Andrey Konovalov 70e743e4ce uwb: ensure that endpoint is interrupt ... hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no check for that, which results in a WARNING in USB core code, when a bad USB descriptor is provided from a device: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: ffff88006bdc1a00 task.stack: ffff88006bde8000 RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448 RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282 RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000 RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90 FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0 Call Trace: hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710 uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361 hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858 usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4890 hub_port_connect_change drivers/usb/core/hub.c:4996 port_event drivers/usb/core/hub.c:5102 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 kthread+0x324/0x3f0 kernel/kthread.c:231 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 ---[ end trace 55d741234124cfc3 ]--- Check that endpoint is interrupt. Found by syzkaller. Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2017-09-18 11:28:23 +02:00
..
accessibility
acpi	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
amba
android	ANDROID: binder: don't queue async transactions to thread.	2017-09-01 09:22:50 +02:00
ata	Merge branch 'for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata	2017-09-06 22:41:21 -07:00
atm
auxdisplay
base	firmware: Restore support for built-in firmware	2017-09-16 10:58:48 -07:00
bcma
block	The highlights include:	2017-09-12 20:03:53 -07:00
bluetooth
bus	ARM: SoC driver updates for v4.14	2017-09-10 20:40:00 -07:00
cdrom
char	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
clk	The diff is dominated by the Allwinner A10/A20 SoCs getting converted to	2017-09-13 11:04:14 -07:00
clocksource	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
connector
cpufreq	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
cpuidle	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
crypto	dmaengine updates for 4.14-rc1	2017-09-07 14:03:05 -07:00
dax	- Some request-based DM core and DM multipath fixes and cleanups	2017-09-14 13:43:16 -07:00
dca
devfreq
dio
dma	dmaengine updates for 4.14-rc1	2017-09-07 14:03:05 -07:00
dma-buf
edac
eisa
extcon
firewire
firmware	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
fmc
fpga
fsi
gpio	- New Drivers	2017-09-07 13:51:13 -07:00
gpu	amd fixes pull	2017-09-15 17:52:52 -07:00
hid	media updates for v4.14-rc1	2017-09-07 12:53:14 -07:00
hsi
hv	Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2017-09-07 09:25:15 -07:00
hwmon	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
hwspinlock
hwtracing
i2c	i2c: i2c-stm32f7: add driver	2017-09-14 17:34:43 +02:00
ide	Merge branch 'for-4.14/block' of git://git.kernel.dk/linux-block	2017-09-07 11:59:42 -07:00
idle	Power management updates for v4.14-rc1	2017-09-05 12:19:08 -07:00
iio	- New Drivers	2017-09-07 13:51:13 -07:00
infiniband	IB/mlx4: fix sprintf format warning	2017-09-13 18:53:15 -07:00
input	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input	2017-09-16 11:24:26 -07:00
iommu	IOMMU Updates for Linux v4.14	2017-09-09 15:03:24 -07:00
ipack
irqchip	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
isdn	isdn: isdnloop: fix logic error in isdnloop_sendbuf	2017-09-07 20:03:54 -07:00
leds	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
lightnvm
macintosh	powerpc/macintosh: constify wf_sensor_ops structures	2017-09-01 16:42:54 +10:00
mailbox	Just behavorial changes to a controller driver:	2017-09-07 13:23:37 -07:00
mcb	Char/Misc drivers for 4.14-rc1	2017-09-05 11:08:17 -07:00
md	- Some request-based DM core and DM multipath fixes and cleanups	2017-09-14 13:43:16 -07:00
media	Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2017-09-14 18:13:32 -07:00
memory	ARM: SoC driver updates for v4.14	2017-09-10 20:40:00 -07:00
memstick
message
mfd	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
misc	mm: treewide: remove GFP_TEMPORARY allocation flag	2017-09-13 18:53:16 -07:00
mmc	mmc: renesas_sdhi: Add r8a7743/5 support	2017-09-01 15:31:01 +02:00
mtd	This pull request contains updates for UBI:	2017-09-16 12:08:10 -07:00
mux
net	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2017-09-16 11:28:59 -07:00
nfc
ntb
nubus
nvdimm	- Some request-based DM core and DM multipath fixes and cleanups	2017-09-14 13:43:16 -07:00
nvme	nvme-pci: implement the HMB entry number and size limitations	2017-09-11 12:29:40 -04:00
nvmem
of	dma-mapping updates for 4.14:	2017-09-12 13:30:06 -07:00
oprofile
parisc
parport	Char/Misc drivers for 4.14-rc1	2017-09-05 11:08:17 -07:00
pci	Revert "PCI: Avoid race while enabling upstream bridges"	2017-09-15 01:33:51 -05:00
pcmcia
perf
phy	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
pinctrl	pinctrl/amd: save pin registers over suspend/resume	2017-09-12 15:58:45 +02:00
platform	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
pnp	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
power	power supply and reset changes for the v4.14 series	2017-09-09 14:44:39 -07:00
powercap
pps	drivers/pps: use surrounding "if PPS" to remove numerous dependency checks	2017-09-08 18:26:51 -07:00
ps3
ptp
pwm	pwm: Changes for v4.14-rc1	2017-09-11 13:04:32 -07:00
rapidio
ras
regulator	- New Drivers	2017-09-07 13:51:13 -07:00
remoteproc	rpmsg updates for v4.14	2017-09-09 14:34:38 -07:00
reset	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
rpmsg	rpmsg: glink: initialize ret to zero to ensure error status check is correct	2017-09-04 10:52:30 -07:00
rtc	RTC for 4.14	2017-09-13 10:56:00 -07:00
s390	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux	2017-09-12 06:01:59 -07:00
sbus
scsi	SCSI misc on 20170913	2017-09-13 10:47:14 -07:00
sfi
sh
sn
soc	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
spi	ACPI updates for v4.14-rc1	2017-09-05 12:45:03 -07:00
spmi
ssb
staging	Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2017-09-14 18:54:01 -07:00
target	Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2017-09-14 18:13:32 -07:00
tc
tee
thermal	Merge branches 'thermal-core', 'thermal-soc', 'thermal-intel' and 'const-thermal-zone-structure' into next	2017-09-08 11:20:04 +08:00
thunderbolt	ACPI updates for v4.14-rc1	2017-09-05 12:45:03 -07:00
tty	dmi: Mark all struct dmi_system_id instances const	2017-09-14 11:59:30 +02:00
uio
usb	Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2017-09-14 18:13:32 -07:00
uwb	uwb: ensure that endpoint is interrupt	2017-09-18 11:28:23 +02:00
vfio
vhost	lib/interval_tree: fast overlap detection	2017-09-08 18:26:49 -07:00
video	fbdev changes for v4.14:	2017-09-14 13:33:33 -07:00
virt
virtio	SCSI misc on 20170907	2017-09-07 21:11:05 -07:00
vlynq
vme
w1	power supply and reset changes for the v4.14 series	2017-09-09 14:44:39 -07:00
watchdog	Merge branch '4.14-features' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2017-09-15 20:43:33 -07:00
xen	mm: treewide: remove GFP_TEMPORARY allocation flag	2017-09-13 18:53:16 -07:00
zorro
Kconfig
Makefile