From: Kalle Valo <kvalo@codeaurora.org>
To: Zekun Shen <bruceshenzk@gmail.com>
Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
Ganapathi Bhat <ganapathi017@gmail.com>,
Sharvari Harisangam <sharvari.harisangam@nxp.com>,
Xinming Hu <huxinming820@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, brendandg@nyu.edu
Subject: Re: [PATCH] mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv
Date: Mon, 01 Nov 2021 16:07:59 +0200
Message-ID: <87pmrk0y0w.fsf@codeaurora.org>
In-Reply-To: <YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home> (Zekun Shen's message of "Sat, 30 Oct 2021 22:42:50 -0400")
Zekun Shen <bruceshenzk@gmail.com> writes:
> Currently, with an unknown recv_type, mwifiex_usb_recv
> just returns -1 without restoring the skb. Next time
> mwifiex_usb_rx_complete is invoked with the same skb,
> calling skb_put causes skb_over_panic.
>
> The bug is triggerable with a compromised/malfunctioning
> usb device. After applying the patch, skb_over_panic
> no longer shows up with the same input.
>
> Attached is the panic report from fuzzing.
> skbuff: skb_over_panic: text:000000003bf1b5fa
> len:2048 put:4 head:00000000dd6a115b data:000000000a9445d8
> tail:0x844 end:0x840 dev:<NULL>
> kernel BUG at net/core/skbuff.c:109!
> invalid opcode: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60
> RIP: 0010:skb_panic+0x15f/0x161
> Call Trace:
> <IRQ>
> ? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb]
> skb_put.cold+0x24/0x24
> mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb]
> __usb_hcd_giveback_urb+0x1e4/0x380
> usb_giveback_urb_bh+0x241/0x4f0
> ? __hrtimer_run_queues+0x316/0x740
> ? __usb_hcd_giveback_urb+0x380/0x380
> tasklet_action_common.isra.0+0x135/0x330
> __do_softirq+0x18c/0x634
> irq_exit+0x114/0x140
> smp_apic_timer_interrupt+0xde/0x380
> apic_timer_interrupt+0xf/0x20
> </IRQ>
>
> Reported-by: Zekun Shen <bruceshenzk@gmail.com>
You are the author, no need to have your name in Reported-by.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
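A user-space model of the skb lifecycle the quoted commit message describes, added here as an illustration and not code from the mwifiex driver or from this thread: a receive buffer that is reused across URB completions, whose interface-header pull is not undone on the unknown-recv_type error path, so the next completion's skb_put runs past end. The buffer size, the trim-or-put step before re-parsing and the type value are constructed assumptions; the kernel's skb_put panics where this model returns an error.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy sk_buff: the fields skb_over_panic reports, kept as offsets into one
 * buffer.  Constructed for this example, not the kernel's struct sk_buff. */
#define RX_BUF_SIZE     2048   /* assumed command-endpoint buffer size ("len:2048") */
#define INTF_HEADER_LEN 4      /* header pulled by recv before dispatching on type */
#define TYPE_CMD        1      /* constructed stand-in for the known recv_type */

struct skb { uint8_t buf[RX_BUF_SIZE + 16]; unsigned data, tail, end, len; };

static void skb_init(struct skb *s) { memset(s, 0, sizeof *s); s->end = RX_BUF_SIZE; }

/* skb_put(): the kernel would call skb_over_panic() here; we return -1. */
static int skb_put(struct skb *s, unsigned n) {
    s->tail += n; s->len += n;                 /* kernel updates before checking */
    if (s->tail > s->end) {
        printf("skb_over_panic: len:%u put:%u tail:%#x end:%#x\n", s->len, n, s->tail, s->end);
        return -1;
    }
    return 0;
}
static void skb_pull(struct skb *s, unsigned n) { s->data += n; s->len -= n; }
static void skb_push(struct skb *s, unsigned n) { s->data -= n; s->len += n; }
static void skb_trim(struct skb *s, unsigned n) { s->len = n; s->tail = s->data + n; }

/* Model of mwifiex_usb_recv() on the command/event endpoint.  'restore'
 * selects the buggy error path (return -1 with the header still pulled)
 * or the fixed one (push the header back so the skb is reusable). */
static int usb_recv(struct skb *s, int restore) {
    uint32_t recv_type;
    memcpy(&recv_type, s->buf + s->data, sizeof recv_type);
    skb_pull(s, INTF_HEADER_LEN);
    if (recv_type == TYPE_CMD) { skb_push(s, INTF_HEADER_LEN); return 0; }
    if (restore) skb_push(s, INTF_HEADER_LEN);   /* the fix: undo the pull */
    return -1;
}

/* Model of the completion handler: the same skb is resubmitted for the next
 * URB, so it is trimmed or grown to the new transfer length before parsing.
 * (Assumed sequencing; the real handler does more bookkeeping.) */
static int usb_rx_complete(struct skb *s, unsigned recv_len, int restore) {
    if (s->len > recv_len) skb_trim(s, recv_len);
    else if (skb_put(s, recv_len - s->len) < 0) return -2;   /* would have panicked */
    return usb_recv(s, restore);
}

/* Two full-size completions carrying an unknown recv_type (0 in the zeroed
 * buffer); returns the second completion's status: -2 = overrun, -1 = rejected. */
static int run_two_completions(int restore) {
    struct skb s; skb_init(&s);
    usb_rx_complete(&s, RX_BUF_SIZE, restore);   /* unknown type, returns -1 */
    return usb_rx_complete(&s, RX_BUF_SIZE, restore);
}
```

With the buggy path the second completion reports put:4 with len already at the buffer size, the same shape as the quoted report; with the header restored it is simply rejected again.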