Re: usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns
From: Greg Kroah-Hartman
Date: Mon Dec 12 2016 - 16:49:47 EST
On Mon, Dec 12, 2016 at 10:16:50PM +0100, Dmitry Vyukov wrote:
> On Mon, Dec 12, 2016 at 10:05 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> > On Mon, 12 Dec 2016, Andrey Konovalov wrote:
> >
> >> Hi!
> >>
> >> While running the syzkaller fuzzer I've got the following error report.
> >>
> >> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dev 2).
> >>
> >> WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
> >> gadgetfs: disconnected
> >> sysfs: cannot create duplicate filename
> >> '/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
> >> Kernel panic - not syncing: panic_on_warn set ...
> >
> > I suppose we could check for USB devices that claim to have two
> > endpoints with the same address. But is it really worthwhile? A
> > kernel warning isn't so bad when you're dealing with buggy device
> > firmware.
>
> We need a clear distinction between what is a bug in kernel source
> code and what is incorrect user-space code. Otherwise no automated
> testing is possible. WARNING means bug in kernel source code. If it is
> not a bug in kernel source code, then it must not produce a WARNING.
> If it's a condition that we absolutely need to make user-space aware
> of, then we can print a single line with an explanation to console
> (but not prefixed with "WARNING:" nor "BUG:").
Ok, this is a "bug" in kernel code so the core is telling the higher
layer that something went really wrong in that a duplicate sysfs file
was created. So this code is working properly.
And yes, this is a totally bogus "fake hardware" being fuzzed on the
kernel. It complained that something was really wrong, which is fine,
it didn't crash or do anything else bad, correct? If so, all is good,
as this is not something you will ever see with a "real" device. And
even if you make a malicious device, all you will do is have the kernel
spit out some ugly messages, which I do not think is any form of attack
vector, correct?
thanks,
greg k-h