From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B14B9C33CA2 for ; Wed, 8 Jan 2020 18:18:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 94B1920678 for ; Wed, 8 Jan 2020 18:18:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730178AbgAHSSz (ORCPT ); Wed, 8 Jan 2020 13:18:55 -0500 Received: from iolanthe.rowland.org ([192.131.102.54]:49288 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1727225AbgAHSSz (ORCPT ); Wed, 8 Jan 2020 13:18:55 -0500 Received: (qmail 5455 invoked by uid 2102); 8 Jan 2020 13:18:54 -0500 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 8 Jan 2020 13:18:54 -0500 Date: Wed, 8 Jan 2020 13:18:54 -0500 (EST) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: syzbot cc: andreyknvl@google.com, , , , , , Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2) In-Reply-To: <000000000000b962af059b9429bd@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 7 Jan 2020, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > WARNING in usbhid_raw_request/usb_submit_urb Given this result, let's try again the slightly larger patch. The difference between the patch just tested and this one is very small indeed, although it's hard to predict how that difference will affect the object code. Alan Stern #syz test: https://github.com/google/kasan.git ecdf2214 Index: usb-devel/drivers/usb/core/urb.c =================================================================== --- usb-devel.orig/drivers/usb/core/urb.c +++ usb-devel/drivers/usb/core/urb.c @@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u ep = usb_pipe_endpoint(urb->dev, urb->pipe); if (!ep) - return -EINVAL; + return -EBADF; if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) return -EINVAL; return 0; @@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_ struct usb_host_endpoint *ep; int is_out; unsigned int allowed; + int c; if (!urb || !urb->complete) return -EINVAL; @@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_ */ /* Check that the pipe's type matches the endpoint's type */ - if (usb_urb_ep_type_check(urb)) - dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", - usb_pipetype(urb->pipe), pipetypes[xfertype]); + c = usb_urb_ep_type_check(urb); + if (c) + dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n", + c, usb_pipetype(urb->pipe), pipetypes[xfertype]); /* Check against a simple/standard policy */ allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |