* [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb
From: syzbot @ 2024-06-26 1:30 UTC
To: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    66cc544fd75c Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14280161980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16f59c82980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12b955b6980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b4d37fd1f3c8/disk-66cc544f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/04c8b576cea2/vmlinux-66cc544f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/05e217dc3c31/bzImage-66cc544f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 4491 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 0 PID: 4491 Comm: kworker/u9:1 Not tainted 6.10.0-rc4-syzkaller-00164-g66cc544fd75c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci0 hci_power_on
RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
Code: f8 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 b1 08 00 00 45 8b 07 48 c7 c7 40 90 6d 8c 48 8b 34 24 4c 89 e2 89 e9 e8 23 9a 3c fa 90 <0f> 0b 90 90 48 8b 5c 24 30 41 89 dc 4c 89 e7 48 c7 c6 b0 4b f2 8e
RSP: 0018:ffffc9000d817798 EFLAGS: 00010246
RAX: 6d750bdfc6b7f400 RBX: dffffc0000000000 RCX: ffff888030053c00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff81585822 R09: fffffbfff1c39994
R10: dffffc0000000000 R11: fffffbfff1c39994 R12: ffff88801c2e7560
R13: ffff88801a2af400 R14: 0000000000000001 R15: ffffffff8c6d8e28
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559f0e1c6bd8 CR3: 000000002e10e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 btusb_submit_intr_urb+0x3dd/0x7b0 drivers/bluetooth/btusb.c:1409
 btusb_open+0x1a1/0x770 drivers/bluetooth/btusb.c:1865
 hci_dev_open_sync+0x2cc/0x2b40 net/bluetooth/hci_sync.c:4889
 hci_dev_do_open net/bluetooth/hci_core.c:485 [inline]
 hci_power_on+0x1c7/0x6b0 net/bluetooth/hci_core.c:1012
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb
From: Alan Stern @ 2024-06-26 14:03 UTC (permalink / raw) To: syzbot Cc: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, syzkaller-bugs On Tue, Jun 25, 2024 at 06:30:22PM -0700, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 66cc544fd75c Merge tag 'dmaengine-fix-6.10' of git://git.k.. > git tree: upstream > console+strace: https://syzkaller.appspot.com/x/log.txt?x=14280161980000 > kernel config: https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87 > dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f59c82980000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b955b6980000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/b4d37fd1f3c8/disk-66cc544f.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/04c8b576cea2/vmlinux-66cc544f.xz > kernel image: https://storage.googleapis.com/syzbot-assets/05e217dc3c31/bzImage-66cc544f.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com > > ------------[ cut here ]------------ > usb 1-1: BOGUS urb xfer, pipe 1 != type 3 > WARNING: CPU: 0 PID: 4491 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 > Modules linked in: > CPU: 0 PID: 4491 Comm: kworker/u9:1 Not tainted 6.10.0-rc4-syzkaller-00164-g66cc544fd75c #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 > Workqueue: hci0 hci_power_on > RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 > Code: f8 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 b1 08 00 00 45 8b 07 48 c7 c7 40 90 6d 8c 48 8b 34 24 4c 89 e2 89 e9 e8 23 9a 3c fa 90 <0f> 0b 90 90 48 8b 5c 24 30 41 89 dc 4c 89 e7 48 c7 c6 b0 4b f2 8e > RSP: 0018:ffffc9000d817798 
EFLAGS: 00010246 > RAX: 6d750bdfc6b7f400 RBX: dffffc0000000000 RCX: ffff888030053c00 > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 > RBP: 0000000000000001 R08: ffffffff81585822 R09: fffffbfff1c39994 > R10: dffffc0000000000 R11: fffffbfff1c39994 R12: ffff88801c2e7560 > R13: ffff88801a2af400 R14: 0000000000000001 R15: ffffffff8c6d8e28 > FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000559f0e1c6bd8 CR3: 000000002e10e000 CR4: 00000000003506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > btusb_submit_intr_urb+0x3dd/0x7b0 drivers/bluetooth/btusb.c:1409 This shouldn't happen. The driver takes care to verify the types of the endpoints it uses. Let's add some debugging info. Alan Stern #syz test: upstream 66cc544fd75c Index: usb-devel/drivers/bluetooth/btusb.c =================================================================== --- usb-devel.orig/drivers/bluetooth/btusb.c +++ usb-devel/drivers/bluetooth/btusb.c @@ -1398,6 +1398,7 @@ static int btusb_submit_intr_urb(struct } pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); + dev_info(&data->intf->dev, "Pipe %x ep %p\n", pipe, data->intr_ep); usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_intr_complete, hdev, data->intr_ep->bInterval); @@ -4283,6 +4284,9 @@ static int btusb_probe(struct usb_interf if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { data->intr_ep = ep_desc; + dev_info(&intf->dev, "Ep %p epaddr %x epattr %x\n", + ep_desc, ep_desc->bEndpointAddress, + ep_desc->bmAttributes); continue; } Index: usb-devel/drivers/usb/core/urb.c =================================================================== --- usb-devel.orig/drivers/usb/core/urb.c +++ usb-devel/drivers/usb/core/urb.c 
@@ -208,8 +208,11 @@ int usb_pipe_type_check(struct usb_devic ep = usb_pipe_endpoint(dev, pipe); if (!ep) return -EINVAL; - if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) + if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) { + dev_info(&dev->dev, "Error pipe %x ep %p epaddr %x\n", + pipe, &ep->desc, ep->desc.bEndpointAddress); return -EINVAL; + } return 0; } EXPORT_SYMBOL_GPL(usb_pipe_type_check); ^ permalink raw reply [flat|nested] 7+ messages in thread
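Review bot: in the usb_pipe_type_check() hunk the new "Error pipe" message prints pipe, the descriptor pointer and epaddr, but not the value that actually failed the comparison. Printing ep->desc.bmAttributes as well, the way the btusb_probe() message already prints epattr, would show the endpoint's transfer type in the same line and make the two messages directly comparable.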
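Review bot: the dev_info() added in btusb_submit_intr_urb() runs on every call to that function, not only when the endpoint lookup goes wrong. That is fine for a one-off syzbot test run, but if any of this logging were kept it should be dev_dbg(), leaving the unconditional output to the failure branch in usb_pipe_type_check().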
* Re: [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb
From: syzbot @ 2024-06-26 16:44 UTC
To: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in btusb_submit_intr_urb/usb_submit_urb

btusb 1-1:0.0: Pipe 404d8280 ep ffff8880234bee00
usb 1-1: Error pipe 404d8280 ep ffff8880234beea0 epaddr 8b
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 1 PID: 53 at drivers/usb/core/urb.c:507 usb_submit_urb+0xbfa/0x17e0 drivers/usb/core/urb.c:506
Modules linked in:
CPU: 1 PID: 53 Comm: kworker/u9:0 Not tainted 6.10.0-rc4-syzkaller-00164-g66cc544fd75c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci1 hci_power_on
RIP: 0010:usb_submit_urb+0xbfa/0x17e0 drivers/usb/core/urb.c:506
Code: f0 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 8c 08 00 00 45 8b 06 48 c7 c7 c0 90 6d 8c 48 8b 34 24 4c 89 fa 89 e9 e8 a7 99 3c fa 90 <0f> 0b 90 90 45 89 e6 4c 89 f7 48 c7 c6 b0 4b f2 8e e8 10 6f 7a fa
RSP: 0018:ffffc90000bd77a0 EFLAGS: 00010246
RAX: 7b355395d6059e00 RBX: dffffc0000000000 RCX: ffff8880157d5a00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff81585822 R09: 1ffff9200017ae94
R10: dffffc0000000000 R11: fffff5200017ae95 R12: 0000000000000002
R13: ffff888018acd300 R14: ffffffff8c6d8e68 R15: ffff888023a90c60
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055da0d81ae28 CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 btusb_submit_intr_urb+0x4a2/0x890 drivers/bluetooth/btusb.c:1410
 btusb_open+0x1a1/0x770 drivers/bluetooth/btusb.c:1866
 hci_dev_open_sync+0x2cc/0x2b40 net/bluetooth/hci_sync.c:4889
 hci_dev_do_open net/bluetooth/hci_core.c:485 [inline]
 hci_power_on+0x1c7/0x6b0 net/bluetooth/hci_core.c:1012
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Tested on:

commit:         66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1503e301980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13ec9e82980000
* Re: [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb 2024-06-26 16:44 ` syzbot @ 2024-06-26 17:46 ` Alan Stern 2024-06-26 18:29 ` syzbot 0 siblings, 1 reply; 7+ messages in thread From: Alan Stern @ 2024-06-26 17:46 UTC (permalink / raw) To: syzbot Cc: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, syzkaller-bugs On Wed, Jun 26, 2024 at 09:44:03AM -0700, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > WARNING in btusb_submit_intr_urb/usb_submit_urb As expected. The interesting information is in the console log: [ 100.266326][ T25] btusb 1-1:0.0: Ep ffff8880234bee00 epaddr 9b epattr 67 [ 100.280938][ T53] btusb 1-1:0.0: Pipe 404d8280 ep ffff8880234bee00 [ 100.287918][ T53] usb 1-1: Error pipe 404d8280 ep ffff8880234beea0 epaddr 8b Notice the difference in the "ep" values (the addresses of the endpoint descriptors). The kernel thinks two different endpoints are the same. The reason is that the two descriptors have the same direction and address, but the parsing code in config.c doesn't realize they are duplicates because they differ in the value of the reserved bits in bEndpointAddress. You can see this in the epaddr values above: 0x9b versus 0x8b. Let's see what happens if we reject endpoint descriptors in which any of the reserved bits in bEndpointAddress are set. Alan Stern #syz test: upstream 66cc544fd75c Index: usb-devel/drivers/bluetooth/btusb.c =================================================================== --- usb-devel.orig/drivers/bluetooth/btusb.c +++ usb-devel/drivers/bluetooth/btusb.c @@ -1398,6 +1398,7 @@ static int btusb_submit_intr_urb(struct } pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); + dev_info(&data->intf->dev, "Pipe %x ep %p\n", pipe, data->intr_ep); usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_intr_complete, hdev, data->intr_ep->bInterval); 
@@ -4283,6 +4284,9 @@ static int btusb_probe(struct usb_interf if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { data->intr_ep = ep_desc; + dev_info(&intf->dev, "Ep %p epaddr %x epattr %x\n", + ep_desc, ep_desc->bEndpointAddress, + ep_desc->bmAttributes); continue; } Index: usb-devel/drivers/usb/core/urb.c =================================================================== --- usb-devel.orig/drivers/usb/core/urb.c +++ usb-devel/drivers/usb/core/urb.c @@ -208,8 +208,11 @@ int usb_pipe_type_check(struct usb_devic ep = usb_pipe_endpoint(dev, pipe); if (!ep) return -EINVAL; - if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) + if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) { + dev_info(&dev->dev, "Error pipe %x ep %p epaddr %x\n", + pipe, &ep->desc, ep->desc.bEndpointAddress); return -EINVAL; + } return 0; } EXPORT_SYMBOL_GPL(usb_pipe_type_check); Index: usb-devel/drivers/usb/core/config.c =================================================================== --- usb-devel.orig/drivers/usb/core/config.c +++ usb-devel/drivers/usb/core/config.c @@ -287,6 +287,13 @@ static int usb_parse_endpoint(struct dev goto skip_to_next_endpoint_or_interface_descriptor; } + if (d->bEndpointAddress & + ~(USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK)) { + dev_notice(ddev, "config %d interface %d altsetting %d has an invalid endpoint descriptor with address 0x%02x, skipping\n", + cfgno, inum, asnum, d->bEndpointAddress); + goto skip_to_next_endpoint_or_interface_descriptor; + } + /* Only store as many endpoints as we have room for */ if (ifp->desc.bNumEndpoints >= num_ep) goto skip_to_next_endpoint_or_interface_descriptor; ^ permalink raw reply [flat|nested] 7+ messages in thread
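Review bot: the reserved-bit check added to usb_parse_endpoint() in config.c jumps to skip_to_next_endpoint_or_interface_descriptor, so a descriptor whose only fault is a set reserved bit in bEndpointAddress is dropped from the interface altogether. Clearing the bits with (USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK) and carrying on would keep the endpoint available to drivers while still letting the duplicate check see matching addresses; if skipping is the intended behaviour, a short comment above the test saying why would help.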
* Re: [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb
From: syzbot @ 2024-06-26 18:29 UTC
To: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com

Tested on:

commit:         66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15a59299980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=169b3789980000

Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb 2024-06-26 18:29 ` syzbot @ 2024-06-26 20:12 ` Alan Stern 2024-06-26 21:34 ` syzbot 0 siblings, 1 reply; 7+ messages in thread From: Alan Stern @ 2024-06-26 20:12 UTC (permalink / raw) To: syzbot Cc: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, syzkaller-bugs On Wed, Jun 26, 2024 at 11:29:05AM -0700, syzbot wrote: > Hello, > > syzbot has tested the proposed patch and the reproducer did not trigger any issue: > > Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com > > Tested on: > > commit: 66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k.. > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git > console output: https://syzkaller.appspot.com/x/log.txt?x=15a59299980000 > kernel config: https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87 > dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > patch: https://syzkaller.appspot.com/x/patch.diff?x=169b3789980000 > > Note: testing is done by a robot and is best-effort only. Somewhat different approach. Let's see if this works. Alan Stern #syz test: upstream 66cc544fd75c Index: usb-devel/drivers/usb/core/config.c =================================================================== --- usb-devel.orig/drivers/usb/core/config.c +++ usb-devel/drivers/usb/core/config.c 
@@ -291,6 +291,19 @@ static int usb_parse_endpoint(struct dev if (ifp->desc.bNumEndpoints >= num_ep) goto skip_to_next_endpoint_or_interface_descriptor; + /* Save a copy of the descriptor and use it instead of the original */ + endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; + memcpy(&endpoint->desc, d, n); + d = &endpoint->desc; + + i = d->bEndpointAddress & + (USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK); + if (i != d->bEndpointAddress) { + dev_notice(ddev, "config %d interface %d altsetting %d has an endpoint descriptor with address 0x%X, changing to 0x%X\n", + cfgno, inum, asnum, d->bEndpointAddress, i); + endpoint->desc.bEndpointAddress = i; + } + /* Check for duplicate endpoint addresses */ if (config_endpoint_is_duplicate(config, inum, asnum, d)) { dev_notice(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", @@ -308,10 +321,8 @@ static int usb_parse_endpoint(struct dev } } - endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; + /* Accept this endpoint */ ++ifp->desc.bNumEndpoints; - - memcpy(&endpoint->desc, d, n); INIT_LIST_HEAD(&endpoint->urb_list); /* ^ permalink raw reply [flat|nested] 7+ messages in thread
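Review bot: in the first usb_parse_endpoint() hunk the memcpy() into ifp->endpoint[ifp->desc.bNumEndpoints] now runs before the duplicate-address check, while ++ifp->desc.bNumEndpoints only happens later at "Accept this endpoint". A descriptor rejected in between leaves its copy sitting in a slot that is not counted. The bNumEndpoints >= num_ep test just above keeps the index in range, so this is harmless, but the "Save a copy of the descriptor" comment should say that the slot is provisional and is reused by the next descriptor when this one is skipped.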
* Re: [syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb
From: syzbot @ 2024-06-26 21:34 UTC
To: linux-bluetooth, linux-kernel, linux-usb, luiz.dentz, marcel, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com

Tested on:

commit:         66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=146c143a980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15e096c1980000

Note: testing is done by a robot and is best-effort only.
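The endpoint mix-up diagnosed in this thread, modelled in user space as an added example (it is not code from the thread or from the kernel): descriptors with addresses 0x9b and 0x8b both resolve to IN endpoint number 11, and the hypothetical policies RAW, REJECT and MASK stand for the original comparison, the second patch and the third patch. The struct layout, the function names, the second descriptor's bulk type and the descriptor order are assumptions.

```c
#include <stdio.h>

#define USB_ENDPOINT_NUMBER_MASK   0x0f /* these four values match the kernel's USB ch9 header */
#define USB_ENDPOINT_DIR_MASK      0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_INT      3
#define ADDR_MASK (USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK)
struct ep_desc { unsigned char bEndpointAddress, bmAttributes; };
enum policy { RAW, REJECT, MASK }; /* hypothetical: compare as-is, drop, or clear reserved bits */
struct iface {
    struct ep_desc ep[4];            /* descriptors the parser accepted */
    int num_ep;
    const struct ep_desc *ep_in[16]; /* IN lookup table indexed by endpoint number */
};
/* Entry 1 is from the console log; entry 2's bulk type (0x02) and the order are constructed. */
static const struct ep_desc SAMPLE[] = { { 0x9b, 0x67 }, { 0x8b, 0x02 } };

static int is_int_in(const struct ep_desc *d)
{
    return (d->bEndpointAddress & USB_ENDPOINT_DIR_MASK) &&
           (d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
}

/* Simplified model of descriptor parsing; returns the number of endpoints accepted. */
static int parse(struct iface *f, const struct ep_desc *in, int n, enum policy p)
{
    *f = (struct iface){ 0 };
    for (int k = 0; k < n && f->num_ep < 4; k++) {
        struct ep_desc d = in[k];
        int dup = 0;
        if (p == REJECT && (d.bEndpointAddress & ~ADDR_MASK))
            continue;                        /* skip the whole descriptor */
        if (p == MASK)
            d.bEndpointAddress &= ADDR_MASK; /* keep it with reserved bits cleared */
        for (int j = 0; j < f->num_ep; j++)
            dup |= f->ep[j].bEndpointAddress == d.bEndpointAddress;
        if (dup)
            continue;                        /* duplicate address */
        f->ep[f->num_ep] = d;
        if (d.bEndpointAddress & USB_ENDPOINT_DIR_MASK) /* a later entry replaces an earlier one */
            f->ep_in[d.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK] = &f->ep[f->num_ep];
        f->num_ep++;
    }
    return f->num_ep;
}

/* Driver takes the first interrupt-IN descriptor, core resolves it by number: 1 ok, 0 mismatch, -1 none. */
static int intr_submit(const struct iface *f)
{
    for (int j = 0; j < f->num_ep; j++)
        if (is_int_in(&f->ep[j]))
            return is_int_in(f->ep_in[f->ep[j].bEndpointAddress & USB_ENDPOINT_NUMBER_MASK]);
    return -1;
}

int main(void)
{
    struct iface f;
    for (int p = RAW; p <= MASK; p++) {
        int n = parse(&f, SAMPLE, 2, (enum policy)p);
        printf("policy %d: accepted %d, interrupt submit %d\n", p, n, intr_submit(&f));
    }
    return 0;
}
```

With RAW both descriptors are stored and the by-number lookup returns the bulk one, which is the condition behind the "BOGUS urb xfer" warning; REJECT leaves the driver with no interrupt-IN endpoint, and MASK keeps one interrupt endpoint at 0x8b.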