From: Takashi Iwai <tiwai@suse.de>
To: "Andrey Konovalov" <andreyknvl@google.com>
Cc: <alsa-devel@alsa-project.org>, "Arnd Bergmann" <arnd@arndb.de>, "Arvind Yadav" <arvind.yadav.cs@gmail.com>, "Dave Jiang" <dave.jiang@intel.com>, "Johan Hovold" <johan@kernel.org>, "Mauro Carvalho Chehab" <mchehab@kernel.org>, "Andrew Morton" <akpm@linux-foundation.org>, "Jaroslav Kysela" <perex@perex.cz>, "Markus Elfring" <elfring@users.sourceforge.net>, "LKML" <linux-kernel@vger.kernel.org>, "Dmitry Vyukov" <dvyukov@google.com>, "Kostya Serebryany" <kcc@google.com>, "syzkaller" <syzkaller@googlegroups.com>
Subject: Re: usb/sound/usx2y: WARNING in usb_stream_start
Date: Fri, 03 Nov 2017 20:52:49 +0100
Message-ID: <s5hwp37ywa6.wl-tiwai@suse.de>
In-Reply-To: <CAAeHK+xoNQv3wVyqEdNEuk2hKwyoUrJ+uHFMLJ7VJVJAAuWeAQ@mail.gmail.com>

On Fri, 03 Nov 2017 15:44:59 +0100, Andrey Konovalov wrote:
>
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
>
> Looks like there's no check for the actual endpoint types.
>
> usb 1-1: BOGUS urb xfer, pipe 0 != type 3
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 24 at drivers/usb/core/urb.c:471
> usb_submit_urb+0x113e/0x1400
> Modules linked in:
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc7-44290-gf28444df2601-dirty #52
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> task: ffff88006bef5c00 task.stack: ffff88006bf60000
> RIP: 0010:usb_submit_urb+0x113e/0x1400 drivers/usb/core/urb.c:470
> RSP: 0018:ffff88006bf67440 EFLAGS: 00010286
> RAX: 0000000000000029 RBX: ffff880064698c80 RCX: ffffffff812495b5
> RDX: 0000000000000000 RSI: ffffffff8124d76a RDI: 0000000000000005
> RBP: ffff88006bf674b0 R08: ffff88006bef5c00 R09: 0000000000000006
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000003 R14: ffff880069a25a20 R15: ffff880064698d04
> FS: 0000000000000000(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fe6fdba3000 CR3: 0000000068470000 CR4: 00000000000006f0
> Call Trace:
>  usb_stream_start+0x48a/0x9f0 sound/usb/usx2y/usb_stream.c:690
>  us122l_start+0x116/0x290 sound/usb/usx2y/us122l.c:365
(snip)

OK, so this looks like another typical issue.
A totally untested patch is below. Could you check whether it covers?

thanks,

Takashi

---
diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c
index e229abd21652..5c4311b6afd6 100644
--- a/sound/usb/usx2y/usb_stream.c
+++ b/sound/usb/usx2y/usb_stream.c
@@ -56,7 +56,7 @@ static void playback_prep_freqn(struct usb_stream_kernel *sk, struct urb *urb)
 			lb, s->period_size);
 }
 
-static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+static int init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 			   struct urb **urbs, char *transfer,
 			   struct usb_device *dev, int pipe)
 {
@@ -77,6 +77,8 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 		urb->interval = 1;
 		if (usb_pipeout(pipe))
 			continue;
+		if (usb_urb_ep_type_check(urb))
+			return -EINVAL;
 
 		urb->transfer_buffer_length = transfer_length;
 		desc = urb->iso_frame_desc;
@@ -87,9 +89,11 @@ static void init_pipe_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 			desc[p].length = maxpacket;
 		}
 	}
+
+	return 0;
 }
 
-static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
+static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 		      struct usb_device *dev, int in_pipe, int out_pipe)
 {
 	struct usb_stream *s = sk->s;
@@ -103,9 +107,13 @@ static void init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize,
 		sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL);
 	}
 
-	init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe);
-	init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev,
-		       out_pipe);
+	if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe))
+		return -EINVAL;
+	if (init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev,
+			   out_pipe))
+		return -EINVAL;
+
+	return 0;
 }
 
 
@@ -226,7 +234,11 @@ struct usb_stream *usb_stream_new(struct usb_stream_kernel *sk,
 	else
 		sk->freqn = get_usb_high_speed_rate(sample_rate);
 
-	init_urbs(sk, use_packsize, dev, in_pipe, out_pipe);
+	if (init_urbs(sk, use_packsize, dev, in_pipe, out_pipe) < 0) {
+		usb_stream_free(sk);
+		return NULL;
+	}
+
 	sk->s->state = usb_stream_stopped;
 out:
 	return sk->s;
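Review bot: in the `@@ -77,6 +77,8 @@` hunk the new `usb_urb_ep_type_check(urb)` call sits after `if (usb_pipeout(pipe)) continue;`, so only IN urbs are validated and the OUT urbs prepared by the same function still reach usb_submit_urb() with an unchecked endpoint type. Since every urb in this loop carries the same `pipe`, the check belongs before the usb_pipeout() test (or once ahead of the loop) so that a device declaring the wrong type for its OUT endpoint is refused as well.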
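Review bot: in the `@@ -103,9 +107,13 @@` hunk init_urbs() throws away the value init_pipe_urbs() returns and substitutes -EINVAL; propagating the return value (`ret = init_pipe_urbs(...); if (ret) return ret;`) is shorter and keeps the error distinct if init_pipe_urbs() later gains other failure modes. The `sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL);` line in the context is still unchecked; now that the function can fail, returning -ENOMEM on a NULL urb would be the natural companion, since init_pipe_urbs() dereferences `urb->interval` unconditionally.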
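Review bot: in the `@@ -226,7 +234,11 @@` hunk the failure path calls usb_stream_free(sk) and returns NULL while sk is only partially set up (urbs allocated by init_urbs() but not all initialised, sk->s already allocated); confirm usb_stream_free() tolerates that state, and note that usb_stream_new() now signals failure by returning NULL where it previously always returned sk->s, so the callers behind us122l_start() in the report must already handle NULL.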
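The warning in the report ("BOGUS urb xfer, pipe 0 != type 3") fires because the driver builds isochronous urbs for an endpoint the device's descriptor declares as bulk. The following is an added userspace model of the check the patch relies on; it is not kernel code, and `make_pipe`, `fake_dev`, `ep_type_check` and the sample descriptors are constructed for illustration.

```c
/* Userspace model (added example, not kernel code) of the endpoint-type check
 * the patch adds through usb_urb_ep_type_check(): the transfer type a driver
 * encodes in its pipe must match the type the device's endpoint descriptor
 * declares, since that descriptor comes from the (untrusted) device itself. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define USB_DIR_IN 0x80
/* Pipe type field (bits 30-31), numbered like the kernel's PIPE_* constants */
enum { PIPE_ISOCHRONOUS = 0, PIPE_INTERRUPT = 1, PIPE_CONTROL = 2, PIPE_BULK = 3 };
/* Descriptor bmAttributes transfer type (bits 0-1), like USB_ENDPOINT_XFER_* */
enum { XFER_CONTROL = 0, XFER_ISOC = 1, XFER_BULK = 2, XFER_INT = 3 };
/* Descriptor type -> pipe type, mirroring the kernel's pipetypes[] table */
static const unsigned pipetypes[4] = { PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT };

struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct fake_dev { const struct ep_desc *eps; size_t n_eps; };

/* Pipe encoding as in usb_rcvisocpipe()/usb_sndbulkpipe(); devnum bits omitted. */
unsigned make_pipe(unsigned type, unsigned ep, int in)
{ return (type << 30) | (ep << 15) | (in ? USB_DIR_IN : 0); }
static unsigned pipe_type(unsigned pipe) { return (pipe >> 30) & 3; }
static unsigned pipe_epnum(unsigned pipe) { return (pipe >> 15) & 0xf; }
static int pipe_in(unsigned pipe) { return (pipe & USB_DIR_IN) != 0; }

/* Find the endpoint the pipe addresses among the device's descriptors. */
static const struct ep_desc *find_ep(const struct fake_dev *dev, unsigned pipe)
{
    for (size_t i = 0; i < dev->n_eps; i++) {
        const struct ep_desc *e = &dev->eps[i];
        if ((e->bEndpointAddress & 0xf) == pipe_epnum(pipe) &&
            ((e->bEndpointAddress & USB_DIR_IN) != 0) == pipe_in(pipe))
            return e;
    }
    return NULL;
}

/* 0 if the endpoint exists and its declared type matches the pipe, else -EINVAL. */
int ep_type_check(const struct fake_dev *dev, unsigned pipe)
{
    const struct ep_desc *ep = find_ep(dev, pipe);
    if (!ep)
        return -EINVAL;          /* endpoint absent from the descriptors */
    if (pipe_type(pipe) != pipetypes[ep->bmAttributes & 3])
        return -EINVAL;          /* iso pipe on a bulk endpoint: "pipe 0 != type 3" */
    return 0;
}

/* Constructed descriptors: ep 1 IN declared bulk, ep 2 IN declared isochronous. */
static const struct ep_desc sample_eps[] = { {0x81, XFER_BULK}, {0x82, XFER_ISOC} };
const struct fake_dev sample_dev = { sample_eps, 2 };
```

An isochronous pipe to endpoint 1 of `sample_dev` reproduces the mismatch from the report and is rejected, while the same pipe to endpoint 2 passes.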