Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4081048yba;
        Wed, 17 Apr 2019 04:18:01 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzBiK7rAZokPr/ReeUbEBXJTKsyOJfwR/SjGJeXEk737UicC9DKFcxF2qL0cS3y8rTR2eq2
X-Received: by 2002:a63:a04c:: with SMTP id u12mr83084611pgn.131.1555499881005;
        Wed, 17 Apr 2019 04:18:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555499880; cv=none;
        d=google.com; s=arc-20160816;
        b=zth0x174ifVeX+x8L6w0ta4aBMQw+ggOo8sl7q82zlTiIiMpAk10wJbcz4mroHWkwv
         VZ41kd8cdCE73wN/W1q2ub+RP6oyUWjq98yp4Edb9sUlkb0JM7amp0/1eAYHA2kOMqiR
         jSi80rJMbXdouidjFO/8ez94gYYLpE+O5LEK5p+kT2ygMF9pZMsX2woWMeTWe1IZ2xY/
         rzEZeeQbn16cqBa39ajoMZPzEoxvL5vjc4nn7nrwucPVZeaayaF+1RRLDzQcyQtCikEw
         oiqPVq3ANENQDlhMmWhLRefL12Tre5d7t+GGt5gyco3w0vUu1RyZlMjSXLC0uBQv3QFP
         2jXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=DAhaUckrpoxHtyYXB6W9rqZ88dFeqr0QxEv6Qcjpc7E=;
        b=EZoRzx4866PxoEcN/Z6H1zF+GNyru7LagJv48d9/qIxH4gIgYlwpYWOn5pSb+EIWiJ
         sCtpKeOE2bXinE6DRjokqZgtAqts0+PkH6ZCetaj8lpA5dnS00ofhmP95UPi3mzmdzgo
         hzz77yV61A5KdPX6PgMSZDfzOplNnhEPpKcBykzykMY0U7PWR6eV04RBCxceE/PgthBU
         F+54co2QhHro7Kf1dnuE33IzRHcsiTBAZ6TEcxI93GiAZmOYOYE9lqQ69vVYZ7DMJHX/
         80xy2NblwacIgibUa9wB8T392Fn/NR7fh1t6fBPy9CfVv7sLGrdOGwyzdvmyB5q9bFOb
         tZ6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=n4nsODDN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m10si50076273pgi.417.2019.04.17.04.17.45;
        Wed, 17 Apr 2019 04:18:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=n4nsODDN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731906AbfDQLQl (ORCPT <rfc822;linux.htchiang@gmail.com>
        + 99 others); Wed, 17 Apr 2019 07:16:41 -0400
Received: from mail-pg1-f194.google.com ([209.85.215.194]:37361 "EHLO
        mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1731337AbfDQLQl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Apr 2019 07:16:41 -0400
Received: by mail-pg1-f194.google.com with SMTP id e6so11868968pgc.4
        for <linux-kernel@vger.kernel.org>; Wed, 17 Apr 2019 04:16:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=DAhaUckrpoxHtyYXB6W9rqZ88dFeqr0QxEv6Qcjpc7E=;
        b=n4nsODDNdeTbJBwTDUwqHsjg7tTq1wDovUzp/3Ps5JJOHsmgB8vvaD3CJGB8FXP5oS
         ekWMPIBa4yITCfzNikroyOxKK8HO1837Q/RfZpkgbDdOA1efgGEREisUJlFdZs3gnQtT
         5IJFZ/Zh/23n/wj1TqS/PjaDOpmHhR3HqF+I9SiLBWoFiK4xb9MgPzU8Mwt7IKQ/AyS0
         o8mDLtHbNPGBVBLjW5zbdpp+qfz0bP1qK6c5J/816zmc8R1jf98SRLWlvZkHlPi1sXPA
         9GlYTJvpLmkt2vv/2WSjQgyb3CjmbwqX2v2j4F+yqoDyW82UTBPwePjYupe+aXXFfTOV
         Mq6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=DAhaUckrpoxHtyYXB6W9rqZ88dFeqr0QxEv6Qcjpc7E=;
        b=XAZCc+t9i9u5E+nzn6f0LfaFYCkb2PHF1f9bqXtuCg/70HC80ghkthC9FaOCoFCQNT
         xjxXsJt59SCkHXGysnUyGVg0tow79AJ4WmLoNT6g4m0Leoo2hsai8nwkYERpMLpUDDHA
         YZij2ReWSk8HrqBRwDSqCjqkLiEkwOcf7VRD7NlXRf2w5ckBoLMAtPhwRSluDL7wiASf
         e4nP+CvsVBrVQZVb0/btLhT8jNLy0rupcERS8P7r/eCjq0BbLl7CzNgxGtgqrJNVAGBH
         IpHkd1URtqiXlSsVJsP2GjOYWVs+/4x34V0Jg77HbIGCw8U2qslkyZQDHmVbXho+cCmb
         4hPQ==
X-Gm-Message-State: APjAAAX+jofL/f4Tkki7i6upY9osRlledYu32c3qku8z6VtXuxrAUWug
        fTenOPUW7qNDh5dgwwp2alriVxySCnAMsTPajoiFxg==
X-Received: by 2002:a63:cf0d:: with SMTP id j13mr82112417pgg.34.1555499799534;
 Wed, 17 Apr 2019 04:16:39 -0700 (PDT)
MIME-Version: 1.0
References: <0000000000007380f90586a82005@google.com> <Pine.LNX.4.44L0.1904161421530.1605-100000@iolanthe.rowland.org>
In-Reply-To: <Pine.LNX.4.44L0.1904161421530.1605-100000@iolanthe.rowland.org>
From:   Andrey Konovalov <andreyknvl@google.com>
Date:   Wed, 17 Apr 2019 13:16:27 +0200
Message-ID: <CAAeHK+zCwXpAb02vaPuanStYCp_x8g92HDEvm_LTN_F+Y_wOfQ@mail.gmail.com>
Subject: Re: INFO: task hung in usb_kill_urb
To:     Alan Stern <stern@rowland.harvard.edu>
Cc:     syzbot <syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com>,
        Andrey Konovalov <andreyknvl@google.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
        LKML <linux-kernel@vger.kernel.org>,
        USB list <linux-usb@vger.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 16, 2019 at 8:25 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Tue, 16 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > INFO: task hung in usb_kill_urb
>
> Okay, I think I found the problem.  dummy-hcd doesn't check for
> unsupported speeds until it is too late.  Andrey, what values does your
> usb-fuzzer gadget driver set for its max_speed field?

It's passed from userspace without any validation :( I'll fix this!
Thanks for looking into it!

I wonder why other people saw this hang as well, they didn't use the
dummy hcd module for sure. I guess there are might be other reasons.

>
> Anyway, if I'm right then this patch should fix the bug.
>
> Alan Stern
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer
>
> --- a/drivers/usb/gadget/udc/dummy_hcd.c
> +++ b/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga
>         struct dummy_hcd        *dum_hcd = gadget_to_dummy_hcd(g);
>         struct dummy            *dum = dum_hcd->dum;
>
> -       if (driver->max_speed == USB_SPEED_UNKNOWN)
> +       switch (driver->max_speed) {
> +       /* All the speeds we support */
> +       case USB_SPEED_LOW:
> +       case USB_SPEED_FULL:
> +       case USB_SPEED_HIGH:
> +       case USB_SPEED_SUPER:
> +               break;
> +       default:
> +               dev_err(dummy_dev(dum_hcd), "bogus driver max_speed %d\n",
> +                               driver->max_speed);
>                 return -EINVAL;
> +       }
>
>         /*
>          * SLAVE side init ... the layer above hardware, which
> @@ -1785,7 +1795,8 @@ static void dummy_timer(struct timer_lis
>                 total = 490000;
>                 break;
>         default:
> -               dev_err(dummy_dev(dum_hcd), "bogus device speed\n");
> +               dev_err(dummy_dev(dum_hcd), "bogus device speed %d\n",
> +                               dum->gadget.speed);
>                 return;
>         }
>
>
>