Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3444822yba;
        Tue, 16 Apr 2019 11:26:46 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyHYGAegxP+TNMcAmhgII8w7qfWOpUUrdps0OaGq0Oe/jtMuvzjX/PLfoFKU/b4RPK8LIn8
X-Received: by 2002:a17:902:201:: with SMTP id 1mr84291186plc.89.1555439206722;
        Tue, 16 Apr 2019 11:26:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555439206; cv=none;
        d=google.com; s=arc-20160816;
        b=s+5ODbHqbfk5AMqoiSSisuuiYSYEy7f8pKzJmrUhI3rx/TmoFPv7P+y0VVEIH/P+4+
         xXB4Xxgho6qNXJKDw+YwFvBMX7wam4t94WGL377CWZ2+cWKqMDkzjcI1W1m8iHw902MN
         0ajqLX94t12SSXJcZRccJTZSG5Q0DnEzqZwhNJT6BFt+q6TpRotCjsEPHE1wKnEvfpsu
         TOK84Sa4Qyfdk3gvlpWmMT3/bwgA3dT9fOYsiqK34S01H1rKpGB73ggLRI+TFiJdEPsL
         QUpoNX0nrzfqncJWgcEjoky+UlGEsEaqRIatg6g8zYtlUzCCTdoL931GALq5sYc7MCS7
         6tUA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date;
        bh=g1ooNM82BeWsL491QVCXYilZ4czDpaj9t1RCSlRfFKY=;
        b=oprx3bG24zonardBtZshaX5pNhNwDyjVaicLyDX3TauPNzGQYx1tNEwoIjez2DXbju
         ICRALBzUREyZgpwhkZS4gCPfWMIg76b3HXwqgXhszpafjZz98TcBfVTsAeIEmhlHUEzy
         tTob48TSSDtq4Prh9/EROA6CnXOelU0bYAdyO2An4liMsfcdOETSSn2/fx1Tfu3P7h7J
         vKUDdFe237NcpTtnG06ZI1lqqch2RSqnD09i4+IoTGnt1HcHcNbPoM4ORpO5MHnPUB04
         C/TnX5+kiZcLKgihkS2ayd3IcYEiWpI6p5jAkARoX8SIDrkflywuNJICB3j/qBkOKsmb
         8h1w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z20si45958888pgu.43.2019.04.16.11.26.30;
        Tue, 16 Apr 2019 11:26:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729912AbfDPSZw (ORCPT <rfc822;rruigrok1@gmail.com> + 99 others);
        Tue, 16 Apr 2019 14:25:52 -0400
Received: from iolanthe.rowland.org ([192.131.102.54]:43456 "HELO
        iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1728032AbfDPSZw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 16 Apr 2019 14:25:52 -0400
Received: (qmail 10000 invoked by uid 2102); 16 Apr 2019 14:25:51 -0400
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 16 Apr 2019 14:25:51 -0400
Date:   Tue, 16 Apr 2019 14:25:51 -0400 (EDT)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@iolanthe.rowland.org
To:     syzbot <syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com>
cc:     andreyknvl@google.com, <gregkh@linuxfoundation.org>,
        <gustavo@embeddedor.com>, <linux-kernel@vger.kernel.org>,
        <linux-usb@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>
Subject: Re: INFO: task hung in usb_kill_urb
In-Reply-To: <0000000000007380f90586a82005@google.com>
Message-ID: <Pine.LNX.4.44L0.1904161421530.1605-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 16 Apr 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> INFO: task hung in usb_kill_urb

Okay, I think I found the problem.  dummy-hcd doesn't check for
unsupported speeds until it is too late.  Andrey, what values does your
usb-fuzzer gadget driver set for its max_speed field?

Anyway, if I'm right then this patch should fix the bug.

Alan Stern

#syz test: https://github.com/google/kasan.git usb-fuzzer

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga
 	struct dummy_hcd	*dum_hcd = gadget_to_dummy_hcd(g);
 	struct dummy		*dum = dum_hcd->dum;
 
-	if (driver->max_speed == USB_SPEED_UNKNOWN)
+	switch (driver->max_speed) {
+	/* All the speeds we support */
+	case USB_SPEED_LOW:
+	case USB_SPEED_FULL:
+	case USB_SPEED_HIGH:
+	case USB_SPEED_SUPER:
+		break;
+	default:
+		dev_err(dummy_dev(dum_hcd), "bogus driver max_speed %d\n",
+				driver->max_speed);
 		return -EINVAL;
+	}
 
 	/*
 	 * SLAVE side init ... the layer above hardware, which
@@ -1785,7 +1795,8 @@ static void dummy_timer(struct timer_lis
 		total = 490000;
 		break;
 	default:
-		dev_err(dummy_dev(dum_hcd), "bogus device speed\n");
+		dev_err(dummy_dev(dum_hcd), "bogus device speed %d\n",
+				dum->gadget.speed);
 		return;
 	}