On Mon, Dec 14, 2020 at 04:06:49PM +0100, Andrey Konovalov wrote:
On Mon, Dec 14, 2020 at 4:02 PM Johan Hovold johan@kernel.org wrote:
On Mon, Dec 14, 2020 at 06:48:03AM -0800, syzbot wrote:
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue: WARNING in yurex_write/usb_submit_urb
It appears syzbot never tested the patch from the thread. Probably using it's mail interface incorrectly, I don't know and I don't have time to investigate. The patch itself is correct.
Hi Johan,
I wasn't CCed on the testing request, so I can't say what exactly was wrong.
Here's the patch and the "syz test" command in a reply:
https://lore.kernel.org/r/20201214104444.28386-1-johan@kernel.org
Probably needs to go in the same mail, right?
How about including the command needed to test a patch in the syzbot report mail to assist the casual user of its interfaces? I had to browse the web page you link to and still got it wrong apparently.
Could you send me the patch you were trying to test?
Does this work better:
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
Johan
From 3bb77b2ac604d70b06f45a850e326dda9c99c9cd Mon Sep 17 00:00:00 2001
From: Johan Hovold johan@kernel.org Date: Mon, 14 Dec 2020 11:30:53 +0100 Subject: [PATCH] USB: yurex: fix control-URB timeout handling
Make sure to always cancel the control URB in write() so that it can be reused after a timeout or spurious CMD_ACK.
Currently any further write requests after a timeout would fail after triggering a WARN() in usb_submit_urb() when attempting to submit the already active URB.
Reported-by: syzbot+e87ebe0f7913f71f2ea5@syzkaller.appspotmail.com Fixes: 6bc235a2e24a ("USB: add driver for Meywa-Denki & Kayac YUREX") Cc: stable stable@vger.kernel.org # 2.6.37 Signed-off-by: Johan Hovold johan@kernel.org --- drivers/usb/misc/yurex.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 73ebfa6e9715..c640f98d20c5 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -496,6 +496,9 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, timeout = schedule_timeout(YUREX_WRITE_TIMEOUT); finish_wait(&dev->waitq, &wait);
+ /* make sure URB is idle after timeout or (spurious) CMD_ACK */ + usb_kill_urb(dev->cntl_urb); + mutex_unlock(&dev->io_mutex);
if (retval < 0) {