Re: [PATCH 5/5] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Qiujun Huang <hqjagain@gmail.com>
Cc: kvalo@codeaurora.org, ath9k-devel@qca.qualcomm.com,
	davem@davemloft.net, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	anenbupt@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH 5/5] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
Date: Tue, 7 Apr 2020 15:50:10 +0300	[thread overview]
Message-ID: <20200407125010.GJ2001@kadam> (raw)
In-Reply-To: <20200404041838.10426-6-hqjagain@gmail.com>

On Sat, Apr 04, 2020 at 12:18:38PM +0800, Qiujun Huang wrote:
> In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
> usb_ifnum_to_if(urb->dev, 0)
> But it isn't always true.
> 
> The case reported by syzbot:
> https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
> usb 2-1: new high-speed USB device number 2 using dummy_hcd
> usb 2-1: config 1 has an invalid interface number: 2 but max is 0
> usb 2-1: config 1 has no interface number 0
> usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
> 1.08
> usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> general protection fault, probably for non-canonical address
> 0xdffffc0000000015: 0000 [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
> 
> Call Trace
> __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> expire_timers kernel/time/timer.c:1449 [inline]
> __run_timers kernel/time/timer.c:1773 [inline]
> __run_timers kernel/time/timer.c:1740 [inline]
> run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> __do_softirq+0x21e/0x950 kernel/softirq.c:292
> invoke_softirq kernel/softirq.c:373 [inline]
> irq_exit+0x178/0x1a0 kernel/softirq.c:413
> exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> 
> Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
> Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
> ---
>  drivers/net/wireless/ath/ath9k/hif_usb.c | 48 ++++++++++++++++++------
>  drivers/net/wireless/ath/ath9k/hif_usb.h |  5 +++
>  2 files changed, 42 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
> index 6049d3766c64..4ed21dad6a8e 100644
> --- a/drivers/net/wireless/ath/ath9k/hif_usb.c
> +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
> @@ -643,9 +643,9 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev,
>  
>  static void ath9k_hif_usb_rx_cb(struct urb *urb)
>  {
> -	struct sk_buff *skb = (struct sk_buff *) urb->context;
> -	struct hif_device_usb *hif_dev =
> -		usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
> +	struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
> +	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
> +	struct sk_buff *skb = rx_buf->skb;
>  	int ret;
>  
>  	if (!skb)

This "if (!skb)" error path returns directly and leaks "rx_buf".
Of course, it's an impossible condition.  We should just delete the
check.

> @@ -685,14 +685,15 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
>  	return;
>  free:
>  	kfree_skb(skb);
> +	kfree(rx_buf);
>  }
>  
>  static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
>  {
> -	struct sk_buff *skb = (struct sk_buff *) urb->context;
> +	struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
> +	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
> +	struct sk_buff *skb = rx_buf->skb;
>  	struct sk_buff *nskb;
> -	struct hif_device_usb *hif_dev =
> -		usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
>  	int ret;
>  
>  	if (!skb)

Same.

> @@ -750,6 +751,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
>  	return;
>  free:
>  	kfree_skb(skb);
> +	kfree(rx_buf);
>  	urb->context = NULL;
>  }
>  

regards,
dan carpenter

next prev parent reply	other threads:[~2020-04-07 12:50 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-04  4:18 [PATCH 0/5] ath9k: bug fixes Qiujun Huang
2020-04-04  4:18 ` [PATCH 1/5] ath9k: Fix use-after-free Read in htc_connect_service Qiujun Huang
2020-04-07  5:01   ` Kalle Valo
2020-04-07 10:51   ` Dan Carpenter
2020-04-04  4:18 ` [PATCH 2/5] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx Qiujun Huang
2020-04-04  4:18 ` [PATCH 3/5] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg Qiujun Huang
2020-04-04  4:18 ` [PATCH 4/5 resend] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb Qiujun Huang
2020-04-04  4:18 ` [PATCH 5/5] ath9k: Fix general protection fault " Qiujun Huang
2020-04-07 12:50   ` Dan Carpenter [this message]
2020-06-20 21:04   ` [BISECTED REGRESSION] " Roman Mamedov
2020-06-22 14:36     ` Kalle Valo
2020-07-01 15:53       ` [PATCH] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" Viktor Jägersküpper
2020-07-01 19:56         ` Roman Mamedov
2020-07-01 21:32           ` [PATCH v2] " Viktor Jägersküpper
2020-07-02  6:43         ` [PATCH] " Kalle Valo
2020-07-09 14:36           ` Viktor Jägersküpper
2020-07-13 14:26             ` Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200407125010.GJ2001@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=anenbupt@gmail.com \
    --cc=ath9k-devel@qca.qualcomm.com \
    --cc=davem@davemloft.net \
    --cc=hqjagain@gmail.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.