Re: [syzbot] WARNING in sisusb_send_bulk_msg/usb_submit_urb

[Alan Stern <stern@rowland.harvard.edu>]

Reference: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79

The sisusbvga driver just assumes that the endpoints it uses will be 
present, without checking.  I don't know anything about this driver, so 
the fix below may not be entirely correct.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.2

--- usb-devel.orig/drivers/usb/misc/sisusbvga/sisusbvga.c
+++ usb-devel/drivers/usb/misc/sisusbvga/sisusbvga.c
@@ -2772,6 +2772,24 @@ static struct usb_class_driver usb_sisus
 	.minor_base =	SISUSB_MINOR
 };
 
+/*
+ * Check whether the current altsetting for intf contains a bulk endpoint
+ * with the specified address (number and direction).
+ */
+static int check_bulk_ep(struct usb_interface *intf, unsigned int ep_addr)
+{
+	int n, i;
+	const struct usb_endpoint_descriptor *epd;
+
+	n = intf->cur_altsetting->desc.bNumEndpoints;
+	for (i = 0; i < n; ++i) {
+		epd = &intf->cur_altsetting->endpoint[i].desc;
+		if (epd->bEndpointAddress == ep_addr)
+			return usb_endpoint_xfer_bulk(epd);
+	}
+	return 0;
+}
+
 static int sisusb_probe(struct usb_interface *intf,
 		const struct usb_device_id *id)
 {
@@ -2779,6 +2797,17 @@ static int sisusb_probe(struct usb_inter
 	struct sisusb_usb_data *sisusb;
 	int retval = 0, i;
 
+	/* Are the expected endpoints present? */
+	if (!check_bulk_ep(intf, SISUSB_EP_GFX_IN | USB_DIR_IN) ||
+	    !check_bulk_ep(intf, SISUSB_EP_GFX_OUT | USB_DIR_OUT) ||
+	    !check_bulk_ep(intf, SISUSB_EP_GFX_BULK_OUT | USB_DIR_OUT) ||
+	    !check_bulk_ep(intf, SISUSB_EP_GFX_LBULK_OUT | USB_DIR_OUT) ||
+	    !check_bulk_ep(intf, SISUSB_EP_BRIDGE_IN | USB_DIR_IN) ||
+	    !check_bulk_ep(intf, SISUSB_EP_BRIDGE_OUT | USB_DIR_OUT)) {
+		dev_err(&dev->dev, "Invalid USB2VGA device\n");
+		return -EINVAL;
+	}
+
 	dev_info(&dev->dev, "USB2VGA dongle found at address %d\n",
 			dev->devnum);