Oliver:

I just noticed you had posted a patch to fix this same problem:

https://lore.kernel.org/linux-usb/291da1b9-9f71-0f99-45f4-a25a259c8d6d@xxxxxxxx/

Do you want to submit your patch or would you prefer that I submit the patch below?

Alan Stern

On Fri, Jun 23, 2023 at 11:23:53AM -0400, Alan Stern wrote:
> On Fri, Jun 23, 2023 at 06:32:22AM -0700, syzbot wrote:
> > syzbot has bisected this issue to:
> >
> > commit 45bf39f8df7f05efb83b302c65ae3b9bc92b7065
> > Author: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> > Date: Tue Jan 31 20:49:04 2023 +0000
> >
> > USB: core: Don't hold device lock while reading the "descriptors" sysfs file
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=124b5877280000
> > start commit: 692b7dc87ca6 Merge tag 'hyperv-fixes-signed-20230619' of g..
> > git tree: upstream
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=114b5877280000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=164b5877280000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=2cbd298d0aff1140
> > dashboard link: https://syzkaller.appspot.com/bug?extid=63ee658b9a100ffadbe2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1760094b280000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359cdf3280000
> >
> > Reported-by: syzbot+63ee658b9a100ffadbe2@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> The bisection result is wrong, but the issue still needs to be fixed.
>
> Alan Stern
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ v6.4-rc7
>
> Index: usb-devel/drivers/net/usb/usbnet.c > =================================================================== > --- usb-devel.orig/drivers/net/usb/usbnet.c > +++ usb-devel/drivers/net/usb/usbnet.c
> @@ -1775,6 +1775,9 @@ usbnet_probe (struct usb_interface *udev > } else if (!info->in || !info->out) > status = usbnet_get_endpoints (dev, udev); > else { > + u8 ep_addrs[3] = { > + info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0}; > + > dev->in = usb_rcvbulkpipe (xdev, info->in); > dev->out = usb_sndbulkpipe (xdev, info->out); > if (!(info->flags & FLAG_NO_SETINT)) > @@ -1784,6 +1787,8 @@ usbnet_probe (struct usb_interface *udev > else > status = 0; > > + if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs)) > + status = -EINVAL; > } > if (status >= 0 && dev->status) > status = init_status (dev, udev);
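Review bot: in the first hunk (@@ -1775), the `ep_addrs[3]` initializer relies on an undocumented trailing `0` and builds the addresses with `+` rather than `|`. The direction constants are bit flags, so `info->in | USB_DIR_IN` and `info->out | USB_DIR_OUT` state the intent more clearly and cannot carry into the endpoint number if `info->in` ever arrives with the direction bit already set. A one-line comment saying the final `0` terminates the list for `usb_check_bulk_endpoints()` would keep a later edit from dropping it or from growing the list without resizing the array.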
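Review bot: in the second hunk (@@ -1784), the new `usb_check_bulk_endpoints(udev, ep_addrs)` test turns a mismatch into `status = -EINVAL` with no log message, so a probe rejected here is indistinguishable from any other -EINVAL; a `dev_dbg()` or `dev_err()` naming the interface and the expected bulk endpoints would make the rejection diagnosable. Two smaller points on the same lines: the guard is `status == 0` while the following context line uses `status >= 0`, so pick one form for consistency, and the check runs only after `dev->in` and `dev->out` have been assigned and the set-interface step has been attempted. That ordering looks necessary if the hard-coded endpoints exist only in the altsetting selected there, so a short comment saying so would stop someone from hoisting the check later. The check also covers only this `else` branch, which is worth stating in the commit message.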