From: Takashi Iwai <tiwai@suse.de>
To: "Zhang, Qiang" <Qiang.Zhang@windriver.com>
Cc: syzbot <syzbot+c190f6858a04ea7fbc52@syzkaller.appspotmail.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"alsa-devel@alsa-project.org" <alsa-devel@alsa-project.org>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"perex@perex.cz" <perex@perex.cz>,
	"tiwai@suse.com" <tiwai@suse.com>,
	"anarsoul@gmail.com" <anarsoul@gmail.com>,
	"pavel@denx.de" <pavel@denx.de>,
	Alan Stern <stern@rowland.harvard.edu>
Subject: Re: Re: WARNING in submit_audio_out_urb/usb_submit_urb
Date: Fri, 10 Jul 2020 15:33:51 +0200	[thread overview]
Message-ID: <s5hv9iv4hq8.wl-tiwai@suse.de> (raw)
In-Reply-To: <s5h8sfr69yw.wl-tiwai@suse.de>

On Fri, 10 Jul 2020 10:38:31 +0200,
Takashi Iwai wrote:
> 
> On Fri, 10 Jul 2020 10:12:43 +0200,
> Zhang, Qiang wrote:
> > 
> > 
> > 
> > ________________________________________
> > From: linux-kernel-owner@vger.kernel.org <linux-kernel-owner@vger.kernel.org> on behalf of syzbot <syzbot+c190f6858a04ea7fbc52@syzkaller.appspotmail.com>
> > Sent: 9 July 2020 21:34
> > To: andreyknvl@google.com; gregkh@linuxfoundation.org; ingrassia@epigenesys.com; linux-kernel@vger.kernel.org; linux-usb@vger.kernel.org; syzkaller-bugs@googlegroups.com
> > Subject: WARNING in submit_audio_out_urb/usb_submit_urb
> > 
> > Hello,
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:    768a0741 usb: dwc2: gadget: Remove assigned but never used..
> > git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1568d11f100000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=999be4eb2478ffa5
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c190f6858a04ea7fbc52
> > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=123aa2fb100000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+c190f6858a04ea7fbc52@syzkaller.appspotmail.com
> > 
> > usb 1-1: send failed (error -32)
> > snd_usb_toneport 1-1:0.0: Line 6 TonePort GX now attached
> > ------------[ cut here ]------------
> > usb 1-1: BOGUS urb xfer, pipe 0 != type 3
> > WARNING: CPU: 0 PID: 12 at drivers/usb/core/urb.c:478 usb_submit_urb+0xa17/0x13e0 drivers/usb/core/urb.c:478
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc3-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: events line6_startup_work
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0xf6/0x16e lib/dump_stack.c:118
> >  panic+0x2aa/0x6e1 kernel/panic.c:231
> >  __warn.cold+0x20/0x50 kernel/panic.c:600
> >  report_bug+0x1bd/0x210 lib/bug.c:198
> >  handle_bug+0x41/0x80 arch/x86/kernel/traps.c:235
> >  exc_invalid_op+0x13/0x40 arch/x86/kernel/traps.c:255
> >  asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:563
> > RIP: 0010:usb_submit_urb+0xa17/0x13e0 drivers/usb/core/urb.c:478
> > Code: 84 e7 04 00 00 e8 a9 10 ca fd 4c 89 ef e8 41 79 12 ff 41 89 d8 44 89 e1 4c 89 f2 48 89 c6 48 c7 c7 80 a0 5d 86 e8 db 77 9e fd <0f> 0b e8 82 10 ca fd 0f b6 6c 24 08 48 c7 c6 e0 a1 5d 86 48 89 ef
> > RSP: 0018:ffff8881da227b10 EFLAGS: 00010086
> > RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
> > RDX: ffff8881da211900 RSI: ffffffff8129b4e3 RDI: ffffed103b444f54
> > RBP: 0000000000000030 R08: 0000000000000001 R09: ffff8881db21fe8b
> > R10: 0000000000000000 R11: 0000000000000004 R12: 0000000000000000
> > R13: ffff8881d6ecd0a0 R14: ffff8881d3d8c690 R15: ffff8881d54c4000
> >  submit_audio_out_urb+0x6d6/0x1a00 sound/usb/line6/playback.c:271
> >  line6_submit_audio_out_all_urbs+0xc9/0x120 sound/usb/line6/playback.c:291
> >  line6_stream_start+0x187/0x230 sound/usb/line6/pcm.c:195
> >  line6_pcm_acquire+0x137/0x210 sound/usb/line6/pcm.c:318
> >  line6_startup_work+0x42/0x50 sound/usb/line6/driver.c:734
> >  process_one_work+0x94c/0x15f0 kernel/workqueue.c:2269
> >  worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
> >  kthread+0x392/0x470 kernel/kthread.c:291
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> > 
> > It's like Alan Stern's reply to the email titled "KASAN: use-after-free Read in line6_submit_audio_in_all_urbs." It's also like a problem with asynchronous operations. Can we replace "cancel_delayed_work" with "cancel_delayed_work_sync"
> > in the "line6_disconnect" func?
> 
> No, this looks a different problem.  It's just a matter of the missing
> URB type check that leads to a USB warning.  A typical issue with the
> USB fuzzing.
> 
> I'll check it later.

... and below is the fix patch.


Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: line6: Perform sanity check for each URB creation

LINE6 drivers create stream URBs with a fixed pipe without checking
its validity, and this may lead to a kernel WARNING at the submission
when a malformed USB descriptor is passed.

To avoid the kernel warning, perform similar sanity checks for
each pipe type when creating a URB.

Reported-by: syzbot+c190f6858a04ea7fbc52@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/usb/line6/capture.c  | 2 ++
 sound/usb/line6/playback.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/sound/usb/line6/capture.c b/sound/usb/line6/capture.c
index 663d608c4287..970c9bdce0b2 100644
--- a/sound/usb/line6/capture.c
+++ b/sound/usb/line6/capture.c
@@ -286,6 +286,8 @@ int line6_create_audio_in_urbs(struct snd_line6_pcm *line6pcm)
 		urb->interval = LINE6_ISO_INTERVAL;
 		urb->error_count = 0;
 		urb->complete = audio_in_callback;
+		if (usb_urb_ep_type_check(urb))
+			return -EINVAL;
 	}
 
 	return 0;
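Review bot: the early `return -EINVAL` inside the allocation loop leaves the URBs allocated by earlier iterations of this loop in place; confirm that the caller's error path (not visible in this hunk) frees them via the PCM's cleanup, or release them here before returning. Since usb_urb_ep_type_check() already returns -EINVAL itself, propagating its return value (`err = usb_urb_ep_type_check(urb); if (err) return err;`) keeps the two in step if the core check ever grows another error code.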
diff --git a/sound/usb/line6/playback.c b/sound/usb/line6/playback.c
index 01930ce7bd75..8233c61e23f1 100644
--- a/sound/usb/line6/playback.c
+++ b/sound/usb/line6/playback.c
@@ -431,6 +431,8 @@ int line6_create_audio_out_urbs(struct snd_line6_pcm *line6pcm)
 		urb->interval = LINE6_ISO_INTERVAL;
 		urb->error_count = 0;
 		urb->complete = audio_out_callback;
+		if (usb_urb_ep_type_check(urb))
+			return -EINVAL;
 	}
 
 	return 0;
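Review bot: the check depends on urb->dev and urb->pipe, which are assigned earlier in the same loop body (above the context shown), so its position after urb->complete is correct; keep it after both assignments if the loop is ever reordered. A dev_err() naming the rejected pipe would make a malformed descriptor show up in dmesg instead of as a silent probe failure, which matters because this is exactly the path the syzbot trace takes (submit_audio_out_urb at playback.c:271) and the fix turns a WARN into a -EINVAL that is otherwise invisible.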
-- 
2.16.4
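The "BOGUS urb xfer, pipe 0 != type 3" line in the report is the USB core comparing the pipe type the driver hard-coded (PIPE_ISOCHRONOUS, 0) with the transfer type declared by the endpoint descriptor the fuzzer supplied (USB_ENDPOINT_XFER_INT, 3). The following is an added user-space C model of that comparison, written for this page and not code from the thread or from the line6 driver; it mirrors the kernel's pipe encoding and the pipetypes[] mapping used by usb_urb_ep_type_check(), and the endpoint numbers (0x01 OUT, 0x82 IN) and descriptor sets are constructed assumptions, not the real TonePort's descriptors. It shows the check running at URB creation, as the patch does, so a bad descriptor fails early with -EINVAL instead of reaching the WARN in usb_submit_urb().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Pipe types (include/linux/usb.h) and endpoint transfer types
 * (include/uapi/linux/usb/ch9.h) use different numbering; that is why the
 * warning reads "pipe 0 != type 3": an isochronous pipe (0) pointed at an
 * endpoint whose descriptor says interrupt (3). */
enum { PIPE_ISOCHRONOUS = 0, PIPE_INTERRUPT = 1, PIPE_CONTROL = 2, PIPE_BULK = 3 };
enum { XFER_CONTROL = 0, XFER_ISOC = 1, XFER_BULK = 2, XFER_INT = 3 };
#define USB_DIR_IN 0x80u
#define EINVAL_NEG (-22)

struct endpoint { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct device { unsigned devnum; const struct endpoint *eps; size_t n_eps; };
struct urb { unsigned pipe; };

/* Pipe encoding modelled on the kernel's __create_pipe()/usb_*isocpipe(). */
static unsigned make_pipe(const struct device *d, unsigned ep, unsigned dir, unsigned type)
{
    return (type << 30) | (d->devnum << 8) | (ep << 15) | dir;
}
static unsigned pipe_type(unsigned p)     { return (p >> 30) & 3u; }
static unsigned pipe_endpoint(unsigned p) { return (p >> 15) & 0xfu; }
static unsigned pipe_in(unsigned p)       { return p & USB_DIR_IN; }

/* Model of usb_pipe_endpoint(): find the descriptor the pipe refers to. */
static const struct endpoint *lookup_ep(const struct device *d, unsigned pipe)
{
    uint8_t addr = (uint8_t)(pipe_endpoint(pipe) | pipe_in(pipe));
    for (size_t i = 0; i < d->n_eps; i++)
        if (d->eps[i].bEndpointAddress == addr)
            return &d->eps[i];
    return NULL;
}

/* Same decision as usb_urb_ep_type_check(): 0 on match, -EINVAL otherwise. */
int ep_type_check(const struct device *d, unsigned pipe)
{
    static const unsigned pipetypes[4] = { PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT };
    const struct endpoint *ep = lookup_ep(d, pipe);
    if (!ep)
        return EINVAL_NEG;                 /* pipe names an endpoint that does not exist */
    if (pipe_type(pipe) != pipetypes[ep->bmAttributes & 3u])
        return EINVAL_NEG;                 /* exists, but with another transfer type */
    return 0;
}

/* What the patch does: validate at URB creation, so a bad descriptor fails
 * probe instead of tripping the WARN in usb_submit_urb() later. */
int create_iso_urb(const struct device *d, unsigned ep, unsigned dir, struct urb *urb)
{
    urb->pipe = make_pipe(d, ep, dir, PIPE_ISOCHRONOUS);
    return ep_type_check(d, urb->pipe);
}

/* Constructed descriptor sets; endpoint numbers are assumptions, not the real device's. */
static const struct endpoint genuine[]    = { {0x01, XFER_ISOC}, {0x82, XFER_ISOC} };
static const struct endpoint wrong_type[] = { {0x01, XFER_INT},  {0x82, XFER_ISOC} };  /* fuzzed: EP1 is interrupt */
static const struct endpoint missing[]    = { {0x82, XFER_ISOC} };                     /* fuzzed: EP1 absent */

/* Creation result for the playback (OUT, EP1) and capture (IN, EP2) URBs per set. */
int check_genuine(void)    { struct device d = {1, genuine, 2};    struct urb u; return create_iso_urb(&d, 1, 0, &u); }
int check_genuine_in(void) { struct device d = {1, genuine, 2};    struct urb u; return create_iso_urb(&d, 2, USB_DIR_IN, &u); }
int check_wrong_type(void) { struct device d = {1, wrong_type, 2}; struct urb u; return create_iso_urb(&d, 1, 0, &u); }
int check_missing(void)    { struct device d = {1, missing, 1};    struct urb u; return create_iso_urb(&d, 1, 0, &u); }

int main(void)
{
    printf("genuine OUT: %d\n", check_genuine());     /* 0 */
    printf("genuine IN:  %d\n", check_genuine_in());  /* 0 */
    printf("wrong type:  %d\n", check_wrong_type());  /* -22 */
    printf("missing ep:  %d\n", check_missing());     /* -22 */
    return 0;
}
```

The two failing cases correspond to the two ways a fuzzed descriptor set can break a hard-coded pipe: the endpoint number exists but with a different transfer type (the case in this report), or the endpoint is not present at all. Both are rejected by the same call the patch adds, which is why a single usb_urb_ep_type_check() per URB is sufficient here.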



Thread overview: 6+ messages
2020-07-09 13:34 WARNING in submit_audio_out_urb/usb_submit_urb syzbot
2020-07-10  8:12 ` Re: " Zhang, Qiang
2020-07-10  8:38   ` Takashi Iwai
2020-07-10  8:38     ` Takashi Iwai
2020-07-10 13:33     ` Takashi Iwai [this message]
2020-07-10 13:33       ` Takashi Iwai
