Date: Fri, 19 Apr 2019 14:36:38 -0400 (EDT)
From: Alan Stern
To: Andrey Konovalov, Felipe Balbi
cc: Greg Kroah-Hartman, "Gustavo A. R. Silva", LKML, syzkaller-bugs, USB list
Subject: UDC hardware for fuzzing [was: Re: INFO: task hung in usb_kill_urb]
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 17 Apr 2019, Andrey Konovalov wrote:

> On Tue, Apr 16, 2019 at 8:25 PM Alan Stern wrote:
> >
> > On Tue, 16 Apr 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > INFO: task hung in usb_kill_urb
> >
> > Okay, I think I found the problem.  dummy-hcd doesn't check for
> > unsupported speeds until it is too late.  Andrey, what values does your
> > usb-fuzzer gadget driver set for its max_speed field?
>
> It's passed from userspace without any validation :( I'll fix this!
> Thanks for looking into it!
>
> I wonder why other people saw this hang as well, they didn't use the
> dummy hcd module for sure. I guess there might be other reasons.

Unquestionably it would be for other reasons.  usb_kill_urb() is a
host-side routine, not used by gadget drivers.  If it fails, the reason
lies in the host controller driver.  And if people aren't using dummy-hcd
then they must be using a different host controller driver.

Is there any chance you could get hold of a USB device controller for
more fuzzing tests?  With it, you could test other parts of the USB
stack: the UDC driver for whatever hardware you get, and the host
controller driver for whatever you plug the UDC into.

I don't know what types of UDC are readily available for the type of
computer syzkaller uses.  Perhaps Felipe or other people on the mailing
list will have some suggestions.

Alan Stern