Re: WARNING in usbhid_raw_request/usb_submit_urb (3)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 24 Apr 2020, syzbot wrote:

> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered crash:
> INFO: task hung in usb_disable_device

That wasn't what I expected.  Still, the important information was
present: The reset was instigated by hid_io_error(), because of some 
sort of communication error.

Note that the hid_submit_out, hid_submit_ctrl, and so on don't test the
RESET_PENDING flag.  At least, not with any proper synchronization.  
That's why we got an URB submitted while the device was being reset.

Nevertheless, the USB core should be able to handle such things without 
a big WARNing, particularly for ep0.  The patch below tries to do this.

Alan Stern

#syz test: https://github.com/google/kasan.git 0fa84af8

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -204,8 +204,17 @@ int usb_urb_ep_type_check(const struct u
 	const struct usb_host_endpoint *ep;
 
 	ep = usb_pipe_endpoint(urb->dev, urb->pipe);
-	if (!ep)
-		return -EINVAL;
+	if (!ep) {
+		/*
+		 * Special case: The pointers for ep0 are temporarily cleared
+		 * during device resets.  We won't count this as an error;
+		 * drivers can reasonably expect that ep0 always exists.
+		 */
+		if (usb_pipeendpoint(urb->pipe) == 0)
+			ep = &urb->dev->ep0;
+		else
+			return -EINVAL;
+	}
 	if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
 		return -EINVAL;
 	return 0;




[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux