shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-03-24 19:40:21 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
295ef44a2abaf97d7a594b1d4c60d4be3738191f
linux/drivers
History
Alan Stern 1bebbd9b80 net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb 
commit 5e1627cb43 upstream.

The syzbot fuzzer identified a problem in the usbnet driver:

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
 __netdev_start_xmit include/linux/netdevice.h:4918 [inline]
 netdev_start_xmit include/linux/netdevice.h:4932 [inline]
 xmit_one net/core/dev.c:3578 [inline]
 dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
...

This bug is caused by the fact that usbnet trusts the bulk endpoint
addresses its probe routine receives in the driver_info structure, and
it does not check to see that these endpoints actually exist and have
the expected type and directions.

The fix is simply to add such a check.

Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/000000000000a56e9105d0cec021@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/ea152b6d-44df-4f8a-95c6-4db51143dcc1@rowland.harvard.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-11 12:08:24 +02:00
..
accessibility
tty: fix possible null-ptr-defer in spk_ttyio_release
2023-01-24 07:24:37 +01:00
acpi
ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily
2023-08-03 10:24:18 +02:00
amba
android
binder: fix UAF of alloc->vma in race with munmap()
2023-05-30 14:03:19 +01:00
ata
ata: pata_ns87415: mark ns87560_tf_read static
2023-08-03 10:24:07 +02:00
atm
atm: idt77252: fix kmemleak when rmmod idt77252
2023-03-30 12:49:09 +02:00
auxdisplay
auxdisplay: hd44780: Fix potential memory leak in hd44780_remove()
2023-03-11 13:55:16 +01:00
base
x86/srso: Add a Speculative RAS Overflow mitigation
2023-08-08 20:03:50 +02:00
bcma
Merge tag 'irq-core-2022-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2022-10-12 10:23:24 -07:00
block
rbd: prevent busy loop when requesting exclusive lock
2023-08-11 12:08:21 +02:00
bluetooth
Bluetooth: hci_qca: fix debugfs registration
2023-06-14 11:15:28 +02:00
bus
bus: ixp4xx: fix IXP4XX_EXP_T1_MASK
2023-07-23 13:49:43 +02:00
cdrom
char
tpm_tis: Explicitly check for error code
2023-08-03 10:24:14 +02:00
clk
clk: imx93: Propagate correct error in imx93_clocks_probe()
2023-08-11 12:08:22 +02:00
clocksource
clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
2023-07-19 16:20:59 +02:00
comedi
comedi: adv_pci1760: Fix PWM instruction handling
2023-01-24 07:24:35 +01:00
connector
counter
counter: 104-quad-8: Fix Synapse action reported for Index signals
2023-04-13 16:55:31 +02:00
cpufreq
cpufreq: intel_pstate: Drop ACPI _PSS states table patching
2023-08-03 10:24:18 +02:00
cpuidle
RISC-V: Align SBI probe implementation with spec
2023-05-11 23:03:04 +09:00
crypto
crypto: qat - unmap buffers before free for RSA
2023-07-19 16:21:42 +02:00
cxl
cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws()
2023-08-03 10:24:04 +02:00
dax
dax/kmem: Pass valid argument to memory_group_register_static
2023-07-19 16:21:43 +02:00
dca
devfreq
PM/devfreq: governor: Add a private governor_data for governor
2023-01-07 11:11:40 +01:00
dio
drivers: dio: fix possible memory leak in dio_init()
2022-12-31 13:32:38 +01:00
dma
dmaengine: pl330: rename _start to prevent build error
2023-06-09 10:34:00 +02:00
dma-buf
dma-buf: fix an error pointer vs NULL bug
2023-08-03 10:24:19 +02:00
edac
EDAC/qcom: Get rid of hardcoded register offsets
2023-06-21 16:00:51 +02:00
eisa
extcon
extcon: usbc-tusb320: Unregister typec port on driver removal
2023-07-19 16:22:08 +02:00
firewire
firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
2023-02-09 11:27:59 +01:00
firmware
firmware: arm_scmi: Drop OF node reference in the transport channel setup
2023-08-11 12:08:19 +02:00
fpga
fpga: bridge: fix kernel-doc parameter description
2023-05-11 23:03:27 +09:00
fsi
use less confusing names for iov_iter direction initializers
2023-02-09 11:28:04 +01:00
gnss
gpio
gpio: mvebu: fix irq domain leak
2023-08-03 10:23:49 +02:00
gpu
drm/i915/gt: Cleanup aux invalidation registers
2023-08-11 12:08:22 +02:00
greybus
hid
HID: add quirk for 03f0:464a HP Elite Presenter Mouse
2023-07-27 08:50:32 +02:00
hsi
HSI: omap_ssi_core: Fix error handling in ssi_init()
2022-12-31 13:32:45 +01:00
hte
hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id()
2023-05-11 23:03:38 +09:00
hv
Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
2023-06-28 11:12:23 +02:00
hwmon
hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
2023-08-03 10:24:12 +02:00
hwspinlock
hwtracing
hwtracing: hisi_ptt: Fix potential sleep in atomic context
2023-07-19 16:21:58 +02:00
i2c
i2c: nomadik: Remove a useless call in the remove function
2023-08-03 10:23:50 +02:00
i3c
i3c: master: svc: fix cpu schedule in spin lock
2023-07-19 16:21:54 +02:00
idle
Revert "cpuidle, intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE *again*"
2023-04-06 12:10:58 +02:00
iio
meson saradc: fix clock divider mask length
2023-07-23 13:49:42 +02:00
infiniband
RDMA/irdma: Report correct WC error
2023-08-03 10:24:06 +02:00
input
Input: pm8941-powerkey - fix debounce on gen2+ PMICs
2023-07-19 16:21:26 +02:00
interconnect
interconnect: qcom: rpm: drop bogus pm domain attach
2023-05-11 23:03:28 +09:00
iommu
iommu/arm-smmu-v3: Document nesting-related errata
2023-08-11 12:08:09 +02:00
ipack
Merge tag 'char-misc-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2022-10-08 08:56:37 -07:00
irqchip
irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation
2023-08-03 10:24:14 +02:00
isdn
mISDN: hfcpci: Fix potential deadlock on &hc->lock
2023-08-11 12:08:13 +02:00
leds
leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename
2023-07-19 16:22:15 +02:00
macintosh
macintosh: via-pmu-led: requires ATA to be set
2023-05-11 23:03:31 +09:00
mailbox
mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
2023-07-19 16:22:03 +02:00
mcb
mcb-pci: Reallocate memory region to avoid memory overlapping
2023-05-24 17:32:41 +01:00
md
dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
2023-08-03 10:24:17 +02:00
media
media: amphion: Fix firmware path to match linux-firmware
2023-08-03 10:23:57 +02:00
memory
memory: brcmstb_dpfe: fix testing array offset after use
2023-07-19 16:21:24 +02:00
memstick
memstick r592: make memstick_debug_get_tpc_name() static
2023-07-19 16:21:08 +02:00
message
scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
2023-05-24 17:32:37 +01:00
mfd
mfd: pm8008: Fix module autoloading
2023-07-23 13:49:37 +02:00
misc
misc: pci_endpoint_test: Re-init completion for every test
2023-07-23 13:49:37 +02:00
mmc
mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
2023-07-19 16:22:09 +02:00
most
mtd
mtd: rawnand: meson: fix OOB available bytes for ECC
2023-08-11 12:08:20 +02:00
mux
net
net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
2023-08-11 12:08:24 +02:00
nfc
nfcsim.c: Fix error checking for debugfs_create_dir
2023-06-28 11:12:36 +02:00
ntb
NTB: ntb_tool: Add check for devm_kcalloc
2023-07-23 13:49:24 +02:00
nubus
nubus: Partially revert proc_create_single_data() conversion
2023-07-05 18:27:37 +01:00
nvdimm
cxl/pmem: Fix nvdimm registration races
2023-03-10 09:34:20 +01:00
nvme
nvme: don't reject probe due to duplicate IDs for single-ported PCIe devices
2023-07-23 13:49:43 +02:00
nvmem
nvmem: rmem: Use NVMEM_DEVID_AUTO
2023-07-19 16:21:57 +02:00
of
of: Preserve "of-display" device name for compatibility
2023-07-27 08:50:26 +02:00
opp
opp: Fix use-after-free in lazy_opp_tables after probe deferral
2023-07-23 13:49:42 +02:00
parisc
parisc: Replace regular spinlock with spin_trylock on panic path
2023-05-24 17:32:42 +01:00
parport
parport_pc: Avoid FIFO port location truncation
2022-11-09 15:40:32 +01:00
pci
PCI: rockchip: Don't advertise MSI-X in PCIe capabilities
2023-08-03 10:23:51 +02:00
pcmcia
peci
perf
perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()
2023-07-23 13:49:44 +02:00
phy
phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe()
2023-08-03 10:23:59 +02:00
pinctrl
pinctrl: renesas: rzg2l: Handle non-unique subnode names
2023-07-27 08:50:38 +02:00
platform
platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100
2023-08-03 10:24:01 +02:00
pnp
PNP: fix name memory leak in pnp_alloc_dev()
2022-12-31 13:31:56 +01:00
power
power: supply: Fix logic checking if system is running from battery
2023-06-21 16:00:52 +02:00
powercap
powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
2023-07-19 16:21:00 +02:00
pps
ps3
ptp
ptp_qoriq: fix memory leak in probe()
2023-04-06 12:10:44 +02:00
pwm
pwm: meson: fix handling of period/duty if greater than UINT_MAX
2023-07-23 13:49:46 +02:00
rapidio
rapidio: devices: fix missing put_device in mport_cdev_open
2022-12-31 13:32:00 +01:00
ras
regulator
regulator: tps65219: Fix matching interrupts for their regulators
2023-07-19 16:22:14 +02:00
remoteproc
remoteproc: imx_dsp_rproc: Fix kernel test robot sparse warning
2023-05-24 17:32:53 +01:00
reset
reset: uniphier-glue: Fix possible null-ptr-deref
2023-02-01 08:34:05 +01:00
rpmsg
rpmsg: glink: Propagate TX failures in intentless mode as well
2023-05-11 23:03:16 +09:00
rtc
rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
2023-07-19 16:21:59 +02:00
s390
scsi: zfcp: Defer fc_rport blocking until after ADISC response
2023-08-11 12:08:19 +02:00
sbus
scsi
scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices
2023-08-11 12:08:19 +02:00
sh
siox
siox: fix possible memory leak in siox_device_add()
2022-11-09 15:40:14 +01:00
slimbus
slimbus: qcom-ngd: Fix build error when CONFIG_SLIM_QCOM_NGD_CTRL=y && CONFIG_QCOM_RPROC_COMMON=m
2022-11-10 18:45:40 +01:00
soc
soc: qcom: mdt_loader: Fix unconditional call to scm_pas_mem_setup
2023-07-23 13:49:34 +02:00
soundwire
soundwire: fix enumeration completion
2023-08-03 10:24:15 +02:00
spi
spi: dw: Remove misleading comment for Mount Evans SoC
2023-07-27 08:50:50 +02:00
spmi
spmi: Add a check for remove callback when removing a SPMI driver
2023-05-11 23:03:31 +09:00
ssb
staging
staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
2023-08-03 10:24:12 +02:00
target
scsi: target: iscsi: Prevent login threads from racing between each other
2023-06-28 11:12:35 +02:00
tc
tee
tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'
2023-06-14 11:15:28 +02:00
thermal
thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe()
2023-07-19 16:21:01 +02:00
thunderbolt
thunderbolt: Mask ring interrupt on Intel hardware as well
2023-06-21 16:00:56 +02:00
tty
tty: n_gsm: fix UAF in gsm_cleanup_mux
2023-08-03 10:24:12 +02:00
ufs
scsi: ufs: ufs-mediatek: Add dependency for RESET_CONTROLLER
2023-07-23 13:49:21 +02:00
uio
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
2022-12-31 13:32:38 +01:00
usb
Revert "xhci: add quirk for host controllers that don't update endpoint DCS"
2023-08-03 10:24:12 +02:00
vdpa
vduse: avoid empty string for dev name
2023-06-14 11:15:32 +02:00
vfio
vfio/mdev: Move the compat_class initialization to module init
2023-07-19 16:21:41 +02:00
vhost
vhost_net: revert upend_idx only on retriable error
2023-06-28 11:12:40 +02:00
video
fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
2023-07-27 08:50:45 +02:00
virt
virt: sevguest: Add CONFIG_CRYPTO dependency
2023-07-19 16:20:55 +02:00
virtio
virtio_ring: don't update event idx on get_buf
2023-05-11 23:03:31 +09:00
vlynq
w1
w1: fix loop in w1_fini()
2023-07-19 16:21:48 +02:00
watchdog
watchdog: menz069_wdt: fix watchdog initialisation
2023-06-09 10:34:07 +02:00
xen
xen: speed up grant-table reclaim
2023-08-03 10:24:14 +02:00
zorro
Kconfig
Makefile