From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shigeru Yoshida <syoshida@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com,
syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com
Subject: [PATCH 5.10 16/95] net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
Date: Mon, 6 Nov 2023 14:03:44 +0100 [thread overview]
Message-ID: <20231106130305.325151516@linuxfoundation.org> (raw)
In-Reply-To: <20231106130304.678610325@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ]
syzbot reported the following uninit-value access issue [1]:
smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32
smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD
=====================================================
BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750
usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396
really_probe+0x506/0xf40 drivers/base/dd.c:658
__driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
__device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
__device_attach+0x3bd/0x640 drivers/base/dd.c:1030
device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
device_add+0x16ae/0x1f20 drivers/base/core.c:3622
usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238
usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293
really_probe+0x506/0xf40 drivers/base/dd.c:658
__driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
__device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
__device_attach+0x3bd/0x640 drivers/base/dd.c:1030
device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
device_add+0x16ae/0x1f20 drivers/base/core.c:3622
usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589
hub_port_connect drivers/usb/core/hub.c:5440 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703
worker_thread+0xf45/0x1490 kernel/workqueue.c:2784
kthread+0x3e8/0x540 kernel/kthread.c:388
ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Local variable buf.i225 created at:
smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline]
smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892
smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: usb_hub_wq hub_event
=====================================================
Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in
__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads
less bytes than requested (zero byte in the reproducer). In this case,
'buf' is not properly filled.
This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
less bytes than requested.
sysbot reported similar uninit-value access issue [2]. The root cause is
the same as mentioned above, and this patch addresses it as well.
Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1]
Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/smsc95xx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index 9297f2078fd2c..569be01700aa1 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -86,7 +86,9 @@ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN
| USB_TYPE_VENDOR | USB_RECIP_DEVICE,
0, index, &buf, 4);
- if (ret < 0) {
+ if (ret < 4) {
+ ret = ret < 0 ? ret : -ENODATA;
+
if (ret != -ENODEV)
netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n",
index, ret);
--
2.42.0
next prev parent reply other threads:[~2023-11-06 13:30 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 13:03 [PATCH 5.10 00/95] 5.10.200-rc1 review Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 01/95] selftests/ftrace: Add new test case which checks non unique symbol Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 02/95] mcb: Return actual parsed size when reading chameleon table Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 03/95] mcb-lpc: Reallocate memory region to avoid memory overlapping Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 04/95] virtio_balloon: Fix endless deflation and inflation on arm64 Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 05/95] virtio-mmio: fix memory leak of vm_dev Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 06/95] mm/page_alloc: correct start page when guard page debug is enabled Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 07/95] mmc: renesas_sdhi: use custom mask for TMIO_MASK_ALL Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 08/95] drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 09/95] r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1 Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 10/95] r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1 Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 11/95] treewide: Spelling fix in comment Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 12/95] igb: Fix potential memory leak in igb_add_ethtool_nfc_entry Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 13/95] neighbour: fix various data-races Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 14/95] igc: Fix ambiguity in the ethtool advertising Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 15/95] net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() Greg Kroah-Hartman
2023-11-06 13:03 ` Greg Kroah-Hartman [this message]
2023-11-06 13:03 ` [PATCH 5.10 17/95] r8152: Increase USB control msg timeout to 5000ms as per spec Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 18/95] r8152: Run the unload routine if we have errors during probe Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 19/95] r8152: Cancel hw_phy_work if we have an error in probe Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 20/95] r8152: Release firmware " Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 21/95] tcp: fix wrong RTO timeout when received SACK reneging Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 22/95] gtp: uapi: fix GTPA_MAX Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 23/95] gtp: fix fragmentation needed check with gso Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 24/95] i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 25/95] kasan: print the original fault addr when access invalid shadow Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 26/95] iio: exynos-adc: request second interupt only when touchscreen mode is used Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 27/95] i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 28/95] i2c: muxes: i2c-mux-gpmux: " Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 29/95] i2c: muxes: i2c-demux-pinctrl: " Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 30/95] i2c: stm32f7: Fix PEC handling in case of SMBUS transfers Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.10 31/95] i2c: aspeed: Fix i2c bus hang in slave read Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 32/95] tracing/kprobes: Fix the description of variable length arguments Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 33/95] misc: fastrpc: Clean buffers on remote invocation failures Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 34/95] nvmem: imx: correct nregs for i.MX6ULL Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 35/95] nvmem: imx: correct nregs for i.MX6SLL Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 36/95] nvmem: imx: correct nregs for i.MX6UL Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 37/95] perf/core: Fix potential NULL deref Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 38/95] sparc32: fix a braino in fault handling in csum_and_copy_..._user() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 39/95] clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 40/95] iio: adc: xilinx: use helper variable for &pdev->dev Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 41/95] iio: adc: xilinx: use devm_krealloc() instead of kfree() + kcalloc() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 42/95] iio: adc: xilinx: use more devres helpers and remove remove() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 43/95] iio: adc: xilinx-xadc: Dont clobber preset voltage/temperature thresholds Greg Kroah-Hartman
2023-11-06 13:04 ` Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 44/95] x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 45/95] kobject: Fix slab-out-of-bounds in fill_kobj_path() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 46/95] smbdirect: missing rc checks while waiting for rdma events Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 47/95] f2fs: fix to do sanity check on inode type during garbage collection Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 48/95] x86/mm: Simplify RESERVE_BRK() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 49/95] x86/mm: Fix RESERVE_BRK() for older binutils Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 50/95] ext4: add two helper functions extent_logical_end() and pa_logical_end() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 51/95] ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 52/95] ext4: avoid overlapping preallocations " Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 53/95] objtool/x86: add missing embedded_insn check Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 54/95] driver: platform: Add helper for safer setting of driver_override Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 55/95] rpmsg: Constify local variable in field store macro Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 56/95] rpmsg: Fix kfree() of static memory on setting driver_override Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 57/95] rpmsg: Fix calling device_lock() on non-initialized device Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 58/95] rpmsg: glink: Release driver_override Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 59/95] rpmsg: Fix possible refcount leak in rpmsg_register_device_override() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 60/95] x86: Fix .brk attribute in linker script Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 61/95] net: sched: cls_u32: Fix allocation size in u32_init() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 62/95] irqchip/riscv-intc: Mark all INTC nodes as initialized Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 63/95] irqchip/stm32-exti: add missing DT IRQ flag translation Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 64/95] dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 65/95] Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 66/95] fbdev: atyfb: only use ioremap_uc() on i386 and ia64 Greg Kroah-Hartman
2023-11-06 13:04 ` Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 67/95] spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 68/95] netfilter: nfnetlink_log: silence bogus compiler warning Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 69/95] ASoC: rt5650: fix the wrong result of key button Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 70/95] fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 71/95] scsi: mpt3sas: Fix in error path Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 72/95] platform/mellanox: mlxbf-tmfifo: Fix a warning message Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 73/95] net: chelsio: cxgb4: add an error code check in t4_load_phy_fw Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 74/95] powerpc/mm: Fix boot crash with FLATMEM Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 75/95] perf evlist: Add evlist__add_dummy_on_all_cpus() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 76/95] perf tools: Get rid of evlist__add_on_all_cpus() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 77/95] perf evlist: Avoid frequency mode for the dummy event Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 78/95] can: isotp: change error format from decimal to symbolic error names Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 79/95] can: isotp: add symbolic error message to isotp_module_init() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 80/95] can: isotp: Add error message if txqueuelen is too small Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 81/95] can: isotp: set max PDU size to 64 kByte Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 82/95] can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 83/95] can: isotp: check CAN address family in isotp_bind() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 84/95] can: isotp: handle wait_event_interruptible() return values Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 85/95] can: isotp: add local echo tx processing and tx without FC Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 86/95] can: isotp: isotp_bind(): do not validate unused address information Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 87/95] can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 88/95] PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 89/95] usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 90/95] usb: raw-gadget: properly handle interrupted requests Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.10 91/95] tty: 8250: Remove UC-257 and UC-431 Greg Kroah-Hartman
2023-11-06 13:05 ` [PATCH 5.10 92/95] tty: 8250: Add support for additional Brainboxes UC cards Greg Kroah-Hartman
2023-11-06 13:05 ` [PATCH 5.10 93/95] tty: 8250: Add support for Brainboxes UP cards Greg Kroah-Hartman
2023-11-06 13:05 ` [PATCH 5.10 94/95] tty: 8250: Add support for Intashield IS-100 Greg Kroah-Hartman
2023-11-06 13:05 ` [PATCH 5.10 95/95] ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection Greg Kroah-Hartman
2023-11-06 17:37 ` [PATCH 5.10 00/95] 5.10.200-rc1 review Florian Fainelli
2023-11-07 20:22 ` Greg Kroah-Hartman
2023-11-06 17:53 ` Daniel Díaz
2023-11-06 18:14 ` Daniel Díaz
2023-11-07 20:24 ` Greg Kroah-Hartman
2023-11-06 21:30 ` Pavel Machek
2023-11-06 21:50 ` Pavel Machek
2023-11-07 11:34 ` Pavel Machek
2023-11-07 9:08 ` Dominique Martinet
2023-11-07 11:43 ` Jon Hunter
2023-11-07 15:40 ` Shuah Khan
2023-11-07 18:02 ` Naresh Kamboju
2023-11-07 18:57 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231106130305.325151516@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syoshida@redhat.com \
--cc=syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com \
--cc=syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.