On Wed, 17 Apr 2019, Andrey Konovalov wrote:

> On Tue, Apr 16, 2019 at 8:25 PM Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Tue, 16 Apr 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > INFO: task hung in usb_kill_urb
> >
> > Okay, I think I found the problem. dummy-hcd doesn't check for
> > unsupported speeds until it is too late. Andrey, what values does your
> > usb-fuzzer gadget driver set for its max_speed field?
>
> It's passed from userspace without any validation :( I'll fix this!
> Thanks for looking into it!
>
> I wonder why other people saw this hang as well, they didn't use the
> dummy hcd module for sure. I guess there might be other reasons.

Unquestionably it would be for other reasons. usb_kill_urb() is a
host-side routine, not used by gadget drivers. If it fails, the reason
lies in the host controller driver. And if people aren't using dummy-hcd
then they must be using a different host controller driver.

Is there any chance you could get hold of a USB device controller for
more fuzzing tests? With it, you could test other parts of the USB
stack: the UDC driver for whatever hardware you get, and the host
controller driver for whatever you plug the UDC into.

I don't know what types of UDC are readily available for the type of
computer syzkaller uses. Perhaps Felipe or other people on the mailing
list will have some suggestions.

Alan Stern