From: Alan Stern <stern@rowland.harvard.edu>
To: syzbot <syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com>
Cc: andreyknvl@google.com, <gregkh@linuxfoundation.org>, <gustavo@embeddedor.com>, <linux-kernel@vger.kernel.org>, <linux-usb@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>
Subject: Re: INFO: task hung in usb_kill_urb
Date: Wed, 17 Apr 2019 15:09:44 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1904171503410.1400-100000@iolanthe.rowland.org>
In-Reply-To: <000000000000edf1630586acca2b@google.com>

On Tue, 16 Apr 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> INFO: task hung in usb_kill_urb

That's surprising. This patch was awfully similar to the previous one, which did prevent the crash earlier.

> Tested on:
>
> commit: 9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b5e057200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=131dca6b200000

Andrey, is there any way to increase the console output buffer size? The link above doesn't go all the way back to the beginning of the test (it starts at timestamp 486.614697).

Also, here's a slightly revised patch for testing.

Alan Stern

#syz test: https://github.com/google/kasan.git usb-fuzzer

--- a/drivers/usb/gadget/udc/dummy_hcd.c +++ b/drivers/usb/gadget/udc/dummy_hcd.c 
@@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga struct dummy_hcd *dum_hcd = gadget_to_dummy_hcd(g); struct dummy *dum = dum_hcd->dum; - if (driver->max_speed == USB_SPEED_UNKNOWN) + switch (g->speed) { + /* All the speeds we support */ + case USB_SPEED_LOW: + case USB_SPEED_FULL: + case USB_SPEED_HIGH: + case USB_SPEED_SUPER: + break; + default: + dev_err(dummy_dev(dum_hcd), "Unsupported driver max speed %d\n", + driver->max_speed); return -EINVAL; + } /* * SLAVE side init ... the layer above hardware, which @@ -1784,9 +1794,10 @@ static void dummy_timer(struct timer_lis /* Bus speed is 500000 bytes/ms, so use a little less */ total = 490000; break; - default: + default: /* Can't happen */ dev_err(dummy_dev(dum_hcd), "bogus device speed\n"); - return; + total = 0; + break; } /* FIXME if HZ != 1000 this will probably misbehave ... */ @@ -1828,7 +1839,7 @@ restart: /* Used up this frame's bandwidth? */ if (total <= 0) - break; + continue; /* find the gadget's ep for this request (if configured) */ address = usb_pipeendpoint (urb->pipe);
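Review bot: the new switch in dummy_udc_start() tests g->speed, but its default branch logs "Unsupported driver max speed" with driver->max_speed as the argument, and the check it replaces tested driver->max_speed. The value being validated and the value being reported should be the same one: either switch on driver->max_speed, or change the message and its argument to g->speed, so that a rejected start logs the value that actually produced the -EINVAL.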
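Review bot: in the default branch of the speed switch in dummy_timer(), the comment "Can't happen" does not say why the branch now sets total = 0 and breaks instead of returning. With this change control continues into the code after the switch with no bandwidth budget, and the reason only becomes apparent when the branch is read together with the later change at the "Used up this frame's bandwidth?" check. Suggest extending the comment to state that the rest of the function must still run even when the speed is bogus.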
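Review bot: at the bandwidth check in the loop after restart:, replacing break with continue means the loop now visits every remaining URB once total <= 0, yet the comment still reads only "Used up this frame's bandwidth?". The visible statements after the check (the endpoint lookup starting at usb_pipeendpoint) are skipped for each of those URBs, so the purpose of continuing must lie in the part of the loop body above the check, which this hunk does not show. A short comment naming what still has to be done per URB when the budget is exhausted would keep a later cleanup from turning this back into break.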