Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4470902yba; Wed, 17 Apr 2019 12:11:23 -0700 (PDT) X-Google-Smtp-Source: APXvYqxZd+V5N+RyRFmlwIA3mjx7BtTx67S2Z8Ntd6Jk3ZDaJ7ylu9W2160Avn5oD6IJ4eYrzkfb X-Received: by 2002:a63:4620:: with SMTP id t32mr83459132pga.363.1555528283629; Wed, 17 Apr 2019 12:11:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555528283; cv=none; d=google.com; s=arc-20160816; b=lykyGoEbXFBh+w/wIuaxpVwDskL3VSQbd/5KLHbVv8GwVuuKPRa2tikm/BE37vE6U7 6XcdDBScCZXP6lngooPx3jWL7IPvYsZ1gmhSja86fTjve/pnjpJe9rda0Zmt+M5I6uIJ JIj0rgeiVV9zRbiQV2DIWPBSfRqz/NM31H/dhRZffG3+uMscckKs5d/BGFjg6MPjY/zm Bh88iVHTii5uBCFjEgPiJYkG9Y6Y69MQrFxCtuveGhAZJHNA+oUJk2b90RH25Zz8x4ef E1Tx5qD7szHVPtL5mL/E5fbOeLxJG++dS9pHKYrEjEAYSKEs8wBmudSmhOPv4vPxAgG4 cK7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=0gC3dxqqnerudvJsBYvmGmuhmxZyKuRQEIPbL69BTo4=; b=AQlKQIY1f/2L+eYcbTA+r7+NrEIsZss439BsJTyKn1omPICxWO3rFPV+qIrI7eEZgS Ns9TS/axrdJ6FjFqdySYU1Vroi8n/g5QSRcgvjiSQ+PLCC+mE5GcDTLMc4NlI8cRnMUq BYKeHQ5g0KdYSS3ACwAiQHLnN0lubYTlx9vlSyUKcr0E1oAWZoPQYbbuawv/jTrEfNrY XY5Ie5WWQ/ezcBu1SKwx1Um47+aWfb/0MuGbO4alh8THIDlcQmGeTKJ5U9Iemf56zVqK cSDlyWI/9otWSJvq4F3xJ4eOZsW6PsT+WKbsVqAOCSw2R2+seAqbCsMoG7pVd9DjAQ9G uwbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d5si48678767pgh.516.2019.04.17.12.11.08; Wed, 17 Apr 2019 12:11:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733150AbfDQTJp (ORCPT + 99 others); Wed, 17 Apr 2019 15:09:45 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:59196 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1732596AbfDQTJp (ORCPT ); Wed, 17 Apr 2019 15:09:45 -0400 Received: (qmail 4087 invoked by uid 2102); 17 Apr 2019 15:09:44 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Apr 2019 15:09:44 -0400 Date: Wed, 17 Apr 2019 15:09:44 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: syzbot cc: andreyknvl@google.com, , , , , Subject: Re: INFO: task hung in usb_kill_urb In-Reply-To: <000000000000edf1630586acca2b@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 16 Apr 2019, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > INFO: task hung in usb_kill_urb That's surprising. This patch was awfully similar to the previous one, which did prevent the crash earlier. > Tested on: > > commit: 9a33b369 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan/tree/usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=10b5e057200000 > kernel config: https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > patch: https://syzkaller.appspot.com/x/patch.diff?x=131dca6b200000 Andrey, is there any way to increase the console output buffer size? The link above doesn't go all the way back to the beginning of the test (it starts at timestamp 486.614697). Also, here's a slightly revised patch for testing. Alan Stern #syz test: https://github.com/google/kasan.git usb-fuzzer --- a/drivers/usb/gadget/udc/dummy_hcd.c +++ b/drivers/usb/gadget/udc/dummy_hcd.c @@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga struct dummy_hcd *dum_hcd = gadget_to_dummy_hcd(g); struct dummy *dum = dum_hcd->dum; - if (driver->max_speed == USB_SPEED_UNKNOWN) + switch (g->speed) { + /* All the speeds we support */ + case USB_SPEED_LOW: + case USB_SPEED_FULL: + case USB_SPEED_HIGH: + case USB_SPEED_SUPER: + break; + default: + dev_err(dummy_dev(dum_hcd), "Unsupported driver max speed %d\n", + driver->max_speed); return -EINVAL; + } /* * SLAVE side init ... the layer above hardware, which @@ -1784,9 +1794,10 @@ static void dummy_timer(struct timer_lis /* Bus speed is 500000 bytes/ms, so use a little less */ total = 490000; break; - default: + default: /* Can't happen */ dev_err(dummy_dev(dum_hcd), "bogus device speed\n"); - return; + total = 0; + break; } /* FIXME if HZ != 1000 this will probably misbehave ... */ @@ -1828,7 +1839,7 @@ restart: /* Used up this frame's bandwidth? */ if (total <= 0) - break; + continue; /* find the gadget's ep for this request (if configured) */ address = usb_pipeendpoint (urb->pipe);