[syzbot] WARNING in usbnet_start_xmit/usb_submit_urb

[syzbot] WARNING in usbnet_start_xmit/usb_submit_urb

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 1291 Comm: kworker/0:3 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Code: 7c 24 18 e8 40 2b aa fd 48 8b 7c 24 18 e8 c6 23 1a ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 40 c0 85 86 e8 e5 66 03 02 <0f> 0b e9 58 f8 ff ff e8 12 2b aa fd 48 81 c5 80 06 00 00 e9 84 f7
RSP: 0018:ffffc90000f0f580 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888108599c00 RSI: ffffffff812bae18 RDI: fffff520001e1ea2
RBP: ffff88810b887b00 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff812b4bfe R11: 0000000000000000 R12: 0000000000000003
R13: ffff8881067d9dc0 R14: 0000000000000003 R15: ffff88810d2dd700
FS:  0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3815d25ff8 CR3: 000000010bdba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 usbnet_start_xmit+0x5ed/0x1f70 drivers/net/usb/usbnet.c:1460
 __netdev_start_xmit include/linux/netdevice.h:4987 [inline]
 netdev_start_xmit include/linux/netdevice.h:5001 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
 sch_direct_xmit+0x25b/0x790 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3817 [inline]
 __dev_queue_xmit+0x11bf/0x31d0 net/core/dev.c:4194
 neigh_resolve_output net/core/neighbour.c:1523 [inline]
 neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1503
 neigh_output include/net/neighbour.h:527 [inline]
 ip6_finish_output2+0xb49/0x1af0 net/ipv6/ip6_output.c:126
 __ip6_finish_output.part.0+0x387/0xbb0 net/ipv6/ip6_output.c:191
 __ip6_finish_output include/linux/skbuff.h:986 [inline]
 ip6_finish_output net/ipv6/ip6_output.c:201 [inline]
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x3d2/0x810 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 mld_sendpack+0x96d/0xe00 net/ipv6/mcast.c:1826
 mld_send_cr net/ipv6/mcast.c:2127 [inline]
 mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2659
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x40b/0x500 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb

[Oliver Neukum]

On 15.11.21 08:28, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
> dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> usb 5-1: BOGUS urb xfer, pipe 3 != type 1
> WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502

Hi,

here I understand what is happening, but not why it can happen. Usbnet
checks the endpoint type.

May I request an addition to syzbot? Could you include the output of
"lsusb -v" at the time
of the error condition for USB bugs?

    Regards
        Oliver

Re: [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb

[Dmitry Vyukov]

On Mon, 15 Nov 2021 at 15:31, 'Oliver Neukum' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
>
> On 15.11.21 08:28, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
> > git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > usb 5-1: BOGUS urb xfer, pipe 3 != type 1
> > WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
>
> Hi,
>
> here I understand what is happening, but not why it can happen. Usbnet
> checks the endpoint type.
>
> May I request an addition to syzbot? Could you include the output of
> "lsusb -v" at the time
> of the error condition for USB bugs?

Hi Oliver,

Aleksandr filed https://github.com/google/syzkaller/issues/2889 for
this request.
But so far we did not find a good solution. syzbot collects some info
about the machine after boot, but that's obviously wrong moment. After
the bug it's also too late -- the kernel is dead/corrupted. It's also
unclear what exactly is "usb bug".
It may be easier to do from the kernel by hooking into panic. Would
also benefit all other kernel testing as this is not really
syzbot-specific, so better belongs to kernel. Is it possible to do it
from the kernel? If not, maybe the kernel could at least log
connect/disconnect events to the console.

Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb

[syzbot]

syzbot has bisected this issue to:

commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Tue Jan 31 20:49:04 2023 +0000

    USB: core: Don't hold device lock while reading the "descriptors" sysfs file

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000
start commit:   692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=114b5877280000
console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000

Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb

[Alan Stern]

On Fri, Jun 23, 2023 at 06:32:22AM -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065
> Author: Alan Stern <stern@rowland.harvard.edu>
> Date:   Tue Jan 31 20:49:04 2023 +0000
> 
>     USB: core: Don't hold device lock while reading the "descriptors" sysfs file
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000
> start commit:   692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g..
> git tree:       upstream
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=114b5877280000
> console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000
> 
> Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
> Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

The bisection result is wrong, but the issue still needs to be fixed.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7

Index: usb-devel/drivers/net/usb/usbnet.c
===================================================================
--- usb-devel.orig/drivers/net/usb/usbnet.c
+++ usb-devel/drivers/net/usb/usbnet.c
@@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev
 	} else if (!info->in || !info->out)
 		status = usbnet_get_endpoints (dev, udev);
 	else {
+		u8		ep_addrs[3] = {
+			info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0};
+
 		dev->in = usb_rcvbulkpipe (xdev, info->in);
 		dev->out = usb_sndbulkpipe (xdev, info->out);
 		if (!(info->flags & FLAG_NO_SETINT))
@@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev
 		else
 			status = 0;
 
+		if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs))
+			status = -EINVAL;
 	}
 	if (status >= 0 && dev->status)
 		status = init_status (dev, udev);

Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com

Tested on:

commit:         45a3e24f Linux 6.4-rc7
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=1210e557280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14e0e557280000

Note: testing is done by a robot and is best-effort only.