Thanks for your reply! I applied this patch in v5.19 and the reproducer just attached a composite device with network and mass storage functions. The output of the kernel is as follows: [ 1545.764824][ T29] kauditd_printk_skb: 10 callbacks suppressed [ 1557.637709][ T7391] cgroup: Unknown subsys name 'net' [ 1557.641365][ T7391] cgroup: Unknown subsys name 'rlimit' [ 1557.684875][ T29] audit: type=1800 audit(1663769132.086:80): pid=7416 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="executor.0" name="UDC" dev="co0 [ 1558.186936][ T29] audit: type=1800 audit(1663769132.586:81): pid=7416 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="executor.0" name="UDC" dev="co0 [ 1558.188217][ T29] audit: type=1800 audit(1663769132.586:82): pid=7416 uid=0 auid=0 ses=2 subj==unconfined op=collect_data cause=failed comm="executor.0" name="UDC" dev="co0 [ 1558.193766][ T7416] using random self ethernet address [ 1558.193959][ T7416] using random host ethernet address [ 1558.194319][ T7416] Mass Storage Function, version: 2009/09/11 [ 1558.194535][ T7416] LUN: removable file: (no medium) [ 1558.201875][ T7416] usb0: HOST MAC 0e:a1:b6:f7:1a:97 [ 1558.202118][ T7416] usb0: MAC ce:6c:9e:d1:14:db [ 1558.468458][ T24] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 1558.828060][ T24] usb 2-1: Dual-Role OTG device on HNP port [ 1558.848060][ T24] usb 2-1: New USB device found, idVendor=03f0, idProduct=0107, bcdDevice= 2.00 [ 1558.848620][ T24] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1558.849102][ T24] usb 2-1: Product: Bar Gadget [ 1558.849407][ T24] usb 2-1: Manufacturer: Foo Inc. [ 1558.849722][ T24] usb 2-1: SerialNumber: 12345678 [ 1558.868398][ T7423] configfs-gadget gadget.1: Enable bulk in [ 1558.868675][ T7423] configfs-gadget gadget.1: Enable bulk out [ 1558.868957][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1558.952998][ T24] cdc_eem 2-1:1.0 usb1: register 'cdc_eem' at usb-dummy_hcd.1-1, CDC EEM Device, 72:47:e4:74:0b:8e [ 1558.968402][ T24] usb-storage 2-1:1.1: USB Mass Storage device detected [ 1558.976267][ T24] scsi host2: usb-storage 2-1:1.1 [ 1560.028547][ T7470] cdc_eem 2-1:1.0 usb1: unregister 'cdc_eem' usb-dummy_hcd.1-1, CDC EEM Device [ 1560.078980][ T7470] configfs-gadget gadget.1: Bulk out complete ffff8881279f0b00 [ 1560.080226][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1560.080617][ T7470] configfs-gadget gadget.1: Disable bulk in B [ 1560.080820][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1560.081456][ T7470] configfs-gadget gadget.1: Disable bulk out B [ 1560.081950][ T7423] configfs-gadget gadget.1: Bulk out start ffff8881279f0b00 [ 1560.083056][ T7423] ------------[ cut here ]------------ [ 1560.083386][ T7423] WARNING: CPU: 0 PID: 7423 at drivers/usb/gadget/udc/core.c:283 usb_ep_queue+0x9b/0x3b0 [ 1560.083968][ T7423] Modules linked in: [ 1560.084163][ T7423] CPU: 0 PID: 7423 Comm: file-storage Not tainted 5.19.0+ #15 [ 1560.084522][ T7423] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 1560.085169][ T7423] RIP: 0010:usb_ep_queue+0x9b/0x3b0 [ 1560.085512][ T7423] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb0 [ 1560.086782][ T7423] RSP: 0018:ffffc900043efd00 EFLAGS: 00010293 [ 1560.087104][ T7423] RAX: 0000000000000000 RBX: ffff888110abc2c0 RCX: 0000000000000000 [ 1560.087600][ T7423] RDX: ffff88807e9f3800 RSI: ffffffff85c6d79b RDI: 0000000000000001 [ 1560.088798][ T7423] RBP: 0000000000000cc0 R08: 0000000000000001 R09: 0000000000000000 [ 1560.089461][ T7423] R10: 0000000000000007 R11: 0000000000000000 R12: ffff88811c2bcf10 [ 1560.090090][ T7423] R13: 0000000000000007 R14: ffff88812505e000 R15: dffffc0000000000 [ 1560.090721][ T7423] FS: 0000000000000000(0000) GS:ffff888128c00000(0000) knlGS:0000000000000000 [ 1560.091455][ T7423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1560.091982][ T7423] CR2: 00007f2fbc03f0c8 CR3: 000000011ee22000 CR4: 00000000000006f0 [ 1560.092632][ T7423] Call Trace: [ 1560.092914][ T7423] <TASK> [ 1560.093153][ T7423] start_transfer+0x24/0x14f [ 1560.093523][ T7423] start_out_transfer.part.0+0xf1/0x13d [ 1560.093987][ T7423] fsg_main_thread+0x385/0x1460 [ 1560.094395][ T7423] ? __kthread_parkme+0xc4/0x210 [ 1560.094810][ T7423] ? reacquire_held_locks+0x4b0/0x4b0 [ 1560.095241][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.095713][ T7423] ? __kthread_parkme+0x14e/0x210 [ 1560.096136][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.096590][ T7423] kthread+0x2e0/0x390 [ 1560.096929][ T7423] ? kthread_complete_and_exit+0x40/0x40 [ 1560.097404][ T7423] ret_from_fork+0x1f/0x30 [ 1560.097786][ T7423] </TASK> [ 1560.098792][ T7423] Kernel panic - not syncing: panic_on_warn set ... [ 1560.099342][ T7423] CPU: 0 PID: 7423 Comm: file-storage Not tainted 5.19.0+ #15 [ 1560.099938][ T7423] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.0-3-3 04/01/2014 [ 1560.100752][ T7423] Call Trace: [ 1560.101031][ T7423] <TASK> [ 1560.101275][ T7423] dump_stack_lvl+0xfc/0x174 [ 1560.101660][ T7423] panic+0x2cf/0x61f [ 1560.101990][ T7423] ? panic_print_sys_info.part.0+0x10b/0x10b [ 1560.102522][ T7423] ? __warn.cold+0xcd/0x2cc [ 1560.102910][ T7423] ? usb_ep_queue+0x9b/0x3b0 [ 1560.103301][ T7423] __warn.cold+0xde/0x2cc [ 1560.103661][ T7423] ? usb_ep_queue+0x9b/0x3b0 [ 1560.104044][ T7423] report_bug+0x1b7/0x240 [ 1560.104425][ T7423] handle_bug+0x3c/0x60 [ 1560.104762][ T7423] exc_invalid_op+0x13/0x40 [ 1560.105129][ T7423] asm_exc_invalid_op+0x16/0x20 [ 1560.105525][ T7423] RIP: 0010:usb_ep_queue+0x9b/0x3b0 [ 1560.105951][ T7423] Code: 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 02 00 00 44 0f b6 6b 35 31 ff 44 89 ee e8 af 41 b2 fb 45 84 ed 74 0e e8 55 46 b2 fb <0f> 0b bd 94 ff ff ff eb0 [ 1560.107487][ T7423] RSP: 0018:ffffc900043efd00 EFLAGS: 00010293 [ 1560.107978][ T7423] RAX: 0000000000000000 RBX: ffff888110abc2c0 RCX: 0000000000000000 [ 1560.108633][ T7423] RDX: ffff88807e9f3800 RSI: ffffffff85c6d79b RDI: 0000000000000001 [ 1560.109247][ T7423] RBP: 0000000000000cc0 R08: 0000000000000001 R09: 0000000000000000 [ 1560.109896][ T7423] R10: 0000000000000007 R11: 0000000000000000 R12: ffff88811c2bcf10 [ 1560.110538][ T7423] R13: 0000000000000007 R14: ffff88812505e000 R15: dffffc0000000000 [ 1560.111167][ T7423] ? usb_ep_queue+0x9b/0x3b0 [ 1560.111551][ T7423] start_transfer+0x24/0x14f [ 1560.111940][ T7423] start_out_transfer.part.0+0xf1/0x13d [ 1560.112406][ T7423] fsg_main_thread+0x385/0x1460 [ 1560.112800][ T7423] ? __kthread_parkme+0xc4/0x210 [ 1560.113045][ T7423] ? reacquire_held_locks+0x4b0/0x4b0 [ 1560.113303][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.113586][ T7423] ? __kthread_parkme+0x14e/0x210 [ 1560.113834][ T7423] ? do_set_interface.isra.0+0x530/0x530 [ 1560.114103][ T7423] kthread+0x2e0/0x390 [ 1560.114301][ T7423] ? kthread_complete_and_exit+0x40/0x40 [ 1560.114587][ T7423] ret_from_fork+0x1f/0x30 [ 1560.114813][ T7423] </TASK> [ 1560.115078][ T7423] Kernel Offset: disabled [ 1560.115319][ T7423] Rebooting in 86400 seconds.. On Wed, Sep 21, 2022 at 2:16 AM Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote: > > On Thu, Aug 11, 2022 at 10:12:04AM +0800, Rondreis wrote: > > Hello, > > > > When fuzzing the Linux kernel driver 5.19.0-rc4-00208-g69cb6c6556ad, > > the following crash was triggered. > > > > HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18) > > git tree: upstream > > > > kernel config: https://pastebin.com/KecL2gaG > > C reproducer: https://pastebin.com/wLDJ9cnP > > console output: https://pastebin.com/t0r8EwTw > > > > Basically, in the c reproducer, we use the gadget module to emulate > > the process of attaching a usb device (vendor id: 0xbaf, product id: > > 0x121, with function: midi and ms_null). > > To reproduce this crash, we utilize a third-party library to emulate > > the attaching process: https://github.com/linux-usb-gadgets/libusbgx. > > Just clone this repository, make install it, and compile the c > > reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the > > trick. > > > > It seems that an error state in struct usb_ep trigger such kernel warning. > > > > The crash report is as follow: > > > > ``` > > ------------[ cut here ]------------ > > ------------[ cut here ]------------ > > WARNING: CPU: 3 PID: 3442 at drivers/usb/gadget/udc/core.c:283 > > usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > > Modules linked in: > > CPU: 3 PID: 3442 Comm: file-storage Not tainted > > 5.19.0-rc4-00208-g69cb6c6556ad #1 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > > 1.13.0-1ubuntu1.1 04/01/2014 > > RIP: 0010:usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283 > > Code: 46 05 0f 92 c3 31 ff 89 de e8 f1 e9 49 fd 84 db 0f 85 16 01 00 > > 00 e8 c4 e8 49 fd 44 89 e0 5b 5d 41 5c 41 5d c3 e8 b5 e8 49 fd <0f> 0b > > 41 bc 94 ff ff ff e9 73 ff ff ff e8 a3 e8 49 fd 65 8b 1d cc > > RSP: 0018:ffffc9000490fd00 EFLAGS: 00010246 > > RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff888110e0d580 > > RDX: 0000000000000000 RSI: ffff888110e0d580 RDI: 0000000000000002 > > RBP: ffff88810ae84158 R08: ffffffff83fb31eb R09: 0000000000000000 > > R10: 0000000000000001 R11: ffffed10221c1ab0 R12: 0000000000000cc0 > > R13: ffff888111843f10 R14: ffff888111843f10 R15: ffff88811084e000 > > FS: 0000000000000000(0000) GS:ffff88811a980000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 00007f841985e020 CR3: 000000010d19a000 CR4: 0000000000350ee0 > > Call Trace: > > <TASK> > > start_transfer.isra.0+0x26/0x100 > > drivers/usb/gadget/function/f_mass_storage.c:527 > > start_out_transfer.isra.0+0xf0/0x1b0 > > drivers/usb/gadget/function/f_mass_storage.c:560 > > get_next_command drivers/usb/gadget/function/f_mass_storage.c:2249 [inline] > > fsg_main_thread+0x377/0x6fc0 drivers/usb/gadget/function/f_mass_storage.c:2572 > > kthread+0x2ef/0x3a0 kernel/kthread.c:376 > > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 > > </TASK> > > Can you please try to recreate this bug after applying the diagnostic > patch below? I'd like to see what output it produces in the kernel log. > > Alan Stern > > > Index: usb-devel/drivers/usb/gadget/function/f_mass_storage.c > =================================================================== > --- usb-devel.orig/drivers/usb/gadget/function/f_mass_storage.c > +++ usb-devel/drivers/usb/gadget/function/f_mass_storage.c > @@ -415,6 +415,7 @@ static void bulk_in_complete(struct usb_ > struct fsg_common *common = ep->driver_data; > struct fsg_buffhd *bh = req->context; > > + dev_info(&common->gadget->dev, "Bulk in complete %p\n", bh); > if (req->status || req->actual != req->length) > DBG(common, "%s --> %d, %u/%u\n", __func__, > req->status, req->actual, req->length); > @@ -431,6 +432,7 @@ static void bulk_out_complete(struct usb > struct fsg_common *common = ep->driver_data; > struct fsg_buffhd *bh = req->context; > > + dev_info(&common->gadget->dev, "Bulk out complete %p\n", bh); > dump_msg(common, "bulk-out", req->buf, req->actual); > if (req->status || req->actual != bh->bulk_out_intended_length) > DBG(common, "%s --> %d, %u/%u\n", __func__, > @@ -547,6 +549,7 @@ static bool start_in_transfer(struct fsg > if (!fsg_is_set(common)) > return false; > bh->state = BUF_STATE_SENDING; > + dev_info(&common->gadget->dev, "Bulk in start %p\n", bh); > if (start_transfer(common->fsg, common->fsg->bulk_in, bh->inreq)) > bh->state = BUF_STATE_EMPTY; > return true; > @@ -557,6 +560,7 @@ static bool start_out_transfer(struct fs > if (!fsg_is_set(common)) > return false; > bh->state = BUF_STATE_RECEIVING; > + dev_info(&common->gadget->dev, "Bulk out start %p\n", bh); > if (start_transfer(common->fsg, common->fsg->bulk_out, bh->outreq)) > bh->state = BUF_STATE_FULL; > return true; > @@ -2310,10 +2314,12 @@ reset: > > /* Disable the endpoints */ > if (fsg->bulk_in_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk in A\n"); > usb_ep_disable(fsg->bulk_in); > fsg->bulk_in_enabled = 0; > } > if (fsg->bulk_out_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk out A\n"); > usb_ep_disable(fsg->bulk_out); > fsg->bulk_out_enabled = 0; > } > @@ -2333,6 +2339,7 @@ reset: > rc = config_ep_by_speed(common->gadget, &(fsg->function), fsg->bulk_in); > if (rc) > goto reset; > + dev_info(&fsg->gadget->dev, "Enable bulk in\n"); > rc = usb_ep_enable(fsg->bulk_in); > if (rc) > goto reset; > @@ -2343,6 +2350,7 @@ reset: > fsg->bulk_out); > if (rc) > goto reset; > + dev_info(&fsg->gadget->dev, "Enable bulk out\n"); > rc = usb_ep_enable(fsg->bulk_out); > if (rc) > goto reset; > @@ -2392,10 +2400,12 @@ static void fsg_disable(struct usb_funct > > /* Disable the endpoints */ > if (fsg->bulk_in_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk in B\n"); > usb_ep_disable(fsg->bulk_in); > fsg->bulk_in_enabled = 0; > } > if (fsg->bulk_out_enabled) { > + dev_info(&fsg->gadget->dev, "Disable bulk out B\n"); > usb_ep_disable(fsg->bulk_out); > fsg->bulk_out_enabled = 0; > } >
