From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 16/62] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
Date: Tue, 27 Aug 2019 09:50:21 +0200
Message-ID: <20190827072701.285285273@linuxfoundation.org>
In-Reply-To: <20190827072659.803647352@linuxfoundation.org>

[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ]

Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.

During usb probe the driver crashes with "transfer buffer is on stack" message.

This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
that calls "usb_control_msg" under the hood.

Kernel 4.19 backtrace:

usb_hcd_submit_urb+0x3e5/0x900
? sched_clock+0x9/0x10
? log_store+0x203/0x270
? get_random_u32+0x6f/0x90
? cache_alloc_refill+0x784/0x8a0
usb_submit_urb+0x3b4/0x550
usb_start_wait_urb+0x4e/0xd0
usb_control_msg+0xb8/0x120
hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
usb_probe_interface+0xc2/0x260
really_probe+0x176/0x280
driver_probe_device+0x49/0x130
__driver_attach+0xa9/0xb0
? driver_probe_device+0x130/0x130
bus_for_each_dev+0x5a/0x90
driver_attach+0x14/0x20
? driver_probe_device+0x130/0x130
bus_add_driver+0x157/0x1e0
driver_register+0x51/0xe0
usb_register_driver+0x5d/0x120
? 0xf81ed000
hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
do_one_initcall+0x44/0x190
? free_unref_page_commit+0x6a/0xd0
do_init_module+0x46/0x1c0
load_module+0x1dc1/0x2400
sys_init_module+0xed/0x120
do_fast_syscall_32+0x7a/0x200
entry_SYSENTER_32+0x6b/0xbe

Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 163bc482b2a78..87588198d68fc 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1701,13 +1701,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
 static int
 setup_hfcsusb(struct hfcsusb *hw)
 {
+	void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
 	u_char b;
+	int ret;
 
 	if (debug & DBG_HFC_CALL_TRACE)
 		printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
 
+	if (!dmabuf)
+		return -ENOMEM;
+
+	ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
+
+	memcpy(&b, dmabuf, sizeof(u_char));
+	kfree(dmabuf);
+
 	/* check the chip id */
-	if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
+	if (ret != 1) {
 		printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
 		       hw->name, __func__);
 		return 1;
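Review bot: In setup_hfcsusb(), `memcpy(&b, dmabuf, sizeof(u_char));` runs before `ret` is checked, so when read_reg_atomic() fails, b is filled from uninitialised kmalloc() memory. The visible error path returns before b is used, so nothing reads the stale byte here, but doing the copy only after the `ret != 1` test (freeing the buffer on both paths) or allocating with kzalloc() would keep that true regardless of later changes. Declaring the buffer as `u_char *dmabuf` would also let the copy be a plain `b = *dmabuf;`. Two smaller points: the new allocation-failure path returns -ENOMEM while the existing chip-id failure returns 1, so it is worth confirming the caller treats any non-zero value as failure; and the kmalloc() in the declaration initialiser is separated from its `if (!dmabuf)` check by the debug printk, which would read more clearly with the allocation placed directly before the check.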
-- 
2.20.1



