UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenCloudOS-Kernel/drivers/net
History
Qiujun Huang 2bbcaaee1f ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb 
In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
usb_ifnum_to_if(urb->dev, 0)
But it isn't always true.

The case reported by syzbot:
https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
usb 2-1: new high-speed USB device number 2 using dummy_hcd
usb 2-1: config 1 has an invalid interface number: 2 but max is 0
usb 2-1: config 1 has no interface number 0
usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
1.08
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
general protection fault, probably for non-canonical address
0xdffffc0000000015: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0

Call Trace
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829

Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
 		2020-04-07 07:57:26 +03:00
..
appletalk
arcnet
bonding Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
caif
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
dsa net: dsa: sja1105: configure the PTP_CLK pin as EXT_TS or PER_OUT 2020-03-23 22:15:07 -07:00
ethernet net: axienet: Allow DMA to beyond 4GB 2020-03-24 16:33:05 -07:00
fddi net: skfp: use new constant PCI_STATUS_ERROR_BITS 2020-03-04 14:21:00 -08:00
fjes Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
hamradio
hippi
hyperv net/ethtool: Introduce link_ksettings API for virtual network devices 2020-02-29 21:48:55 -08:00
ieee802154 net: ieee802154: ca8210: Use new structure for SPI transfer delays 2020-02-29 14:39:08 +01:00
ipa soc: qcom: ipa: kill IPA_RX_BUFFER_ORDER 2020-03-21 19:46:43 -07:00
ipvlan ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() 2020-03-09 18:32:03 -07:00
netdevsim devlink: Only pass packet trap group identifier in trap structure 2020-03-23 21:40:40 -07:00
phy net: phy: mscc: consolidate a common RGMII delay implementation 2020-03-24 16:36:37 -07:00
plip
ppp pptp: support sockets bound to an interface 2020-01-15 23:13:09 +01:00
slip Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
team team: add missing attribute validation for array index 2020-03-03 13:28:48 -08:00
usb cdc_ncm: Fix the build warning 2020-03-15 00:41:29 -07:00
vmxnet3 vmxnet3: let core reject the unsupported coalescing parameters 2020-03-06 22:45:55 -08:00
wan WAN: Replace zero-length array with flexible-array member 2020-02-27 12:06:55 -08:00
wimax
wireguard wireguard: socket: remove extra call to synchronize_net 2020-02-16 19:21:56 -08:00
wireless ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb 2020-04-07 07:57:26 +03:00
xen-netback net: xen-netback: hash.c: Use built-in RCU list checking 2020-01-17 10:57:22 +01:00
Kconfig soc: qcom: ipa: support build of IPA code 2020-03-08 22:07:10 -07:00
LICENSE.SRC
Makefile soc: qcom: ipa: support build of IPA code 2020-03-08 22:07:10 -07:00
Space.c
bareudp.c bareudp: Fixed bareudp receive handling 2020-03-11 22:54:27 -07:00
dummy.c net/dummy: Ditch driver and module versions 2020-02-24 11:23:36 -08:00
eql.c
geneve.c
gtp.c gtp: use icmp_ndo_send helper 2020-02-13 14:19:00 -08:00
ifb.c
loopback.c
macsec.c macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw) 2020-03-16 01:42:31 -07:00
macvlan.c macvlan: add cond_resched() during multicast processing 2020-03-09 18:02:19 -07:00
macvtap.c
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tun: reject unsupported coalescing params 2020-03-06 22:45:55 -08:00
veth.c veth: remove atomic64_add from veth_xdp_xmit hotpath 2020-03-19 21:24:59 -07:00
virtio_net.c virtio_net: reject unsupported coalescing params 2020-03-05 12:12:35 -08:00
vrf.c Remove DST_HOST 2020-03-23 21:57:44 -07:00
vsockmon.c
vxlan.c
xen-netfront.c