stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, "Qiujun Huang" <hqjagain@gmail.com>,
	"Kalle Valo" <kvalo@codeaurora.org>,
	"Viktor Jägersküpper" <viktor_jaegerskuepper@freenet.de>,
	syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
Subject: [PATCH 4.9 44/61] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
Date: Thu, 30 Jul 2020 10:05:02 +0200	[thread overview]
Message-ID: <20200730074422.973073199@linuxfoundation.org> (raw)
In-Reply-To: <20200730074420.811058810@linuxfoundation.org>

From: Qiujun Huang <hqjagain@gmail.com>

commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.

In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
usb_ifnum_to_if(urb->dev, 0)
But it isn't always true.

The case reported by syzbot:
https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
usb 2-1: new high-speed USB device number 2 using dummy_hcd
usb 2-1: config 1 has an invalid interface number: 2 but max is 0
usb 2-1: config 1 has no interface number 0
usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
1.08
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
general protection fault, probably for non-canonical address
0xdffffc0000000015: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0

Call Trace
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829

Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
Cc: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath9k/hif_usb.c |   48 +++++++++++++++++++++++--------
 drivers/net/wireless/ath/ath9k/hif_usb.h |    5 +++
 2 files changed, 42 insertions(+), 11 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -641,9 +641,9 @@ err:
 
 static void ath9k_hif_usb_rx_cb(struct urb *urb)
 {
-	struct sk_buff *skb = (struct sk_buff *) urb->context;
-	struct hif_device_usb *hif_dev =
-		usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
+	struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
+	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+	struct sk_buff *skb = rx_buf->skb;
 	int ret;
 
 	if (!skb)
@@ -683,14 +683,15 @@ resubmit:
 	return;
 free:
 	kfree_skb(skb);
+	kfree(rx_buf);
 }
 
 static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 {
-	struct sk_buff *skb = (struct sk_buff *) urb->context;
+	struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
+	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+	struct sk_buff *skb = rx_buf->skb;
 	struct sk_buff *nskb;
-	struct hif_device_usb *hif_dev =
-		usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
 	int ret;
 
 	if (!skb)
@@ -748,6 +749,7 @@ resubmit:
 	return;
 free:
 	kfree_skb(skb);
+	kfree(rx_buf);
 	urb->context = NULL;
 }
 
@@ -793,7 +795,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(s
 	init_usb_anchor(&hif_dev->mgmt_submitted);
 
 	for (i = 0; i < MAX_TX_URB_NUM; i++) {
-		tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL);
+		tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL);
 		if (!tx_buf)
 			goto err;
 
@@ -830,8 +832,9 @@ static void ath9k_hif_usb_dealloc_rx_urb
 
 static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev)
 {
-	struct urb *urb = NULL;
+	struct rx_buf *rx_buf = NULL;
 	struct sk_buff *skb = NULL;
+	struct urb *urb = NULL;
 	int i, ret;
 
 	init_usb_anchor(&hif_dev->rx_submitted);
@@ -839,6 +842,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(s
 
 	for (i = 0; i < MAX_RX_URB_NUM; i++) {
 
+		rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL);
+		if (!rx_buf) {
+			ret = -ENOMEM;
+			goto err_rxb;
+		}
+
 		/* Allocate URB */
 		urb = usb_alloc_urb(0, GFP_KERNEL);
 		if (urb == NULL) {
@@ -853,11 +862,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(s
 			goto err_skb;
 		}
 
+		rx_buf->hif_dev = hif_dev;
+		rx_buf->skb = skb;
+
 		usb_fill_bulk_urb(urb, hif_dev->udev,
 				  usb_rcvbulkpipe(hif_dev->udev,
 						  USB_WLAN_RX_PIPE),
 				  skb->data, MAX_RX_BUF_SIZE,
-				  ath9k_hif_usb_rx_cb, skb);
+				  ath9k_hif_usb_rx_cb, rx_buf);
 
 		/* Anchor URB */
 		usb_anchor_urb(urb, &hif_dev->rx_submitted);
@@ -883,6 +895,8 @@ err_submit:
 err_skb:
 	usb_free_urb(urb);
 err_urb:
+	kfree(rx_buf);
+err_rxb:
 	ath9k_hif_usb_dealloc_rx_urbs(hif_dev);
 	return ret;
 }
@@ -894,14 +908,21 @@ static void ath9k_hif_usb_dealloc_reg_in
 
 static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev)
 {
-	struct urb *urb = NULL;
+	struct rx_buf *rx_buf = NULL;
 	struct sk_buff *skb = NULL;
+	struct urb *urb = NULL;
 	int i, ret;
 
 	init_usb_anchor(&hif_dev->reg_in_submitted);
 
 	for (i = 0; i < MAX_REG_IN_URB_NUM; i++) {
 
+		rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL);
+		if (!rx_buf) {
+			ret = -ENOMEM;
+			goto err_rxb;
+		}
+
 		/* Allocate URB */
 		urb = usb_alloc_urb(0, GFP_KERNEL);
 		if (urb == NULL) {
@@ -916,11 +937,14 @@ static int ath9k_hif_usb_alloc_reg_in_ur
 			goto err_skb;
 		}
 
+		rx_buf->hif_dev = hif_dev;
+		rx_buf->skb = skb;
+
 		usb_fill_int_urb(urb, hif_dev->udev,
 				  usb_rcvintpipe(hif_dev->udev,
 						  USB_REG_IN_PIPE),
 				  skb->data, MAX_REG_IN_BUF_SIZE,
-				  ath9k_hif_usb_reg_in_cb, skb, 1);
+				  ath9k_hif_usb_reg_in_cb, rx_buf, 1);
 
 		/* Anchor URB */
 		usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
@@ -946,6 +970,8 @@ err_submit:
 err_skb:
 	usb_free_urb(urb);
 err_urb:
+	kfree(rx_buf);
+err_rxb:
 	ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev);
 	return ret;
 }
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -84,6 +84,11 @@ struct tx_buf {
 	struct list_head list;
 };
 
+struct rx_buf {
+	struct sk_buff *skb;
+	struct hif_device_usb *hif_dev;
+};
+
 #define HIF_USB_TX_STOP  BIT(0)
 #define HIF_USB_TX_FLUSH BIT(1)
 



  parent reply	other threads:[~2020-07-30  8:17 UTC|newest]

Thread overview: 65+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-30  8:04 [PATCH 4.9 00/61] 4.9.232-rc1 review Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 01/61] pinctrl: amd: fix npins for uart0 in kerncz_groups Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 02/61] mac80211: allow rx of mesh eapol frames with default rx key Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 03/61] scsi: scsi_transport_spi: Fix function pointer check Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 04/61] xtensa: fix __sync_fetch_and_{and,or}_4 declarations Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 05/61] xtensa: update *pos in cpuinfo_op.next Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 06/61] drivers/net/wan/lapbether: Fixed the value of hard_header_len Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 07/61] net: sky2: initialize return of gm_phy_read Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 08/61] drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 09/61] SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion") Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 10/61] uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 11/61] ALSA: info: Drop WARN_ON() from buffer NULL sanity check Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 12/61] ASoC: rt5670: Correct RT5670_LDO_SEL_MASK Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 13/61] btrfs: fix double free on ulist after backref resolution failure Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 14/61] btrfs: fix mount failure caused by race with umount Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 15/61] bnxt_en: Fix race when modifying pause settings Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 16/61] hippi: Fix a size used in a pci_free_consistent() in an error handling path Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 17/61] ax88172a: fix ax88172a_unbind() failures Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 18/61] net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual configuration Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 19/61] net: smc91x: Fix possible memory leak in smc_drv_probe() Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 20/61] scripts/decode_stacktrace: strip basepath from all paths Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 21/61] HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 22/61] HID: apple: Disable Fn-key key-re-mapping on clone keyboards Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 23/61] dmaengine: tegra210-adma: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 24/61] regmap: dev_get_regmap_match(): fix string comparison Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 25/61] dmaengine: ioat setting ioat timeout as module parameter Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 26/61] usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init() Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 27/61] arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 28/61] x86: math-emu: Fix up cmp insn for clang ias Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 29/61] usb: xhci-mtk: fix the failure of bandwidth allocation Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 30/61] usb: xhci: Fix ASM2142/ASM3142 DMA addressing Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 31/61] Revert "cifs: Fix the target file was deleted when rename failed." Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 32/61] staging: wlan-ng: properly check endpoint types Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 33/61] staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 34/61] staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 35/61] staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 36/61] staging: comedi: addi_apci_1564: " Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 37/61] serial: 8250: fix null-ptr-deref in serial8250_start_tx() Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 38/61] serial: 8250_mtk: Fix high-speed baud rates clamping Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 39/61] vt: Reject zero-sized screen buffer size Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 40/61] Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation Greg Kroah-Hartman
2020-07-30  8:04 ` [PATCH 4.9 41/61] mm/memcg: fix refcount error while moving and swapping Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 42/61] io-mapping: indicate mapping failure Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 43/61] parisc: Add atomic64_set_release() define to avoid CPU soft lockups Greg Kroah-Hartman
2020-07-30  8:05 ` Greg Kroah-Hartman [this message]
2020-07-30  8:05 ` [PATCH 4.9 45/61] ath9k: Fix regression with Atheros 9271 Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 46/61] AX.25: Fix out-of-bounds read in ax25_connect() Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 47/61] AX.25: Prevent out-of-bounds read in ax25_sendmsg() Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 48/61] dev: Defer free of skbs in flush_backlog Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 49/61] net-sysfs: add a newline when printing tx_timeout by sysfs Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 50/61] net: udp: Fix wrong clean up for IS_UDPLITE macro Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 51/61] rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 52/61] AX.25: Prevent integer overflows in connect and sendmsg Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 53/61] tcp: allow at most one TLP probe per flight Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 54/61] ip6_gre: fix null-ptr-deref in ip6gre_init_net() Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 55/61] drivers/net/wan/x25_asy: Fix to make it work Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 56/61] regmap: debugfs: check count when read regmap file Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 57/61] xfs: set format back to extents if xfs_bmap_extents_to_btree Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 58/61] perf probe: Fix to check blacklist address correctly Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 59/61] perf annotate: Use asprintf when formatting objdump command line Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 60/61] perf tools: Fix snprint warnings for gcc 8 Greg Kroah-Hartman
2020-07-30  8:05 ` [PATCH 4.9 61/61] perf: Make perf able to build with latest libbfd Greg Kroah-Hartman
2020-07-30 16:46 ` [PATCH 4.9 00/61] 4.9.232-rc1 review Guenter Roeck
2020-07-31 12:41 ` Jon Hunter
2020-07-31 12:43 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200730074422.973073199@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=hqjagain@gmail.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com \
    --cc=viktor_jaegerskuepper@freenet.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).