Re: [syzbot] WARNING in usb_tx_block/usb_submit_urb

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Fabio M. De Francesco" <fmdefrancesco@gmail.com>
To: syzbot <syzbot+355c68b459d1d96c4d06@syzkaller.appspotmail.com>,
	syzkaller-bugs@googlegroups.com, Hillf Danton <hdanton@sina.com>
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] WARNING in usb_tx_block/usb_submit_urb
Date: Thu, 16 Feb 2023 07:54:08 +0100	[thread overview]
Message-ID: <2136128.irdbgypaU6@suse> (raw)
In-Reply-To: <20230215110515.3833-1-hdanton@sina.com>

On mercoledì 15 febbraio 2023 12:05:15 CET Hillf Danton wrote:
> On Tue, 14 Feb 2023 23:00:47 -0800
> 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    f87b564686ee dt-bindings: usb: amlogic,meson-g12a-usb-
ctrl..
> > git tree:      
> > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1670f2b3480000
> Kill urb in flight after submitting it.
> 
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 
> f87b564686ee
> 
> --- x/drivers/net/wireless/marvell/libertas/if_usb.c
> +++ y/drivers/net/wireless/marvell/libertas/if_usb.c
> @@ -763,9 +763,7 @@ static int if_usb_issue_boot_command(str
>  	memset(bootcmd->pad, 0, sizeof(bootcmd->pad));
> 
>  	/* Issue command */
> -	usb_tx_block(cardp, cardp->ep_out_buf, sizeof(*bootcmd));
> -
> -	return 0;
> +	return usb_tx_block(cardp, cardp->ep_out_buf, sizeof(*bootcmd));
>  }
> 
> 
> @@ -853,10 +851,12 @@ restart:
>  	}

> 
>  	cardp->bootcmdresp = 0;
> +	ret = if_usb_issue_boot_command(cardp, BOOT_CMD_FW_BY_USB);
> +	if (ret)
> +		goto done;

I think that you are changing the logic here (please read below)...

>  	do {
>  		int j = 0;
>  		i++;
> -		if_usb_issue_boot_command(cardp, BOOT_CMD_FW_BY_USB);

Don't we need to call if_usb_issue_boot_command() in a loop in order to retry 
the command?

>  		/* wait for command response */
>  		do {
>  			j++;
> @@ -864,6 +864,8 @@ restart:
>  		} while (cardp->bootcmdresp == 0 && j < 10);
>  	} while (cardp->bootcmdresp == 0 && i < 5);
> 
> +	usb_kill_urb(cardp->tx_urb);
> +

I'm not an expert in the USB core, anyway calling usb_kill_urb() looks good to 
me, but I think we should call it after each call of 
if_usb_issue_boot_command() in the above outer loop.

>  	if (cardp->bootcmdresp == BOOT_CMD_RESP_NOT_SUPPORTED) {
>  		/* Return to normal operation */
>  		ret = -EOPNOTSUPP;
> --

Can the following work?

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 
f87b564686ee

diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/
wireless/marvell/libertas/if_usb.c
index 20436a289d5c..626357d0c7b0 100644
--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -859,6 +859,7 @@ static void if_usb_prog_firmware(struct lbs_private *priv, 
int ret,
                        j++;
                        msleep_interruptible(100);
                } while (cardp->bootcmdresp == 0 && j < 10);
+               usb_kill_urb(cardp->tx_urb):
        } while (cardp->bootcmdresp == 0 && i < 5);
 
        if (cardp->bootcmdresp == BOOT_CMD_RESP_NOT_SUPPORTED) {
--

Thanks,

Fabio

next prev parent reply	other threads:[~2023-02-16  6:54 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20230215110515.3833-1-hdanton@sina.com>
2023-02-15 11:57 ` [syzbot] WARNING in usb_tx_block/usb_submit_urb syzbot
2023-02-16  6:54 ` Fabio M. De Francesco [this message]
2023-02-16  7:44   ` syzbot
2023-02-16  8:26     ` Fabio M. De Francesco
2023-02-16  8:48       ` syzbot
     [not found] ` <20230216081834.1432-1-hdanton@sina.com>
2023-02-16  9:21   ` Fabio M. De Francesco
2023-02-15  7:00 syzbot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:20436a289d5 dfblob:626357d0c7b )
 OR (
bs:"Re: [syzbot] WARNING in usb_tx_block/usb_submit_urb" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2136128.irdbgypaU6@suse \
    --to=fmdefrancesco@gmail.com \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+355c68b459d1d96c4d06@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox