Date: Thu, 2 Apr 2020 15:00:03 -0400 (EDT)
From: Alan Stern
X-X-Sender: stern@netrider.rowland.org
To: syzbot
cc: andreyknvl@google.com, , , , ,
Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (3)
In-Reply-To: <0000000000000e8b8005a2520af1@google.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2 Apr 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered a crash:
> WARNING in usbhid_raw_request/usb_submit_urb
>
> ------------[ cut here ]------------
> usb 3-1: BOGUS urb xfer, pipe 2 != type 2, ep addr 0x00, pipe 0x80001a00, xfertype 0

Not much help, I'm afraid. The pipe value decodes to:

	Direction: OUT
	Device address: 26 (which agrees with the console output)
	Endpoint: 0
	Pipe type: Control (which is appropriate for ep 0 and agrees with xfertype)

Unfortunately, the values printed here need not be the same as the values checked by usb_urb_ep_type_check(), if either the URB or the descriptor is modified concurrently by another thread.

Let's try a different approach. Since this modifies the code before the test, it may not trigger the warning. But it's worth a try.

Alan Stern

#syz test: https://github.com/google/kasan.git 0fa84af8

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -199,15 +199,27 @@ static const int pipetypes[4] = { * given urb. It returns 0 if the urb contains a valid endpoint, otherwise * a negative error code. */ +unsigned int alan_pipe, alan_epaddr, alan_epattr; int usb_urb_ep_type_check(const struct urb *urb) { const struct usb_host_endpoint *ep; + unsigned int pipe, epattr; - ep = usb_pipe_endpoint(urb->dev, urb->pipe); - if (!ep) + pipe = READ_ONCE(urb->pipe); + ep = usb_pipe_endpoint(urb->dev, pipe); + if (!ep) { + alan_pipe = pipe; + alan_epattr = 0; + alan_epaddr = 0xff; return -EINVAL; - if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) + } + epattr = READ_ONCE(ep->desc.bmAttributes); + if (usb_pipetype(pipe) != pipetypes[epattr & USB_ENDPOINT_XFERTYPE_MASK]) { + alan_pipe = pipe; + alan_epattr = epattr; + alan_epaddr = ep->desc.bEndpointAddress; return -EINVAL; + } return 0; } EXPORT_SYMBOL_GPL(usb_urb_ep_type_check); @@ -475,8 +487,9 @@ int usb_submit_urb(struct urb *urb, gfp_ /* Check that the pipe's type matches the endpoint's type */ if (usb_urb_ep_type_check(urb)) - dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", - usb_pipetype(urb->pipe), pipetypes[xfertype]); + dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x, pipe 0x%x, ep attr 0x%02x, ep addr 0x%02x\n", + usb_pipetype(urb->pipe), pipetypes[xfertype], + alan_pipe, alan_epattr, alan_epaddr); /* Check against a simple/standard policy */ allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |
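Review bot: in the first hunk (usb_urb_ep_type_check), the three file-scope variables alan_pipe, alan_epaddr and alan_epattr are written without any locking and are shared by every URB submission in the system, so a concurrent submission on another CPU can overwrite them between the failing comparison and the dev_WARN() in usb_submit_urb() that reads them; that reintroduces the very disagreement between printed and checked values the reply is trying to rule out. For a one-off debug run this may be acceptable, but returning the snapshot to the caller (for example through out-parameters or a small struct) would make the printed values trustworthy. Two smaller points: `ep->desc.bEndpointAddress` is read plainly while `pipe` and `bmAttributes` are read with READ_ONCE(), so the address may come from a different descriptor state than the attributes; and the globals lack `static`, which sparse will flag as "symbol was not declared".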
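Review bot: in the second hunk (usb_submit_urb), the dev_WARN() still prints `usb_pipetype(urb->pipe)`, which re-reads urb->pipe after the check rather than the value the check saw, alongside `pipetypes[xfertype]` computed earlier in the function; with the three new fields carrying the snapshot the check actually compared, the old pair adds a second, possibly different, reading to the same line and is likely to confuse analysis of the next syzbot report. Suggest printing only the snapshot fields, or labelling the two readings distinctly in the format string, e.g. "... (recheck: pipe %x, type %x)". The format line exceeds 80 columns, but checkpatch exempts string literals, so no change is needed there.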
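As an added example (not code from this email or from the kernel tree), the decode Alan walks through above, carried out in code: the bit layout follows the usb_pipein()/usb_pipedevice()/usb_pipeendpoint()/usb_pipetype() macros in include/linux/usb.h and the pipetypes[] table from drivers/usb/core/urb.c, and pipe_matches_endpoint() repeats the comparison usb_urb_ep_type_check() makes, on a pipe value and bmAttributes byte passed in as plain arguments. Fed the reported pipe 0x80001a00 and xfertype 0 it confirms that the two printed values agree, which is exactly why the printout cannot show which values the failing check actually compared.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PIPE_* and transfer-type codes as in include/linux/usb.h and ch9.h */
#define PIPE_ISOCHRONOUS 0
#define PIPE_INTERRUPT   1
#define PIPE_CONTROL     2
#define PIPE_BULK        3
#define USB_DIR_IN       0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03

/* Same table as drivers/usb/core/urb.c, indexed by bmAttributes & 3 */
static const int pipetypes[4] = {
	PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
};

/* in: IN direction; dev: device address; ep: endpoint number; type: PIPE_* */
struct pipe_fields { bool in; unsigned dev, ep, type; };

/* Bit layout used by usb_pipein/usb_pipedevice/usb_pipeendpoint/usb_pipetype */
static struct pipe_fields decode_pipe(uint32_t pipe)
{
	struct pipe_fields f;

	f.in   = (pipe & USB_DIR_IN) != 0; /* bit 7 */
	f.dev  = (pipe >> 8) & 0x7f;       /* bits 8-14 */
	f.ep   = (pipe >> 15) & 0xf;       /* bits 15-18 */
	f.type = (pipe >> 30) & 0x3;       /* bits 30-31 */
	return f;
}

/* The comparison usb_urb_ep_type_check() makes, on caller-captured values */
static bool pipe_matches_endpoint(uint32_t pipe, uint8_t bmAttributes)
{
	return decode_pipe(pipe).type ==
	       (unsigned)pipetypes[bmAttributes & USB_ENDPOINT_XFERTYPE_MASK];
}

int main(void)
{
	uint32_t pipe = 0x80001a00; /* value from the syzbot report above */
	struct pipe_fields f = decode_pipe(pipe);

	printf("dir=%s dev=%u ep=%u type=%u\n", f.in ? "IN" : "OUT", f.dev, f.ep, f.type);
	/* xfertype 0 (control) agrees with the printed pipe, so the check must
	 * have compared values other than the ones that were printed */
	printf("consistent with xfertype 0: %d\n", pipe_matches_endpoint(pipe, 0));
	return 0;
}
```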