIAlkZWZhdWx0OgotCQlkZXZfZXJyKGR1bW15X2RldihkdW1faGNk KSwgImJvZ3VzIGRldmljZSBzcGVlZFxuIik7CisJCWRldl9lcnIoZHVtbXlfZGV2KGR1bV9oY2Qp LCAiYm9ndXMgZGV2aWNlIHNwZWVkICVkXG4iLAorCQkJCWR1bS0+Z2FkZ2V0LnNwZWVkKTsKIAkJ cmV0dXJuOwogCX0KIAo=