Re: [syzbot] [usb?] WARNING in usbnet_status_start

[Oliver Neukum <oneukum@suse.com>]

[-- Attachment #1: Type: text/plain, Size: 5274 bytes --]



On 08.07.25 19:51, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    d1b07cc0868f arm64: dts: s32g: Add USB device tree informa..
> git tree:https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output:https://syzkaller.appspot.com/x/log.txt?x=1554d582580000
> kernel config:https://syzkaller.appspot.com/x/.config?x=28729dff5d03ad1
> dashboard link:https://syzkaller.appspot.com/bug?extid=3f89ec3d1d0842e95d50
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:https://syzkaller.appspot.com/x/repro.syz?x=11680a8c580000
> C reproducer:https://syzkaller.appspot.com/x/repro.c?x=14c9abd4580000
> 
> Downloadable assets:
> disk image:https://storage.googleapis.com/syzbot-assets/3eab0cb43ae2/disk-d1b07cc0.raw.xz
> vmlinux:https://storage.googleapis.com/syzbot-assets/934d59614ed5/vmlinux-d1b07cc0.xz
> kernel image:https://storage.googleapis.com/syzbot-assets/4b24078bc227/bzImage-d1b07cc0.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by:syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com
> 
> sierra_net 4-1:0.11 wwan0: register 'sierra_net' at usb-dummy_hcd.3-1, Sierra Wireless USB-to-WWAN Modem, 00:00:00:00:01:0b
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 37 at drivers/net/usb/usbnet.c:266 usbnet_status_start+0x189/0x1e0 drivers/net/usb/usbnet.c:266
> Modules linked in:
> CPU: 1 UID: 0 PID: 37 Comm: kworker/1:1 Not tainted 6.16.0-rc4-syzkaller-00311-gd1b07cc0868f #0 PREEMPT(voluntary)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usbnet_status_start+0x189/0x1e0 drivers/net/usb/usbnet.c:266
> Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4e 48 8b bb 70 03 00 00 89 ee e8 25 95 0c 00 41 89 c5 e9 36 ff ff ff e8 a8 3f ec fc 90 <0f> 0b 90 45 31 ed e9 39 ff ff ff 4c 89 ff e8 d4 41 49 fd e9 e9 fe
> RSP: 0018:ffffc90000277098 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffff888100f80d00 RCX: ffffffff84930727
> RDX: ffff888105693a00 RSI: ffffffff84919188 RDI: ffff888100f80d00
> RBP: 0000000000000cc0 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff888100f81070
> R13: ffffffff89be8f70 R14: ffff88811da1f028 R15: ffff88811da1f024
> FS:  0000000000000000(0000) GS:ffff888269262000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd6ab63358 CR3: 0000000116716000 CR4: 00000000003506f0
> Call Trace:
>   <TASK>
>   sierra_net_probe drivers/net/usb/sierra_net.c:929 [inline]
>   sierra_net_probe+0x70/0xb0 drivers/net/usb/sierra_net.c:921
>   usb_probe_interface+0x303/0x9c0 drivers/usb/core/driver.c:396
>   call_driver_probe drivers/base/dd.c:579 [inline]
>   really_probe+0x23e/0xa90 drivers/base/dd.c:657
>   __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799
>   driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829
>   __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957
>   bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
>   __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029
>   bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>   device_add+0x1148/0x1a70 drivers/base/core.c:3692
>   usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
>   usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
>   usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
>   call_driver_probe drivers/base/dd.c:579 [inline]
>   really_probe+0x23e/0xa90 drivers/base/dd.c:657
>   __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799
>   driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829
>   __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957
>   bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
>   __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029
>   bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>   device_add+0x1148/0x1a70 drivers/base/core.c:3692
>   usb_new_device+0xd07/0x1a20 drivers/usb/core/hub.c:2694
>   hub_port_connect drivers/usb/core/hub.c:5566 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
>   port_event drivers/usb/core/hub.c:5866 [inline]
>   hub_event+0x2f85/0x5030 drivers/usb/core/hub.c:5948
>   process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
>   process_scheduled_works kernel/workqueue.c:3321 [inline]
>   worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
>   kthread+0x3c2/0x780 kernel/kthread.c:464
>   ret_from_fork+0x5b3/0x6c0 arch/x86/kernel/process.c:148
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>   </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> Seehttps://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached atsyzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git d1b07cc0868f


[-- Attachment #2: 0001-usb-net-sierra-check-for-no-status-endpoint.patch --]
[-- Type: text/x-patch, Size: 1021 bytes --]

From aad1765fc6d4d8036fc5a9978f193147b18004dd Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 10 Jul 2025 19:30:35 +0200
Subject: [PATCH] usb: net: sierra: check for no status endpoint

The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/net/usb/sierra_net.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
index c30ca415d1d3..36c73db44f77 100644
--- a/drivers/net/usb/sierra_net.c
+++ b/drivers/net/usb/sierra_net.c
@@ -689,6 +689,10 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
 			status);
 		return -ENODEV;
 	}
+	if (!dev->status) {
+		dev_err(&dev->udev->dev, "No status endpoint found");
+		return -ENODEV;
+	}
 	/* Initialize sierra private data */
 	priv = kzalloc(sizeof *priv, GFP_KERNEL);
 	if (!priv)
-- 
2.50.0