[syzbot] [usb?] [bluetooth?] WARNING in btusb_submit_intr_urb/usb_submit_urb


syzbot

Jun 25, 2024, 9:30:31 PM
to linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 66cc544fd75c Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14280161980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f59c82980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b955b6980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b4d37fd1f3c8/disk-66cc544f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/04c8b576cea2/vmlinux-66cc544f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/05e217dc3c31/bzImage-66cc544f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8693a0...@syzkaller.appspotmail.com

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 4491 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 0 PID: 4491 Comm: kworker/u9:1 Not tainted 6.10.0-rc4-syzkaller-00164-g66cc544fd75c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci0 hci_power_on
RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
Code: f8 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 b1 08 00 00 45 8b 07 48 c7 c7 40 90 6d 8c 48 8b 34 24 4c 89 e2 89 e9 e8 23 9a 3c fa 90 <0f> 0b 90 90 48 8b 5c 24 30 41 89 dc 4c 89 e7 48 c7 c6 b0 4b f2 8e
RSP: 0018:ffffc9000d817798 EFLAGS: 00010246
RAX: 6d750bdfc6b7f400 RBX: dffffc0000000000 RCX: ffff888030053c00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff81585822 R09: fffffbfff1c39994
R10: dffffc0000000000 R11: fffffbfff1c39994 R12: ffff88801c2e7560
R13: ffff88801a2af400 R14: 0000000000000001 R15: ffffffff8c6d8e28
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559f0e1c6bd8 CR3: 000000002e10e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btusb_submit_intr_urb+0x3dd/0x7b0 drivers/bluetooth/btusb.c:1409
btusb_open+0x1a1/0x770 drivers/bluetooth/btusb.c:1865
hci_dev_open_sync+0x2cc/0x2b40 net/bluetooth/hci_sync.c:4889
hci_dev_do_open net/bluetooth/hci_core.c:485 [inline]
hci_power_on+0x1c7/0x6b0 net/bluetooth/hci_core.c:1012
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Alan Stern

Jun 26, 2024, 10:03:58 AM
to syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
This shouldn't happen. The driver takes care to verify the types of the
endpoints it uses. Let's add some debugging info.

Alan Stern

#syz test: upstream 66cc544fd75c

Index: usb-devel/drivers/bluetooth/btusb.c
===================================================================
--- usb-devel.orig/drivers/bluetooth/btusb.c
+++ usb-devel/drivers/bluetooth/btusb.c
@@ -1398,6 +1398,7 @@ static int btusb_submit_intr_urb(struct
}

pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
+ dev_info(&data->intf->dev, "Pipe %x ep %p\n", pipe, data->intr_ep);

usb_fill_int_urb(urb, data->udev, pipe, buf, size,
btusb_intr_complete, hdev, data->intr_ep->bInterval);
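Review bot: the `dev_info` added after the `usb_rcvintpipe()` call prints `data->intr_ep` with `%p`, which the kernel hashes by default; the raw value is only useful for cross-referencing with the probe-time print if both are hashed the same way (true within one boot) or if the test kernel boots with pointer hashing disabled. Printing `data->intr_ep->bEndpointAddress` and `bmAttributes` next to the pipe would expose the mismatch directly without relying on pointer values.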
@@ -4283,6 +4284,9 @@ static int btusb_probe(struct usb_interf

if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
data->intr_ep = ep_desc;
+ dev_info(&intf->dev, "Ep %p epaddr %x epattr %x\n",
+ ep_desc, ep_desc->bEndpointAddress,
+ ep_desc->bmAttributes);
continue;
}
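Review bot: this `dev_info` fires for every interrupt IN endpoint of every btusb interface at probe time, which is fine for a `#syz test` run but is too noisy to keep; if any of it is retained after debugging it should become `dev_dbg`. The `epaddr`/`epattr` pair is the right thing to log, since those two bytes are what the duplicate check and the pipe type check each look at.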

Index: usb-devel/drivers/usb/core/urb.c
===================================================================
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -208,8 +208,11 @@ int usb_pipe_type_check(struct usb_devic
ep = usb_pipe_endpoint(dev, pipe);
if (!ep)
return -EINVAL;
- if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
+ if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) {
+ dev_info(&dev->dev, "Error pipe %x ep %p epaddr %x\n",
+ pipe, &ep->desc, ep->desc.bEndpointAddress);
return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(usb_pipe_type_check);
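Review bot: `usb_pipe_type_check()` runs on every URB submission, and the new `dev_info` in its failure branch is reachable by any device whose descriptors provoke a type mismatch, so a misbehaving device could flood the log; if this print were ever kept beyond the debugging run it should be `dev_info_ratelimited()` or `dev_dbg()`. The existing "BOGUS urb xfer" warning already reports the two types; the value added here is the `ep` pointer and `epaddr`, which is exactly what is needed to tell whether the endpoint the pipe resolves to is the one the driver validated.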

syzbot

Jun 26, 2024, 12:44:07 PM
to linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in btusb_submit_intr_urb/usb_submit_urb

btusb 1-1:0.0: Pipe 404d8280 ep ffff8880234bee00
usb 1-1: Error pipe 404d8280 ep ffff8880234beea0 epaddr 8b
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 1 PID: 53 at drivers/usb/core/urb.c:507 usb_submit_urb+0xbfa/0x17e0 drivers/usb/core/urb.c:506
Modules linked in:
CPU: 1 PID: 53 Comm: kworker/u9:0 Not tainted 6.10.0-rc4-syzkaller-00164-g66cc544fd75c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci1 hci_power_on
RIP: 0010:usb_submit_urb+0xbfa/0x17e0 drivers/usb/core/urb.c:506
Code: f0 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 8c 08 00 00 45 8b 06 48 c7 c7 c0 90 6d 8c 48 8b 34 24 4c 89 fa 89 e9 e8 a7 99 3c fa 90 <0f> 0b 90 90 45 89 e6 4c 89 f7 48 c7 c6 b0 4b f2 8e e8 10 6f 7a fa
RSP: 0018:ffffc90000bd77a0 EFLAGS: 00010246
RAX: 7b355395d6059e00 RBX: dffffc0000000000 RCX: ffff8880157d5a00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff81585822 R09: 1ffff9200017ae94
R10: dffffc0000000000 R11: fffff5200017ae95 R12: 0000000000000002
R13: ffff888018acd300 R14: ffffffff8c6d8e68 R15: ffff888023a90c60
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055da0d81ae28 CR3: 000000000e132000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btusb_submit_intr_urb+0x4a2/0x890 drivers/bluetooth/btusb.c:1410
btusb_open+0x1a1/0x770 drivers/bluetooth/btusb.c:1866
hci_dev_open_sync+0x2cc/0x2b40 net/bluetooth/hci_sync.c:4889
hci_dev_do_open net/bluetooth/hci_core.c:485 [inline]
hci_power_on+0x1c7/0x6b0 net/bluetooth/hci_core.c:1012
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: 66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1503e301980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13ec9e82980000

Alan Stern

Jun 26, 2024, 1:46:27 PM
to syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
On Wed, Jun 26, 2024 at 09:44:03AM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in btusb_submit_intr_urb/usb_submit_urb

As expected. The interesting information is in the console log:

[ 100.266326][ T25] btusb 1-1:0.0: Ep ffff8880234bee00 epaddr 9b epattr 67
[ 100.280938][ T53] btusb 1-1:0.0: Pipe 404d8280 ep ffff8880234bee00
[ 100.287918][ T53] usb 1-1: Error pipe 404d8280 ep ffff8880234beea0 epaddr 8b

Notice the difference in the "ep" values (the addresses of the endpoint
descriptors). The kernel thinks two different endpoints are the same.

The reason is that the two descriptors have the same direction and
address, but the parsing code in config.c doesn't realize they are
duplicates because they differ in the value of the reserved bits in
bEndpointAddress. You can see this in the epaddr values above: 0x9b
versus 0x8b.

Let's see what happens if we reject endpoint descriptors in which any of
the reserved bits in bEndpointAddress are set.

Index: usb-devel/drivers/usb/core/config.c
===================================================================
--- usb-devel.orig/drivers/usb/core/config.c
+++ usb-devel/drivers/usb/core/config.c
@@ -287,6 +287,13 @@ static int usb_parse_endpoint(struct dev
goto skip_to_next_endpoint_or_interface_descriptor;
}

+ if (d->bEndpointAddress &
+ ~(USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK)) {
+ dev_notice(ddev, "config %d interface %d altsetting %d has an invalid endpoint descriptor with address 0x%02x, skipping\n",
+ cfgno, inum, asnum, d->bEndpointAddress);
+ goto skip_to_next_endpoint_or_interface_descriptor;
+ }
+
/* Only store as many endpoints as we have room for */
if (ifp->desc.bNumEndpoints >= num_ep)
goto skip_to_next_endpoint_or_interface_descriptor;
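Review bot: skipping the whole descriptor when any reserved bit of `bEndpointAddress` is set drops the endpoint even when it is otherwise usable, so a device that merely sets a reserved bit on a working endpoint would lose it; a gentler fix is to mask the address down to `USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK` before the duplicate check, which also keeps the address the lookup tables are keyed by consistent with what drivers later see. Minor style point: the new notice prints `0x%02x` while the neighbouring duplicate-endpoint notice in this function uses `0x%X`.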

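The mechanism Alan describes above (two descriptors that differ only in the reserved bits of bEndpointAddress slipping past a raw-byte duplicate check, so that the driver validates one of them while the core's pipe lookup, keyed by endpoint number, resolves to the other) can be reproduced in userspace C. This is an added example, not code from the kernel or from the patches in this thread; `struct ep_desc`, `struct parsed`, `parse_endpoints()` and `submit_intr_consistent()` are hypothetical stand-ins for the kernel's descriptor parsing and URB type check, and the two sample descriptors are constructed to match the epaddr/epattr values in the log (0x9b with bmAttributes 0x67, then 0x8b as bulk). It also covers the first reply's point that the driver does verify endpoint types: the verification is correct, it is just applied to a different descriptor than the one the pipe ends up using.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Masks from the USB 2.0 endpoint descriptor layout; numerically the same as
 * the kernel's linux/usb/ch9.h, redefined so this builds outside the tree. */
#define USB_ENDPOINT_NUMBER_MASK   0x0f
#define USB_ENDPOINT_DIR_MASK      0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3
#define MAX_EPS                    30

/* Hypothetical stand-in for struct usb_endpoint_descriptor. */
struct ep_desc {
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
};

/* Accepted descriptors plus an IN lookup table keyed by endpoint number,
 * modelling the device-wide table a pipe is resolved through (last writer wins). */
struct parsed {
	struct ep_desc eps[MAX_EPS];
	size_t num;
	const struct ep_desc *ep_in[16];
};

/* Only the direction bit and the 4-bit number are defined; bits 4-6 are reserved. */
uint8_t ep_canon(uint8_t addr)
{
	return addr & (USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK);
}

/* Parse a descriptor list and return how many endpoints were accepted.
 * sanitize == 0: raw byte compare, the behaviour the thread diagnoses.
 * sanitize != 0: mask the reserved bits first, so duplicates collide. */
size_t parse_endpoints(const struct ep_desc *in, size_t n, int sanitize, struct parsed *out)
{
	memset(out, 0, sizeof(*out));
	for (size_t i = 0; i < n && out->num < MAX_EPS; i++) {
		struct ep_desc d = in[i];
		int dup = 0;

		if (sanitize)
			d.bEndpointAddress = ep_canon(d.bEndpointAddress);
		for (size_t j = 0; j < out->num; j++)
			if (out->eps[j].bEndpointAddress == d.bEndpointAddress)
				dup = 1;
		if (dup)
			continue;	/* skip the descriptor, as config.c does */
		out->eps[out->num] = d;
		if (d.bEndpointAddress & USB_ENDPOINT_DIR_MASK)
			out->ep_in[d.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK] = &out->eps[out->num];
		out->num++;
	}
	return out->num;
}

/* Model of the driver/core handoff: the driver picks the first interrupt IN
 * descriptor it parsed (what btusb_probe() validates); the core then resolves
 * the pipe by endpoint number through ep_in[] and compares transfer types
 * (what usb_submit_urb() checks). 1 = consistent, 0 = "BOGUS urb xfer",
 * -1 = no interrupt IN endpoint at all. */
int submit_intr_consistent(const struct parsed *p)
{
	const struct ep_desc *chosen = NULL, *resolved;

	for (size_t i = 0; i < p->num; i++) {
		const struct ep_desc *e = &p->eps[i];
		if ((e->bEndpointAddress & USB_ENDPOINT_DIR_MASK) &&
		    (e->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT) {
			chosen = e;
			break;
		}
	}
	if (!chosen)
		return -1;
	resolved = p->ep_in[chosen->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK];
	if (!resolved)
		return -1;
	return (resolved->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
}

/* Constructed sample mirroring the log: interrupt IN at 0x9b (reserved bit 4
 * set, bmAttributes 0x67) followed by bulk IN at 0x8b; both are IN, number 11. */
static const struct ep_desc sample[] = {
	{ 0x9b, 0x67 },
	{ 0x8b, 0x02 },
};

size_t accepted_count(int sanitize)
{
	struct parsed p;
	return parse_endpoints(sample, 2, sanitize, &p);
}

int intr_submit_result(int sanitize)
{
	struct parsed p;
	parse_endpoints(sample, 2, sanitize, &p);
	return submit_intr_consistent(&p);
}
```

With `sanitize` off, both descriptors are accepted, the second overwrites slot 11 of the IN table, and `intr_submit_result(0)` returns 0: the driver validated the interrupt endpoint but the pipe resolves to the bulk one, which is the "pipe 1 != type 3" warning in the trace. With `sanitize` on, the masked address makes the second descriptor a duplicate, it is skipped, and the check passes. The important design point is that the masking has to happen on the copy the rest of the parser uses, so every later consumer keys on the same address.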
syzbot

Jun 26, 2024, 2:29:08 PM
to linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8693a0...@syzkaller.appspotmail.com

Tested on:

commit: 66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15a59299980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=169b3789980000

Note: testing is done by a robot and is best-effort only.

Alan Stern

Jun 26, 2024, 4:13:01 PM
to syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
Somewhat different approach. Let's see if this works.

Alan Stern

#syz test: upstream 66cc544fd75c

Index: usb-devel/drivers/usb/core/config.c
===================================================================
--- usb-devel.orig/drivers/usb/core/config.c
+++ usb-devel/drivers/usb/core/config.c
@@ -291,6 +291,19 @@ static int usb_parse_endpoint(struct dev
if (ifp->desc.bNumEndpoints >= num_ep)
goto skip_to_next_endpoint_or_interface_descriptor;

+ /* Save a copy of the descriptor and use it instead of the original */
+ endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+ memcpy(&endpoint->desc, d, n);
+ d = &endpoint->desc;
+
+ i = d->bEndpointAddress &
+ (USB_ENDPOINT_DIR_MASK | USB_ENDPOINT_NUMBER_MASK);
+ if (i != d->bEndpointAddress) {
+ dev_notice(ddev, "config %d interface %d altsetting %d has an endpoint descriptor with address 0x%X, changing to 0x%X\n",
+ cfgno, inum, asnum, d->bEndpointAddress, i);
+ endpoint->desc.bEndpointAddress = i;
+ }
+
/* Check for duplicate endpoint addresses */
if (config_endpoint_is_duplicate(config, inum, asnum, d)) {
dev_notice(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
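Review bot: moving the `memcpy(&endpoint->desc, d, n)` ahead of the duplicate check and repointing `d` at the copy is the step that makes this work: the masked `bEndpointAddress` is then what `config_endpoint_is_duplicate()` and everything downstream compare, so 0x9b and 0x8b now collide as they should. Two things deserve a comment in the code: the slot `ifp->endpoint[ifp->desc.bNumEndpoints]` is now written before the descriptor is accepted, so on the skip path it holds a stale partial copy until the next accepted descriptor overwrites it, which is harmless only as long as nothing reads past `bNumEndpoints`; and `i` is being reused to hold an address byte, where a `u8 addr` temporary would read more clearly and avoid the int-to-u8 assignment into `endpoint->desc.bEndpointAddress`.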
@@ -308,10 +321,8 @@ static int usb_parse_endpoint(struct dev
}
}

- endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
+ /* Accept this endpoint */
++ifp->desc.bNumEndpoints;
-
- memcpy(&endpoint->desc, d, n);
INIT_LIST_HEAD(&endpoint->urb_list);

/*

syzbot

Jun 26, 2024, 5:34:06 PM
to linux-b...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8693a0...@syzkaller.appspotmail.com

Tested on:

commit: 66cc544f Merge tag 'dmaengine-fix-6.10' of git://git.k..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=146c143a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f7b9f99610e0e87
dashboard link: https://syzkaller.appspot.com/bug?extid=8693a0bb9c10b554272a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15e096c1980000