Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp1878476lqm;
        Fri, 3 May 2024 08:58:51 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCX8q8nDlgxa6QOgb2zAdH9L7VGyLECmj33hncMtzvOxLqaeSs5bGGtPBGOHQfoR/llG8Uj8e3wc89AoLbP6o/nwORH1rtuvkHjxFotPlQ==
X-Google-Smtp-Source: AGHT+IEwwy7HRnzMIxjrciWfoASXND+T0CpzcCp2cx/IjV8G46GdIaQpIVGYp2T35huDZeucaDD+
X-Received: by 2002:a05:622a:1910:b0:43a:ed55:cb78 with SMTP id w16-20020a05622a191000b0043aed55cb78mr3502711qtc.15.1714751930815;
        Fri, 03 May 2024 08:58:50 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714751930; cv=pass;
        d=google.com; s=arc-20160816;
        b=AKHMbjie5veN8XjyfBiyF35qNngofOLnAgcfWqTAVePbgMEoREcaVgHPVWY/Prz1wI
         FeNUABjIadnYXPs0RO6AgxhbJ8tO97tst5gume0nBjidYmOfu3MgUBnRU03nDHcVzhqM
         ldt6G7zDB8aFv337O2S4GpInpqMEIpJmpWk2GOgYK6b202Z7HhF78s4QggFjvPx+8vlc
         k0fxdtHCeUo1KhRjiO+3LSDDjPry8pqB0iGW/WgTn2rXtS62WST2t7nPPQAPkl7Z0TrV
         /rjB/0U5b0m/rsRAqlDURt6hoVdbpWGW2Whk2GKyk8ny3I/6kDtyBhwPPysU2adVc/Ly
         +9VQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :subject:cc:to:from:date:dkim-signature;
        bh=oG1e6KM8seyP2Xp9a7KMeGstwCWoGsuiyD8gfZGdKis=;
        fh=Z3Q0IYq+LHm3Sl6icgCDJWx4hHFYrIChXkSvslloi64=;
        b=b1dVzPup8R1SKqDEFfaP2tEW8LD4cYk6tk6F1VpUgWZzdzp5xNimPZG4QP8cIJ4W2/
         dCr3A9Wh7WYXthkqXVLBJWvRSQGkwlRtgQsD1va3Su5zhX3gaXYzAtksUuhdf/S5seMQ
         R9dDWpxXMAsLUL2xgtl7ooWDz9m/nkBJuFyXRkjfoAmXAWm9dbqZhIwouppo0bPhiycN
         ycNVcEoBLEsrJfhK+ndSdjnjHiofolR+u+n54dwg4X0rJgAIEZfVekl8/KxPco0mG7ZC
         Eb1c5Gw96fbToPSmfKeooNdxCqXnZvnBRoV56FGopZyFhrDgRTISWyoOhGFhOd03QcfY
         EzNg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=b6uXtanG;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-167862-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-167862-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-167862-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id n8-20020a05622a040800b0043c5d4d6652si3678750qtx.315.2024.05.03.08.58.50
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 03 May 2024 08:58:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-167862-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=b6uXtanG;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-167862-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-167862-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 6C4C01C221FE
	for <linux.lists.archive@gmail.com>; Fri,  3 May 2024 15:58:50 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 295E5155337;
	Fri,  3 May 2024 15:58:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="b6uXtanG"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5047D4AEE5;
	Fri,  3 May 2024 15:58:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714751922; cv=none; b=b1TW29oVDzQx2tezB93T1kxcn0t3TxkwldYryq4Yh0bOcIVcUuwJscvQBdXTwCcggv7qQGWs/ETP7gKK3J9fynWGGuL0qhJNWG/yWYmZokgxna0x3vPQ3M80ZO+1qMGYdA53GZ/7s5ieqfcgYw+xLzd1K3JWqwjHrqlW5z5zK44=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714751922; c=relaxed/simple;
	bh=tjcLMcc1pXHKQ8EsF3q4E+jRwwGEPkth6eL7KXSUy1A=;
	h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=gHR4Vs5mR5bYJ/JWFiZR9jgyMyBPap2g5x577M5hKiV28NdUUnRVO7iVf1iPLHMAsoCC+G6cmAd7e8Ad0696EAwIbSLY5TxBWrKeoyxAZQmDRx2FSTgHgQJqyd8XvQS6U+4Nu14R+mBMn7kplHkHRH+vboLla2alCNdiYsevlcg=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=b6uXtanG; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9121CC116B1;
	Fri,  3 May 2024 15:58:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1714751920;
	bh=tjcLMcc1pXHKQ8EsF3q4E+jRwwGEPkth6eL7KXSUy1A=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=b6uXtanGACF3WNXDK+4E1/y+M0/Z8Dsc9Tdm9b6leLSTuF1wSbst1D3gRebUOY8ge
	 A8UtzrLJv107KY7Sq5Ctn7SI7rGOIIq/CroQd+1LAATvhbZPmyGV1j6attQddGxeVT
	 uZ0dj8h82OSjgRJvo+YUmsfGO58KqbbFquTtv38kIuH8oS8WBUTETtGc6+PxVHOtPE
	 YkNVqem6OsyjftSf+vRG1Hkfvkhi9VCB6Yom6Q0C/fFv7yDoT9lC4tI1tSQhL7neVp
	 wnaj1MNQ/36F+KwJu9gM6/xA+db9taVZfUWitMtAU+uawAE11N+eumWQDv++RXYPBH
	 9ZPa1yvgwwVTw==
Date: Fri, 3 May 2024 16:58:33 +0100
From: Mauro Carvalho Chehab <mchehab@kernel.org>
To: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>, Dongliang Mu
 <dzm91@hust.edu.cn>, Andrew Morton <akpm@linux-foundation.org>, Alan Stern
 <stern@rowland.harvard.edu>, <linux-media@vger.kernel.org>,
 <linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>,
 <syzbot+12002a39b8c60510f8fb@syzkaller.appspotmail.com>
Subject: Re: [PATCH] media: usb: siano: fix endpoint checks in
 smsusb_init_device()
Message-ID: <20240503165833.4781fb4a@sal.lan>
In-Reply-To: <20240409143634.33230-1-n.zhandarovich@fintech.ru>
References: <20240409143634.33230-1-n.zhandarovich@fintech.ru>
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-redhat-linux-gnu)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Em Tue, 9 Apr 2024 07:36:34 -0700
Nikita Zhandarovich <n.zhandarovich@fintech.ru> escreveu:

> Syzkaller reported a warning [1] in smsusb_submit_urb() which occurs
> if an attempt is made to send a bulk URB using the wrong endpoint
> type. The current approach to perform endpoint checking does not
> explicitly check if an endpoint in question has its type set to bulk.
> 
> Fix this issue by using functions usb_endpoint_is_bulk_XXX() to
> enable testing for correct ep types.
> 
> This patch has not been tested on real hardware.
> 
> [1] Syzkaller report:
> usb 1-1: string descriptor 0 read error: -71
> smsusb:smsusb_probe: board id=2, interface number 0
> smsusb:siano_media_device_register: media controller created
> ------------[ cut here ]------------
> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
> WARNING: CPU: 0 PID: 3147 at drivers/usb/core/urb.c:494 usb_submit_urb+0xacd/0x1550 drivers/usb/core/urb.c:493
> ...
> Call Trace:
>  smsusb_start_streaming+0x16/0x1d0 drivers/media/usb/siano/smsusb.c:195
>  smsusb_init_device+0xd85/0x12d0 drivers/media/usb/siano/smsusb.c:475
>  smsusb_probe+0x496/0xa90 drivers/media/usb/siano/smsusb.c:566
>  usb_probe_interface+0x633/0xb40 drivers/usb/core/driver.c:396
>  really_probe+0x3cb/0x1020 drivers/base/dd.c:580
>  driver_probe_device+0x178/0x350 drivers/base/dd.c:763
> ...
>  hub_event+0x48d/0xd90 drivers/usb/core/hub.c:5644
>  process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
>  worker_thread+0xac1/0x1300 kernel/workqueue.c:2422
>  kthread+0x39a/0x3c0 kernel/kthread.c:313
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> 
> Reported-and-tested-by: syzbot+12002a39b8c60510f8fb@syzkaller.appspotmail.com
> Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb")
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
> ---
>  drivers/media/usb/siano/smsusb.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
> index 723510520d09..daaac121c670 100644
> --- a/drivers/media/usb/siano/smsusb.c
> +++ b/drivers/media/usb/siano/smsusb.c
> @@ -405,10 +405,10 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
>  		struct usb_endpoint_descriptor *desc =
>  				&intf->cur_altsetting->endpoint[i].desc;
>  
> -		if (desc->bEndpointAddress & USB_DIR_IN) {
> +		if (usb_endpoint_is_bulk_in(desc)) {
>  			dev->in_ep = desc->bEndpointAddress;
>  			align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr);
> -		} else {
> +		} else if (usb_endpoint_is_bulk_out(desc)) {

Did you test it on what devices? I'm not sure if all siano devices
are bulk. Why did you decide to use usb_endpoint_is_bulk_(in|out)
instead of usb_endpoint_dir_(in|out)?

Regards,
Mauro

>  			dev->out_ep = desc->bEndpointAddress;
>  		}
>  	}
>