lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1d471e25-6671-4cb2-a2c9-af96c2b4e13d@rowland.harvard.edu>
Date: Wed, 9 Jul 2025 11:41:26 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: syzbot <syzbot+592e2ab8775dbe0bf09a@...kaller.appspotmail.com>,
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
	USB list <linux-usb@...r.kernel.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)

On Thu, Jul 10, 2025 at 12:33:00AM +0900, Tetsuo Handa wrote:
> On 2025/07/10 0:19, Alan Stern wrote:
> > On Wed, Jul 09, 2025 at 11:44:46PM +0900, Tetsuo Handa wrote:
> >> On 2025/07/09 23:27, Alan Stern wrote:
> >>> Which of these three BUG_ON's did you hit, and where did you hit it?
> >>
> >> kernel BUG at ./include/linux/usb.h:1990!
> >>
> >> matches the BUG_ON(endpoint > 0xF) line. The location is shown below.
> >>
> >> Call Trace:
> >>  <TASK>
> >>  hub_configure drivers/usb/core/hub.c:1717 [inline]
> >>  hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005
> > 
> > Those line numbers are completely different from the code I have.  For 
> > example, line 2005 in hub.c is part of the hub_ioctl() function, not 
> > hub_probe().
> > 
> > Exactly what version of the kernel source are you using for your test?
> 
> It is current linux.git tree.
> 
>   https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L1717
>   https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L2005

Okay, I see what your problem is.

The bEndpointAddress field of the endpoint descriptor is not just the 
endpoint's number.  It also includes the endpoint's direction in bit 7 
(0 for OUT, 1 for IN).

__create_pipe() doesn't bother to mask out the direction bit because bit 
22 of the pipe value (where the direction bit ends up after it has been  
shifted left by 15) isn't used for anything.

Alan Stern

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ