On Fri, Jun 23, 2023 at 06:32:22AM -0700, syzbot wrote: > syzbot has bisected this issue to: > > commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065 > Author: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> > Date: Tue Jan 31 20:49:04 2023 +0000 > > USB: core: Don't hold device lock while reading the "descriptors" sysfs file > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000 > start commit: 692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g.. > git tree: upstream > final oops: https://syzkaller.appspot.com/x/report.txt?x=114b5877280000 > console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140 > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000 > > Reported-by: syzbot+63ee658b9a100ffadbe2@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file") > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection The bisection result is wrong, but the issue still needs to be fixed. Alan Stern #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7 Index: usb-devel/drivers/net/usb/usbnet.c =================================================================== --- usb-devel.orig/drivers/net/usb/usbnet.c +++ usb-devel/drivers/net/usb/usbnet.c @@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev } else if (!info->in || !info->out) status = usbnet_get_endpoints (dev, udev); else { + u8 ep_addrs[3] = { + info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0}; + dev->in = usb_rcvbulkpipe (xdev, info->in); dev->out = usb_sndbulkpipe (xdev, info->out); if (!(info->flags & FLAG_NO_SETINT)) @@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev else status = 0; + if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs)) + status = -EINVAL; } if (status >= 0 && dev->status) status = init_status (dev, udev);
