Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <4ff1bba5-3645-97b3-da66-8d413b8db2e1@gmx.de>
Date:   Thu, 24 Mar 2022 07:41:02 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.2
Subject: Re: [PATCH] fbdev: udlfb: properly check endpoint type
Content-Language: en-US
To:     Pavel Skripkin <paskripkin@gmail.com>, bernie@plugable.com
Cc:     linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org,
        linux-kernel@vger.kernel.org,
        syzbot+53ce4a4246d0fe0fee34@syzkaller.appspotmail.com
References: <20220322200438.17998-1-paskripkin@gmail.com>
From:   Helge Deller <deller@gmx.de>
In-Reply-To: <20220322200438.17998-1-paskripkin@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On 3/22/22 21:04, Pavel Skripkin wrote:
> syzbot reported warning in usb_submit_urb, which is caused by wrong
> endpoint type.
>
> This driver uses out bulk endpoint for communication, so
> let's check if this endpoint is present and bail out early if not.
>
> Fail log:
>
> usb 1-1: BOGUS urb xfer, pipe 3 !=3D type 1
> WARNING: CPU: 0 PID: 4822 at drivers/usb/core/urb.c:493 usb_submit_urb+0=
xd27/0x1540 drivers/usb/core/urb.c:493
> Modules linked in:
> CPU: 0 PID: 4822 Comm: kworker/0:3 Tainted: G        W         5.13.0-sy=
zkaller #0
> ...
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_submit_urb+0xd27/0x1540 drivers/usb/core/urb.c:493
> ...
> Call Trace:
>  dlfb_submit_urb+0x89/0x160 drivers/video/fbdev/udlfb.c:1969
>  dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
>  dlfb_ops_set_par+0x2a3/0x840 drivers/video/fbdev/udlfb.c:1110
>  dlfb_usb_probe.cold+0x113e/0x1f4a drivers/video/fbdev/udlfb.c:1732
>  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
>
> Fixes: 88e58b1a42f8 ("Staging: add udlfb driver")
> Reported-and-tested-by: syzbot+53ce4a4246d0fe0fee34@syzkaller.appspotmai=
l.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>

applied.

Thanks,
Helge

> ---
>  drivers/video/fbdev/udlfb.c | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
> index b9cdd02c1000..2343c7955747 100644
> --- a/drivers/video/fbdev/udlfb.c
> +++ b/drivers/video/fbdev/udlfb.c
> @@ -1649,8 +1649,9 @@ static int dlfb_usb_probe(struct usb_interface *in=
tf,
>  	const struct device_attribute *attr;
>  	struct dlfb_data *dlfb;
>  	struct fb_info *info;
> -	int retval =3D -ENOMEM;
> +	int retval;
>  	struct usb_device *usbdev =3D interface_to_usbdev(intf);
> +	struct usb_endpoint_descriptor *out;
>
>  	/* usb initialization */
>  	dlfb =3D kzalloc(sizeof(*dlfb), GFP_KERNEL);
> @@ -1664,6 +1665,12 @@ static int dlfb_usb_probe(struct usb_interface *i=
ntf,
>  	dlfb->udev =3D usb_get_dev(usbdev);
>  	usb_set_intfdata(intf, dlfb);
>
> +	retval =3D usb_find_common_endpoints(intf->cur_altsetting, NULL, &out,=
 NULL, NULL);
> +	if (retval) {
> +		dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n")=
;
> +		goto error;
> +	}
> +
>  	dev_dbg(&intf->dev, "console enable=3D%d\n", console);
>  	dev_dbg(&intf->dev, "fb_defio enable=3D%d\n", fb_defio);
>  	dev_dbg(&intf->dev, "shadow enable=3D%d\n", shadow);
> @@ -1673,6 +1680,7 @@ static int dlfb_usb_probe(struct usb_interface *in=
tf,
>  	if (!dlfb_parse_vendor_descriptor(dlfb, intf)) {
>  		dev_err(&intf->dev,
>  			"firmware not recognized, incompatible device?\n");
> +		retval =3D -ENODEV;
>  		goto error;
>  	}
>
> @@ -1686,8 +1694,10 @@ static int dlfb_usb_probe(struct usb_interface *i=
ntf,
>
>  	/* allocates framebuffer driver structure, not framebuffer memory */
>  	info =3D framebuffer_alloc(0, &dlfb->udev->dev);
> -	if (!info)
> +	if (!info) {
> +		retval =3D -ENOMEM;
>  		goto error;
> +	}
>
>  	dlfb->info =3D info;
>  	info->par =3D dlfb;