[PATCH AUTOSEL 4.14 35/39] USB: core: Fix misleading driver bug report

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>,
	syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 35/39] USB: core: Fix misleading driver bug report
Date: Thu, 14 May 2020 14:54:52 -0400	[thread overview]
Message-ID: <20200514185456.21060-35-sashal@kernel.org> (raw)
In-Reply-To: <20200514185456.21060-1-sashal@kernel.org>

From: Alan Stern <stern@rowland.harvard.edu>

[ Upstream commit ac854131d9844f79e2fdcef67a7707227538d78a ]

The syzbot fuzzer found a race between URB submission to endpoint 0
and device reset.  Namely, during the reset we call usb_ep0_reinit()
because the characteristics of ep0 may have changed (if the reset
follows a firmware update, for example).  While usb_ep0_reinit() is
running there is a brief period during which the pointers stored in
udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is
submitted to ep0 during that period, usb_urb_ep_type_check() will
report it as a driver bug.  In the absence of those pointers, the
routine thinks that the endpoint doesn't exist.  The log message looks
like this:

------------[ cut here ]------------
usb 2-1: BOGUS urb xfer, pipe 2 != type 2
WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478
usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478

Now, although submitting an URB while the device is being reset is a
questionable thing to do, it shouldn't count as a driver bug as severe
as submitting an URB for an endpoint that doesn't exist.  Indeed,
endpoint 0 always exists, even while the device is in its unconfigured
state.

To prevent these misleading driver bug reports, this patch updates
usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[]
pointers when the endpoint being disabled is ep0.  There's no danger
of leaving a stale pointer in place, because the usb_host_endpoint
structure being pointed to is stored permanently in udev->ep0; it
doesn't get deallocated until the entire usb_device structure does.

Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>

Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/message.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 00e80cfe614ce..298c91f83aeec 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1082,11 +1082,11 @@ void usb_disable_endpoint(struct usb_device *dev, unsigned int epaddr,

 	if (usb_endpoint_out(epaddr)) {
 		ep = dev->ep_out[epnum];
-		if (reset_hardware)
+		if (reset_hardware && epnum != 0)
 			dev->ep_out[epnum] = NULL;
 	} else {
 		ep = dev->ep_in[epnum];
-		if (reset_hardware)
+		if (reset_hardware && epnum != 0)
 			dev->ep_in[epnum] = NULL;
 	}
 	if (ep) {
-- 
2.20.1

next prev parent reply	other threads:[~2020-05-14 18:55 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-14 18:54 [PATCH AUTOSEL 4.14 01/39] Makefile: disallow data races on gcc-10 as well Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 02/39] gcc-common.h: Update for GCC 10 Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 03/39] HID: multitouch: add eGalaxTouch P80H84 support Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 04/39] batman-adv: fix batadv_nc_random_weight_tq Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 05/39] batman-adv: Fix refcnt leak in batadv_show_throughput_override Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 06/39] batman-adv: Fix refcnt leak in batadv_store_throughput_override Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 07/39] batman-adv: Fix refcnt leak in batadv_v_ogm_process Sasha Levin
     [not found] ` <20200514185456.21060-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2020-05-14 18:54   ` [PATCH AUTOSEL 4.14 08/39] phy: tegra: Select USB_COMMON for usb_get_maximum_speed() Sasha Levin
2020-05-14 18:54     ` Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 09/39] scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 10/39] objtool: Fix stack offset tracking for indirect CFAs Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 11/39] x86/entry/64: Fix unwind hints in register clearing code Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 12/39] x86/entry/64: Fix unwind hints in kernel exit path Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 13/39] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 14/39] x86/unwind/orc: Don't skip the first frame for inactive tasks Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 15/39] x86/unwind/orc: Fix error path for bad ORC entry type Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 16/39] configfs: fix config_item refcnt leak in configfs_rmdir() Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 17/39] vhost/vsock: fix packet delivery order to monitoring devices Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 18/39] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 19/39] net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()' Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 20/39] component: Silence bind error on -EPROBE_DEFER Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 21/39] scsi: ibmvscsi: Fix WARN_ON during event pool release Sasha Levin
2020-05-14 18:54   ` Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 22/39] net/mlx5: Fix forced completion access non initialized command entry Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 23/39] net/mlx5: Fix command entry leak in Internal Error State Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 24/39] dp83640: reverse arguments to list_add_tail Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 25/39] soc: qcom: ipa: IPA endpoints Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 26/39] net: ipa: fix a bug in ipa_endpoint_stop() Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 27/39] net: macsec: preserve ingress frame ordering Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 28/39] net: moxa: Fix a potential double 'free_irq()' Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 29/39] x86/apic: Move TSC deadline timer debug printk Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 30/39] gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 31/39] virtio-blk: handle block_device_operations callbacks after hot unplug Sasha Levin
2020-05-14 18:54   ` Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 32/39] net: usb: qmi_wwan: add support for DW5816e Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 33/39] ceph: fix double unlock in handle_cap_export() Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 34/39] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Sasha Levin
2020-05-14 18:54 ` Sasha Levin [this message]
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 36/39] platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 37/39] ARM: futex: Address build warning Sasha Levin
2020-05-14 18:54   ` Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 38/39] scripts/decodecode: fix trapping instruction formatting Sasha Levin
2020-05-14 18:54 ` [PATCH AUTOSEL 4.14 39/39] crypto: xts - simplify error handling in ->create() Sasha Levin
2020-05-14 19:08   ` Eric Biggers
2020-05-15  0:55     ` Sasha Levin
2020-05-16  1:35       ` Eric Biggers

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:00e80cfe614c dfblob:298c91f83aee )
 OR (
bs:"[PATCH AUTOSEL 4.14 35/39] USB: core: Fix misleading driver bug report" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200514185456.21060-35-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.