Stable Archive on lore.kernel.org
 help / color / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 13/33] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
Date: Tue, 13 Aug 2019 22:23:03 -0400
Message-ID: <20190814022323.17111-13-sashal@kernel.org> (raw)
In-Reply-To: <20190814022323.17111-1-sashal@kernel.org>

From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>

[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ]

Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.

During usb probe the driver crashes with "transfer buffer is on stack" message.

This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
that calls "usb_control_msg" under the hood.

Kernel 4.19 backtrace:

usb_hcd_submit_urb+0x3e5/0x900
? sched_clock+0x9/0x10
? log_store+0x203/0x270
? get_random_u32+0x6f/0x90
? cache_alloc_refill+0x784/0x8a0
usb_submit_urb+0x3b4/0x550
usb_start_wait_urb+0x4e/0xd0
usb_control_msg+0xb8/0x120
hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
usb_probe_interface+0xc2/0x260
really_probe+0x176/0x280
driver_probe_device+0x49/0x130
__driver_attach+0xa9/0xb0
? driver_probe_device+0x130/0x130
bus_for_each_dev+0x5a/0x90
driver_attach+0x14/0x20
? driver_probe_device+0x130/0x130
bus_add_driver+0x157/0x1e0
driver_register+0x51/0xe0
usb_register_driver+0x5d/0x120
? 0xf81ed000
hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
do_one_initcall+0x44/0x190
? free_unref_page_commit+0x6a/0xd0
do_init_module+0x46/0x1c0
load_module+0x1dc1/0x2400
sys_init_module+0xed/0x120
do_fast_syscall_32+0x7a/0x200
entry_SYSENTER_32+0x6b/0xbe

Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 6f19530ba2a93..726fba452f5f6 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1701,13 +1701,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
 static int
 setup_hfcsusb(struct hfcsusb *hw)
 {
+	void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
 	u_char b;
+	int ret;
 
 	if (debug & DBG_HFC_CALL_TRACE)
 		printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
 
+	if (!dmabuf)
+		return -ENOMEM;
+
+	ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
+
+	memcpy(&b, dmabuf, sizeof(u_char));
+	kfree(dmabuf);
+
 	/* check the chip id */
-	if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
+	if (ret != 1) {
 		printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
 		       hw->name, __func__);
 		return 1;
-- 
2.20.1


  parent reply index

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-14  2:22 [PATCH AUTOSEL 4.9 01/33] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 02/33] MIPS: kernel: only use i8253 clocksource with periodic clockevent Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 03/33] netfilter: ebtables: fix a memory leak bug in compat Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 04/33] ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 05/33] bonding: Force slave speed check after link state recovery for 802.3ad Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 06/33] can: dev: call netif_carrier_off() in register_candev() Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 07/33] ASoC: Fail card instantiation if DAI format setup fails Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 08/33] st21nfca_connectivity_event_received: null check the allocation Sasha Levin
2019-08-14  2:22 ` [PATCH AUTOSEL 4.9 09/33] st_nci_hci_connectivity_event_received: " Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 10/33] ASoC: ti: davinci-mcasp: Correct slot_width posed constraint Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 11/33] net: usb: qmi_wwan: Add the BroadMobi BM818 card Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 12/33] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() Sasha Levin
2019-08-14  2:23 ` Sasha Levin [this message]
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 14/33] perf bench numa: Fix cpu0 binding Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 15/33] Input: kbtab - sanity check for endpoint type Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 16/33] net: usb: pegasus: fix improper read if get_registers() fail Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 17/33] can: sja1000: force the string buffer NULL-terminated Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 18/33] can: peak_usb: " Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 19/33] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 20/33] HID: holtek: test for sanity of intfdata Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 21/33] HID: input: fix a4tech horizontal wheel custom usage Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 22/33] HID: hiddev: avoid opening a disconnected device Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 23/33] HID: hiddev: do cleanup in failure of opening a device Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 24/33] Input: iforce - add sanity checks Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 25/33] net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 26/33] net: hisilicon: make hip04_tx_reclaim non-reentrant Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 27/33] net: hisilicon: fix hip04-xmit never return TX_BUSY Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 28/33] net: hisilicon: Fix dma_map_single failed on arm64 Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 29/33] libata: add SG safety checks in SFF pio transfers Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 30/33] x86/lib/cpu: Address missing prototypes warning Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 31/33] drm/vmwgfx: fix memory leak when too many retries have occurred Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 32/33] perf pmu-events: Fix missing "cpu_clk_unhalted.core" event Sasha Levin
2019-08-14  2:23 ` [PATCH AUTOSEL 4.9 33/33] selftests: kvm: Adding config fragments Sasha Levin

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190814022323.17111-13-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=davem@davemloft.net \
    --cc=juliana.rodrigueiro@intra2net.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox