Re: [PATCH net] net: usb: rtl8150: enable basic endpoint checking

From: Petko Manolov
Date: Thu Jan 23 2025 - 04:50:18 EST


On 25-01-22 10:59:33, Alan Stern wrote:
> On Wed, Jan 22, 2025 at 05:20:12AM -0800, Nikita Zhandarovich wrote:
> > Hi,
> >
> > On 1/22/25 04:43, Petko Manolov wrote:
> > > On 25-01-22 02:42:46, Nikita Zhandarovich wrote:
> > >> Syzkaller reports [1] encountering a common issue of utilizing a wrong usb
> > >> endpoint type during URB submitting stage. This, in turn, triggers a warning
> > >> shown below.
> > >
> > > If these endpoints were of the wrong type the driver simply wouldn't work.
>
> Better not to bind at all than to bind in a non-working way. Especially when
> we can tell by a simple check that the device isn't what the driver expects.
>
> > > The proposed change in the patch doesn't do much in terms of fixing the
> > > issue (pipe 3 != type 1) and if usb_check_bulk_endpoints() fails, the
> > > driver will just not probe successfully. I don't see how this is an
> > > improvement to the current situation.
>
> It fixes the issue by preventing the driver from submitting an interrupt URB
> to a bulk endpoint or vice versa.

I always thought that once DID/VID is verified, there's no much room for that to
happen.

> > > We should either spend some time fixing the "BOGUS urb xfer, pipe 3 !=
> > > type 1" for real or not touch anything.
> > >
> > >
> > > Petko
> > >
> > >
> >
> > Thank you for your answer, I had a couple thoughts though.
> >
> > If I understand correctly (which may not be the case, of course), since the
> > driver currently does not have any sanity checks for endpoints and URBs'
> > pipes are initialized essentially by fixed constants (as is often the case),
> > once again without any testing, then a virtual, weirdly constructed device,
> > like the one made up by Syzkaller, could provide endpoints with contents
> > that may cause that exact warning.
> >
> > Real-life devices (with appropriate eps) would still work well and are in no
> > danger, with or without the patch. And even if that warning is triggered, I
> > am not certain the consequences are that severe, maybe on kernels with
> > 'panic_on_warn' set, and that's another conversation. However, it seems that
> > the change won't hurt either. Failing probe() in such situations looks to be
> > the standard.
> >
> > If my approach is flawed, I'd really appreciate some hints on how you would
> > address that issue and I'd like to tackle it. I'd also ask if other
> > recipients could provide some of their views on the issue, even if just to
> > prove me wrong.
>
> I agree with this approach; it seems like the best way to address this issue.

Alright then. I'd recommend following Fedor Pchelkin's advise about moving
those declarations to the beginning of probe(), though.


Petko