* WARNING in usb_submit_urb (3)
From: syzbot @ 2018-10-12 22:15 UTC
To: Thinh.Nguyen, felipe.balbi, garsilva, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit: 9dcd936c5312 Merge tag 'for-4.19/dm-fixes-4' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123b8da1400000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
dashboard link: https://syzkaller.appspot.com/bug?extid=24a30223a4b609bb802e
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13888991400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1476e5e6400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
------------[ cut here ]------------
usb usb7: BOGUS urb flags, 1 --> 0
WARNING: CPU: 0 PID: 5828 at drivers/usb/core/urb.c:503
usb_submit_urb+0x717/0x14e0 drivers/usb/core/urb.c:502
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 5828 Comm: syz-executor149 Not tainted 4.19.0-rc7+ #278
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
  panic+0x238/0x4e7 kernel/panic.c:184
  __warn.cold.8+0x163/0x1ba kernel/panic.c:536
  report_bug+0x254/0x2d0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:178 [inline]
  do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:usb_submit_urb+0x717/0x14e0 drivers/usb/core/urb.c:502
Code: 83 fc 48 8b 45 d0 48 8d b8 a0 00 00 00 e8 d1 be 44 ff 45 89 e0 44 89 e9 4c 89 fa 48 89 c6 48 c7 c7 00 72 71 88 e8 09 b3 4d fc <0f> 0b e8 12 e0 83 fc 48 c7 c6 00 73 71 88 4c 89 f7 e8 53 e1 83 fc
RSP: 0018:ffff8801bb42f268 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8801d754d300 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81650405 RDI: 0000000000000005
RBP: ffff8801bb42f2d8 R08: ffff8801d8fa6200 R09: fffffbfff12720fc
R10: fffffbfff12720fc R11: ffffffff893907e3 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801cdc41bc0
  proc_do_submiturb+0x1b7d/0x4020 drivers/usb/core/devio.c:1781
  proc_submiturb_compat+0x544/0x800 drivers/usb/core/devio.c:2015
  usbdev_do_ioctl+0x19a2/0x3b50 drivers/usb/core/devio.c:2492
  usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2569
  vfs_ioctl fs/ioctl.c:46 [inline]
  file_ioctl fs/ioctl.c:501 [inline]
  do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
  ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
  __do_sys_ioctl fs/ioctl.c:709 [inline]
  __se_sys_ioctl fs/ioctl.c:707 [inline]
  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444769
Code: 25 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00000000007eff78 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc1a2515c0 RCX: 0000000000444769
RDX: 0000000020000080 RSI: 00000000802c550a RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
R10: 000000000000000f R11: 0000000000000213 R12: 0000000000402320
R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

* Re: WARNING in usb_submit_urb (3)
From: Alan Stern @ 2018-10-15 15:22 UTC
To: syzbot
Cc: Thinh.Nguyen, felipe.balbi, garsilva, gregkh, linux-kernel, linux-usb, syzkaller-bugs

On Fri, 12 Oct 2018, syzbot wrote:

> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 9dcd936c5312 Merge tag 'for-4.19/dm-fixes-4' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=123b8da1400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
> dashboard link: https://syzkaller.appspot.com/bug?extid=24a30223a4b609bb802e
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13888991400000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1476e5e6400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
>
> IPVS: ftp: loaded support on port[0] = 21
> ------------[ cut here ]------------
> usb usb7: BOGUS urb flags, 1 --> 0
> WARNING: CPU: 0 PID: 5828 at drivers/usb/core/urb.c:503
> usb_submit_urb+0x717/0x14e0 drivers/usb/core/urb.c:502
> Kernel panic - not syncing: panic_on_warn set ...

This should have been fixed by commit 7a68d9fb8510 ("USB: usbdevfs:
sanitize flags more"). Was that commit not present in the kernel you
tested?

Alan Stern

* Re: WARNING in usb_submit_urb (3)
From: Andrey Konovalov @ 2018-10-15 16:20 UTC
To: Alan Stern
Cc: syzbot, Thinh.Nguyen, Felipe Balbi, Gustavo A . R . Silva, Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs

On Mon, Oct 15, 2018 at 5:22 PM, Alan Stern <stern@rowland.harvard.edu> wrote:
> On Fri, 12 Oct 2018, syzbot wrote:
>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 9dcd936c5312 Merge tag 'for-4.19/dm-fixes-4' of git://git...
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=123b8da1400000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=24a30223a4b609bb802e
>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13888991400000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1476e5e6400000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
>>
>> IPVS: ftp: loaded support on port[0] = 21
>> ------------[ cut here ]------------
>> usb usb7: BOGUS urb flags, 1 --> 0
>> WARNING: CPU: 0 PID: 5828 at drivers/usb/core/urb.c:503
>> usb_submit_urb+0x717/0x14e0 drivers/usb/core/urb.c:502
>> Kernel panic - not syncing: panic_on_warn set ...
>
> This should have been fixed by commit 7a68d9fb8510 ("USB: usbdevfs:
> sanitize flags more"). Was that commit not present in the kernel you
> tested?

The commit is there, AFAICT. This must be a different issue.

* Re: WARNING in usb_submit_urb (3)
From: Alan Stern @ 2018-10-15 17:12 UTC
To: Andrey Konovalov
Cc: syzbot, Thinh.Nguyen, Felipe Balbi, Gustavo A . R . Silva, Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs, Oliver Neukum

On Mon, 15 Oct 2018, Andrey Konovalov wrote:

> On Mon, Oct 15, 2018 at 5:22 PM, Alan Stern <stern@rowland.harvard.edu> wrote:
> > On Fri, 12 Oct 2018, syzbot wrote:
> >
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit: 9dcd936c5312 Merge tag 'for-4.19/dm-fixes-4' of git://git...
> >> git tree: upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=123b8da1400000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=24a30223a4b609bb802e
> >> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13888991400000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1476e5e6400000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
> >>
> >> IPVS: ftp: loaded support on port[0] = 21
> >> ------------[ cut here ]------------
> >> usb usb7: BOGUS urb flags, 1 --> 0
> >> WARNING: CPU: 0 PID: 5828 at drivers/usb/core/urb.c:503
> >> usb_submit_urb+0x717/0x14e0 drivers/usb/core/urb.c:502
> >> Kernel panic - not syncing: panic_on_warn set ...
> >
> > This should have been fixed by commit 7a68d9fb8510 ("USB: usbdevfs:
> > sanitize flags more"). Was that commit not present in the kernel you
> > tested?
>
> The commit is there, AFAICT. This must be a different issue.

Ah, I see the problem. In fact it is the same issue, but the commit
mentioned above contains an error (is_in gets tested too soon). The
fix is below; can you check it?

Alan Stern Index: usb-4.x/drivers/usb/core/devio.c =================================================================== --- usb-4.x.orig/drivers/usb/core/devio.c +++ usb-4.x/drivers/usb/core/devio.c @@ -1474,8 +1474,6 @@ static int proc_do_submiturb(struct usb_ u = 0; switch (uurb->type) { case USBDEVFS_URB_TYPE_CONTROL: - if (is_in) - allow_short = true; if (!usb_endpoint_xfer_control(&ep->desc)) return -EINVAL; /* min 8 byte setup packet */ @@ -1505,6 +1503,8 @@ static int proc_do_submiturb(struct usb_ is_in = 0; uurb->endpoint &= ~USB_DIR_IN; } + if (is_in) + allow_short = true; snoop(&ps->dev->dev, "control urb: bRequestType=%02x " "bRequest=%02x wValue=%04x " "wIndex=%04x wLength=%04x\n", ^ permalink raw reply [flat|nested] 6+ messages in thread
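
Review bot: The removal at the top of case USBDEVFS_URB_TYPE_CONTROL (first hunk, @@ -1474,8 +1474,6) arrives with no changelog and no tags. The thread names 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") as the commit that put the test there, so the formal submission should carry a Fixes: line for it, the Reported-by: tag syzbot asked for, and a Signed-off-by:, with one sentence in the changelog saying that is_in was being tested before it had its final value.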
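
Review bot: The re-added if (is_in) test in the second hunk (@@ -1505,6 +1503,8) now depends on running after the block that ends with is_in = 0; uurb->endpoint &= ~USB_DIR_IN;, but nothing in the code records that ordering requirement. A one-line comment above the test, saying that allow_short may only be decided once is_in has been finalized by the preceding block, would keep a later cleanup from hoisting it back to the top of the case.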
* Re: WARNING in usb_submit_urb (3) 2018-10-15 17:12 ` Alan Stern @ 2018-10-15 17:40 ` Andrey Konovalov 2018-10-15 18:31 ` syzbot 0 siblings, 1 reply; 6+ messages in thread From: Andrey Konovalov @ 2018-10-15 17:40 UTC (permalink / raw) To: Alan Stern Cc: syzbot, Thinh.Nguyen, Felipe Balbi, Gustavo A . R . Silva, Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs, Oliver Neukum [-- Attachment #1: Type: text/plain, Size: 371 bytes --] On Mon, Oct 15, 2018 at 7:12 PM, Alan Stern <stern@rowland.harvard.edu> wrote: > Ah, I see the problem. In fact it is the same issue, but the commit > mentioned above contains an error (is_in gets tested too soon). The > fix is below; can you check it? You can ask syzbot to do this: #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master [-- Attachment #2: usb_submit_urb.patch --] [-- Type: text/x-patch, Size: 795 bytes --] diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 244417d0dfd1..ffccd40ea67d 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1474,8 +1474,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb u = 0; switch (uurb->type) { case USBDEVFS_URB_TYPE_CONTROL: - if (is_in) - allow_short = true; if (!usb_endpoint_xfer_control(&ep->desc)) return -EINVAL; /* min 8 byte setup packet */ @@ -1505,6 +1503,8 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb is_in = 0; uurb->endpoint &= ~USB_DIR_IN; } + if (is_in) + allow_short = true; snoop(&ps->dev->dev, "control urb: bRequestType=%02x " "bRequest=%02x wValue=%04x " "wIndex=%04x wLength=%04x\n", ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: WARNING in usb_submit_urb (3)
From: syzbot @ 2018-10-15 18:31 UTC
To: Thinh.Nguyen, andreyknvl, felipe.balbi, garsilva, gregkh, linux-kernel, linux-usb, oneukum, stern, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com

Tested on:

commit: f0a7d1883d9f afs: Fix clearance of reply
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=b3f55cb3dfcc6c33
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=164eab91400000

Note: testing is done by a robot and is best-effort only.

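
The ordering error described in the thread ("is_in gets tested too soon"), as a small user-space model. This is an added example, not code from the kernel or from any message above. The struct, the function names, the sample request and the condition used to re-derive the direction are assumptions made for illustration; only the flag value 1 and the is_in / allow_short names come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_IN       0x80    /* direction bit in endpoint / bRequestType */
#define URB_SHORT_NOT_OK 0x0001  /* the "1" in "BOGUS urb flags, 1 --> 0" */

/* Constructed stand-in for the parts of a control URB request used here. */
struct ctrl_req {
    uint8_t  endpoint;      /* endpoint address supplied by the caller */
    uint8_t  bRequestType;  /* from the 8-byte setup packet */
    uint16_t wLength;       /* data-stage length from the setup packet */
    unsigned flags;         /* flags requested by the caller */
};

/* Model of the control case; early_test selects the ordering before the fix. */
static unsigned sanitize(struct ctrl_req r, bool early_test, bool *is_in)
{
    bool allow_short = false;

    *is_in = (r.endpoint & USB_DIR_IN) != 0;   /* caller's claim */
    if (early_test && *is_in)
        allow_short = true;                    /* decided on stale direction */

    /* Direction is re-derived from the setup packet (assumed condition). */
    *is_in = (r.bRequestType & USB_DIR_IN) && r.wLength;

    if (!early_test && *is_in)
        allow_short = true;                    /* decided on final direction */
    return allow_short ? (r.flags & URB_SHORT_NOT_OK) : 0;
}

/* Model of the submit-time policy: SHORT_NOT_OK is accepted only for IN. */
bool triggers_warning(struct ctrl_req r, bool early_test)
{
    bool is_in;
    unsigned flags = sanitize(r, early_test, &is_in);
    unsigned allowed = is_in ? URB_SHORT_NOT_OK : 0;
    return (flags & ~allowed) != 0;
}

int main(void)
{
    /* Constructed input: IN endpoint address, but an OUT setup packet. */
    struct ctrl_req r = { 0x80, 0x00, 0, URB_SHORT_NOT_OK };
    printf("early test: %d, late test: %d\n",
           triggers_warning(r, true), triggers_warning(r, false));
    return 0;
}
```

With the early test the flag is let through on the strength of a direction that is later cleared, which is the mismatch the submit-time check reports; with the test moved after the direction is final, the flag is dropped and the check passes.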