Date: Mon, 15 Oct 2018 13:12:49 -0400 (EDT)
From: Alan Stern
To: Andrey Konovalov
Cc: syzbot, Felipe Balbi, "Gustavo A . R . Silva", Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs, Oliver Neukum
Subject: Re: WARNING in usb_submit_urb (3)
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 15 Oct 2018, Andrey Konovalov wrote:

> On Mon, Oct 15, 2018 at 5:22 PM, Alan Stern wrote:
> > On Fri, 12 Oct 2018, syzbot wrote:
> >
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit: 9dcd936c5312 Merge tag 'for-4.19/dm-fixes-4' of git://git...
> >> git tree: upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=123b8da1400000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=24a30223a4b609bb802e
> >> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13888991400000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1476e5e6400000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
> >>
> >> IPVS: ftp: loaded support on port[0] = 21
> >> ------------[ cut here ]------------
> >> usb usb7: BOGUS urb flags, 1 --> 0
> >> WARNING: CPU: 0 PID: 5828 at drivers/usb/core/urb.c:503
> >> usb_submit_urb+0x717/0x14e0 drivers/usb/core/urb.c:502
> >> Kernel panic - not syncing: panic_on_warn set ...
> >
> > This should have been fixed by commit 7a68d9fb8510 ("USB: usbdevfs:
> > sanitize flags more"). Was that commit not present in the kernel you
> > tested?
>
> The commit is there, AFAICT. This must be a different issue.

Ah, I see the problem.
In fact it is the same issue, but the commit mentioned above contains an error (is_in gets tested too soon). The fix is below; can you check it?

Alan Stern

Index: usb-4.x/drivers/usb/core/devio.c =================================================================== --- usb-4.x.orig/drivers/usb/core/devio.c +++ usb-4.x/drivers/usb/core/devio.c @@ -1474,8 +1474,6 @@ static int proc_do_submiturb(struct usb_ u = 0; switch (uurb->type) { case USBDEVFS_URB_TYPE_CONTROL: - if (is_in) - allow_short = true; if (!usb_endpoint_xfer_control(&ep->desc)) return -EINVAL; /* min 8 byte setup packet */ @@ -1505,6 +1503,8 @@ static int proc_do_submiturb(struct usb_ is_in = 0; uurb->endpoint &= ~USB_DIR_IN; } + if (is_in) + allow_short = true; snoop(&ps->dev->dev, "control urb: bRequestType=%02x " "bRequest=%02x wValue=%04x " "wIndex=%04x wLength=%04x\n",
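
Review bot: in the first hunk (@@ -1474,8 +1474,6), removing `if (is_in) allow_short = true;` from the top of `case USBDEVFS_URB_TYPE_CONTROL:` means `allow_short` is no longer set anywhere between the endpoint-type check and the new location in the second hunk, so please confirm that nothing in that stretch reads `allow_short` and that no path skips over the re-added test. The visible context shows only the `return -EINVAL` exit after `usb_endpoint_xfer_control()`, which is unaffected, but the lines between the two hunks are not shown here.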
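
Review bot: in the second hunk (@@ -1505,6 +1503,8), the re-added `if (is_in) allow_short = true;` is only correct because it now sits after the block ending `is_in = 0; uurb->endpoint &= ~USB_DIR_IN;`, and nothing in the code records that ordering requirement. A one-line comment above the test saying that is_in may have been cleared just above would keep it from being moved back up, which is the mistake this patch corrects. As posted the patch also has no changelog or Signed-off-by; the formal submission should carry the `Reported-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com` tag the report asks for and a `Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more")` line.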