Date: Wed, 8 Jan 2020 13:18:54 -0500 (EST)
From: Alan Stern
To: syzbot
cc: andreyknvl@google.com
Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (2)
In-Reply-To: <000000000000b962af059b9429bd@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 7 Jan 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usbhid_raw_request/usb_submit_urb

Given this result, let's try again the slightly larger patch. The difference between the patch just tested and this one is very small indeed, although it's hard to predict how that difference will affect the object code.

Alan Stern

#syz test: https://github.com/google/kasan.git ecdf2214

Index: usb-devel/drivers/usb/core/urb.c =================================================================== --- usb-devel.orig/drivers/usb/core/urb.c +++ usb-devel/drivers/usb/core/urb.c @@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u ep = usb_pipe_endpoint(urb->dev, urb->pipe); if (!ep) - return -EINVAL; + return -EBADF; if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) return -EINVAL; return 0; @@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_ struct usb_host_endpoint *ep; int is_out; unsigned int allowed; + int c; if (!urb || !urb->complete) return -EINVAL; 
@@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_ */ /* Check that the pipe's type matches the endpoint's type */ - if (usb_urb_ep_type_check(urb)) - dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", - usb_pipetype(urb->pipe), pipetypes[xfertype]); + c = usb_urb_ep_type_check(urb); + if (c) + dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n", + c, usb_pipetype(urb->pipe), pipetypes[xfertype]); /* Check against a simple/standard policy */ allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |
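Review bot: In the usb_urb_ep_type_check() hunk (@@ -205,7 +205,7 @@), the missing-endpoint path now returns -EBADF while the type-mismatch path two lines below still returns -EINVAL, and nothing in the function documents that distinction. If the change is meant to outlive the syzbot test, add a comment stating which errno means "no endpoint for this pipe" and which means "pipe type does not match the endpoint descriptor", and check any caller that compares the result against -EINVAL specifically. If it is a debugging aid only, the changelog should say so.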
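Review bot: In the last usb_submit_urb() hunk (@@ -474,9 +475,10 @@), the dev_WARN text still reads "pipe %x != type %x" for every nonzero c, so a -EBADF result (endpoint lookup failed) is logged as if it were a type mismatch, with only the bare number after "xfer" to tell the two cases apart. A separate message for the -EBADF case, or at least a label such as "err %d", would make the syzbot log unambiguous. The local declared in the @@ -356,6 +356,7 @@ hunk would also read better as ret or err than as c.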