lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <X8ZySUT4Gsi72Jfb@kroah.com>
Date:   Tue, 1 Dec 2020 17:41:45 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Hillf Danton <hdanton@...a.com>
Cc:     syzbot <syzbot+dbec6695a6565a9c6bc0@...kaller.appspotmail.com>,
        eli.billauer@...il.com, gustavoars@...nel.org,
        ingrassia@...genesys.com, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org, stern@...land.harvard.edu,
        syzkaller-bugs@...glegroups.com, tiwai@...e.de
Subject: Re: WARNING in port100_send_frame_async/usb_submit_urb

On Tue, Dec 01, 2020 at 06:36:26PM +0800, Hillf Danton wrote:
> On Tue, 1 Dec 2020 10:59:06 +0100 Greg KH wrote:
> >On Tue, Dec 01, 2020 at 05:47:02PM +0800, Hillf Danton wrote:
> >> On Tue, 01 Dec 2020 01:21:27 -0800
> >> > syzbot found the following issue on:
> >> > 
> >> > HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> >> > git tree:       upstream
> >> > console output: https://syzkaller.appspot.com/x/log.txt?x=14a98565500000
> >> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7be70951fca93701
> >> > dashboard link: https://syzkaller.appspot.com/bug?extid=dbec6695a6565a9c6bc0
> >> > compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
> >> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17c607f1500000
> >> > 
> >> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> > Reported-by: syzbot+dbec6695a6565a9c6bc0@...kaller.appspotmail.com
> >> > 
> >> > usb 1-1: string descriptor 0 read error: -32
> >> > ------------[ cut here ]------------
> >> > URB 000000005c26bc1e submitted while active
> >> > WARNING: CPU: 0 PID: 5 at drivers/usb/core/urb.c:378 usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> >> > Modules linked in:
> >> > CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.0-rc5-syzkaller #0
> >> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> > Workqueue: usb_hub_wq hub_event
> >> > RIP: 0010:usb_submit_urb+0xf57/0x1510 drivers/usb/core/urb.c:378
> >> > Code: 5c 41 5d 41 5e 41 5f 5d e9 76 5b ff ff e8 f1 e8 04 fc c6 05 25 0e 8b 07 01 48 c7 c7 a0 b7 5b 8a 4c 89 e6 31 c0 e8 89 07 d5 fb <0f> 0b e9 20 f1 ff ff e8 cd e8 04 fc eb 05 e8 c6 e8 04 fc bb a6 ff
> >> > RSP: 0018:ffffc90000ca6ec8 EFLAGS: 00010246
> >> > RAX: cf72e284cb303700 RBX: ffff888021723708 RCX: ffff888011108000
> >> > RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> >> > RBP: 0000000000000cc0 R08: ffffffff815d29f2 R09: ffffed1017383ffc
> >> > R10: ffffed1017383ffc R11: 0000000000000000 R12: ffff888021723700
> >> > R13: dffffc0000000000 R14: ffff888012cfa458 R15: 1ffff1100259f489
> >> > FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> >> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> > CR2: 000056157313d160 CR3: 000000001e22c000 CR4: 00000000001506f0
> >> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> > Call Trace:
> >> >  port100_send_frame_async+0x1ea/0x390 drivers/nfc/port100.c:780
> >> >  port100_send_cmd_async+0x6c7/0x950 drivers/nfc/port100.c:876
> >> >  port100_send_cmd_sync drivers/nfc/port100.c:916 [inline]
> >> >  port100_set_command_type drivers/nfc/port100.c:987 [inline]
> >> >  port100_probe+0xd4f/0x1600 drivers/nfc/port100.c:1567
> >> >  usb_probe_interface+0x662/0xb40 drivers/usb/core/driver.c:396
> >> >  really_probe+0x4ab/0x1380 drivers/base/dd.c:558
> >> >  driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
> >> >  bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
> >> >  __device_attach+0x2c9/0x480 drivers/base/dd.c:912
> >> >  bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
> >> >  device_add+0x1612/0x19e0 drivers/base/core.c:2936
> >> >  usb_set_configuration+0x1c17/0x2100 drivers/usb/core/message.c:2159
> >> >  usb_generic_driver_probe+0x82/0x140 drivers/usb/core/generic.c:238
> >> >  usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
> >> >  really_probe+0x4ab/0x1380 drivers/base/dd.c:558
> >> >  driver_probe_device+0x15b/0x310 drivers/base/dd.c:738
> >> >  bus_for_each_drv+0x108/0x170 drivers/base/bus.c:431
> >> >  __device_attach+0x2c9/0x480 drivers/base/dd.c:912
> >> >  bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:491
> >> >  device_add+0x1612/0x19e0 drivers/base/core.c:2936
> >> >  usb_new_device+0xcc3/0x1700 drivers/usb/core/hub.c:2554
> >> >  hub_port_connect+0xec7/0x2540 drivers/usb/core/hub.c:5222
> >> >  hub_port_connect_change+0x600/0xb00 drivers/usb/core/hub.c:5362
> >> >  port_event+0xae9/0x10a0 drivers/usb/core/hub.c:5508
> >> >  hub_event+0x417/0xcb0 drivers/usb/core/hub.c:5590
> >> >  process_one_work+0x789/0xfc0 kernel/workqueue.c:2272
> >> >  worker_thread+0xaa4/0x1460 kernel/workqueue.c:2418
> >> >  kthread+0x39a/0x3c0 kernel/kthread.c:292
> >> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
> >> 
> >> Clear urb before putting it in use.
> >> 
> >> --- a/drivers/nfc/port100.c
> >> +++ b/drivers/nfc/port100.c
> >> @@ -1525,7 +1525,7 @@ static int port100_probe(struct usb_inte
> >>  	}
> >>  
> >>  	dev->in_urb = usb_alloc_urb(0, GFP_KERNEL);
> >> -	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL);
> >> +	dev->out_urb = usb_alloc_urb(0, GFP_KERNEL | __GFP_ZERO);
> >>  
> >>  	if (!dev->in_urb || !dev->out_urb) {
> >>  		nfc_err(&interface->dev, "Could not allocate USB URBs\n");
> >
> >How does this solve a warning in the USB core about a string descriptor
> >error?
> 
> If I dont misread your question, it makes the check at
> drivers/usb/core/urb.c:377 fail.

Ah, as Alan pointed out, I missed that the string descriptor issue was
not the real problem here.

But, as he also points out, this change will not do anything, nor should
it even if that flag worked.  The problem is that the urb is already
under control by a host controller driver and shouldn't have been
submitted again.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ