Re: WARNING in usbhid_raw_request/usb_submit_urb (2)
From: Alan Stern
Date: Wed Jan 08 2020 - 13:18:57 EST
On Tue, 7 Jan 2020, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> WARNING in usbhid_raw_request/usb_submit_urb
Given this result, let's try again the slightly larger patch. The
difference between the patch just tested and this one is very small
indeed, although it's hard to predict how that difference will affect
the object code.
Alan Stern
#syz test: https://github.com/google/kasan.git ecdf2214
Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -205,7 +205,7 @@ int usb_urb_ep_type_check(const struct u
ep = usb_pipe_endpoint(urb->dev, urb->pipe);
if (!ep)
- return -EINVAL;
+ return -EBADF;
if (usb_pipetype(urb->pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
return -EINVAL;
return 0;
@@ -356,6 +356,7 @@ int usb_submit_urb(struct urb *urb, gfp_
struct usb_host_endpoint *ep;
int is_out;
unsigned int allowed;
+ int c;
if (!urb || !urb->complete)
return -EINVAL;
@@ -474,9 +475,10 @@ int usb_submit_urb(struct urb *urb, gfp_
*/
/* Check that the pipe's type matches the endpoint's type */
- if (usb_urb_ep_type_check(urb))
- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
- usb_pipetype(urb->pipe), pipetypes[xfertype]);
+ c = usb_urb_ep_type_check(urb);
+ if (c)
+ dev_WARN(&dev->dev, "BOGUS urb xfer %d, pipe %x != type %x\n",
+ c, usb_pipetype(urb->pipe), pipetypes[xfertype]);
/* Check against a simple/standard policy */
allowed = (URB_NO_TRANSFER_DMA_MAP | URB_NO_INTERRUPT | URB_DIR_MASK |