On Tue, 7 Jan 2020, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > WARNING in usbhid_raw_request/usb_submit_urb Given this result, let's try again the slightly larger patch. The difference between the patch just tested and this one is very small indeed, although it's hard to predict how that difference will affect the object code. Alan Stern #syz test: https://github.com/google/kasan.git ecdf2214 Index: usb-devel/drivers/usb/core/urb.c =================================================================== --- usb-devel.orig/drivers/usb/core/urb.c +++ usb-devel/drivers/usb/core/urb.c @@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u ep = usb_pipe_endpoint(urb->dev, urb->pipe); if (!ep) - return -EINVAL; + return -EBADF; if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) return -EINVAL; return 0; @@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_ struct usb_host_endpoint *ep; int is_out; unsigned int allowed; + int c; if (!urb || !urb->complete) return -EINVAL; @@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_ */ /* Check that the pipe's type matches the endpoint's type */ - if (usb_urb_ep_type_check(urb)) - dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", - usb_pipetype(urb->pipe), pipetypes[xfertype]); + c = usb_urb_ep_type_check(urb); + if (c) + dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n", + c, usb_pipetype(urb->pipe), pipetypes[xfertype]); /* Check against a simple/standard policy */ allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |
