On Mon, Oct 05, 2020 at 05:08:11PM +0200, Andrey Konovalov wrote:
> Dear USB and USB/IP maintainers,
>
> While fuzzing the USB/IP stack with syzkaller we've stumbled upon an issue.
>
> Currently kcov (the subsystem that is used for coverage collection)
> USB-related callbacks assume that usb_hcd_giveback_urb() can only be
> called from interrupt context, as indicated by the comment before the
> function definition.

The primary reason for this restriction (as far as I'm aware) is because
the routine uses spin_lock/spin_unlock rather than the
_irqsave/_irqrestore variants.

There's also a small efficiency issue: In the vast majority of cases
involving real host controllers, the routine _will_ be called in
interrupt context.  So we optimized for that case.

> In the USB/IP code, however, it's called from the
> task context (see the stack trace below).
>
> Is this something that is allowed and we need to fix kcov?  Or is this
> a bug in USB/IP?

It's a bug in USB/IP.  Interrupts should be disabled when it calls
usb_hcd_giveback_urb().

Alan Stern
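Added example (not part of the mail above, and not kernel or USB/IP code): a small single-CPU userspace model of the locking rule Alan Stern states, namely that a routine which takes a plain spin_lock() rather than spin_lock_irqsave() must only be entered with local interrupts already disabled. All names here (model_spin_lock, model_giveback_urb, model_local_irq_save and so on) are constructed stand-ins for the kernel primitives, and the "interrupt" is a flag the model delivers at checkpoints; the three callers at the bottom correspond to the USB/IP task-context call as reported, the same call with interrupts disabled, and a call from a real host controller's interrupt handler.

```c
#include <stdbool.h>
#include <stdio.h>

/* Single-CPU model state (constructed for this example). */
static bool irqs_enabled;   /* local interrupt flag, like the CPU's IF bit */
static bool lock_held;      /* the host controller's spinlock */
static bool irq_pending;    /* a controller interrupt waiting to be delivered */
static bool deadlocked;     /* handler spun on a lock held by the task it interrupted */

static void model_reset(void)
{
    irqs_enabled = true;
    lock_held = false;
    irq_pending = false;
    deadlocked = false;
}

/* Interrupt handler of a real host controller: it takes the same lock.
 * On one CPU the interrupted task cannot run until the handler returns,
 * so if that task already holds the lock the handler spins forever. */
static void model_irq_handler(void)
{
    if (lock_held) {
        deadlocked = true;
        return;
    }
    lock_held = true;
    /* ... give back completed URBs ... */
    lock_held = false;
}

/* Deliver a pending interrupt if the local interrupt flag allows it.
 * Called at every point where the model lets an interrupt arrive. */
static void model_irq_checkpoint(void)
{
    if (irq_pending && irqs_enabled) {
        irq_pending = false;
        model_irq_handler();
    }
}

/* Plain spin_lock()/spin_unlock(): leaves the interrupt flag untouched. */
static void model_spin_lock(void)   { model_irq_checkpoint(); lock_held = true; }
static void model_spin_unlock(void) { lock_held = false; model_irq_checkpoint(); }

/* local_irq_save()/local_irq_restore(): the caller-side fix. */
static bool model_local_irq_save(void)
{
    bool flags = irqs_enabled;
    irqs_enabled = false;
    return flags;
}

static void model_local_irq_restore(bool flags)
{
    irqs_enabled = flags;
    model_irq_checkpoint();
}

/* Stand-in for usb_hcd_giveback_urb(): uses the plain lock variant because
 * it is optimized for callers already in interrupt context.  The controller
 * raises an interrupt while the lock is held. */
static void model_giveback_urb(void)
{
    model_spin_lock();
    irq_pending = true;        /* interrupt arrives mid critical section */
    model_irq_checkpoint();
    model_spin_unlock();
}

/* Buggy caller: task context with interrupts enabled (the reported case). */
bool model_call_from_task_irqs_enabled(void)
{
    model_reset();
    model_giveback_urb();
    return deadlocked;
}

/* Correct caller: disable local interrupts around the call; the interrupt
 * is delivered after restore, when the lock is free. */
bool model_call_from_task_irqs_disabled(void)
{
    model_reset();
    bool flags = model_local_irq_save();
    model_giveback_urb();
    model_local_irq_restore(flags);
    return deadlocked;
}

/* Interrupt-context caller: a hard IRQ handler runs with interrupts
 * disabled, so the plain lock is safe there. */
bool model_call_from_irq_context(void)
{
    model_reset();
    irqs_enabled = false;
    model_giveback_urb();
    return deadlocked;
}

int main(void)
{
    printf("task, irqs enabled : %s\n", model_call_from_task_irqs_enabled() ? "deadlock" : "ok");
    printf("task, irqs disabled: %s\n", model_call_from_task_irqs_disabled() ? "deadlock" : "ok");
    printf("irq context        : %s\n", model_call_from_irq_context() ? "deadlock" : "ok");
    return 0;
}
```

The model is deliberately single-CPU: the hazard is not two CPUs contending for the lock but one CPU re-entering it from an interrupt that lands on top of the lock holder, which is exactly what disabling local interrupts around the call prevents. Whether the real USB/IP fix disables interrupts directly or takes its own lock with the _irqsave variant before calling usb_hcd_giveback_urb() is not stated in the mail; either satisfies the stated requirement.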