mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-12 05:48:40 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/net/usb
History
Alan Stern 5e1627cb43 net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb 
The syzbot fuzzer identified a problem in the usbnet driver:

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
 __netdev_start_xmit include/linux/netdevice.h:4918 [inline]
 netdev_start_xmit include/linux/netdevice.h:4932 [inline]
 xmit_one net/core/dev.c:3578 [inline]
 dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
...

This bug is caused by the fact that usbnet trusts the bulk endpoint
addresses its probe routine receives in the driver_info structure, and
it does not check to see that these endpoints actually exist and have
the expected type and directions.

The fix is simply to add such a check.

Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/000000000000a56e9105d0cec021@google.com/
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/ea152b6d-44df-4f8a-95c6-4db51143dcc1@rowland.harvard.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-07-13 20:37:23 -07:00
..
aqc111.c net: move from strlcpy with unused retval to strscpy 2022-08-31 14:11:07 -07:00
aqc111.h
asix.h net: asix: ax88772: migrate to phylink 2022-08-26 10:00:52 +01:00
asix_common.c net: move from strlcpy with unused retval to strscpy 2022-08-31 14:11:07 -07:00
asix_devices.c net: asix: fix modprobe "sysfs: cannot create duplicate filename" 2023-03-22 22:04:04 -07:00
ax88172a.c
ax88179_178a.c Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" 2022-08-10 09:28:56 +01:00
catc.c net: move from strlcpy with unused retval to strscpy 2022-08-31 14:11:07 -07:00
cdc-phonet.c
cdc_eem.c cdc-eem: always use BIT 2022-07-01 13:39:03 +01:00
cdc_ether.c net: usb: cdc_ether: add u-blox 0x1313 composition. 2023-07-01 13:15:58 +01:00
cdc_mbim.c net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 2023-03-07 15:27:01 +01:00
cdc_ncm.c net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize 2023-05-18 19:56:17 -07:00
cdc_subset.c net: usb: delete extra space and tab in blank line 2022-07-28 21:48:20 -07:00
ch9200.c
cx82310_eth.c
dm9601.c
gl620a.c
hso.c tty: Make ->set_termios() old ktermios const 2022-08-30 14:22:35 +02:00
huawei_cdc_ncm.c
int51x1.c
ipheth.c usbnet: ipheth: add CDC NCM support 2023-06-09 10:26:57 +01:00
kalmia.c net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path 2023-02-13 09:41:14 +00:00
kaweth.c net: usb: delete extra space and tab in blank line 2022-07-28 21:48:20 -07:00
Kconfig usbnet: ipheth: update Kconfig description 2023-06-09 10:26:57 +01:00
lan78xx.c net: usb: lan78xx: Limit packet length to skb->len 2023-03-20 10:15:15 +00:00
lan78xx.h
lg-vl600.c
Makefile
mcs7830.c
net1080.c
pegasus.c net: move from strlcpy with unused retval to strscpy 2022-08-31 14:11:07 -07:00
pegasus.h
plusb.c usb: plusb: remove unused pl_clear_QuickLink_features function 2023-03-20 10:16:27 +00:00
qmi_wwan.c net: usb: qmi_wwan: add u-blox 0x1312 composition 2023-06-27 15:52:15 +02:00
r8152.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
r8153_ecm.c
rndis_host.c usb: rndis_host: Secure rndis_query check against int overflow 2023-01-03 09:24:41 +00:00
rtl8150.c net: move from strlcpy with unused retval to strscpy 2022-08-31 14:11:07 -07:00
sierra_net.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
smsc75xx.c net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull 2023-03-16 17:27:56 -07:00
smsc75xx.h
smsc95xx.c net: usb: smsc95xx: Limit packet length to skb->len 2023-03-17 21:58:26 -07:00
smsc95xx.h
sr9700.c net: usb: sr9700: Handle negative len 2023-01-17 11:50:42 +01:00
sr9700.h
sr9800.c
sr9800.h
usbnet.c net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb 2023-07-13 20:37:23 -07:00
zaurus.c