* [PATCH AUTOSEL 5.10 02/27] wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
2023-02-26 14:49 [PATCH AUTOSEL 5.10 01/27] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Sasha Levin
@ 2023-02-26 14:49 ` Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 06/27] wifi: ath11k: debugfs: fix to work with multiple PCI devices Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-02-26 14:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jisoo Jang, Dokyung Song, Minsuk Kang, Kalle Valo, Sasha Levin,
aspriel, franky.lin, hante.meuleman, davem, edumazet, kuba,
pabeni, keescook, hdegoede, gustavoars, marcan, wsa+renesas,
pavel, linux-wireless, brcm80211-dev-list.pdl,
SHA-cyfmac-dev-list, netdev
From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
[ Upstream commit 0a06cadcc2a0044e4a117cc0e61436fc3a0dad69 ]
This patch fixes a stack-out-of-bounds read in brcmfmac that occurs
when 'buf' that is not null-terminated is passed as an argument of
strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware
version string by memcpy() in brcmf_fil_iovar_data_get().
The patch ensures buf is null-terminated.
Found by a modified version of syzkaller.
[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3
[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ 47.601565][ T1897] ==================================================================
[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0
[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897
[ 47.604336][ T1897]
[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131
[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event
[ 47.607453][ T1897] Call Trace:
[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1
[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334
[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0
[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0
[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf
[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0
[ 47.610882][ T1897] strsep+0x1b2/0x1f0
[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0
[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40
[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100
[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0
[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110
[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260
[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0
[ 47.616288][ T1897] brcmf_attach+0x246/0xd40
[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0
[ 47.617280][ T1897] ? kmemdup+0x43/0x50
[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690
[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760
[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250
[ 47.619950][ T1897] really_probe+0x205/0xb70
[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0
[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.622209][ T1897] driver_probe_device+0x4e/0x150
[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0
[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0
[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30
[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160
[ 47.625437][ T1897] __device_attach+0x23f/0x3a0
[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0
[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0
[ 47.627057][ T1897] bus_probe_device+0x1da/0x290
[ 47.627557][ T1897] device_add+0xb7b/0x1eb0
[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290
[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0
[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0
[ 47.630385][ T1897] usb_probe_device+0xbb/0x250
[ 47.630927][ T1897] ? usb_suspend+0x590/0x590
[ 47.631397][ T1897] really_probe+0x205/0xb70
[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0
[ 47.633002][ T1897] ? usb_generic_driver_match+0x75/0x90
[ 47.633573][ T1897] ? driver_allows_async_probing+0x130/0x130
[ 47.634170][ T1897] driver_probe_device+0x4e/0x150
[ 47.634703][ T1897] __device_attach_driver+0x1cc/0x2a0
[ 47.635248][ T1897] bus_for_each_drv+0x156/0x1d0
[ 47.635748][ T1897] ? bus_rescan_devices+0x30/0x30
[ 47.636271][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 47.636881][ T1897] ? trace_hardirqs_on+0x46/0x160
[ 47.637396][ T1897] __device_attach+0x23f/0x3a0
[ 47.637904][ T1897] ? device_bind_driver+0xd0/0xd0
[ 47.638426][ T1897] ? kobject_uevent_env+0x287/0x14b0
[ 47.638985][ T1897] bus_probe_device+0x1da/0x290
[ 47.639512][ T1897] device_add+0xb7b/0x1eb0
[ 47.639977][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
[ 47.640612][ T1897] ? kfree+0x14a/0x6b0
[ 47.641055][ T1897] ? __usb_get_extra_descriptor+0x116/0x160
[ 47.641679][ T1897] usb_new_device.cold+0x49c/0x1029
[ 47.642245][ T1897] ? hub_disconnect+0x450/0x450
[ 47.642756][ T1897] ? rwlock_bug.part.0+0x90/0x90
[ 47.643273][ T1897] ? _raw_spin_unlock_irq+0x24/0x30
[ 47.643822][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 47.644445][ T1897] hub_event+0x1c98/0x3950
[ 47.644939][ T1897] ? hub_port_debounce+0x2e0/0x2e0
[ 47.645467][ T1897] ? check_irq_usage+0x861/0xf20
[ 47.645975][ T1897] ? drain_workqueue+0x280/0x360
[ 47.646506][ T1897] ? lock_release+0x640/0x640
[ 47.646994][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 47.647572][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 47.648111][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 47.648735][ T1897] process_one_work+0x92b/0x1460
[ 47.649262][ T1897] ? pwq_dec_nr_in_flight+0x330/0x330
[ 47.649816][ T1897] ? rwlock_bug.part.0+0x90/0x90
[ 47.650336][ T1897] worker_thread+0x95/0xe00
[ 47.650830][ T1897] ? __kthread_parkme+0x115/0x1e0
[ 47.651361][ T1897] ? process_one_work+0x1460/0x1460
[ 47.651904][ T1897] kthread+0x3a1/0x480
[ 47.652329][ T1897] ? set_kthread_struct+0x120/0x120
[ 47.652878][ T1897] ret_from_fork+0x1f/0x30
[ 47.653370][ T1897]
[ 47.653608][ T1897]
[ 47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame:
[ 47.654891][ T1897] brcmf_c_preinit_dcmds+0x0/0xc40
[ 47.655442][ T1897]
[ 47.655690][ T1897] this frame has 4 objects:
[ 47.656151][ T1897] [48, 56) 'ptr'
[ 47.656159][ T1897] [80, 148) 'revinfo'
[ 47.656534][ T1897] [192, 210) 'eventmask'
[ 47.656953][ T1897] [256, 512) 'buf'
[ 47.657410][ T1897]
[ 47.658035][ T1897] Memory state around the buggy address:
[ 47.658743][ T1897] ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.659577][ T1897] ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[ 47.661199][ T1897] ^
[ 47.661625][ T1897] ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 47.662455][ T1897] ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 47.663318][ T1897] ==================================================================
[ 47.664147][ T1897] Disabling lock debugging due to kernel taint
Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
index e3758bd86acf0..57bb1fbedaa87 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
@@ -264,6 +264,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp)
err);
goto done;
}
+ buf[sizeof(buf) - 1] = '\0';
ptr = (char *)buf;
strsep(&ptr, "\n");
--
2.39.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH AUTOSEL 5.10 06/27] wifi: ath11k: debugfs: fix to work with multiple PCI devices
2023-02-26 14:49 [PATCH AUTOSEL 5.10 01/27] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 02/27] wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() Sasha Levin
@ 2023-02-26 14:49 ` Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 10/27] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-02-26 14:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kalle Valo, Robert Marko, Sasha Levin, kvalo, davem, edumazet,
kuba, pabeni, ath11k, linux-wireless, netdev
From: Kalle Valo <quic_kvalo@quicinc.com>
[ Upstream commit 323d91d4684d238f6bc3693fed93caf795378fe0 ]
ath11k fails to load if there are multiple ath11k PCI devices with same name:
ath11k_pci 0000:01:00.0: Hardware name qcn9074 hw1.0
debugfs: Directory 'ath11k' with parent '/' already present!
ath11k_pci 0000:01:00.0: failed to create ath11k debugfs
ath11k_pci 0000:01:00.0: failed to create soc core: -17
ath11k_pci 0000:01:00.0: failed to init core: -17
ath11k_pci: probe of 0000:01:00.0 failed with error -17
Fix this by creating a directory for each ath11k device using schema
<bus>-<devname>, for example "pci-0000:06:00.0". This directory created under
the top-level ath11k directory, for example /sys/kernel/debug/ath11k.
The reference to the toplevel ath11k directory is not stored anymore within ath11k, instead
it's retrieved using debugfs_lookup(). If the directory does not exist it will
be created. After the last directory from the ath11k directory is removed, for
example when doing rmmod ath11k, the empty ath11k directory is left in place,
it's a minor cosmetic issue anyway.
Here's an example hierarchy with one WCN6855:
ath11k
`-- pci-0000:06:00.0
|-- mac0
| |-- dfs_block_radar_events
| |-- dfs_simulate_radar
| |-- ext_rx_stats
| |-- ext_tx_stats
| |-- fw_dbglog_config
| |-- fw_stats
| | |-- beacon_stats
| | |-- pdev_stats
| | `-- vdev_stats
| |-- htt_stats
| |-- htt_stats_reset
| |-- htt_stats_type
| `-- pktlog_filter
|-- simulate_fw_crash
`-- soc_dp_stats
I didn't have a test setup where I could connect multiple ath11k devices to the
same the host, so I have only tested this with one device.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.9
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
Tested-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221220121231.20120-1-kvalo@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/core.h | 1 -
drivers/net/wireless/ath/ath11k/debugfs.c | 48 +++++++++++++++++++----
2 files changed, 40 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index d2f2898d17b49..a66e275af1eb4 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -712,7 +712,6 @@ struct ath11k_base {
enum ath11k_dfs_region dfs_region;
#ifdef CONFIG_ATH11K_DEBUGFS
struct dentry *debugfs_soc;
- struct dentry *debugfs_ath11k;
#endif
struct ath11k_soc_dp_stats soc_stats;
diff --git a/drivers/net/wireless/ath/ath11k/debugfs.c b/drivers/net/wireless/ath/ath11k/debugfs.c
index 1b914e67d314d..196314ab4ff0b 100644
--- a/drivers/net/wireless/ath/ath11k/debugfs.c
+++ b/drivers/net/wireless/ath/ath11k/debugfs.c
@@ -836,10 +836,6 @@ int ath11k_debugfs_pdev_create(struct ath11k_base *ab)
if (test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags))
return 0;
- ab->debugfs_soc = debugfs_create_dir(ab->hw_params.name, ab->debugfs_ath11k);
- if (IS_ERR(ab->debugfs_soc))
- return PTR_ERR(ab->debugfs_soc);
-
debugfs_create_file("simulate_fw_crash", 0600, ab->debugfs_soc, ab,
&fops_simulate_fw_crash);
@@ -857,15 +853,51 @@ void ath11k_debugfs_pdev_destroy(struct ath11k_base *ab)
int ath11k_debugfs_soc_create(struct ath11k_base *ab)
{
- ab->debugfs_ath11k = debugfs_create_dir("ath11k", NULL);
+ struct dentry *root;
+ bool dput_needed;
+ char name[64];
+ int ret;
+
+ root = debugfs_lookup("ath11k", NULL);
+ if (!root) {
+ root = debugfs_create_dir("ath11k", NULL);
+ if (IS_ERR_OR_NULL(root))
+ return PTR_ERR(root);
+
+ dput_needed = false;
+ } else {
+ /* a dentry from lookup() needs dput() after we don't use it */
+ dput_needed = true;
+ }
+
+ scnprintf(name, sizeof(name), "%s-%s", ath11k_bus_str(ab->hif.bus),
+ dev_name(ab->dev));
+
+ ab->debugfs_soc = debugfs_create_dir(name, root);
+ if (IS_ERR_OR_NULL(ab->debugfs_soc)) {
+ ret = PTR_ERR(ab->debugfs_soc);
+ goto out;
+ }
+
+ ret = 0;
- return PTR_ERR_OR_ZERO(ab->debugfs_ath11k);
+out:
+ if (dput_needed)
+ dput(root);
+
+ return ret;
}
void ath11k_debugfs_soc_destroy(struct ath11k_base *ab)
{
- debugfs_remove_recursive(ab->debugfs_ath11k);
- ab->debugfs_ath11k = NULL;
+ debugfs_remove_recursive(ab->debugfs_soc);
+ ab->debugfs_soc = NULL;
+
+ /* We are not removing ath11k directory on purpose, even if it
+ * would be empty. This simplifies the directory handling and it's
+ * a minor cosmetic issue to leave an empty ath11k directory to
+ * debugfs.
+ */
}
void ath11k_debugfs_fw_stats_init(struct ath11k *ar)
--
2.39.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH AUTOSEL 5.10 10/27] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds
2023-02-26 14:49 [PATCH AUTOSEL 5.10 01/27] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 02/27] wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 06/27] wifi: ath11k: debugfs: fix to work with multiple PCI devices Sasha Levin
@ 2023-02-26 14:49 ` Sasha Levin
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 11/27] wifi: mt7601u: fix an integer underflow Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 20/27] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-02-26 14:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jisoo Jang, Arend van Spriel, Kalle Valo, Sasha Levin, aspriel,
franky.lin, hante.meuleman, davem, edumazet, kuba, pabeni,
keescook, hdegoede, gustavoars, wsa+renesas, marcan, pavel,
linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list,
netdev
From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
[ Upstream commit 660145d708be52f946a82e5b633c020f58f996de ]
Fix a stack-out-of-bounds read in brcmfmac that occurs
when 'buf' that is not null-terminated is passed as an argument of
strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with
a CLM version string by memcpy() in brcmf_fil_iovar_data_get().
Ensure buf is null-terminated.
Found by a modified version of syzkaller.
[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
[ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22
[ 33.021554][ T1896] ==================================================================
[ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110
[ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896
[ 33.023852][ T1896]
[ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
[ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event
[ 33.026581][ T1896] Call Trace:
[ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d
[ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334
[ 33.028037][ T1896] ? strreplace+0xf2/0x110
[ 33.028403][ T1896] ? strreplace+0xf2/0x110
[ 33.028807][ T1896] kasan_report.cold+0x83/0xdf
[ 33.029283][ T1896] ? strreplace+0xf2/0x110
[ 33.029666][ T1896] strreplace+0xf2/0x110
[ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40
[ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100
[ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0
[ 33.032091][ T1896] ? find_held_lock+0x2d/0x110
[ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260
[ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0
[ 33.033582][ T1896] brcmf_attach+0x246/0xd40
[ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50
[ 33.034383][ T1896] ? kmemdup+0x30/0x40
[ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690
[ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
[ 33.035833][ T1896] usb_probe_interface+0x25f/0x710
[ 33.036315][ T1896] really_probe+0x1be/0xa90
[ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460
[ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0
[ 33.037383][ T1896] driver_probe_device+0x49/0x120
[ 33.037790][ T1896] __device_attach_driver+0x18a/0x250
[ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120
[ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0
[ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20
[ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120
[ 33.042330][ T1896] __device_attach+0x207/0x330
[ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0
[ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0
[ 33.043515][ T1896] bus_probe_device+0x1a2/0x260
[ 33.043914][ T1896] device_add+0xa61/0x1ce0
[ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660
[ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550
[ 33.045531][ T1896] usb_set_configuration+0x984/0x1770
[ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230
[ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90
[ 33.046931][ T1896] usb_probe_device+0x9c/0x220
[ 33.047434][ T1896] really_probe+0x1be/0xa90
[ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460
[ 33.048134][ T1896] driver_probe_device+0x49/0x120
[ 33.048516][ T1896] __device_attach_driver+0x18a/0x250
[ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120
[ 33.049437][ T1896] bus_for_each_drv+0x123/0x1a0
[ 33.049814][ T1896] ? bus_rescan_devices+0x20/0x20
[ 33.050164][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 33.050579][ T1896] ? trace_hardirqs_on+0x1c/0x120
[ 33.050936][ T1896] __device_attach+0x207/0x330
[ 33.051399][ T1896] ? device_bind_driver+0xb0/0xb0
[ 33.051888][ T1896] ? kobject_uevent_env+0x230/0x12c0
[ 33.052314][ T1896] bus_probe_device+0x1a2/0x260
[ 33.052688][ T1896] device_add+0xa61/0x1ce0
[ 33.053121][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550
[ 33.053568][ T1896] usb_new_device.cold+0x463/0xf66
[ 33.053953][ T1896] ? hub_disconnect+0x400/0x400
[ 33.054313][ T1896] ? rwlock_bug.part.0+0x90/0x90
[ 33.054661][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 33.055094][ T1896] hub_event+0x10d5/0x3330
[ 33.055530][ T1896] ? hub_port_debounce+0x280/0x280
[ 33.055934][ T1896] ? __lock_acquire+0x1671/0x5790
[ 33.056387][ T1896] ? wq_calc_node_cpumask+0x170/0x2a0
[ 33.056924][ T1896] ? lock_release+0x640/0x640
[ 33.057383][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 33.057916][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 33.058402][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 33.059019][ T1896] process_one_work+0x873/0x13e0
[ 33.059488][ T1896] ? lock_release+0x640/0x640
[ 33.059932][ T1896] ? pwq_dec_nr_in_flight+0x320/0x320
[ 33.060446][ T1896] ? rwlock_bug.part.0+0x90/0x90
[ 33.060898][ T1896] worker_thread+0x8b/0xd10
[ 33.061348][ T1896] ? __kthread_parkme+0xd9/0x1d0
[ 33.061810][ T1896] ? process_one_work+0x13e0/0x13e0
[ 33.062288][ T1896] kthread+0x379/0x450
[ 33.062660][ T1896] ? _raw_spin_unlock_irq+0x24/0x30
[ 33.063148][ T1896] ? set_kthread_struct+0x100/0x100
[ 33.063606][ T1896] ret_from_fork+0x1f/0x30
[ 33.064070][ T1896]
[ 33.064313][ T1896]
[ 33.064545][ T1896] addr ffffc90001d6efc8 is located in stack of task kworker/0:2/1896 at offset 512 in frame:
[ 33.065478][ T1896] brcmf_c_preinit_dcmds+0x0/0xc40
[ 33.065973][ T1896]
[ 33.066191][ T1896] this frame has 4 objects:
[ 33.066614][ T1896] [48, 56) 'ptr'
[ 33.066618][ T1896] [80, 148) 'revinfo'
[ 33.066957][ T1896] [192, 210) 'eventmask'
[ 33.067338][ T1896] [256, 512) 'buf'
[ 33.067742][ T1896]
[ 33.068304][ T1896] Memory state around the buggy address:
[ 33.068838][ T1896] ffffc90001d6ee80: f2 00 00 02 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[ 33.069545][ T1896] ffffc90001d6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.070626][ T1896] >ffffc90001d6ef80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
[ 33.072052][ T1896] ^
[ 33.073043][ T1896] ffffc90001d6f000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.074230][ T1896] ffffc90001d6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.074914][ T1896] ==================================================================
[ 33.075713][ T1896] Disabling lock debugging due to kernel taint
Reviewed-by: Arend van Spriel<arend.vanspriel@broadcom.com>
Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221230075139.56591-1-jisoo.jang@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
index 57bb1fbedaa87..f29de630908d7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
@@ -281,15 +281,17 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp)
if (err) {
brcmf_dbg(TRACE, "retrieving clmver failed, %d\n", err);
} else {
+ buf[sizeof(buf) - 1] = '\0';
clmver = (char *)buf;
- /* store CLM version for adding it to revinfo debugfs file */
- memcpy(ifp->drvr->clmver, clmver, sizeof(ifp->drvr->clmver));
/* Replace all newline/linefeed characters with space
* character
*/
strreplace(clmver, '\n', ' ');
+ /* store CLM version for adding it to revinfo debugfs file */
+ memcpy(ifp->drvr->clmver, clmver, sizeof(ifp->drvr->clmver));
+
brcmf_dbg(INFO, "CLM version = %s\n", clmver);
}
--
2.39.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH AUTOSEL 5.10 11/27] wifi: mt7601u: fix an integer underflow
2023-02-26 14:49 [PATCH AUTOSEL 5.10 01/27] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Sasha Levin
` (2 preceding siblings ...)
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 10/27] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds Sasha Levin
@ 2023-02-26 14:49 ` Sasha Levin
2023-02-26 14:50 ` [PATCH AUTOSEL 5.10 20/27] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-02-26 14:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jisoo Jang, Jakub Kicinski, Kalle Valo, Sasha Levin, davem,
edumazet, pabeni, matthias.bgg, linux-wireless, netdev,
linux-arm-kernel, linux-mediatek
From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
[ Upstream commit 803f3176c5df3b5582c27ea690f204abb60b19b9 ]
Fix an integer underflow that leads to a null pointer dereference in
'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
could be manipulated, which could trigger an integer underflow of
'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
bypassed, eventually leading to a dereference of the pointer 'p', which
is a null pointer.
Ensure that 'dma_len' is greater than 'min_seg_len'.
Found by a modified version of syzkaller.
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+
#139
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
mt7601u_rx_tasklet+0xc73/0x1270
? mt7601u_submit_rx_buf.isra.0+0x510/0x510
? tasklet_action_common.isra.0+0x79/0x2f0
tasklet_action_common.isra.0+0x206/0x2f0
__do_softirq+0x1b5/0x880
? tasklet_unlock+0x30/0x30
run_ksoftirqd+0x26/0x50
smpboot_thread_fn+0x34f/0x7d0
? smpboot_register_percpu_thread+0x370/0x370
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
Modules linked in: 88XXau(O) 88x2bu(O)
---[ end trace 57f34f93b4da0f9b ]---
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44
89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88811a800000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221229092906.2328282-1-jisoo.jang@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt7601u/dma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
index 11071519fce81..8ba291abecff8 100644
--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
+++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
@@ -118,7 +118,8 @@ static u16 mt7601u_rx_next_seg_len(u8 *data, u32 data_len)
if (data_len < min_seg_len ||
WARN_ON_ONCE(!dma_len) ||
WARN_ON_ONCE(dma_len + MT_DMA_HDRS > data_len) ||
- WARN_ON_ONCE(dma_len & 0x3))
+ WARN_ON_ONCE(dma_len & 0x3) ||
+ WARN_ON_ONCE(dma_len < min_seg_len))
return 0;
return MT_DMA_HDRS + dma_len;
--
2.39.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH AUTOSEL 5.10 20/27] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup
2023-02-26 14:49 [PATCH AUTOSEL 5.10 01/27] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Sasha Levin
` (3 preceding siblings ...)
2023-02-26 14:49 ` [PATCH AUTOSEL 5.10 11/27] wifi: mt7601u: fix an integer underflow Sasha Levin
@ 2023-02-26 14:50 ` Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-02-26 14:50 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lorenzo Bianconi, Felix Fietkau, Sasha Levin, ryder.lee, kvalo,
davem, edumazet, kuba, pabeni, matthias.bgg, linux-wireless,
netdev, linux-arm-kernel, linux-mediatek
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 1b88b47e898edef0e56e3a2f4e49f052a136153d ]
Free rx_head skb in mt76_dma_rx_cleanup routine in order to avoid
possible memory leak at module unload.
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/dma.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index f01b455783b23..7991705e9d134 100644
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -476,6 +476,7 @@ mt76_dma_rx_cleanup(struct mt76_dev *dev, struct mt76_queue *q)
bool more;
spin_lock_bh(&q->lock);
+
do {
buf = mt76_dma_dequeue(dev, q, true, NULL, NULL, &more);
if (!buf)
@@ -483,6 +484,12 @@ mt76_dma_rx_cleanup(struct mt76_dev *dev, struct mt76_queue *q)
skb_free_frag(buf);
} while (1);
+
+ if (q->rx_head) {
+ dev_kfree_skb(q->rx_head);
+ q->rx_head = NULL;
+ }
+
spin_unlock_bh(&q->lock);
if (!q->rx_page.va)
@@ -505,12 +512,6 @@ mt76_dma_rx_reset(struct mt76_dev *dev, enum mt76_rxq_id qid)
mt76_dma_rx_cleanup(dev, q);
mt76_dma_sync_idx(dev, q);
mt76_dma_rx_fill(dev, q);
-
- if (!q->rx_head)
- return;
-
- dev_kfree_skb(q->rx_head);
- q->rx_head = NULL;
}
static void
--
2.39.0
^ permalink raw reply related [flat|nested] 6+ messages in thread