Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4470902yba;
        Wed, 17 Apr 2019 12:11:23 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxZd+V5N+RyRFmlwIA3mjx7BtTx67S2Z8Ntd6Jk3ZDaJ7ylu9W2160Avn5oD6IJ4eYrzkfb
X-Received: by 2002:a63:4620:: with SMTP id t32mr83459132pga.363.1555528283629;
        Wed, 17 Apr 2019 12:11:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555528283; cv=none;
        d=google.com; s=arc-20160816;
        b=lykyGoEbXFBh+w/wIuaxpVwDskL3VSQbd/5KLHbVv8GwVuuKPRa2tikm/BE37vE6U7
         6XcdDBScCZXP6lngooPx3jWL7IPvYsZ1gmhSja86fTjve/pnjpJe9rda0Zmt+M5I6uIJ
         JIj0rgeiVV9zRbiQV2DIWPBSfRqz/NM31H/dhRZffG3+uMscckKs5d/BGFjg6MPjY/zm
         Bh88iVHTii5uBCFjEgPiJYkG9Y6Y69MQrFxCtuveGhAZJHNA+oUJk2b90RH25Zz8x4ef
         E1Tx5qD7szHVPtL5mL/E5fbOeLxJG++dS9pHKYrEjEAYSKEs8wBmudSmhOPv4vPxAgG4
         cK7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date;
        bh=0gC3dxqqnerudvJsBYvmGmuhmxZyKuRQEIPbL69BTo4=;
        b=AQlKQIY1f/2L+eYcbTA+r7+NrEIsZss439BsJTyKn1omPICxWO3rFPV+qIrI7eEZgS
         Ns9TS/axrdJ6FjFqdySYU1Vroi8n/g5QSRcgvjiSQ+PLCC+mE5GcDTLMc4NlI8cRnMUq
         BYKeHQ5g0KdYSS3ACwAiQHLnN0lubYTlx9vlSyUKcr0E1oAWZoPQYbbuawv/jTrEfNrY
         XY5Ie5WWQ/ezcBu1SKwx1Um47+aWfb/0MuGbO4alh8THIDlcQmGeTKJ5U9Iemf56zVqK
         cSDlyWI/9otWSJvq4F3xJ4eOZsW6PsT+WKbsVqAOCSw2R2+seAqbCsMoG7pVd9DjAQ9G
         uwbw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d5si48678767pgh.516.2019.04.17.12.11.08;
        Wed, 17 Apr 2019 12:11:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1733150AbfDQTJp (ORCPT <rfc822;linux.htchiang@gmail.com>
        + 99 others); Wed, 17 Apr 2019 15:09:45 -0400
Received: from iolanthe.rowland.org ([192.131.102.54]:59196 "HELO
        iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1732596AbfDQTJp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Apr 2019 15:09:45 -0400
Received: (qmail 4087 invoked by uid 2102); 17 Apr 2019 15:09:44 -0400
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 17 Apr 2019 15:09:44 -0400
Date:   Wed, 17 Apr 2019 15:09:44 -0400 (EDT)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@iolanthe.rowland.org
To:     syzbot <syzbot+d919b0f29d7b5a4994b9@syzkaller.appspotmail.com>
cc:     andreyknvl@google.com, <gregkh@linuxfoundation.org>,
        <gustavo@embeddedor.com>, <linux-kernel@vger.kernel.org>,
        <linux-usb@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>
Subject: Re: INFO: task hung in usb_kill_urb
In-Reply-To: <000000000000edf1630586acca2b@google.com>
Message-ID: <Pine.LNX.4.44L0.1904171503410.1400-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 16 Apr 2019, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered  
> crash:
> INFO: task hung in usb_kill_urb

That's surprising.  This patch was awfully similar to the previous one,
which did prevent the crash earlier.

> Tested on:
> 
> commit:         9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b5e057200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=131dca6b200000

Andrey, is there any way to increase the console output buffer size?  
The link above doesn't go all the way back to the beginning of the test
(it starts at timestamp 486.614697).

Also, here's a slightly revised patch for testing.

Alan Stern


#syz test: https://github.com/google/kasan.git usb-fuzzer

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -979,8 +979,18 @@ static int dummy_udc_start(struct usb_ga
 	struct dummy_hcd	*dum_hcd = gadget_to_dummy_hcd(g);
 	struct dummy		*dum = dum_hcd->dum;
 
-	if (driver->max_speed == USB_SPEED_UNKNOWN)
+	switch (g->speed) {
+	/* All the speeds we support */
+	case USB_SPEED_LOW:
+	case USB_SPEED_FULL:
+	case USB_SPEED_HIGH:
+	case USB_SPEED_SUPER:
+		break;
+	default:
+		dev_err(dummy_dev(dum_hcd), "Unsupported driver max speed %d\n",
+				driver->max_speed);
 		return -EINVAL;
+	}
 
 	/*
 	 * SLAVE side init ... the layer above hardware, which
@@ -1784,9 +1794,10 @@ static void dummy_timer(struct timer_lis
 		/* Bus speed is 500000 bytes/ms, so use a little less */
 		total = 490000;
 		break;
-	default:
+	default:	/* Can't happen */
 		dev_err(dummy_dev(dum_hcd), "bogus device speed\n");
-		return;
+		total = 0;
+		break;
 	}
 
 	/* FIXME if HZ != 1000 this will probably misbehave ... */
@@ -1828,7 +1839,7 @@ restart:
 
 		/* Used up this frame's bandwidth? */
 		if (total <= 0)
-			break;
+			continue;
 
 		/* find the gadget's ep for this request (if configured) */
 		address = usb_pipeendpoint (urb->pipe);