Re: [syzbot] WARNING in usb_tx_block/usb_submit_urb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Fabio M. De Francesco" <fmdefrancesco@gmail.com>
To: syzbot <syzbot+355c68b459d1d96c4d06@syzkaller.appspotmail.com>,
	syzkaller-bugs@googlegroups.com, Hillf Danton <hdanton@sina.com>
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] WARNING in usb_tx_block/usb_submit_urb
Date: Thu, 16 Feb 2023 07:54:08 +0100	[thread overview]
Message-ID: <2136128.irdbgypaU6@suse> (raw)
In-Reply-To: <20230215110515.3833-1-hdanton@sina.com>

On mercoledì 15 febbraio 2023 12:05:15 CET Hillf Danton wrote:
> On Tue, 14 Feb 2023 23:00:47 -0800
> 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    f87b564686ee dt-bindings: usb: amlogic,meson-g12a-usb-
ctrl..
> > git tree:      
> > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1670f2b3480000
> Kill urb in flight after submitting it.
> 
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 
> f87b564686ee
> 
> --- x/drivers/net/wireless/marvell/libertas/if_usb.c
> +++ y/drivers/net/wireless/marvell/libertas/if_usb.c
> @@ -763,9 +763,7 @@ static int if_usb_issue_boot_command(str
>  	memset(bootcmd->pad, 0, sizeof(bootcmd->pad));
> 
>  	/* Issue command */
> -	usb_tx_block(cardp, cardp->ep_out_buf, sizeof(*bootcmd));
> -
> -	return 0;
> +	return usb_tx_block(cardp, cardp->ep_out_buf, sizeof(*bootcmd));
>  }
> 
> 
> @@ -853,10 +851,12 @@ restart:
>  	}

> 
>  	cardp->bootcmdresp = 0;
> +	ret = if_usb_issue_boot_command(cardp, BOOT_CMD_FW_BY_USB);
> +	if (ret)
> +		goto done;

I think that you are changing the logic here (please read below)...

>  	do {
>  		int j = 0;
>  		i++;
> -		if_usb_issue_boot_command(cardp, BOOT_CMD_FW_BY_USB);

Don't we need to call if_usb_issue_boot_command() in a loop in order to retry 
the command?

>  		/* wait for command response */
>  		do {
>  			j++;
> @@ -864,6 +864,8 @@ restart:
>  		} while (cardp->bootcmdresp == 0 && j < 10);
>  	} while (cardp->bootcmdresp == 0 && i < 5);
> 
> +	usb_kill_urb(cardp->tx_urb);
> +

I'm not an expert in the USB core, anyway calling usb_kill_urb() looks good to 
me, but I think we should call it after each call of 
if_usb_issue_boot_command() in the above outer loop.

>  	if (cardp->bootcmdresp == BOOT_CMD_RESP_NOT_SUPPORTED) {
>  		/* Return to normal operation */
>  		ret = -EOPNOTSUPP;
> --

Can the following work?

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 
f87b564686ee

diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/
wireless/marvell/libertas/if_usb.c
index 20436a289d5c..626357d0c7b0 100644
--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -859,6 +859,7 @@ static void if_usb_prog_firmware(struct lbs_private *priv, 
int ret,
                        j++;
                        msleep_interruptible(100);
                } while (cardp->bootcmdresp == 0 && j < 10);
+               usb_kill_urb(cardp->tx_urb):
        } while (cardp->bootcmdresp == 0 && i < 5);
 
        if (cardp->bootcmdresp == BOOT_CMD_RESP_NOT_SUPPORTED) {
--

Thanks,

Fabio

next prev parent reply	other threads:[~2023-02-16  6:54 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20230215110515.3833-1-hdanton@sina.com>
2023-02-15 11:57 ` [syzbot] WARNING in usb_tx_block/usb_submit_urb syzbot
2023-02-16  6:54 ` Fabio M. De Francesco [this message]
2023-02-16  7:44   ` syzbot
2023-02-16  8:26     ` Fabio M. De Francesco
2023-02-16  8:48       ` syzbot
     [not found] ` <20230216081834.1432-1-hdanton@sina.com>
2023-02-16  9:21   ` Fabio M. De Francesco
2023-02-15  7:00 syzbot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:20436a289d5 dfblob:626357d0c7b )
 OR (
bs:"Re: [syzbot] WARNING in usb_tx_block/usb_submit_urb" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2136128.irdbgypaU6@suse \
    --to=fmdefrancesco@gmail.com \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+355c68b459d1d96c4d06@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.