Received: by 10.223.164.202 with SMTP id h10csp364002wrb; Thu, 9 Nov 2017 07:31:43 -0800 (PST) X-Google-Smtp-Source: ABhQp+TUeue0tF4Ds8HUByCBGMjUzp9Lna4gSfWA/qp8Gg/JCzaPTiM4Ze7S4y4VrkfnOYrEjkrS X-Received: by 10.98.18.79 with SMTP id a76mr871265pfj.204.1510241503404; Thu, 09 Nov 2017 07:31:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510241503; cv=none; d=google.com; s=arc-20160816; b=0HcVexv/xoOyiayfb6HhubaY5UUOTtUihJ+w3a3TmwBj+8DINJg3nc6O+2eya8+sh5 Z2kVbMly6Ffh7e9qUPZDDOHT1u+Oby3nOaEw5iRQ3xx6FEPq/9la+1VMJXU8+kueKP54 tDUB1Vi3KXZMDJju6kH5gR/OsDL7L0UeIgzIMaKPRoFXK+Htz2j1pJuzk3yv/IlXMDsg 91SYPzfqmqnvJFDi6ShHKOv2CwAksvIDclpVcjgjNnSKL9nn+lFJLKVDUFlI9rulgIXr cQgDZ/Ptt4pL/6mRhVdHOoevgrSaotqIRsNhn5BhZTvi5eTcBiJdJYORbzUypvi8MK9e 1dcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date:arc-authentication-results; bh=nNXFObyjdmmCkAUbXSgAw85pYEyqOVNRbJODK3IuxJ4=; b=0ZWJME+dfM/VpcVh8d3ntELUpr63HjFleYX0PaD5S8QVe+7AMNjrDmYDRBFwoekRQT 5vvfmkC64Bk1eK6HQuQgrqtpIFplZTLrHNrnxH7uHrXWlfyPlWUmE8rj65VpJ2eNEujJ Dwf2GxzS8mDVZcVO9QCM6JcV38vro+nRoBx4XzKfzdbHz/ScYcHHOXrYTcgFuzaKKIE/ QPmd6iYl/SvNQlzbT1stqJqyd7d8Ytg7E+i662v3GfWZkjEZ+7KpzQKUowkEJTp7qTVI PMiw7hdNKwVhRhL8XZGUG9KphybNk5G9GsBbFve7HoLh7sXfrDoFcW23hyVrEydJ36w6 7+CQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k15si6639260pln.223.2017.11.09.07.31.30; Thu, 09 Nov 2017 07:31:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752629AbdKIPaf (ORCPT + 80 others); Thu, 9 Nov 2017 10:30:35 -0500 Received: from iolanthe.rowland.org ([192.131.102.54]:55148 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1751348AbdKIPae (ORCPT ); Thu, 9 Nov 2017 10:30:34 -0500 Received: (qmail 3062 invoked by uid 2102); 9 Nov 2017 10:30:33 -0500 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 9 Nov 2017 10:30:33 -0500 Date: Thu, 9 Nov 2017 10:30:33 -0500 (EST) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: Oliver Neukum cc: Andrey Konovalov , , , , Felipe Balbi , Greg KH , Takashi Iwai , syzbot , LKML , USB list Subject: Re: WARNING in usb_submit_urb In-Reply-To: <1510233974.2975.20.camel@suse.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 9 Nov 2017, Oliver Neukum wrote: > Am Donnerstag, den 09.11.2017, 13:19 +0100 schrieb Andrey Konovalov: > > > > This isn't the "BOGUS urb xfer" warning, this is "BOGUS urb flags". So > > 2 means the URB_ISO_ASAP flag, which is passed in urb->transfer_flags > > but not allowed. And as far as I understand, it gets set because uurb > > (which is passed from user space) has USBDEVFS_URB_ISO_ASAP flag set > > when passed to proc_do_submiturb(). > > Hi, > > yes we should filter better. > Could you test? > > Regards > Oliver > Subject: [PATCH] USB: usbfs: Filter flags passed in from user space > > USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints. > Improve sanity checking. > > Signed-off-by: Oliver Neukum > --- > drivers/usb/core/devio.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c > index c3aaafc25a04..abe6457516a2 100644 > --- a/drivers/usb/core/devio.c > +++ b/drivers/usb/core/devio.c > @@ -1473,6 +1473,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb > case USBDEVFS_URB_TYPE_CONTROL: > if (!usb_endpoint_xfer_control(&ep->desc)) > return -EINVAL; > + if (uurb->flags & USBDEVFS_URB_ISO_ASAP) > + return -EINVAL; > /* min 8 byte setup packet */ > if (uurb->buffer_length < 8) > return -EINVAL; > @@ -1511,6 +1513,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb > break; > > case USBDEVFS_URB_TYPE_BULK: > + if (uurb->flags & USBDEVFS_URB_ISO_ASAP) > + return -EINVAL; > switch (usb_endpoint_type(&ep->desc)) { > case USB_ENDPOINT_XFER_CONTROL: > case USB_ENDPOINT_XFER_ISOC: You need to check interrupt URBs also. It would be best to have a single test before the big "switch" statement: if ((uurb->flags & USBDEVFS_URB_ISO_ASAP) && uurb->type != USBDEVFS_URB_TYPE_ISOCHRONOUS) return -EINVAL; Alan Stern From 1583595523931605268@xxx Thu Nov 09 13:32:58 +0000 2017 X-GM-THRID: 1583459420844146869 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread