On Sat, Jul 10, 2021 at 04:11:15AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ee268dee Add linux-next specific files for 20210707
> git tree: linux-next
Is this an old version of syzbot? I thought it had been fixed up to
give a real URL (one that "#syz test:" would accept) for the git
tree and a 12-digit SHA-1 abbreviation for the HEAD commit.
Apparently I forgot to fix the usbfs pathways.
Alan Stern
#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git ee268dee
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -1133,7 +1133,7 @@ static int do_proc_control(struct usb_de
"wIndex=%04x wLength=%04x\n",
ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
ctrl->wIndex, ctrl->wLength);
- if (ctrl->bRequestType & 0x80) {
+ if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {
pipe = usb_rcvctrlpipe(dev, 0);
snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
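Review bot: The new test `(ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength` carries no comment saying why a request flagged IN with a zero wLength must no longer take the receive-pipe branch, and that reasoning is not obvious from the code. A short comment above the `if` would record it, for example `/* No data stage when wLength is 0: use the OUT pipe even if USB_DIR_IN is set */`. The body of do_proc_control() begins and ends outside this hunk, so the branch this case now falls into is only partly visible here.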
@@ -1157,6 +1157,7 @@ static int do_proc_control(struct usb_de
goto done;
}
}
+ ctrl->bRequestType &= ~USB_DIR_IN;
pipe = usb_sndctrlpipe(dev, 0);
snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
tbuf, ctrl->wLength);
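Review bot: The added `ctrl->bRequestType &= ~USB_DIR_IN;` rewrites the direction bit of the setup packet that userspace supplied, so a zero-length request flagged IN would presumably reach the device with a different bRequestType than the caller asked for. The snoop line at the top of the function has already logged the original value by then, so the debug log and the request actually submitted can disagree. Choosing the pipe from `wLength`, as the first hunk already does, and leaving `ctrl->bRequestType` untouched would avoid both effects; if the rewrite is intended, it deserves a comment and a log line showing the modified value. The same concern applies to `dr->bRequestType &= ~USB_DIR_IN;` in the proc_do_submiturb() hunk at `@@ -1587,16 +1595,10 @@`. The rest of do_proc_control() is outside this hunk, so how `ctrl` is used afterwards should be confirmed.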
@@ -1579,6 +1580,13 @@ static int proc_do_submiturb(struct usb_
le16_to_cpu(dr->wIndex));
if (ret)
goto error;
+ snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
+ "bRequest=%02x wValue=%04x "
+ "wIndex=%04x wLength=%04x\n",
+ dr->bRequestType, dr->bRequest,
+ __le16_to_cpu(dr->wValue),
+ __le16_to_cpu(dr->wIndex),
+ __le16_to_cpu(dr->wLength));
uurb->buffer_length = le16_to_cpu(dr->wLength);
uurb->buffer += 8;
if ((dr->bRequestType & USB_DIR_IN) && uurb->buffer_length) {
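Review bot: The relocated snoop() call keeps the `__le16_to_cpu()` spelling while the surrounding lines in the same case use `le16_to_cpu()` (`le16_to_cpu(dr->wIndex)` just above and `le16_to_cpu(dr->wLength)` just below). Since the block is being re-added anyway, it would read more consistently as `le16_to_cpu(dr->wValue), le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength)`. Moving the call ahead of the direction fix-up also means the log now records the caller's bRequestType rather than the value submitted, which is worth a one-line comment such as `/* log the setup packet as supplied by userspace */`. proc_do_submiturb() starts and ends outside this hunk.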
@@ -1587,16 +1595,10 @@ static int proc_do_submiturb(struct usb_
} else {
is_in = false;
uurb->endpoint &= ~USB_DIR_IN;
+ dr->bRequestType &= ~USB_DIR_IN;
}
if (is_in)
allow_short = true;
- snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
- "bRequest=%02x wValue=%04x "
- "wIndex=%04x wLength=%04x\n",
- dr->bRequestType, dr->bRequest,
- __le16_to_cpu(dr->wValue),
- __le16_to_cpu(dr->wIndex),
- __le16_to_cpu(dr->wLength));
u = sizeof(struct usb_ctrlrequest);
break;