kernel v5.19 warn in usb_ep_queue

From: Rondreis
Date: Wed Aug 10 2022 - 22:12:23 EST

Next message: John Stultz: "Re: [RFC][PATCH 1/2] sched: Avoid placing RT threads on cores handling long softirqs"
Previous message: Randy Dunlap: "Re: [RFC][PATCH 1/2] sched: Avoid placing RT threads on cores handling long softirqs"
Next in thread: Alan Stern: "Re: kernel v5.19 warn in usb_ep_queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

When fuzzing the Linux kernel driver 5.19.0-rc4-00208-g69cb6c6556ad,
the following crash was triggered.

HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18)
git tree: upstream

kernel config: https://pastebin.com/KecL2gaG
C reproducer: https://pastebin.com/wLDJ9cnP
console output: https://pastebin.com/t0r8EwTw

Basically, in the c reproducer, we use the gadget module to emulate
the process of attaching a usb device (vendor id: 0xbaf, product id:
0x121, with function: midi and ms_null).
To reproduce this crash, we utilize a third-party library to emulate
the attaching process: https://github.com/linux-usb-gadgets/libusbgx.
Just clone this repository, make install it, and compile the c
reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the
trick.

It seems that an error state in struct usb_ep trigger such kernel warning.

The crash report is as follow:

```
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 3 PID: 3442 at drivers/usb/gadget/udc/core.c:283
usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283
Modules linked in:
CPU: 3 PID: 3442 Comm: file-storage Not tainted
5.19.0-rc4-00208-g69cb6c6556ad #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:usb_ep_queue+0x16b/0x3b0 drivers/usb/gadget/udc/core.c:283
Code: 46 05 0f 92 c3 31 ff 89 de e8 f1 e9 49 fd 84 db 0f 85 16 01 00
00 e8 c4 e8 49 fd 44 89 e0 5b 5d 41 5c 41 5d c3 e8 b5 e8 49 fd <0f> 0b
41 bc 94 ff ff ff e9 73 ff ff ff e8 a3 e8 49 fd 65 8b 1d cc
RSP: 0018:ffffc9000490fd00 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff888110e0d580
RDX: 0000000000000000 RSI: ffff888110e0d580 RDI: 0000000000000002
RBP: ffff88810ae84158 R08: ffffffff83fb31eb R09: 0000000000000000
R10: 0000000000000001 R11: ffffed10221c1ab0 R12: 0000000000000cc0
R13: ffff888111843f10 R14: ffff888111843f10 R15: ffff88811084e000
FS: 0000000000000000(0000) GS:ffff88811a980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f841985e020 CR3: 000000010d19a000 CR4: 0000000000350ee0
Call Trace:
<TASK>
start_transfer.isra.0+0x26/0x100
drivers/usb/gadget/function/f_mass_storage.c:527
start_out_transfer.isra.0+0xf0/0x1b0
drivers/usb/gadget/function/f_mass_storage.c:560
get_next_command drivers/usb/gadget/function/f_mass_storage.c:2249 [inline]
fsg_main_thread+0x377/0x6fc0 drivers/usb/gadget/function/f_mass_storage.c:2572
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>

```

Next message: John Stultz: "Re: [RFC][PATCH 1/2] sched: Avoid placing RT threads on cores handling long softirqs"
Previous message: Randy Dunlap: "Re: [RFC][PATCH 1/2] sched: Avoid placing RT threads on cores handling long softirqs"
Next in thread: Alan Stern: "Re: kernel v5.19 warn in usb_ep_queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]