linux/drivers
Alan Stern 1bebbd9b80 net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
commit 5e1627cb43 upstream.

The syzbot fuzzer identified a problem in the usbnet driver:

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
 __netdev_start_xmit include/linux/netdevice.h:4918 [inline]
 netdev_start_xmit include/linux/netdevice.h:4932 [inline]
 xmit_one net/core/dev.c:3578 [inline]
 dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
...

This bug is caused by the fact that usbnet trusts the bulk endpoint
addresses its probe routine receives in the driver_info structure, and
it does not check to see that these endpoints actually exist and have
the expected type and directions.

The fix is simply to add such a check.

Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/000000000000a56e9105d0cec021@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/ea152b6d-44df-4f8a-95c6-4db51143dcc1@rowland.harvard.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-11 12:08:24 +02:00
accessibility
acpi ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily 2023-08-03 10:24:18 +02:00
amba
android binder: fix UAF of alloc->vma in race with munmap() 2023-05-30 14:03:19 +01:00
ata ata: pata_ns87415: mark ns87560_tf_read static 2023-08-03 10:24:07 +02:00
atm atm: idt77252: fix kmemleak when rmmod idt77252 2023-03-30 12:49:09 +02:00
auxdisplay
base x86/srso: Add a Speculative RAS Overflow mitigation 2023-08-08 20:03:50 +02:00
bcma
block rbd: prevent busy loop when requesting exclusive lock 2023-08-11 12:08:21 +02:00
bluetooth Bluetooth: hci_qca: fix debugfs registration 2023-06-14 11:15:28 +02:00
bus bus: ixp4xx: fix IXP4XX_EXP_T1_MASK 2023-07-23 13:49:43 +02:00
cdrom
char tpm_tis: Explicitly check for error code 2023-08-03 10:24:14 +02:00
clk clk: imx93: Propagate correct error in imx93_clocks_probe() 2023-08-11 12:08:22 +02:00
clocksource clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 2023-07-19 16:20:59 +02:00
comedi
connector
counter counter: 104-quad-8: Fix Synapse action reported for Index signals 2023-04-13 16:55:31 +02:00
cpufreq cpufreq: intel_pstate: Drop ACPI _PSS states table patching 2023-08-03 10:24:18 +02:00
cpuidle RISC-V: Align SBI probe implementation with spec 2023-05-11 23:03:04 +09:00
crypto crypto: qat - unmap buffers before free for RSA 2023-07-19 16:21:42 +02:00
cxl cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws() 2023-08-03 10:24:04 +02:00
dax dax/kmem: Pass valid argument to memory_group_register_static 2023-07-19 16:21:43 +02:00
dca
devfreq
dio
dma dmaengine: pl330: rename _start to prevent build error 2023-06-09 10:34:00 +02:00
dma-buf dma-buf: fix an error pointer vs NULL bug 2023-08-03 10:24:19 +02:00
edac EDAC/qcom: Get rid of hardcoded register offsets 2023-06-21 16:00:51 +02:00
eisa
extcon extcon: usbc-tusb320: Unregister typec port on driver removal 2023-07-19 16:22:08 +02:00
firewire
firmware firmware: arm_scmi: Drop OF node reference in the transport channel setup 2023-08-11 12:08:19 +02:00
fpga fpga: bridge: fix kernel-doc parameter description 2023-05-11 23:03:27 +09:00
fsi
gnss
gpio gpio: mvebu: fix irq domain leak 2023-08-03 10:23:49 +02:00
gpu drm/i915/gt: Cleanup aux invalidation registers 2023-08-11 12:08:22 +02:00
greybus
hid HID: add quirk for 03f0:464a HP Elite Presenter Mouse 2023-07-27 08:50:32 +02:00
hsi
hte hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id() 2023-05-11 23:03:38 +09:00
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 11:12:23 +02:00
hwmon hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled 2023-08-03 10:24:12 +02:00
hwspinlock
hwtracing hwtracing: hisi_ptt: Fix potential sleep in atomic context 2023-07-19 16:21:58 +02:00
i2c i2c: nomadik: Remove a useless call in the remove function 2023-08-03 10:23:50 +02:00
i3c i3c: master: svc: fix cpu schedule in spin lock 2023-07-19 16:21:54 +02:00
idle Revert "cpuidle, intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE *again*" 2023-04-06 12:10:58 +02:00
iio meson saradc: fix clock divider mask length 2023-07-23 13:49:42 +02:00
infiniband RDMA/irdma: Report correct WC error 2023-08-03 10:24:06 +02:00
input Input: pm8941-powerkey - fix debounce on gen2+ PMICs 2023-07-19 16:21:26 +02:00
interconnect interconnect: qcom: rpm: drop bogus pm domain attach 2023-05-11 23:03:28 +09:00
iommu iommu/arm-smmu-v3: Document nesting-related errata 2023-08-11 12:08:09 +02:00
ipack
irqchip irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation 2023-08-03 10:24:14 +02:00
isdn mISDN: hfcpci: Fix potential deadlock on &hc->lock 2023-08-11 12:08:13 +02:00
leds leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename 2023-07-19 16:22:15 +02:00
macintosh macintosh: via-pmu-led: requires ATA to be set 2023-05-11 23:03:31 +09:00
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-07-19 16:22:03 +02:00
mcb mcb-pci: Reallocate memory region to avoid memory overlapping 2023-05-24 17:32:41 +01:00
md dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-08-03 10:24:17 +02:00
media media: amphion: Fix firmware path to match linux-firmware 2023-08-03 10:23:57 +02:00
memory memory: brcmstb_dpfe: fix testing array offset after use 2023-07-19 16:21:24 +02:00
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-07-19 16:21:08 +02:00
message scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition 2023-05-24 17:32:37 +01:00
mfd mfd: pm8008: Fix module autoloading 2023-07-23 13:49:37 +02:00
misc misc: pci_endpoint_test: Re-init completion for every test 2023-07-23 13:49:37 +02:00
mmc mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. 2023-07-19 16:22:09 +02:00
most
mtd mtd: rawnand: meson: fix OOB available bytes for ECC 2023-08-11 12:08:20 +02:00
mux
net net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb 2023-08-11 12:08:24 +02:00
nfc nfcsim.c: Fix error checking for debugfs_create_dir 2023-06-28 11:12:36 +02:00
ntb NTB: ntb_tool: Add check for devm_kcalloc 2023-07-23 13:49:24 +02:00
nubus nubus: Partially revert proc_create_single_data() conversion 2023-07-05 18:27:37 +01:00
nvdimm
nvme nvme: don't reject probe due to duplicate IDs for single-ported PCIe devices 2023-07-23 13:49:43 +02:00
nvmem nvmem: rmem: Use NVMEM_DEVID_AUTO 2023-07-19 16:21:57 +02:00
of of: Preserve "of-display" device name for compatibility 2023-07-27 08:50:26 +02:00
opp opp: Fix use-after-free in lazy_opp_tables after probe deferral 2023-07-23 13:49:42 +02:00
parisc parisc: Replace regular spinlock with spin_trylock on panic path 2023-05-24 17:32:42 +01:00
parport
pci PCI: rockchip: Don't advertise MSI-X in PCIe capabilities 2023-08-03 10:23:51 +02:00
pcmcia
peci
perf perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start() 2023-07-23 13:49:44 +02:00
phy phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() 2023-08-03 10:23:59 +02:00
pinctrl pinctrl: renesas: rzg2l: Handle non-unique subnode names 2023-07-27 08:50:38 +02:00
platform platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 2023-08-03 10:24:01 +02:00
pnp
power power: supply: Fix logic checking if system is running from battery 2023-06-21 16:00:52 +02:00
powercap powercap: RAPL: Fix CONFIG_IOSF_MBI dependency 2023-07-19 16:21:00 +02:00
pps
ps3
ptp ptp_qoriq: fix memory leak in probe() 2023-04-06 12:10:44 +02:00
pwm pwm: meson: fix handling of period/duty if greater than UINT_MAX 2023-07-23 13:49:46 +02:00
rapidio
ras
regulator regulator: tps65219: Fix matching interrupts for their regulators 2023-07-19 16:22:14 +02:00
remoteproc remoteproc: imx_dsp_rproc: Fix kernel test robot sparse warning 2023-05-24 17:32:53 +01:00
reset
rpmsg rpmsg: glink: Propagate TX failures in intentless mode as well 2023-05-11 23:03:16 +09:00
rtc rtc: st-lpc: Release some resources in st_rtc_probe() in case of error 2023-07-19 16:21:59 +02:00
s390 scsi: zfcp: Defer fc_rport blocking until after ADISC response 2023-08-11 12:08:19 +02:00
sbus
scsi scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices 2023-08-11 12:08:19 +02:00
sh
siox
slimbus
soc soc: qcom: mdt_loader: Fix unconditional call to scm_pas_mem_setup 2023-07-23 13:49:34 +02:00
soundwire soundwire: fix enumeration completion 2023-08-03 10:24:15 +02:00
spi spi: dw: Remove misleading comment for Mount Evans SoC 2023-07-27 08:50:50 +02:00
spmi spmi: Add a check for remove callback when removing a SPMI driver 2023-05-11 23:03:31 +09:00
ssb
staging staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() 2023-08-03 10:24:12 +02:00
target scsi: target: iscsi: Prevent login threads from racing between each other 2023-06-28 11:12:35 +02:00
tc
tee tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta' 2023-06-14 11:15:28 +02:00
thermal thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() 2023-07-19 16:21:01 +02:00
thunderbolt thunderbolt: Mask ring interrupt on Intel hardware as well 2023-06-21 16:00:56 +02:00
tty tty: n_gsm: fix UAF in gsm_cleanup_mux 2023-08-03 10:24:12 +02:00
ufs scsi: ufs: ufs-mediatek: Add dependency for RESET_CONTROLLER 2023-07-23 13:49:21 +02:00
uio
usb Revert "xhci: add quirk for host controllers that don't update endpoint DCS" 2023-08-03 10:24:12 +02:00
vdpa vduse: avoid empty string for dev name 2023-06-14 11:15:32 +02:00
vfio vfio/mdev: Move the compat_class initialization to module init 2023-07-19 16:21:41 +02:00
vhost vhost_net: revert upend_idx only on retriable error 2023-06-28 11:12:40 +02:00
video fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe 2023-07-27 08:50:45 +02:00
virt virt: sevguest: Add CONFIG_CRYPTO dependency 2023-07-19 16:20:55 +02:00
virtio virtio_ring: don't update event idx on get_buf 2023-05-11 23:03:31 +09:00
vlynq
w1 w1: fix loop in w1_fini() 2023-07-19 16:21:48 +02:00
watchdog watchdog: menz069_wdt: fix watchdog initialisation 2023-06-09 10:34:07 +02:00
xen xen: speed up grant-table reclaim 2023-08-03 10:24:14 +02:00
zorro
Kconfig
Makefile