Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1858883ybb;
        Thu, 2 Apr 2020 08:36:38 -0700 (PDT)
X-Google-Smtp-Source: APiQypJgLGfS/6C+yUtdlhB49QHTkdqgnkVebNzcEgHqTE/5AoVv0l8KLhRVGtWPVYHbV+smqZss
X-Received: by 2002:aca:b382:: with SMTP id c124mr2545231oif.64.1585841797264;
        Thu, 02 Apr 2020 08:36:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585841797; cv=none;
        d=google.com; s=arc-20160816;
        b=WjWjp8E6frNL8aTjtHKpQW/SUwdDz+v70H4FAuxvni3ZfsL7oUVA6fG6U1ws6PLvJp
         T1vlYrAZVg78631SIYhbvKrFSJOVTUljivW3g54CopwQeh+uYKv+u+K9VqugD07M1VVN
         SMcAG5L7KlKjVvJ71tOe69y+CtWJjkLeQGsqZofIgRxqWyV/lI1g/R8mxAC2J45GFvTd
         ZOsrXuMHS8fmogZXpQRM4qc4DZ4td/D99l7iWRGuZ7Y9CuNlLYHOpdpemBhOcPnhtJYr
         SwFbMn80UaXRDfhUgMYB63H/ZDtFi8e1a98hmkb4j/xkm8N4mbr1cfRDUN2gtqCpAaK9
         yKEQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date;
        bh=FTRXviJlKEe6nr+H8WWpCcyIq4UEhcTh8+vIeziWjI0=;
        b=MiFA4HxkshQli6K5Q0r1K2zYxYJlAMyzpN4NWsz+t0HkrU23jPG7YZaV2q9NFXLd/d
         PpXEaK4A+xg9A7wgzRGmC73u5XuF+tUHcQGGa46EBNwLcchasZpxyKiGmKKBfMSVwiSc
         kVDkw7o7U3YQYQfZ/6GuK7ypA/JnVlfanvxEP2WKJmjKR4PAq/PV5Jz5T2AmGEjP6uVd
         Da26SpJRNob+ySyo8xQgc8M1vgr7tEBIK6v2VBGK1ZABKsvngM6pcYfUmgI/Z+kQEy86
         x4IIXQ6zrlzl1YaBZRD9L9ikQAYYc6h1vx16KEXPp4IA5m9oKSsWbG0SBAYA6iOCyKJz
         8rNA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c9si3367758ots.110.2020.04.02.08.36.23;
        Thu, 02 Apr 2020 08:36:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389337AbgDBPfZ (ORCPT <rfc822;bowenwang.tinker@gmail.com>
        + 99 others); Thu, 2 Apr 2020 11:35:25 -0400
Received: from netrider.rowland.org ([192.131.102.5]:55419 "HELO
        netrider.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S2389328AbgDBPfZ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 2 Apr 2020 11:35:25 -0400
Received: (qmail 21183 invoked by uid 500); 2 Apr 2020 11:35:24 -0400
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 2 Apr 2020 11:35:24 -0400
Date:   Thu, 2 Apr 2020 11:35:23 -0400 (EDT)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@netrider.rowland.org
To:     syzbot <syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com>
cc:     andreyknvl@google.com, <gregkh@linuxfoundation.org>,
        <ingrassia@epigenesys.com>, <linux-kernel@vger.kernel.org>,
        <linux-usb@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>
Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (3)
In-Reply-To: <0000000000001873a005a240d114@google.com>
Message-ID: <Pine.LNX.4.44L0.2004021133440.13377-100000@netrider.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 1 Apr 2020, syzbot wrote:

> syzbot has found a reproducer for the following crash on:
> 
> HEAD commit:    0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=12aa8567e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6b9c154b0c23aecf
> dashboard link: https://syzkaller.appspot.com/bug?extid=db339689b2101f6f6071
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1342740be00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> usb 2-1: BOGUS urb xfer, pipe 2 != type 2
> WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478

At last!  Let's get some more information about this...

Alan Stern

#syz test: https://github.com/google/kasan.git 0fa84af8

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -475,8 +475,9 @@ int usb_submit_urb(struct urb *urb, gfp_
 
 	/* Check that the pipe's type matches the endpoint's type */
 	if (usb_urb_ep_type_check(urb))
-		dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
-			usb_pipetype(urb->pipe), pipetypes[xfertype]);
+		dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x, ep addr 0x%02x, pipe 0x%x, xfertype %d\n",
+			usb_pipetype(urb->pipe), pipetypes[xfertype],
+			ep->desc.bEndpointAddress, urb->pipe, xfertype);
 
 	/* Check against a simple/standard policy */
 	allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |