Received: by 10.223.164.202 with SMTP id h10csp946559wrb;
        Tue, 7 Nov 2017 18:12:39 -0800 (PST)
X-Google-Smtp-Source: ABhQp+T2Iw1n1YN5n0eHc2VeUOu+0egViTeQ7WdXx1NPkWohre2qcskOEXcBPe82q8cZ3yqbdTBE
X-Received: by 10.99.190.6 with SMTP id l6mr685442pgf.288.1510107159053;
        Tue, 07 Nov 2017 18:12:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510107158; cv=none;
        d=google.com; s=arc-20160816;
        b=QIOwRletf4CHxSlWvi/uuQOHwK0DKvv5RqrxE8ra5IMcFAEy++lSizNc2s2yAAXDHO
         jPmr6/APtmyDgigiK47Dx66hFiQlfkghJDSxf7BKXo9kYLq7JRBQUHR1yEkMY2MGZcCe
         OHVwcb/vebaF9jwdGJim+buuLzuhFF5I85jM1N433LN8bIXf2mAQapI8W5+vvq7CcLQx
         07OJ56NNmvSmiT2hBVAQkcGxHbE67L121jQgez1eA3n3BKcyQd1mTVwt6I/Bzvs7Ooxl
         lvJZh8zx9y+WZkjL2RznDjgQsQXjb3StQgrdpjZn/VyxFP+HL41jEI7+zEytoyBQX6db
         A5WA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date:arc-authentication-results;
        bh=13Qnon5dFQYjFLBJN9ZXnSnkCWNqjFF/HECOI1Rwp9Y=;
        b=lMuFtWHWc0ssEmIrkzVlXvpF9vbHcb35HGOYN2uRD24wimgDb/7d/z/fJQaK0qmOU4
         41GSpgeXhwtlaJV9uPpsfjAGcM8Dmne5p/ZEUTmvbHtEgsFazRKAw/f5BMQb3OCZu1XL
         DuEdeJZxDRuVmOvxrMVEoVwOHZ9lmuHNAiY/3SsX/glCdY6a5QPVjZxNzmu1/hcSMKwq
         aQm8EAQO4bWK/4H6XwvmEKcTEoxsERr1JgRuKolqUdDH+OPTCDTbIsFCGrcKIujd4kzC
         v9QFn8sFHnLsG7jWeNj4BnYOEzoFJ0c6ouXELO2ZOCHgNJ6THfGmoM6dZeCbPXF2wJjP
         pOuw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l12si2635236pfd.342.2017.11.07.18.12.25;
        Tue, 07 Nov 2017 18:12:38 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=harvard.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932340AbdKGR7B (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 91 others); Tue, 7 Nov 2017 12:59:01 -0500
Received: from iolanthe.rowland.org ([192.131.102.54]:33300 "HELO
        iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S932187AbdKGR64 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Nov 2017 12:58:56 -0500
Received: (qmail 4179 invoked by uid 2102); 7 Nov 2017 12:58:55 -0500
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 7 Nov 2017 12:58:55 -0500
Date:   Tue, 7 Nov 2017 12:58:55 -0500 (EST)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@iolanthe.rowland.org
To:     Greg KH <gregkh@linuxfoundation.org>
cc:     syzbot 
        <bot+50d191d34989b5aa28596b0a2cb20c96f3ca4650@syzkaller.appspotmail.com>,
        <felipe.balbi@linux.intel.com>, <krinkin.m.u@gmail.com>,
        <linux-kernel@vger.kernel.org>, <linux-usb@vger.kernel.org>,
        <syzkaller-bugs@googlegroups.com>, <tiwai@suse.de>,
        <vskrishn@codeaurora.org>
Subject: Re: WARNING in usb_submit_urb
In-Reply-To: <20171107163556.GA13964@kroah.com>
Message-ID: <Pine.LNX.4.44L0.1711071252170.1395-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 7 Nov 2017, Greg KH wrote:

> On Tue, Nov 07, 2017 at 08:11:13AM -0800, syzbot wrote:
> > Hello,
> > 
> > syzkaller hit the following crash on
> > 36ef71cae353f88fd6e095e2aaa3e5953af1685d
> > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> > compiler: gcc (GCC) 7.1.1 20170620
> > .config is attached
> > Raw console output is attached.
> > C reproducer is attached
> > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > for information about syzkaller reproducers
> 
> This is not a crash, you are doing a panic-on-warning, and you send
> invalid data to the kernel and it warned about it properly and kept on
> working :)
> 
> Perhaps maybe not a full WARN_ON() is to be done here?

I don't understand how this could have happened.  The raw log explains 
the problem:

> [   15.138822] usb usb1: BOGUS urb flags, 2 --> 0
> [   15.139498] ------------[ cut here ]------------
> [   15.139955] WARNING: CPU: 3 PID: 2986 at drivers/usb/core/urb.c:498 usb_submit_urb+0xeb9/0x10f0
...
> [   15.150280] RIP: 0010:usb_submit_urb+0xeb9/0x10f0
...
> [   15.155166]  proc_do_submiturb+0x1f53/0x3860

The "2 --> 0" means that proc_do_submiturb() tried to submit a control
URB (2 = PIPE_CONTROL) to an isochronous endpoint (0 = PIPE_ISOCHRONOUS).
But right near the start of the routine we have:

	switch (uurb->type) {
	case USBDEVFS_URB_TYPE_CONTROL:
		if (!usb_endpoint_xfer_control(&ep->desc))
			return -EINVAL;

So how was the warning triggered?

Alan Stern


From 1583460078035974129@xxx Wed Nov 08 01:40:07 +0000 2017
X-GM-THRID: 1583459420844146869
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread