Date: Fri, 24 Apr 2020 15:14:15 -0400 (EDT)
From: Alan Stern
To: syzbot
cc: andreyknvl@google.com, Kernel development list, USB list
Subject: Re: WARNING in usbhid_raw_request/usb_submit_urb (3)
In-Reply-To: <000000000000535b2805a40b1847@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 24 Apr 2020, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered crash:
> INFO: task hung in usb_disable_device

That wasn't what I expected. Still, the important information was present: The reset was instigated by hid_io_error(), because of some sort of communication error.

Note that the hid_submit_out, hid_submit_ctrl, and so on don't test the RESET_PENDING flag. At least, not with any proper synchronization. That's why we got an URB submitted while the device was being reset.

Nevertheless, the USB core should be able to handle such things without a big WARNing, particularly for ep0. The patch below tries to do this.

Alan Stern

#syz test: https://github.com/google/kasan.git 0fa84af8

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -204,8 +204,17 @@ int usb_urb_ep_type_check(const struct u
 	const struct usb_host_endpoint *ep;
 
 	ep = usb_pipe_endpoint(urb->dev, urb->pipe);
-	if (!ep)
-		return -EINVAL;
+	if (!ep) {
+		/*
+		 * Special case: The pointers for ep0 are temporarily cleared
+		 * during device resets. We won't count this as an error;
+		 * drivers can reasonably expect that ep0 always exists.
+		 */
+		if (usb_pipeendpoint(urb->pipe) == 0)
+			ep = &urb->dev->ep0;
+		else
+			return -EINVAL;
+	}
 	if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
 		return -EINVAL;
 	return 0;
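Review bot: the fallback `ep = &urb->dev->ep0;` is taken whenever usb_pipe_endpoint() returns NULL and the endpoint number is 0, but nothing in the hunk ties that to a reset actually being in progress, while the comment justifies the special case only by "device resets". If the ep0 pointers can be NULL in any other device state, this function now passes such submissions through and leaves it to the later checks in usb_submit_urb() to reject them; either say so in the comment ("any NULL ep0 pointer, not only during reset, is tolerated here") or, if a reset-in-progress indication is available on the device, gate the fallback on it. One point worth keeping as is: since usb_pipeendpoint() ignores the direction bit, the fallback covers both ep_in[0] and ep_out[0], and the pipe-type comparison against &urb->dev->ep0 still runs afterwards, so a non-control pipe aimed at endpoint 0 is still rejected.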
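The check the patch modifies, modelled in user-space C as an added example (this is not kernel code and not the patch itself): the pipe macros and the pipetypes[] table follow the kernel's definitions in include/linux/usb.h and drivers/usb/core/urb.c, while struct usb_device, struct urb, the constructed device and begin_reset() (which NULLs every endpoint pointer, ep0's included, to stand for the reset window the patch comment describes) are assumptions made for the illustration. A single ep0_fallback switch selects the pre-patch or patched behaviour so the same URBs can be run through both: a control URB to ep0 mid-reset fails before the fix and passes after it, a URB to a cleared non-zero endpoint still fails, and a bulk pipe aimed at endpoint 0 is still caught by the type comparison against dev->ep0.

```c
/*
 * User-space model of usb_urb_ep_type_check() with and without the ep0
 * fallback. Added illustration, not kernel code: the pipe macros and
 * pipetypes[] follow include/linux/usb.h and drivers/usb/core/urb.c;
 * the structs, init_device() and begin_reset() are stand-ins (assumptions).
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Pipe encoding (include/linux/usb.h): bits 30-31 type, 15-18 endpoint, bit 7 direction */
#define USB_DIR_IN        0x80u
#define PIPE_ISOCHRONOUS  0u
#define PIPE_INTERRUPT    1u
#define PIPE_CONTROL      2u
#define PIPE_BULK         3u
#define usb_pipein(pipe)        ((pipe) & USB_DIR_IN)
#define usb_pipeendpoint(pipe)  (((pipe) >> 15) & 0xf)
#define usb_pipetype(pipe)      (((pipe) >> 30) & 3)
#define __create_pipe(dev, ep)  (((unsigned int)(dev)->devnum << 8) | ((ep) << 15))
#define usb_sndctrlpipe(dev, ep) ((PIPE_CONTROL << 30) | __create_pipe(dev, ep))
#define usb_rcvctrlpipe(dev, ep) ((PIPE_CONTROL << 30) | __create_pipe(dev, ep) | USB_DIR_IN)
#define usb_rcvbulkpipe(dev, ep) ((PIPE_BULK << 30) | __create_pipe(dev, ep) | USB_DIR_IN)
/* bmAttributes transfer type (USB 2.0 ch. 9); only the two values used here */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_CONTROL  0
#define USB_ENDPOINT_XFER_BULK     2

/* Stand-in structs: only the fields the check touches (assumption) */
struct usb_endpoint_descriptor { unsigned char bEndpointAddress, bmAttributes; };
struct usb_host_endpoint { struct usb_endpoint_descriptor desc; };
struct usb_device { int devnum; struct usb_host_endpoint ep0, *ep_in[16], *ep_out[16]; };
struct urb { struct usb_device *dev; unsigned int pipe; };

static int usb_endpoint_type(const struct usb_endpoint_descriptor *epd)
{
	return epd->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK;
}

/* Direction bit picks the table, endpoint number picks the slot */
static struct usb_host_endpoint *usb_pipe_endpoint(struct usb_device *dev, unsigned int pipe)
{
	struct usb_host_endpoint **eps = usb_pipein(pipe) ? dev->ep_in : dev->ep_out;
	return eps[usb_pipeendpoint(pipe)];
}

/* Indexed by usb_endpoint_type(): the PIPE_* a URB must carry for that endpoint type */
static const unsigned int pipetypes[4] = { PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT };

/* ep0_fallback == 0: pre-patch check (NULL ep is always -EINVAL).
 * ep0_fallback != 0: patched check, substitutes dev->ep0 for endpoint 0, then type-checks. */
static int ep_type_check(const struct urb *urb, int ep0_fallback)
{
	const struct usb_host_endpoint *ep = usb_pipe_endpoint(urb->dev, urb->pipe);
	if (!ep) {
		if (ep0_fallback && usb_pipeendpoint(urb->pipe) == 0)
			ep = &urb->dev->ep0;
		else
			return -EINVAL;
	}
	if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
		return -EINVAL;
	return 0;
}

static struct usb_host_endpoint bulk_in_ep = { .desc = { 0x81, USB_ENDPOINT_XFER_BULK } };

/* Constructed device: control ep0 reachable in both directions, one bulk IN endpoint at 1 */
static void init_device(struct usb_device *dev)
{
	memset(dev, 0, sizeof(*dev));
	dev->devnum = 3;
	dev->ep0.desc.bmAttributes = USB_ENDPOINT_XFER_CONTROL;
	dev->ep_in[0] = dev->ep_out[0] = &dev->ep0;
	dev->ep_in[1] = &bulk_in_ep;
}

/* Assumed model of the window the patch comment describes: every endpoint pointer, ep0's too, is NULL */
static void begin_reset(struct usb_device *dev)
{
	memset(dev->ep_in, 0, sizeof(dev->ep_in));
	memset(dev->ep_out, 0, sizeof(dev->ep_out));
}

enum pipe_kind { CTRL_OUT, CTRL_IN, BULK_IN };

/* Build the device, optionally put it mid-reset, and run the check on a URB for (kind, ep) */
static int run_check(int in_reset, enum pipe_kind kind, unsigned int ep, int ep0_fallback)
{
	struct usb_device dev;
	struct urb urb;
	init_device(&dev);
	if (in_reset)
		begin_reset(&dev);
	urb.dev = &dev;
	switch (kind) {
	case CTRL_OUT: urb.pipe = usb_sndctrlpipe(&dev, ep); break;
	case CTRL_IN:  urb.pipe = usb_rcvctrlpipe(&dev, ep); break;
	default:       urb.pipe = usb_rcvbulkpipe(&dev, ep); break;
	}
	return ep_type_check(&urb, ep0_fallback);
}

int main(void)
{
	printf("ctrl to ep0 mid-reset: before=%d after=%d\n", run_check(1, CTRL_OUT, 0, 0), run_check(1, CTRL_OUT, 0, 1));
	printf("bulk to ep1 mid-reset: before=%d after=%d\n", run_check(1, BULK_IN, 1, 0), run_check(1, BULK_IN, 1, 1));
	printf("bulk pipe to ep0 mid-reset: after=%d (type mismatch)\n", run_check(1, BULK_IN, 0, 1));
	return 0;
}
```

The model keeps the pipe-type comparison after the fallback on purpose: it is what prevents the relaxed NULL check from turning into "anything addressed to endpoint 0 is accepted". Whether the kernel can ever see a NULL ep0 pointer outside a reset is not something this stand-in can answer; it only models the window the patch comment names.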