Message-ID: <6e93305a-2d70-d411-3e36-c536449295dd@gmx.de>
Date: Fri, 19 May 2023 12:38:15 +0200
Subject: Re: [syzbot] [fbdev?] [usb?] WARNING in dlfb_submit_urb/usb_submit_urb (2)
To: Alan Stern
Cc: linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, syzbot, bernie@plugable.com, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
From: Helge Deller
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/18/23 22:35, Alan Stern wrote:
> On Thu, May 18, 2023 at 09:06:12PM +0200, Helge Deller wrote:
>> * Alan Stern:
>>> On Thu, May 18, 2023 at 04:16:33PM +0200, Helge Deller wrote:
>>>> On 5/18/23 15:54, Alan Stern wrote:
>>>>> In this case it looks like dlfb_usb_probe() or one of the routines it
>>>>> calls is wrong; it assumes that an endpoint has the expected type
>>>>> without checking. More precisely, it thinks an endpoint is BULK when
>>>>> actually it is INTERRUPT. That's what needs to be fixed.
>>>>
>>>> Maybe usb_submit_urb() should return an error so that drivers can
>>>> react on it, instead of adding the same kind of checks to all drivers?
>>>
>>> Feel free to submit a patch doing this.
>>
>> As you wrote above, this may break other drivers too, so I'd leave that
>> discussion & decision to the USB maintainers (like you).
>>
>>> But the checks should be added
>>> in any case; without them the drivers are simply wrong.
>>
>> I pushed the hackish patch below through the syz tests which gives this log:
>> (see https://syzkaller.appspot.com/text?tag=CrashLog&x=160b7509280000)
>> [ 77.559566][ T9] usb 1-1: Unable to get valid EDID from device/display
>> [ 77.587021][ T9] WARNING: BOGUS urb xfer, pipe 3 != type 1 (fix driver to choose correct endpoint)
>> [ 77.596448][ T9] usb 1-1: dlfb_urb_completion - nonzero write bulk status received: -115
>> [ 77.605308][ T9] usb 1-1: submit urb error: -22
>> [ 77.613225][ T9] udlfb: probe of 1-1:0.52 failed with error -22
>>
>> So, basically there is no urgent fix needed for the dlfb fbdev driver,
>> as it will gracefully fail as is (which is correct).
>>
>> What do you suggest we should do with this syzkaller-bug ?
>> I'd rate it as false-alarm, but it will continue to complain because of
>> the dev_WARN() in urb.c
>
> Let's try this patch instead. It might contain a stupid error because I
> haven't even tried to compile it, but it ought to fix the real problem.

Patch looks good and survived the test.
Will you send a proper patch to the fbdev mailing list, so that I can include it?

Helge > > #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.gi= t a4422ff22142 > > Index: usb-devel/drivers/video/fbdev/udlfb.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- usb-devel.orig/drivers/video/fbdev/udlfb.c > +++ usb-devel/drivers/video/fbdev/udlfb.c > @@ -1652,7 +1652,7 @@ static int dlfb_usb_probe(struct usb_int > struct fb_info *info; > int retval; > struct usb_device *usbdev =3D interface_to_usbdev(intf); > - struct usb_endpoint_descriptor *out; > + static u8 out_ep[] =3D {1 + USB_DIR_OUT, 0}; > > /* usb initialization */ > dlfb =3D kzalloc(sizeof(*dlfb), GFP_KERNEL); > @@ -1666,9 +1666,9 @@ static int dlfb_usb_probe(struct usb_int > dlfb->udev =3D usb_get_dev(usbdev); > usb_set_intfdata(intf, dlfb); > > - retval =3D usb_find_common_endpoints(intf->cur_altsetting, NULL, &out,= NULL, NULL); > - if (retval) { > - dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n")= ; > + if (!usb_check_bulk_endpoints(intf, out_ep)) { > + dev_err(&intf->dev, "Invalid DisplayLink device!\n"); > + retval =3D -EINVAL; > goto error; > } >
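Review bot: In the first hunk of dlfb_usb_probe(), the new `static u8 out_ep[]` array is never written in the visible code, so it should be declared `static const u8 out_ep[]`. The endpoint number is also a bare literal: USB_DIR_OUT is zero, so `1 + USB_DIR_OUT` reads as plain 1. A named constant for the endpoint number (or a one-line comment saying this is the endpoint the probe expects to be bulk OUT) would document the intent, and `|` is the usual operator for combining endpoint number and direction.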
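Review bot: In the second hunk, the new dev_err() text "Invalid DisplayLink device!" does not say which check failed. The removed message at least named the missing bulk endpoint; the replacement should keep that detail, for example by stating that the expected bulk OUT endpoint was not found, so a rejected device can be diagnosed from the log alone. Since the `out` pointer is removed in the first hunk, also confirm that nothing later in dlfb_usb_probe() still refers to it; the rest of the function is outside the visible context.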
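The mismatch discussed in this thread, as a user-space model added here (not kernel code and not taken from the thread): the driver wants endpoint 1 to be bulk OUT, the device's descriptor declares that address as interrupt, and a descriptor check at probe time rejects the device before any URB is built. The struct, function and array names are hypothetical; the numeric constants are the USB chapter 9 values and the pipe type codes that appear in the logged warning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from USB 2.0 chapter 9 (same numbers as linux/usb/ch9.h). */
#define USB_DIR_OUT 0x00
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK 2
#define USB_ENDPOINT_XFER_INT 3
/* Pipe type codes, as printed in "pipe 3 != type 1". */
enum { PIPE_ISOCHRONOUS, PIPE_INTERRUPT, PIPE_CONTROL, PIPE_BULK };

/* Hypothetical reduced endpoint descriptor: only the fields the check reads. */
struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };

/* Pipe type that corresponds to the endpoint's declared transfer type. */
static int pipe_for_ep(const struct ep_desc *ep)
{
    static const int pipetypes[4] = { PIPE_CONTROL, PIPE_ISOCHRONOUS,
                                      PIPE_BULK, PIPE_INTERRUPT };
    return pipetypes[ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK];
}

/* Return 1 only if every address in the 0-terminated list is a bulk endpoint. */
static int check_bulk_endpoints(const struct ep_desc *eps, size_t n,
                                const uint8_t *addrs)
{
    for (; *addrs; addrs++) {
        const struct ep_desc *found = NULL;
        for (size_t i = 0; i < n; i++)
            if (eps[i].bEndpointAddress == *addrs)
                found = &eps[i];
        if (!found || pipe_for_ep(found) != PIPE_BULK)
            return 0;   /* missing, or present with the wrong type */
    }
    return 1;
}

/* Constructed descriptors: a well-formed device and a malformed one. */
static const struct ep_desc good_dev[] = { { 1 | USB_DIR_OUT, USB_ENDPOINT_XFER_BULK } };
static const struct ep_desc bad_dev[]  = { { 1 | USB_DIR_OUT, USB_ENDPOINT_XFER_INT } };
static const uint8_t wanted[] = { 1 | USB_DIR_OUT, 0 };

int main(void)
{
    printf("good device accepted: %d\n", check_bulk_endpoints(good_dev, 1, wanted));
    printf("bad device accepted:  %d (driver pipe %d, endpoint pipe type %d)\n",
           check_bulk_endpoints(bad_dev, 1, wanted), PIPE_BULK, pipe_for_ep(&bad_dev[0]));
    return 0;
}
```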