Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp12651984rwd; Fri, 23 Jun 2023 08:50:54 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7YUc+YA4RXSEdADqnGV8qkAPshijCGi5LZJJO4hkkDPQ3thvn9KCERpCUEJpnpUOdgNozj X-Received: by 2002:a05:6808:144c:b0:3a0:6067:8952 with SMTP id x12-20020a056808144c00b003a060678952mr6566390oiv.33.1687535454263; Fri, 23 Jun 2023 08:50:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687535454; cv=none; d=google.com; s=arc-20160816; b=BSJQ8syIUhqzWqbtCeDWy/jsgUKi253LvHCn5V7jWROedNOWjNtfe/vDVBJe4q8cbY BsvbPb/10NNzMyCFM31669jBYrMJbRhgwuMyz4enILSCM4RdUr7I1H/2A+5FSJ347rmc 0RAoPt5tJLWwG70/wUOggH62TWPowDSUxcx91dj6CD4nf/346jk6nLwtNyrZ85WkeCXN bESOkGRrwNewLyn/xbbe0+c1VhHWQ1OLL2N8k7daqMC/3E8aFz7SCujmYUnn2zGAtkNi uWpy4p2iAti8ksJ5BRbmoWATUGmwkNMetsM+Qxhsi4nIBf3oDYiArI9gdz3Kxy6ag65y Yggg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=auaaAYV9rgYAhlJA7sGStnm+uYg7Fsn1Uv2dj5Sy54E=; fh=y9ZLTEylvCzrQwAD24fpmlP1LKrNg1mjAGdaPP0opPM=; b=J6jDbtWdEnEyE9rXEQ7xW0evUj2nhQx61R0QGG3/mpq49pTTWh+/ZDgIY76IRWCnXB sK60KwSHZBVYNfGSNk58aUJtB0l2x5T9+uH4MWhStVCHV86pPF3qTchmTFZQL09Ka/cT ZQ/lB3IEmuFF3bzXVXPsUT3pd/1akmMSGBPaisoT/58tL0ESEBORBS0XjrHM6P+hnHa8 SXi+OutJ8w7Fs0PCVgxEhv+SCQFyiCIm/RyFbo0uzrwADB1UreLVrfjxhOwT7c5xdtSV RJJAzevUVS4WHuaK+upgrx/k4Eag2L6mc5qA2iJLAVZa4JyU/ehQe433mo3FLyywF9tF fmkg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g7-20020a17090adb0700b0025bdeb86c50si2024111pjv.137.2023.06.23.08.50.41; Fri, 23 Jun 2023 08:50:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232281AbjFWPX6 (ORCPT + 99 others); Fri, 23 Jun 2023 11:23:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41330 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232211AbjFWPX5 (ORCPT ); Fri, 23 Jun 2023 11:23:57 -0400 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id DD5D719B for ; Fri, 23 Jun 2023 08:23:54 -0700 (PDT) Received: (qmail 753372 invoked by uid 1000); 23 Jun 2023 11:23:53 -0400 Date: Fri, 23 Jun 2023 11:23:53 -0400 From: Alan Stern To: syzbot Cc: andreyknvl@google.com, davem@davemloft.net, dvyukov@google.com, edumazet@google.com, gregkh@linuxfoundation.org, kbuild-all@lists.01.org, kuba@kernel.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, lkp@intel.com, netdev@vger.kernel.org, nogikh@google.com, oneukum@suse.com, pabeni@redhat.com, syzkaller-bugs@googlegroups.com, troels@connectedcars.dk Subject: Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb Message-ID: <0f685f2f-06df-4cf2-9387-34f5e3c8b7b7@rowland.harvard.edu> References: <000000000000a56e9105d0cec021@google.com> <000000000000e298cd05fecc07d4@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000000000000e298cd05fecc07d4@google.com> X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,SORTED_RECIPS,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 23, 2023 at 06:32:22AM -0700, syzbot wrote: > syzbot has bisected this issue to: > > commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 > Author: Alan Stern > Date: Tue Jan 31 20:49:04 2023 +0000 > > USB: core: Don't hold device lock while reading the "descriptors" sysfs file > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000 > start commit: 692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g.. > git tree: upstream > final oops: https://syzkaller.appspot.com/x/report.txt?x=114b5877280000 > console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140 > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000 > > Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com > Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection The bisection result is wrong, but the issue still needs to be fixed. Alan Stern #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7 Index: usb-devel/drivers/net/usb/usbnet.c =================================================================== --- usb-devel.orig/drivers/net/usb/usbnet.c +++ usb-devel/drivers/net/usb/usbnet.c @@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev } else if (!info->in || !info->out) status = usbnet_get_endpoints (dev, udev); else { + u8 ep_addrs[3] = { + info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0}; + dev->in = usb_rcvbulkpipe (xdev, info->in); dev->out = usb_sndbulkpipe (xdev, info->out); if (!(info->flags & FLAG_NO_SETINT)) @@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev else status = 0; + if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs)) + status = -EINVAL; } if (status >= 0 && dev->status) status = init_status (dev, udev);