UDC hardware for fuzzing [was: Re: INFO: task hung in usb_kill_urb]

From: Alan Stern
Date: Fri Apr 19 2019 - 14:36:46 EST


On Wed, 17 Apr 2019, Andrey Konovalov wrote:

> On Tue, Apr 16, 2019 at 8:25 PM Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Tue, 16 Apr 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > INFO: task hung in usb_kill_urb
> >
> > Okay, I think I found the problem. dummy-hcd doesn't check for
> > unsupported speeds until it is too late. Andrey, what values does your
> > usb-fuzzer gadget driver set for its max_speed field?
>
> It's passed from userspace without any validation :( I'll fix this!
> Thanks for looking into it!
>
> I wonder why other people saw this hang as well, they didn't use the
> dummy hcd module for sure. I guess there might be other reasons.

Unquestionably it would be for other reasons. usb_kill_urb() is a
host-side routine, not used by gadget drivers. If it fails, the reason
lies in the host controller driver. And if people aren't using dummy-hcd
then they must be using a different host controller driver.

Is there any chance you could get hold of a USB device controller for
more fuzzing tests? With it, you could test other parts of the USB
stack: the UDC driver for whatever hardware you get, and the host
controller driver for whatever you plug the UDC into.

I don't know what types of UDC are readily available for the type of
computer syzkaller uses. Perhaps Felipe or other people on the mailing
list will have some suggestions.

Alan Stern