mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers
Nikita Zhandarovich 1cf9631d83 usbnet: gl620a: fix endpoint checking in genelink_bind()
Syzbot reports [1] a warning in usb_submit_urb() triggered by
inconsistencies between expected and actually present endpoints
in gl620a driver. Since genelink_bind() does not properly
verify whether specified eps are in fact provided by the device,
in this case, an artificially manufactured one, one may get a
mismatch.

Fix the issue by resorting to a usbnet utility function
usbnet_get_endpoints(), usually reserved for this very problem.
Check for endpoints and return early before proceeding further if
any are missing.

[1] Syzbot report:
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...
------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
...
Call Trace:
 <TASK>
 usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:3827 [inline]
 __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 neigh_resolve_output net/core/neighbour.c:1514 [inline]
 neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
 neigh_output include/net/neighbour.h:539 [inline]
 ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
 ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
 mld_send_cr net/ipv6/mcast.c:2120 [inline]
 mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Reported-by: syzbot+d693c07c6f647e0388d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d693c07c6f647e0388d3
Fixes: 47ee3051c8 ("[PATCH] USB: usbnet (5/9) module for genesys gl620a cables")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250224172919.1220522-1-n.zhandarovich@fintech.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2025-02-27 11:35:10 +01:00
..
accel A couple of fixes for ivpu to error handling, komeda for format 2025-02-07 14:47:25 +10:00
accessibility
acpi arm64 fixes for -rc3 2025-02-14 09:55:17 -08:00
amba
android Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
ata ata changes for 6.14 part2 2025-01-31 11:07:56 -08:00
atm
auxdisplay auxdisplay for v6.14-1 2025-01-24 08:03:52 -08:00
base Driver core api addition for 6.14-rc3 2025-02-16 12:54:42 -08:00
bcma
block block-6.14-20250207 2025-02-07 11:00:33 -08:00
bluetooth Bluetooth: Always allow SCO packets for user channel 2025-02-20 13:25:08 -05:00
bus genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
cache
cdrom treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
cdx
char treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
clk The various patchsets are summarized below. Plus of course many 2025-01-26 18:36:23 -08:00
clocksource
comedi
connector
counter
cpufreq amd-pstate fixes 2/6/25 2025-02-06 20:39:43 +01:00
cpuidle More power management updates for 6.14-rc1 2025-01-30 15:10:34 -08:00
crypto crypto: ccp: Add external API interface for PSP module initialization 2025-02-14 18:39:19 -05:00
cxl cxl changes for v6.14 2025-01-29 11:23:22 -08:00
dax
dca
devfreq Update devfreq next for v6.14 2025-01-13 20:48:34 +01:00
dio
dma tegra210-adma: fix 32-bit x86 build 2025-02-15 09:28:55 -08:00
dma-buf
dpll
edac - The first part of a restructuring of AMD's representation of a northbridge 2025-01-21 09:38:52 -08:00
eisa
extcon Update extcon next for v6.14 2025-01-12 13:44:27 +01:00
firewire Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
firmware EFI fixes for v6.14 #1 2025-02-14 13:56:04 -08:00
fpga
fsi
gnss
gpio gpiolib: Fix crash on error in gpiochip_get_ngpios() 2025-02-13 18:51:39 +01:00
gpu - Remove bo->clients out of bos_lock area (Tejas) 2025-02-14 12:15:59 +10:00
greybus
hid hid-for-linus-2025021001 2025-02-10 09:50:01 -08:00
hsi
hte
hv treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
hwmon Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
hwspinlock
hwtracing KVM/arm64 updates for 6.14 2025-01-28 09:01:36 -08:00
i2c Revert "i2c: Replace list-based mechanism for handling auto-detected clients" 2025-02-05 14:22:12 +01:00
i3c I3C for 6.14 2025-01-24 15:48:01 -08:00
idle Power management updates for 6.14-rc1 2025-01-22 11:16:14 -08:00
iio IIO: 2nd set of fixes for the 6.13 cycle. 2025-01-16 13:46:08 +01:00
infiniband Mainly individually changelogged singleton patches. The patch series in 2025-01-26 17:50:53 -08:00
input platform-drivers-x86 for v6.14-1 2025-01-24 07:18:39 -08:00
interconnect interconnect changes for 6.14 2025-01-16 14:01:40 +01:00
iommu ARM: 2025-02-16 10:25:12 -08:00
ipack
irqchip genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
isdn
leds Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
macintosh The various patchsets are summarized below. Plus of course many 2025-01-26 18:36:23 -08:00
mailbox mailbox: th1520: Fix memory corruption due to incorrect array size 2025-01-18 16:20:55 -06:00
mcb
md block-6.14-20250207 2025-02-07 11:00:33 -08:00
media [GIT PULL for v6.14] media updates 2025-02-01 09:15:01 -08:00
memory spi: Support DTR in spi-mem 2025-01-15 19:07:39 +01:00
memstick Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
message Merge branch '6.13/scsi-fixes' into 6.14/scsi-staging 2025-01-10 15:20:30 -05:00
mfd mfd: syscon: Restore device_node_to_regmap() for non-syscon nodes 2025-02-11 14:53:39 +00:00
misc treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
mmc mmc: mtk-sd: Fix register settings for hs400(es) mode 2025-02-03 13:34:50 +01:00
most
mtd block-6.14-20250131 2025-01-31 11:49:30 -08:00
mux
net usbnet: gl620a: fix endpoint checking in genelink_bind() 2025-02-27 11:35:10 +01:00
nfc nfc: mrvl: Don't use "proxy" headers 2025-01-18 17:10:05 -08:00
ntb PCI: Remove devres from pci_intx() 2025-01-18 14:38:49 -06:00
nubus
nvdimm
nvme nvme fixes for Linux 6.14 2025-02-03 09:19:03 -07:00
nvmem
of of: address: Add kunit test for __of_address_resource_bounds() 2025-02-02 20:59:04 -06:00
opp Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
parisc
parport
pci pci-v6.14-fixes-3 2025-02-14 16:49:07 -08:00
pcmcia
peci
perf treewide: const qualify ctl_tables where applicable 2025-01-28 13:48:37 +01:00
phy phy-for-6.14 2025-01-29 14:32:38 -08:00
pinctrl pinctrl: pinconf-generic: Print unsigned value if a format is registered 2025-02-06 10:13:15 +01:00
platform platform/x86: thinkpad_acpi: Fix registration of tpacpi platform driver 2025-02-12 13:49:37 +02:00
pmdomain pmdomain: airoha: Fix compilation error with Clang-20 and Thumb2 mode 2025-01-21 10:45:24 +01:00
pnp
power power supply and reset changes for the 6.14 series 2025-01-27 15:37:16 -08:00
powercap Merge branch 'pm-powercap' 2025-02-07 12:43:58 +01:00
pps
ps3
ptp ptp: vmclock: Remove goto-based cleanup logic 2025-02-11 10:20:52 +01:00
pwm Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
rapidio
ras
regulator regulator: core: let dt properties override driver init_data 2025-02-11 16:29:01 +00:00
remoteproc remoteproc: st: Use syscon_regmap_lookup_by_phandle_args 2025-01-15 10:04:27 -07:00
reset soc: driver updates for 6.14 2025-01-24 14:56:59 -08:00
rpmsg
rtc RTC for 6.13 2025-01-30 17:50:02 -08:00
s390 Smaller than usual with no fixes from any subtree. 2025-02-20 10:19:54 -08:00
sbus
scsi scsi: qla1280: Fix kernel oops when debug level > 2 2025-02-03 17:54:56 -05:00
sh
siox
slimbus Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
soc genirq: Remove leading space from irq_chip::irq_print_chip() callbacks 2025-02-07 08:56:01 +01:00
soundwire soundwire updates for 6.14 2025-01-29 14:38:19 -08:00
spi spi: sn-f-ospi: Fix division by zero 2025-02-06 11:33:51 +00:00
spmi spmi: hisi-spmi-controller: Drop duplicated OF node assignment in spmi_controller_probe() 2025-01-17 12:58:49 +01:00
ssb
staging Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
target Merge branch '6.14/scsi-queue' into 6.14/scsi-fixes 2025-02-03 16:28:51 -05:00
tc
tee
thermal thermal/cpufreq_cooling: Remove structure member documentation 2025-02-11 21:02:13 +01:00
thunderbolt Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
tty Serial driver fixes for 6.14-rc3 2025-02-16 12:50:44 -08:00
ufs scsi: ufs: core: Fix error return with query response 2025-02-03 17:34:24 -05:00
uio Char/Misc/IIO driver updates for 6.14-rc1 2025-01-27 16:51:51 -08:00
usb usb: typec: tcpm: PSSourceOffTimer timeout in PR_Swap enters ERROR_RECOVERY 2025-02-14 09:26:44 +01:00
vdpa virtio: features, fixes, cleanups 2025-01-27 15:26:06 -08:00
vfio VFIO updates for v6.14-rc1 2025-01-28 14:16:46 -08:00
vhost vhost/net: Set num_buffers for virtio 1.0 2025-01-27 09:39:25 -05:00
video fbdev fixes and updates for 6.14-rc1: 2025-01-24 11:32:13 -08:00
virt - A segmented Reverse Map table (RMP) is a across-nodes distributed 2025-01-21 09:00:31 -08:00
virtio virtio: features, fixes, cleanups 2025-01-27 15:26:06 -08:00
w1
watchdog linux-watchdog 6.14-rc1 tag 2025-01-25 16:19:10 -08:00
xen xen: branch for v6.14-rc3 2025-02-14 08:15:17 -08:00
zorro
Kconfig
Makefile