* [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb
@ 2021-11-15 7:28 syzbot
2021-11-15 14:31 ` Oliver Neukum
2023-06-23 13:32 ` [syzbot] [usb?] " syzbot
0 siblings, 2 replies; 10+ messages in thread
From: syzbot @ 2021-11-15 7:28 UTC (permalink / raw)
To: davem, kuba, linux-kernel, linux-usb, netdev, oneukum,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 1291 Comm: kworker/0:3 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Code: 7c 24 18 e8 40 2b aa fd 48 8b 7c 24 18 e8 c6 23 1a ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 40 c0 85 86 e8 e5 66 03 02 <0f> 0b e9 58 f8 ff ff e8 12 2b aa fd 48 81 c5 80 06 00 00 e9 84 f7
RSP: 0018:ffffc90000f0f580 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888108599c00 RSI: ffffffff812bae18 RDI: fffff520001e1ea2
RBP: ffff88810b887b00 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff812b4bfe R11: 0000000000000000 R12: 0000000000000003
R13: ffff8881067d9dc0 R14: 0000000000000003 R15: ffff88810d2dd700
FS: 0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3815d25ff8 CR3: 000000010bdba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usbnet_start_xmit+0x5ed/0x1f70 drivers/net/usb/usbnet.c:1460
__netdev_start_xmit include/linux/netdevice.h:4987 [inline]
netdev_start_xmit include/linux/netdevice.h:5001 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
sch_direct_xmit+0x25b/0x790 net/sched/sch_generic.c:342
__dev_xmit_skb net/core/dev.c:3817 [inline]
__dev_queue_xmit+0x11bf/0x31d0 net/core/dev.c:4194
neigh_resolve_output net/core/neighbour.c:1523 [inline]
neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1503
neigh_output include/net/neighbour.h:527 [inline]
ip6_finish_output2+0xb49/0x1af0 net/ipv6/ip6_output.c:126
__ip6_finish_output.part.0+0x387/0xbb0 net/ipv6/ip6_output.c:191
__ip6_finish_output include/linux/skbuff.h:986 [inline]
ip6_finish_output net/ipv6/ip6_output.c:201 [inline]
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip6_output+0x3d2/0x810 net/ipv6/ip6_output.c:224
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
mld_sendpack+0x96d/0xe00 net/ipv6/mcast.c:1826
mld_send_cr net/ipv6/mcast.c:2127 [inline]
mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2659
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
kthread+0x40b/0x500 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb
2021-11-15 7:28 [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb syzbot
@ 2021-11-15 14:31 ` Oliver Neukum
2021-12-04 10:18 ` Dmitry Vyukov
2023-06-23 13:32 ` [syzbot] [usb?] " syzbot
1 sibling, 1 reply; 10+ messages in thread
From: Oliver Neukum @ 2021-11-15 14:31 UTC (permalink / raw)
To: syzbot, davem, kuba, linux-kernel, linux-usb, netdev, oneukum,
syzkaller-bugs
On 15.11.21 08:28, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
> dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> usb 5-1: BOGUS urb xfer, pipe 3 != type 1
> WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Hi,
here I understand what is happening, but not why it can happen. Usbnet
checks the endpoint type.
May I request an addition to syzbot? Could you include the output of
"lsusb -v" at the time
of the error condition for USB bugs?
Regards
Oliver
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb
2021-11-15 14:31 ` Oliver Neukum
@ 2021-12-04 10:18 ` Dmitry Vyukov
0 siblings, 0 replies; 10+ messages in thread
From: Dmitry Vyukov @ 2021-12-04 10:18 UTC (permalink / raw)
To: Oliver Neukum
Cc: syzbot, davem, kuba, linux-kernel, linux-usb, netdev,
syzkaller-bugs, Aleksandr Nogikh, Andrey Konovalov
On Mon, 15 Nov 2021 at 15:31, 'Oliver Neukum' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
>
> On 15.11.21 08:28, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 048ff8629e11 Merge tag 'usb-5.16-rc1' of git://git.kernel...
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1480ade1b00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=d6b387bc5d3e50f3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1313cb7cb00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a2f676b00000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > usb 5-1: BOGUS urb xfer, pipe 3 != type 1
> > WARNING: CPU: 0 PID: 1291 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
>
> Hi,
>
> here I understand what is happening, but not why it can happen. Usbnet
> checks the endpoint type.
>
> May I request an addition to syzbot? Could you include the output of
> "lsusb -v" at the time
> of the error condition for USB bugs?
Hi Oliver,
Aleksandr filed https://github.com/google/syzkaller/issues/2889 for
this request.
But so far we did not find a good solution. syzbot collects some info
about the machine after boot, but that's obviously the wrong moment. After
the bug it's also too late -- the kernel is dead/corrupted. It's also
unclear what exactly a "usb bug" is.
It may be easier to do from the kernel by hooking into panic. It would
also benefit all other kernel testing, as this is not really
syzbot-specific, so it better belongs in the kernel. Is it possible to do it
from the kernel? If not, maybe the kernel could at least log
connect/disconnect events to the console.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb
2021-11-15 7:28 [syzbot] WARNING in usbnet_start_xmit/usb_submit_urb syzbot
2021-11-15 14:31 ` Oliver Neukum
@ 2023-06-23 13:32 ` syzbot
2023-06-23 15:23 ` Alan Stern
1 sibling, 1 reply; 10+ messages in thread
From: syzbot @ 2023-06-23 13:32 UTC (permalink / raw)
To: andreyknvl, davem, dvyukov, edumazet, gregkh, kbuild-all, kuba,
linux-kernel, linux-usb, lkp, netdev, nogikh, oneukum, pabeni,
stern, syzkaller-bugs, troels
syzbot has bisected this issue to:
commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065
Author: Alan Stern <stern@rowland.harvard.edu>
Date: Tue Jan 31 20:49:04 2023 +0000
USB: core: Don't hold device lock while reading the "descriptors" sysfs file
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000
start commit: 692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=114b5877280000
console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000
kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000
Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb
2023-06-23 13:32 ` [syzbot] [usb?] " syzbot
@ 2023-06-23 15:23 ` Alan Stern
2023-06-23 16:07 ` syzbot
[not found] ` <7330e6c0-eb73-499e-8699-dc1754d90cad@rowland.harvard.edu>
0 siblings, 2 replies; 10+ messages in thread
From: Alan Stern @ 2023-06-23 15:23 UTC (permalink / raw)
To: syzbot
Cc: andreyknvl, davem, dvyukov, edumazet, gregkh, kbuild-all, kuba,
linux-kernel, linux-usb, lkp, netdev, nogikh, oneukum, pabeni,
syzkaller-bugs, troels
On Fri, Jun 23, 2023 at 06:32:22AM -0700, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065
> Author: Alan Stern <stern@rowland.harvard.edu>
> Date: Tue Jan 31 20:49:04 2023 +0000
>
> USB: core: Don't hold device lock while reading the "descriptors" sysfs file
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000
> start commit: 692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g..
> git tree: upstream
> final oops: https://syzkaller.appspot.com/x/report.txt?x=114b5877280000
> console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000
>
> Reported-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
> Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
The bisection result is wrong, but the issue still needs to be fixed.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7
Index: usb-devel/drivers/net/usb/usbnet.c
===================================================================
--- usb-devel.orig/drivers/net/usb/usbnet.c
+++ usb-devel/drivers/net/usb/usbnet.c
@@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev
} else if (!info->in || !info->out)
status = usbnet_get_endpoints (dev, udev);
else {
+ u8 ep_addrs[3] = {
+ info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0};
+
dev->in = usb_rcvbulkpipe (xdev, info->in);
dev->out = usb_sndbulkpipe (xdev, info->out);
if (!(info->flags & FLAG_NO_SETINT))
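Review bot: in the ep_addrs initializer, `info->in + USB_DIR_IN` builds the endpoint address by addition into a u8, so a driver_info value that already carries the direction bit would wrap to 0, the same value that ends the list, instead of being rejected. Prefer `info->in | USB_DIR_IN` and `info->out | USB_DIR_OUT`, which state the intent, and consider refusing values outside the endpoint-number range before the array is built.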
@@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev
else
status = 0;
+ if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs))
+ status = -EINVAL;
}
if (status >= 0 && dev->status)
status = init_status (dev, udev);
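Review bot: the new failure path at `status = -EINVAL` is silent, so a device rejected by usb_check_bulk_endpoints() just fails to bind with nothing in the log to say why. A dev_dbg() or dev_err() on the interface that names the expected IN and OUT endpoint numbers would make the rejection diagnosable.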
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [usb?] WARNING in usbnet_start_xmit/usb_submit_urb
2023-06-23 15:23 ` Alan Stern
@ 2023-06-23 16:07 ` syzbot
[not found] ` <7330e6c0-eb73-499e-8699-dc1754d90cad@rowland.harvard.edu>
1 sibling, 0 replies; 10+ messages in thread
From: syzbot @ 2023-06-23 16:07 UTC (permalink / raw)
To: andreyknvl, davem, dvyukov, edumazet, gregkh, kbuild-all, kuba,
linux-kernel, linux-usb, lkp, netdev, nogikh, oneukum, pabeni,
stern, syzkaller-bugs, troels
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Tested on:
commit: 45a3e24f Linux 6.4-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=1210e557280000
kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14e0e557280000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
[not found] ` <413fb529-477c-7ac9-881e-550b4613d38c@suse.com>
@ 2023-07-11 17:38 ` Alan Stern
2023-07-11 20:12 ` Jakub Kicinski
0 siblings, 1 reply; 10+ messages in thread
From: Alan Stern @ 2023-07-11 17:38 UTC (permalink / raw)
To: David S. Miller; +Cc: Oliver Neukum, netdev, USB mailing list
The syzbot fuzzer identified a problem in the usbnet driver:
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
Call Trace:
<TASK>
usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
__netdev_start_xmit include/linux/netdevice.h:4918 [inline]
netdev_start_xmit include/linux/netdevice.h:4932 [inline]
xmit_one net/core/dev.c:3578 [inline]
dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
...
This bug is caused by the fact that usbnet trusts the bulk endpoint
addresses its probe routine receives in the driver_info structure, and
it does not check to see that these endpoints actually exist and have
the expected type and directions.
The fix is simply to add such a check.
Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/000000000000a56e9105d0cec021@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/usbnet.c | 5 +++++
1 file changed, 5 insertions(+)
Index: usb-devel/drivers/net/usb/usbnet.c
===================================================================
--- usb-devel.orig/drivers/net/usb/usbnet.c
+++ usb-devel/drivers/net/usb/usbnet.c
@@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev
} else if (!info->in || !info->out)
status = usbnet_get_endpoints (dev, udev);
else {
+ u8 ep_addrs[3] = {
+ info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0};
+
dev->in = usb_rcvbulkpipe (xdev, info->in);
dev->out = usb_sndbulkpipe (xdev, info->out);
if (!(info->flags & FLAG_NO_SETINT))
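Review bot: `u8 ep_addrs[3]` hard-codes a length that has to stay in step with the initializer, and nothing in the declaration says the trailing 0 is a terminator rather than a third endpoint. Writing `u8 ep_addrs[] = { ... }` or adding a short comment that the list is zero-terminated would make the declaration self-explanatory.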
@@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev
else
status = 0;
+ if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs))
+ status = -EINVAL;
}
if (status >= 0 && dev->status)
status = init_status (dev, udev);
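Review bot: the endpoint check is placed after the `FLAG_NO_SETINT` branch while dev->in and dev->out are assigned from the unvalidated numbers earlier in the same block, and nothing explains that ordering. If the check depends on the setting chosen in that branch, a one-line comment saying so would keep a later cleanup from hoisting it up next to the ep_addrs declaration.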
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
2023-07-11 17:38 ` [PATCH] net: usbnet: Fix " Alan Stern
@ 2023-07-11 20:12 ` Jakub Kicinski
2023-07-12 14:15 ` [PATCH v2] " Alan Stern
0 siblings, 1 reply; 10+ messages in thread
From: Jakub Kicinski @ 2023-07-11 20:12 UTC (permalink / raw)
To: Alan Stern; +Cc: David S. Miller, Oliver Neukum, netdev, USB mailing list
On Tue, 11 Jul 2023 13:38:00 -0400 Alan Stern wrote:
> + u8 ep_addrs[3] = {
> + info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0};
With the two-tab indentation and the continuation line starting
halfway through... this looks highly unusual. Can we use more
standard kernel formatting in this case?
u8 ep_addrs[3] = {
info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0
};
--
pw-bot: cr
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH v2] net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
2023-07-11 20:12 ` Jakub Kicinski
@ 2023-07-12 14:15 ` Alan Stern
2023-07-14 4:00 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 10+ messages in thread
From: Alan Stern @ 2023-07-12 14:15 UTC (permalink / raw)
To: David S. Miller; +Cc: Jakub Kicinski, Oliver Neukum, netdev, USB mailing list
The syzbot fuzzer identified a problem in the usbnet driver:
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
Call Trace:
<TASK>
usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
__netdev_start_xmit include/linux/netdevice.h:4918 [inline]
netdev_start_xmit include/linux/netdevice.h:4932 [inline]
xmit_one net/core/dev.c:3578 [inline]
dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
...
This bug is caused by the fact that usbnet trusts the bulk endpoint
addresses its probe routine receives in the driver_info structure, and
it does not check to see that these endpoints actually exist and have
the expected type and directions.
The fix is simply to add such a check.
Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/000000000000a56e9105d0cec021@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oneukum@suse.com>
---
v2: Updated the formatting of the definition of ep_addrs[].
drivers/net/usb/usbnet.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: usb-devel/drivers/net/usb/usbnet.c
===================================================================
--- usb-devel.orig/drivers/net/usb/usbnet.c
+++ usb-devel/drivers/net/usb/usbnet.c
@@ -1775,6 +1775,10 @@ usbnet_probe (struct usb_interface *udev
} else if (!info->in || !info->out)
status = usbnet_get_endpoints (dev, udev);
else {
+ u8 ep_addrs[3] = {
+ info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0
+ };
+
dev->in = usb_rcvbulkpipe (xdev, info->in);
dev->out = usb_sndbulkpipe (xdev, info->out);
if (!(info->flags & FLAG_NO_SETINT))
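Review bot: the validation is added only inside the final else block, where the addresses come from info->in and info->out, but the context lines show two other branches (the one closed by `}` at the top of the hunk and the usbnet_get_endpoints() call) that are left untouched. The commit message should say whether those paths already validate the endpoints they select, so a reader does not have to assume it.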
@@ -1784,6 +1788,8 @@ usbnet_probe (struct usb_interface *udev
else
status = 0;
+ if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs))
+ status = -EINVAL;
}
if (status >= 0 && dev->status)
status = init_status (dev, udev);
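Review bot: the new condition tests `status == 0` while the unchanged line right after it tests `status >= 0`, which leaves open whether a positive status can reach this point and skip the endpoint check. If only 0 or a negative errno is possible here, say so in a comment, or use the same `status >= 0` form so a positive return cannot bypass the validation.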
^ permalink raw reply [flat|nested] 10+ messages in thread
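The probe-time check described in the commit message above, modelled in user space as an added example; it is not code from this thread or from the kernel. The cut-down `ep_desc` struct, the helper names and the two sample devices are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as defined by the USB spec and <linux/usb/ch9.h>. */
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

/* Hypothetical cut-down endpoint descriptor: only the fields the check reads. */
struct ep_desc {
    uint8_t bEndpointAddress;  /* bit 7 = direction, bits 3..0 = number */
    uint8_t bmAttributes;      /* bits 1..0 = transfer type */
};

/* Look up an endpoint by its full address (number plus direction bit). */
static const struct ep_desc *find_ep(const struct ep_desc *eps, size_t n,
                                     uint8_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (eps[i].bEndpointAddress == addr)
            return &eps[i];
    return NULL;
}

/*
 * Model of the check: every address in the zero-terminated list must
 * exist in the interface's current setting and be a bulk endpoint.
 */
static bool check_bulk_endpoints(const struct ep_desc *eps, size_t n,
                                 const uint8_t *addrs)
{
    for (; *addrs; addrs++) {
        const struct ep_desc *ep = find_ep(eps, n, *addrs);

        if (!ep || (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) !=
                   USB_ENDPOINT_XFER_BULK)
            return false;
    }
    return true;
}

/* Build the list from driver_info-style endpoint numbers, then validate. */
static bool probe_accepts(const struct ep_desc *eps, size_t n, int in, int out)
{
    uint8_t addrs[3] = { (uint8_t)(in | USB_DIR_IN), (uint8_t)out, 0 };

    return check_bulk_endpoints(eps, n, addrs);
}

/* Constructed sample: the layout the driver table expects (bulk IN 1, bulk OUT 2). */
static const struct ep_desc good_dev[] = {
    { 0x81, USB_ENDPOINT_XFER_BULK }, { 0x02, USB_ENDPOINT_XFER_BULK },
};

/*
 * Constructed sample: same addresses, but OUT endpoint 2 is an interrupt
 * endpoint. Sending a bulk URB to it is the mismatch the warning reports
 * as "pipe 3 != type 1" (PIPE_BULK is 3, PIPE_INTERRUPT is 1).
 */
static const struct ep_desc odd_dev[] = {
    { 0x81, USB_ENDPOINT_XFER_BULK }, { 0x02, USB_ENDPOINT_XFER_INT },
};

int main(void)
{
    printf("expected layout:        %s\n",
           probe_accepts(good_dev, 2, 1, 2) ? "bind" : "-EINVAL");
    printf("interrupt OUT endpoint: %s\n",
           probe_accepts(odd_dev, 2, 1, 2) ? "bind" : "-EINVAL");
    printf("missing IN endpoint 3:  %s\n",
           probe_accepts(good_dev, 2, 3, 2) ? "bind" : "-EINVAL");
    return 0;
}
```
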
* Re: [PATCH v2] net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
2023-07-12 14:15 ` [PATCH v2] " Alan Stern
@ 2023-07-14 4:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-07-14 4:00 UTC (permalink / raw)
To: Alan Stern; +Cc: davem, kuba, oneukum, netdev, linux-usb
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 12 Jul 2023 10:15:10 -0400 you wrote:
> The syzbot fuzzer identified a problem in the usbnet driver:
>
> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
> WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
> Modules linked in:
> CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
> Workqueue: mld mld_ifc_work
> RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
> Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
> RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
> RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
> RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
> RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
> R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
> FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
> __netdev_start_xmit include/linux/netdevice.h:4918 [inline]
> netdev_start_xmit include/linux/netdevice.h:4932 [inline]
> xmit_one net/core/dev.c:3578 [inline]
> dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
> ...
>
> [...]
Here is the summary with links:
- [v2] net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
https://git.kernel.org/netdev/net/c/5e1627cb43dd
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread