From: Oliver Neukum <oneukum@suse.com>
To: Andrey Konovalov <andreyknvl@google.com>,
Alan Stern <stern@rowland.harvard.edu>
Cc: vskrishn@codeaurora.org, krinkin.m.u@gmail.com,
syzkaller-bugs@googlegroups.com,
Felipe Balbi <felipe.balbi@linux.intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Takashi Iwai <tiwai@suse.de>,
syzbot
<bot+50d191d34989b5aa28596b0a2cb20c96f3ca4650@syzkaller.appspotmail.com>,
LKML <linux-kernel@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>
Subject: Re: WARNING in usb_submit_urb
Date: Thu, 09 Nov 2017 14:26:14 +0100
Message-ID: <1510233974.2975.20.camel@suse.com>
In-Reply-To: <CAAeHK+zqC7W6CrwHDe1SqvznSRj+Tg2Bu5_PnYCG+a_eRk9NOQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 468 bytes --]
On Thursday, 09.11.2017, at 13:19 +0100, Andrey Konovalov wrote:
>
> This isn't the "BOGUS urb xfer" warning, this is "BOGUS urb flags". So
> 2 means the URB_ISO_ASAP flag, which is passed in urb->transfer_flags
> but not allowed. And as far as I understand, it gets set because uurb
> (which is passed from user space) has USBDEVFS_URB_ISO_ASAP flag set
> when passed to proc_do_submiturb().
Hi,
yes we should filter better.
Could you test?
Regards
Oliver
[-- Attachment #2: 0001-USB-usbfs-Filter-flags-passed-in-from-user-space.patch --]
[-- Type: text/x-patch, Size: 1277 bytes --]
From 6026435970e0d34def0abc71879bbd6fea6e8ec1 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 9 Nov 2017 14:18:32 +0100
Subject: [PATCH] USB: usbfs: Filter flags passed in from user space
USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
Improve sanity checking.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/usb/core/devio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index c3aaafc25a04..abe6457516a2 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1473,6 +1473,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
case USBDEVFS_URB_TYPE_CONTROL:
if (!usb_endpoint_xfer_control(&ep->desc))
return -EINVAL;
+ if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
+ return -EINVAL;
/* min 8 byte setup packet */
if (uurb->buffer_length < 8)
return -EINVAL;
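Review bot: The test added to the USBDEVFS_URB_TYPE_CONTROL case rejects exactly one flag, USBDEVFS_URB_ISO_ASAP, so any other bit user space sets in uurb->flags that is not valid for this transfer type still passes through to the submit path. The "BOGUS urb flags" warning discussed in this thread is about flags that are not allowed for the URB, not about this one bit alone, so an allowlist would be more robust: build a mask of the flags permitted for the transfer type and return -EINVAL if (uurb->flags & ~mask) is non-zero. If the single-flag test stays, a one-line comment saying the flag is only meaningful for isochronous URBs would help, and the commit message should note that user space which previously set this flag on control URBs will now get -EINVAL.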
@@ -1511,6 +1513,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
break;
case USBDEVFS_URB_TYPE_BULK:
+ if (uurb->flags & USBDEVFS_URB_ISO_ASAP)
+ return -EINVAL;
switch (usb_endpoint_type(&ep->desc)) {
case USB_ENDPOINT_XFER_CONTROL:
case USB_ENDPOINT_XFER_ISOC:
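Review bot: The USBDEVFS_URB_TYPE_BULK case repeats the same two-line USBDEVFS_URB_ISO_ASAP test as the CONTROL case, and these two cases are the only ones the patch touches (4 insertions), although the commit message states the flag "must be accepted only for ISO endpoints". Any other non-ISO uurb->type handled by proc_do_submiturb() is therefore left unfiltered by this diff. A single test placed ahead of the switch on uurb->type, rejecting the flag whenever the type is not USBDEVFS_URB_TYPE_ISO, would match the commit message, remove the duplication, and avoid having to remember the check if another case is added later.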
--
2.13.6