Re: usb/sound/bcd2000: warning in bcd2000_init_device

From: Takashi Iwai
Date: Tue Oct 03 2017 - 03:53:03 EST


On Mon, 25 Sep 2017 14:39:51 +0200,
Andrey Konovalov wrote:
>
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
>
> It seems that there's no check of the endpoint type.
>
> usb 1-1: BOGUS urb xfer, pipe 1 != type 3
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 1846 at drivers/usb/core/urb.c:449

How is this bug triggered? As it's syzkaller with QEMU, it looks like it's
hitting an inconsistent state the driver didn't expect (it sets the
fixed endpoint), then USB core detects the inconsistency and spews the
kernel warning with a stack trace. If so, it's no serious problem, as it
appears.

Supposing my guess is right, I'm not sure what's the best way to fix
this. Certainly we can add more sanity checks on the caller side.
OTOH, I find the reaction of USB core too aggressive; it doesn't
need to be dev_WARN(), a normal dev_err() would do.
Or might I be looking at the wrong place?

Adding USB guys to Cc to hear their comments.


thanks,

Takashi


> usb_submit_urb+0xf8a/0x11d0
> Modules linked in:
> CPU: 0 PID: 1846 Comm: kworker/0:2 Not tainted
> 4.14.0-rc2-42613-g1488251d1a98 #238
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> task: ffff880064296300 task.stack: ffff8800643b0000
> RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
> RSP: 0018:ffff8800643b6140 EFLAGS: 00010286
> RAX: 0000000000000029 RBX: ffff880063842400 RCX: 0000000000000000
> RDX: 0000000000000029 RSI: ffffffff85a58800 RDI: ffffed000c876c1a
> RBP: ffff8800643b6240 R08: 1ffff1000c876ac0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000c876c2f
> R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006325c768
> FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa2a51c0000 CR3: 000000006acc8000 CR4: 00000000000006f0
> Call Trace:
> bcd2000_init_device sound/usb/bcd2000/bcd2000.c:289
> bcd2000_init_midi sound/usb/bcd2000/bcd2000.c:345
> bcd2000_probe+0xe64/0x19e0 sound/usb/bcd2000/bcd2000.c:406
> usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
> really_probe drivers/base/dd.c:413
> driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
> __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
> bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
> __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
> device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
> bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
> device_add+0xd0b/0x1660 drivers/base/core.c:1835
> usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
> generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
> usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
> really_probe drivers/base/dd.c:413
> driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
> __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
> bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
> __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
> device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
> bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
> device_add+0xd0b/0x1660 drivers/base/core.c:1835
> usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
> hub_port_connect drivers/usb/core/hub.c:4903
> hub_port_connect_change drivers/usb/core/hub.c:5009
> port_event drivers/usb/core/hub.c:5115
> hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
> process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
> worker_thread+0x221/0x1850 kernel/workqueue.c:2253
> kthread+0x3a1/0x470 kernel/kthread.c:231
> ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
> Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 6e 91 8b ff 45 89
> e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 c0 5a c8 85 e8 10 50 dd fd <0f>
> ff e9 9b f7 ff ff e8 ba cf 26 fe e9 80 f7 ff ff e8 a0 a5 f4
> ---[ end trace bad127706d5fe2d6 ]---
>
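As an added illustration for readers of this thread (example code, not part of the mail, the bcd2000 driver or the USB core), the following user-space C program models the two checks the discussion is about: the pipe-type versus endpoint-type comparison that usb_submit_urb() does (which is what prints "BOGUS urb xfer, pipe 1 != type 3": pipe 1 is PIPE_INTERRUPT, type 3 is PIPE_BULK), and the probe-time descriptor validation a driver can do on the caller side instead of trusting a hard-coded endpoint. The constant values match include/uapi/linux/usb/ch9.h and include/linux/usb.h; the struct is a two-field subset of struct usb_endpoint_descriptor; the endpoint numbers in the sample tables are constructed for the example and are not the real BCD2000 layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Transfer-type bits of bmAttributes (values as in include/uapi/linux/usb/ch9.h). */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_CONTROL  0
#define USB_ENDPOINT_XFER_ISOC     1
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3
#define USB_ENDPOINT_NUMBER_MASK   0x0f
#define USB_DIR_IN                 0x80

/* Pipe-type codes returned by usb_pipetype() (values as in include/linux/usb.h). */
#define PIPE_ISOCHRONOUS 0
#define PIPE_INTERRUPT   1
#define PIPE_CONTROL     2
#define PIPE_BULK        3

/* Subset of struct usb_endpoint_descriptor that the checks need. */
struct ep_desc {
    uint8_t bEndpointAddress;   /* bit 7 = direction (IN), bits 0-3 = number */
    uint8_t bmAttributes;       /* bits 0-1 = transfer type */
};

/* Same xfertype -> pipe-type table as pipetypes[] in drivers/usb/core/urb.c. */
static const int pipetypes[4] = {
    PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
};

/* Model of the consistency check usb_submit_urb() performs: returns 1 when
 * the pipe type the driver chose agrees with the endpoint descriptor, 0 when
 * the core would emit "BOGUS urb xfer, pipe X != type Y". */
int urb_pipe_matches_ep(int pipe_type, const struct ep_desc *ep)
{
    int xfertype = ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK;

    if (pipe_type != pipetypes[xfertype]) {
        fprintf(stderr, "BOGUS urb xfer, pipe %x != type %x\n",
                pipe_type, pipetypes[xfertype]);
        return 0;
    }
    return 1;
}

/* Caller-side sanity check a driver can do at probe time: look up endpoint
 * `num` with direction `dir_in` among the interface's descriptors and require
 * it to be an interrupt endpoint.  Returns the descriptor, or NULL when the
 * endpoint is absent or declares another transfer type. */
const struct ep_desc *find_int_endpoint(const struct ep_desc *eps, size_t n,
                                        int num, int dir_in)
{
    for (size_t i = 0; i < n; i++) {
        const struct ep_desc *ep = &eps[i];
        int ep_in = (ep->bEndpointAddress & USB_DIR_IN) != 0;

        if ((ep->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK) != num)
            continue;
        if (ep_in != (dir_in != 0))
            continue;
        if ((ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != USB_ENDPOINT_XFER_INT)
            return NULL;    /* right address, wrong type: refuse it */
        return ep;
    }
    return NULL;
}

/* Constructed descriptor tables (hypothetical endpoint numbers, not the real
 * BCD2000 layout): a sane interface with EP1 IN / EP2 OUT interrupt
 * endpoints, and a fuzzed one where EP1 IN is declared bulk instead. */
const struct ep_desc good_eps[] = {
    { 0x81, USB_ENDPOINT_XFER_INT },
    { 0x02, USB_ENDPOINT_XFER_INT },
};
const struct ep_desc fuzzed_eps[] = {
    { 0x81, USB_ENDPOINT_XFER_BULK },
    { 0x02, USB_ENDPOINT_XFER_INT },
};

/* Probe-time validation: 1 if both expected interrupt endpoints are present
 * with the right type, 0 if probe should bail out (e.g. with -ENODEV)
 * instead of later submitting a URB on a mismatched pipe. */
int probe_endpoints_ok(const struct ep_desc *eps, size_t n)
{
    return find_int_endpoint(eps, n, 1, 1) != NULL &&
           find_int_endpoint(eps, n, 2, 0) != NULL;
}

int main(void)
{
    const struct ep_desc *tables[2] = { good_eps, fuzzed_eps };

    for (int i = 0; i < 2; i++) {
        printf("table %d: probe %s, submit-time check %s\n", i,
               probe_endpoints_ok(tables[i], 2) ? "accepts" : "rejects",
               urb_pipe_matches_ep(PIPE_INTERRUPT, &tables[i][0]) ? "passes" : "warns");
    }
    return 0;
}
```

With the fuzzed table, urb_pipe_matches_ep() prints exactly the "pipe 1 != type 3" line from the report, while probe_endpoints_ok() rejects the interface before any URB is built; that is the caller-side check Takashi mentions, and it is independent of whether the core's reaction is later softened from dev_WARN() to dev_err().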