2019-10-22 14:55:12

by syzbot

Subject: WARNING in usbhid_raw_request/usb_submit_urb (2)

Hello,

syzbot found the following crash on:

HEAD commit: 22be26f7 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=17f794c4e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=387eccb7ac68ec5
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 12230 at drivers/usb/core/urb.c:477 usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 12230 Comm: syz-executor.4 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
panic+0x2aa/0x6e1 kernel/panic.c:221
__warn.cold+0x2f/0x33 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:477
Code: 4d 85 ed 74 2c e8 48 59 ec fd 4c 89 f7 e8 00 7f 1c ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 20 45 18 86 e8 0d 02 c2 fd <0f> 0b e9 20 f4 ff ff e8 1c 59 ec fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881c1f27b30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 000000000000432b RSI: ffffffff8128bcbd RDI: ffffed10383e4f58
RBP: 0000000000000000 R08: ffff8881d02a3000 R09: fffffbfff11b23b7
R10: fffffbfff11b23b6 R11: ffffffff88d91db7 R12: 0000000000000002
R13: ffff8881d18b54b0 R14: ffff8881b02230a0 R15: ffff8881c9354800
usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
hid_hw_raw_request include/linux/hid.h:1079 [inline]
hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
hidraw_write+0x34/0x50 drivers/hid/hidraw.c:164
__vfs_write+0x76/0x100 fs/read_write.c:494
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459cd9
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4bf97b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459cd9
RDX: 0000000000000085 RSI: 0000000020000200 RDI: 0000000000000007
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4bf97b16d4
R13: 00000000004ca1e5 R14: 00000000004e20b0 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


2019-12-30 03:54:15

by syzbot

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

syzbot has found a reproducer for the following crash on:

HEAD commit: ecdf2214 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=17416885e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13598885e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 2388 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 2388 Comm: syz-executor.0 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
panic+0x2aa/0x6e1 kernel/panic.c:221
__warn.cold+0x2f/0x30 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
fixup_bug arch/x86/kernel/traps.c:169 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478
Code: 4d 85 ed 74 2c e8 78 90 e7 fd 4c 89 f7 e8 70 2c 1d ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 80 59 15 86 e8 20 ad bc fd <0f> 0b e9 20 f4 ff ff e8 4c 90 e7 fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881cf197b30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81295dad RDI: ffffed1039e32f58
RBP: 0000000000000000 R08: ffff8881cfe6b100 R09: fffffbfff11f1ebe
R10: fffffbfff11f1ebd R11: ffffffff88f8f5ef R12: 0000000000000002
R13: ffff8881da370d80 R14: ffff8881d01e90a0 R15: ffff8881cfe18e00
usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
hid_hw_raw_request include/linux/hid.h:1079 [inline]
hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
hidraw_write+0x34/0x50 drivers/hid/hidraw.c:164
__vfs_write+0x76/0x100 fs/read_write.c:494
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xb6/0x5c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f181187dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000000000002 RSI: 0000000020000040 RDI: 0000000000000007
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f181187e6d4
R13: 00000000004cbe90 R14: 00000000004e5ce0 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..

2020-01-03 16:36:24

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Sun, 29 Dec 2019, syzbot wrote:

> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: ecdf2214 usb: gadget: add raw-gadget interface
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=17416885e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13598885e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
>
> ------------[ cut here ]------------
> usb 1-1: BOGUS urb xfer, pipe 2 != type 2
> WARNING: CPU: 0 PID: 2388 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478

That's a strange diagnostic. Let's see what's really going on.

Alan Stern

#syz test: https://github.com/google/kasan.git ecdf2214

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -204,10 +204,14 @@ int usb_urb_ep_type_check(const struct u
const struct usb_host_endpoint *ep;

ep = usb_pipe_endpoint(urb->dev, urb->pipe);
- if (!ep)
+ if (!ep) {
+ dev_info(&urb->dev->dev, "Pipe 0x%x, no ep\n", urb->pipe);
return -EINVAL;
- if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
+ }
+ if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) {
+ dev_info(&urb->dev->dev, "Pipe/ep type mismatch\n");
return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(usb_urb_ep_type_check);
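Review bot: the "Pipe/ep type mismatch" message on the second branch omits the two values the comparison used, so even when it fires it cannot explain a "2 != 2" report; read urb->pipe once into a local and print usb_pipetype(local) together with pipetypes[usb_endpoint_type(&ep->desc)], for example dev_info(&urb->dev->dev, "Pipe 0x%x type %d != ep type %d\n", ...). Both dev_info() calls also sit on a path every URB submission takes, and a misbehaving or fuzzed device can drive it continuously, so dev_info_ratelimited() or dev_dbg() is the safer form if this diagnostic were ever to stay in the tree.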

2020-01-03 16:59:07

by syzbot

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
[email protected]

Tested on:

commit: ecdf2214 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=177f06e1e00000

Note: testing is done by a robot and is best-effort only.

2020-01-03 17:04:18

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Fri, 3 Jan 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> [email protected]
>
> Tested on:
>
> commit: ecdf2214 usb: gadget: add raw-gadget interface
> git tree: https://github.com/google/kasan.git
> kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=177f06e1e00000
>
> Note: testing is done by a robot and is best-effort only.

Andrey:

Clearly something strange is going on here. First, the patch should
not have changed the behavior; all it did was add some log messages.
Second, I don't see how the warning could have been triggered at all --
it seems to be complaining that 2 != 2.

Does the reproducer really work?

Alan Stern

2020-01-07 14:29:51

by Andrey Konovalov

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Fri, Jan 3, 2020 at 6:01 PM Alan Stern <[email protected]> wrote:
>
> On Fri, 3 Jan 2020, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch and the reproducer did not trigger
> > crash:
> >
> > Reported-and-tested-by:
> > [email protected]
> >
> > Tested on:
> >
> > commit: ecdf2214 usb: gadget: add raw-gadget interface
> > git tree: https://github.com/google/kasan.git
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> > dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=177f06e1e00000
> >
> > Note: testing is done by a robot and is best-effort only.
>
> Andrey:
>
> Clearly something strange is going on here. First, the patch should
> not have changed the behavior; all it did was add some log messages.
> Second, I don't see how the warning could have been triggered at all --
> it seems to be complaining that 2 != 2.

Hi Alan,

It looks like some kind of race is involved here.

There are a few indications of that: 1. there's no C reproducer
generated for this crash (usually happens because of timing
differences when executing syz repro vs C repro), 2. syz repro has
threaded, collide and repeat flags turned on (which means it gets
executed many times with some syscalls scheduled asynchronously).

This also explains the weirdness around the 2 != 2 check being failed.
First the comparison failed, then another thread updated one of the
numbers being compared, and then the printk statement got executed.

>
> Does the reproducer really work?

Yes, it worked for syzbot at the very least. It looks like your patch
introduced some delays which made the bug untriggerable by the same
reproducer. Since this is a race it might be quite difficult to
reproduce this manually (due to timing differences caused by a
different environment setup) as well unfortunately.

Perhaps giving a less invasive patch (that minimizes timing changes
introduced to the code that is suspected of being racy) to syzbot
could be used to debug this.

Thanks!
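
The pattern Andrey describes above, modelled in userspace as an added example (this is not code from the thread, from syzbot or from the kernel tree). The pipe bit layout, the PIPE_* and USB_ENDPOINT_XFER_* values and the pipetypes[] table are taken from include/linux/usb.h and drivers/usb/core/urb.c as they stood in these kernels; the *_model structs, the single-endpoint device, the "racing writer" that is forced to land between the check and the report, and the premise that this is the mechanism behind the report are assumptions made for the demonstration, since the thread never confirms the root cause. ep_type_check_live() mirrors usb_urb_ep_type_check(), which reads urb->pipe twice, and warning_after_race(..., 0) mirrors the dev_WARN() in usb_submit_urb(), which reads it a third time while formatting, so a write that lands in between yields "pipe 2 != type 2". ep_type_check_snapshot() is the hardened form: one read, and the message reports the two values actually compared.

```c
/* Added example, not code from this thread or from the kernel tree: a userspace
 * model of the check behind "BOGUS urb xfer, pipe 2 != type 2". Pipe bit layout,
 * PIPE_*, USB_ENDPOINT_XFER_* and pipetypes[] follow include/linux/usb.h and
 * drivers/usb/core/urb.c; the *_model structs and the forced interleaving are
 * assumptions for the demonstration, not the thread's confirmed root cause. */
#include <stdio.h>
#include <string.h>

enum { PIPE_ISOCHRONOUS, PIPE_INTERRUPT, PIPE_CONTROL, PIPE_BULK };
enum { USB_ENDPOINT_XFER_CONTROL, USB_ENDPOINT_XFER_ISOC,
       USB_ENDPOINT_XFER_BULK, USB_ENDPOINT_XFER_INT };
#define USB_DIR_IN 0x80u
/* Pipe word: type in bits 31:30, endpoint in 18:15, device in 14:8, dir in 7 */
#define usb_pipetype(p)     (((p) >> 30) & 3)
#define usb_pipeendpoint(p) (((p) >> 15) & 0xf)
#define usb_pipein(p)       (((p) & USB_DIR_IN) != 0)

/* Endpoint transfer type -> pipe type a URB to that endpoint must carry */
static const int pipetypes[4] = { PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT };

struct ep_model { int xfer_type; };
struct dev_model { struct ep_model *ep_in[16], *ep_out[16]; };
struct urb_model { struct dev_model *dev; unsigned int pipe; };

static unsigned int make_pipe(int type, int devnum, int epnum, int in)
{
	return ((unsigned int)type << 30) | ((unsigned int)devnum << 8) |
	       ((unsigned int)epnum << 15) | (in ? USB_DIR_IN : 0u);
}

/* Like usb_pipe_endpoint(): index the endpoint table by the pipe's ep/dir */
static struct ep_model *pipe_endpoint(const struct urb_model *urb, unsigned int pipe)
{
	unsigned int n = usb_pipeendpoint(pipe);
	return usb_pipein(pipe) ? urb->dev->ep_in[n] : urb->dev->ep_out[n];
}

/* Mirrors usb_urb_ep_type_check(): urb->pipe is read twice, and the caller
 * reads it a third time when it formats the warning. */
static int ep_type_check_live(const struct urb_model *urb)
{
	struct ep_model *ep = pipe_endpoint(urb, urb->pipe);
	if (!ep)
		return -1;
	return usb_pipetype(urb->pipe) != pipetypes[ep->xfer_type] ? -1 : 0;
}

/* Hardened variant: one read of urb->pipe; hands back the two values compared */
static int ep_type_check_snapshot(const struct urb_model *urb, int *pipe_type, int *want_type)
{
	unsigned int pipe = urb->pipe;
	struct ep_model *ep = pipe_endpoint(urb, pipe);
	*pipe_type = (int)usb_pipetype(pipe);
	*want_type = ep ? pipetypes[ep->xfer_type] : -1;
	return (ep && *pipe_type == *want_type) ? 0 : -1;
}

/* Constructed device: only ep0 (control, both directions) exists. */
static struct ep_model ep0 = { USB_ENDPOINT_XFER_CONTROL };
static struct dev_model dev; static struct urb_model urb;

static void setup(unsigned int pipe)
{
	memset(&dev, 0, sizeof dev);
	dev.ep_in[0] = dev.ep_out[0] = &ep0;
	urb.dev = &dev;
	urb.pipe = pipe;
}

/* Check a URB carrying `pipe`, let the "racing writer" turn urb.pipe into a valid
 * control pipe to ep0, then build the warning. use_snapshot == 0 re-reads the pipe
 * type while formatting (as dev_WARN() in usb_submit_urb() does); 1 reports what
 * was actually compared. */
static const char *warning_after_race(unsigned int pipe, int use_snapshot)
{
	static char msg[64];
	int failed, pipe_type = 0, want_type = 0;
	struct ep_model *ep;

	setup(pipe);
	ep = pipe_endpoint(&urb, urb.pipe);	/* resolved early, like usb_submit_urb() */
	if (!ep)
		return "-ENOENT";
	failed = use_snapshot ? ep_type_check_snapshot(&urb, &pipe_type, &want_type)
			      : ep_type_check_live(&urb);
	urb.pipe = make_pipe(PIPE_CONTROL, 1, 0, 0);	/* the racing update lands here */
	if (!failed)
		return "ok";
	if (!use_snapshot) {	/* dev_WARN() style: third read of urb.pipe */
		pipe_type = (int)usb_pipetype(urb.pipe);
		want_type = pipetypes[ep->xfer_type];
	}
	snprintf(msg, sizeof msg, "BOGUS urb xfer, pipe %x != type %x", pipe_type, want_type);
	return msg;
}

int main(void)
{
	unsigned int bad = make_pipe(PIPE_BULK, 1, 0, 0);	/* bulk type, but endpoint 0 */
	printf("live:     %s\n", warning_after_race(bad, 0));
	printf("snapshot: %s\n", warning_after_race(bad, 1));
	return 0;
}
```

Build with `cc -Wall race_model.c` (file name assumed) and run: the live variant prints the self-contradicting "pipe 2 != type 2", the snapshot variant prints "pipe 3 != type 2" for the same URB. The discipline carries over to the kernel code: a diagnostic that re-derives its arguments after the check has run describes a different moment than the one it claims to report, and the only message worth having is one built from the values the comparison used.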

2020-01-07 19:11:22

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Tue, 7 Jan 2020, Andrey Konovalov wrote:

> On Fri, Jan 3, 2020 at 6:01 PM Alan Stern <[email protected]> wrote:
> >
> > On Fri, 3 Jan 2020, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch and the reproducer did not trigger
> > > crash:
> > >
> > > Reported-and-tested-by:
> > > [email protected]
> > >
> > > Tested on:
> > >
> > > commit: ecdf2214 usb: gadget: add raw-gadget interface
> > > git tree: https://github.com/google/kasan.git
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > patch: https://syzkaller.appspot.com/x/patch.diff?x=177f06e1e00000
> > >
> > > Note: testing is done by a robot and is best-effort only.
> >
> > Andrey:
> >
> > Clearly something strange is going on here. First, the patch should
> > not have changed the behavior; all it did was add some log messages.
> > Second, I don't see how the warning could have been triggered at all --
> > it seems to be complaining that 2 != 2.
>
> Hi Alan,
>
> It looks like some kind of race is involved here.
>
> There are a few indications of that: 1. there's no C reproducer
> generated for this crash (usually happens because of timing
> differences when executing syz repro vs C repro), 2. syz repro has
> threaded, collide and repeat flags turned on (which means it gets
> executed many times with some syscalls scheduled asynchronously).
>
> This also explains the weirdness around the 2 != 2 check being failed.
> First the comparison failed, then another thread updated one of the
> numbers being compared, and then the printk statement got executed.

Okay, that's kind of what I thought.

> > Does the reproducer really work?
>
> Yes, it worked for syzbot at the very least. It looks like your patch
> introduced some delays which made the bug untriggerable by the same
> reproducer. Since this is a race it might be quite difficult to
> reproduce this manually (due to timing differences caused by a
> different environment setup) as well unfortunately.
>
> Perhaps giving a less invasive patch (that minimizes timing changes
> introduced to the code that is suspected of being racy) to syzbot
> could be used to debug this.

Maybe this patch will work better. The timing change in the critical
path should be extremely small.

Alan Stern

#syz test: https://github.com/google/kasan.git ecdf2214

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u

ep = usb_pipe_endpoint(urb->dev, urb->pipe);
if (!ep)
- return -EINVAL;
+ return -EBADF;
if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
return -EINVAL;
return 0;
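Review bot: changing the !ep return to -EBADF alters the result of an exported (EXPORT_SYMBOL_GPL) function whose other callers are outside this hunk, and -EBADF is the errno for a bad file descriptor, so it reads as a mistake to anyone who finds it later; it is fine as a one-off marker for the syzbot run but must not be merged. The branch under suspicion is the next one, which calls usb_pipetype(urb->pipe) after usb_pipe_endpoint() already read urb->pipe one line earlier, and that second read is what this diagnostic still does not capture.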
@@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_
struct usb_host_endpoint *ep;
int is_out;
unsigned int allowed;
+ int c;

if (!urb || !urb->complete)
return -EINVAL;
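Review bot: `c` is too short a name for an error code in a function of this size; the neighbouring locals (`is_out`, `allowed`) are descriptive, so `ret` or `err` would fit the file better. Keep the type int, since usb_urb_ep_type_check() returns negative errnos.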
@@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_
*/

/* Check that the pipe's type matches the endpoint's type */
- if (usb_urb_ep_type_check(urb))
- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
- usb_pipetype(urb->pipe), pipetypes[xfertype]);
+ c = usb_urb_ep_type_check(urb);
+ if (c)
+ dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n",
+ c, usb_pipetype(urb->pipe), pipetypes[xfertype]);

/* Check against a simple/standard policy */
allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |
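Review bot: the warning still prints usb_pipetype(urb->pipe) evaluated after usb_urb_ep_type_check() has returned, and the check itself reads urb->pipe twice, so none of the numbers in the message is guaranteed to be the one the comparison failed on; that is precisely how a log line can read "pipe 2 != type 2". Snapshot urb->pipe into a local before the check, have the check use and return that snapshot (or the two values it compared), and print those. Printing the return code `c` does usefully separate the no-endpoint branch from the type-mismatch branch. Note also that after dev_WARN() the function carries on and submits the URB; with panic_on_warn set on the syzbot instance, as the logs show, a device-triggerable WARN is a device-triggerable panic.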


2020-01-07 19:30:00

by syzbot

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
[email protected]

Tested on:

commit: ecdf2214 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11543656e00000

Note: testing is done by a robot and is best-effort only.

2020-01-07 20:45:23

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Tue, 7 Jan 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> [email protected]
>
> Tested on:
>
> commit: ecdf2214 usb: gadget: add raw-gadget interface
> git tree: https://github.com/google/kasan.git
> kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=11543656e00000
>
> Note: testing is done by a robot and is best-effort only.

Not very informative. I wonder just how elusive this race is. The
patch below doesn't change anything; let's see what happens.

Alan Stern

#syz test: https://github.com/google/kasan.git ecdf2214

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u

ep = usb_pipe_endpoint(urb->dev, urb->pipe);
if (!ep)
- return -EINVAL;
+ return -EINVAL;
if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
return -EINVAL;
return 0;
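Review bot: the `-` and `+` lines are identical, so the hunk cannot change the compiled code, and unless the two lines differ in whitespace the mail has hidden, some tools will reject it as an empty change; as a control for a suspected timing-sensitive bug it is exactly the right experiment, since a "still triggered" result here shows the reproducer works against an unmodified tree and the earlier "did not trigger" results came from the patches rather than from flakiness.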

2020-01-07 21:14:58

by syzbot

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in usbhid_raw_request/usb_submit_urb

------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 4746 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4746 Comm: syz-executor.1 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
panic+0x2aa/0x6e1 kernel/panic.c:221
__warn.cold+0x2f/0x30 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
fixup_bug arch/x86/kernel/traps.c:169 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478
Code: 4d 85 ed 74 2c e8 78 90 e7 fd 4c 89 f7 e8 70 2c 1d ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 80 59 15 86 e8 20 ad bc fd <0f> 0b e9 20 f4 ff ff e8 4c 90 e7 fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881cf2ffb30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81295dad RDI: ffffed1039e5ff58
RBP: 0000000000000000 R08: ffff8881d2208000 R09: fffffbfff11f1ec0
R10: fffffbfff11f1ebf R11: ffffffff88f8f5ff R12: 0000000000000002
R13: ffff8881cae463f0 R14: ffff8881c9e380a0 R15: ffff8881d4d79500
usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
hid_hw_raw_request include/linux/hid.h:1079 [inline]
hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
hidraw_write+0x34/0x50 drivers/hid/hidraw.c:164
__vfs_write+0x76/0x100 fs/read_write.c:494
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xb6/0x5c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f481814bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000000000002 RSI: 0000000020000040 RDI: 0000000000000007
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f481814c6d4
R13: 00000000004cbe90 R14: 00000000004e5ce0 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: ecdf2214 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11ce1469e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11bca915e00000

2020-01-07 21:26:20

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Tue, 7 Jan 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usbhid_raw_request/usb_submit_urb

All right, now for a slightly larger change.

Alan Stern

#syz test: https://github.com/google/kasan.git ecdf2214

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u

ep = usb_pipe_endpoint(urb->dev, urb->pipe);
if (!ep)
- return -EINVAL;
+ return -EBADF;
if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
return -EINVAL;
return 0;
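Review bot: this is the first hunk of the 2020-01-07 patch on its own, so the question being put to syzbot is only whether the -EINVAL to -EBADF change perturbs the outcome; if the reproducer still fires with this applied, the suppression seen earlier came from the usb_submit_urb() hunks (the extra local and the longer format string), not from this return value. Saying in the test request which part of the earlier patch is being isolated would let readers interpret the result without diffing the two patches.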

2020-01-07 22:23:10

by syzbot

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in usbhid_raw_request/usb_submit_urb

------------[ cut here ]------------
usb 4-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 4185 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4185 Comm: syz-executor.3 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
panic+0x2aa/0x6e1 kernel/panic.c:221
__warn.cold+0x2f/0x30 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
fixup_bug arch/x86/kernel/traps.c:169 [inline]
do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:usb_submit_urb+0x1188/0x13b0 drivers/usb/core/urb.c:478
Code: 4d 85 ed 74 2c e8 68 90 e7 fd 4c 89 f7 e8 60 2c 1d ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 80 59 15 86 e8 10 ad bc fd <0f> 0b e9 20 f4 ff ff e8 3c 90 e7 fd 4c 89 f2 48 b8 00 00 00 00 00
RSP: 0018:ffff8881c0017b30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81295dad RDI: ffffed1038002f58
RBP: 0000000000000000 R08: ffff8881cf3b6200 R09: fffffbfff11f1ec0
R10: fffffbfff11f1ebf R11: ffffffff88f8f5ff R12: 0000000000000002
R13: ffff8881d884d0a8 R14: ffff8881da3c70a0 R15: ffff8881ca8f1c00
usb_start_wait_urb+0x108/0x2b0 drivers/usb/core/message.c:57
usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:152
usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:917 [inline]
usbhid_raw_request+0x21f/0x640 drivers/hid/usbhid/hid-core.c:1265
hid_hw_raw_request include/linux/hid.h:1079 [inline]
hidraw_send_report+0x296/0x500 drivers/hid/hidraw.c:151
hidraw_write+0x34/0x50 drivers/hid/hidraw.c:164
__vfs_write+0x76/0x100 fs/read_write.c:494
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xb6/0x5c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f996c966c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000000000002 RSI: 0000000020000040 RDI: 0000000000000007
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f996c9676d4
R13: 00000000004cbe90 R14: 00000000004e5ce0 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: ecdf2214 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12b2e656e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16c162aee00000

2020-01-08 19:46:29

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Tue, 7 Jan 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usbhid_raw_request/usb_submit_urb

Given this result, let's try again the slightly larger patch. The
difference between the patch just tested and this one is very small
indeed, although it's hard to predict how that difference will affect
the object code.

Alan Stern

#syz test: https://github.com/google/kasan.git ecdf2214

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u

ep = usb_pipe_endpoint(urb->dev, urb->pipe);
if (!ep)
- return -EINVAL;
+ return -EBADF;
if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
return -EINVAL;
return 0;
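Review bot: identical to the standalone -EBADF change tested immediately before this, which still reproduced, so on its own this hunk is already known not to suppress the warning; it is carried here only so the patch matches the one that did suppress it on 2020-01-07.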
@@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_
struct usb_host_endpoint *ep;
int is_out;
unsigned int allowed;
+ int c;

if (!urb || !urb->complete)
return -EINVAL;
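Review bot: `c` should still be named `ret` or `err`. More usefully, with the -EBADF hunk ruled out by the previous test, this declaration and the changed dev_WARN() below are the only differences between a patch that reproduces and one that does not, which supports reading the suppression as a change in object-code layout or timing around the warning site rather than in its logic.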
@@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_
*/

/* Check that the pipe's type matches the endpoint's type */
- if (usb_urb_ep_type_check(urb))
- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
- usb_pipetype(urb->pipe), pipetypes[xfertype]);
+ c = usb_urb_ep_type_check(urb);
+ if (c)
+ dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n",
+ c, usb_pipetype(urb->pipe), pipetypes[xfertype]);

/* Check against a simple/standard policy */
allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |
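Review bot: since the bug stops reproducing whenever the warning site is touched, a timing-neutral diagnostic would serve better than another variant of the message. Print the raw pipe word (%#x) alongside usb_pipetype(), or have usb_urb_ep_type_check() store the pipe value it compared where the caller can print it; a single surviving log line would then show whether the endpoint number or direction bits changed between the endpoint lookup and the type comparison, and would identify which endpoint the hidraw write was addressing, which "pipe 2 != type 2" hides.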

2020-01-08 19:47:31

by syzbot

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
[email protected]

Tested on:

commit: ecdf2214 usb: gadget: add raw-gadget interface
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1583963ee00000

Note: testing is done by a robot and is best-effort only.

2020-01-09 20:30:27

by Alan Stern

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Wed, 8 Jan 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> [email protected]
>
> Tested on:
>
> commit: ecdf2214 usb: gadget: add raw-gadget interface
> git tree: https://github.com/google/kasan.git
> kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=1583963ee00000
>
> Note: testing is done by a robot and is best-effort only.

I'm at a loss for a way to track this down any farther. The difference
between this patch and the previous was very small and almost entirely
confined to actions that take place _after_ the bug condition has been
detected.

If this is indeed caused by a race, it would be nice to know what the
two racing threads are doing. One of them we can see in the log output
(it's calling usb_control_msg) but the other is a mystery.

Alan Stern

2020-01-10 16:47:35

by Andrey Konovalov

Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)

On Thu, Jan 9, 2020 at 5:46 PM Alan Stern <[email protected]> wrote:
>
> On Wed, 8 Jan 2020, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch and the reproducer did not trigger
> > crash:
> >
> > Reported-and-tested-by:
> > [email protected]
> >
> > Tested on:
> >
> > commit: ecdf2214 usb: gadget: add raw-gadget interface
> > git tree: https://github.com/google/kasan.git
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b06a019075333661
> > dashboard link: https://syzkaller.appspot.com/bug?extid=10e5f68920f13587ab12
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=1583963ee00000
> >
> > Note: testing is done by a robot and is best-effort only.
>
> I'm at a loss for a way to track this down any farther. The difference
> between this patch and the previous was very small and almost entirely
> confined to actions that take place _after_ the bug condition has been
> detected.
>
> If this is indeed caused by a race, it would be nice to know what the
> two racing threads are doing. One of them we can see in the log output
> (it's calling usb_control_msg) but the other is a mystery.

I've tried to reproduce this manually, but failed :( I don't think
there's anything else we can do with this. Let's close this bug,
there's a chance syzbot comes up with a better reproducer.

#syz invalid