Syzbot reports [1] a warning in usb_submit_urb() triggered by
inconsistencies between expected and actually present endpoints
in gl620a driver. Since genelink_bind() does not properly
verify whether the specified endpoints are in fact provided by the
device (in this case, an artificially manufactured one), a
mismatch may occur.
Fix the issue by resorting to a usbnet utility function
usbnet_get_endpoints(), usually reserved for this very problem.
Check for endpoints and return early before proceeding further if
any are missing.
[1] Syzbot report:
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...
------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
...
Call Trace:
<TASK>
usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_resolve_output net/core/neighbour.c:1514 [inline]
neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
neigh_output include/net/neighbour.h:539 [inline]
ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
mld_send_cr net/ipv6/mcast.c:2120 [inline]
mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Reported-by: syzbot+d693c07c6f647e0388d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d693c07c6f647e0388d3
Fixes: 47ee3051c8
("[PATCH] USB: usbnet (5/9) module for genesys gl620a cables")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250224172919.1220522-1-n.zhandarovich@fintech.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* GeneSys GL620USB-A based links
|
|
* Copyright (C) 2001 by Jiun-Jie Huang <huangjj@genesyslogic.com.tw>
|
|
* Copyright (C) 2001 by Stanislav Brabec <utx@penguin.cz>
|
|
*/
|
|
|
|
// #define DEBUG // error path messages, extra info
|
|
// #define VERBOSE // more; success messages
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/etherdevice.h>
|
|
#include <linux/ethtool.h>
|
|
#include <linux/workqueue.h>
|
|
#include <linux/mii.h>
|
|
#include <linux/usb.h>
|
|
#include <linux/usb/usbnet.h>
|
|
#include <linux/gfp.h>
|
|
|
|
|
|
/*
|
|
* GeneSys GL620USB-A (www.genesyslogic.com.tw)
|
|
*
|
|
* ... should partially interop with the Win32 driver for this hardware.
|
|
* The GeneSys docs imply there's some NDIS issue motivating this framing.
|
|
*
|
|
* Some info from GeneSys:
|
|
* - GL620USB-A is full duplex; GL620USB is only half duplex for bulk.
|
|
* (Some cables, like the BAFO-100c, use the half duplex version.)
|
|
* - For the full duplex model, the low bit of the version code says
|
|
* which side is which ("left/right").
|
|
* - For the half duplex type, a control/interrupt handshake settles
|
|
* the transfer direction. (That's disabled here, partially coded.)
|
|
* A control URB would block until other side writes an interrupt.
|
|
*
|
|
* Original code from Jiun-Jie Huang <huangjj@genesyslogic.com.tw>
|
|
* and merged into "usbnet" by Stanislav Brabec <utx@penguin.cz>.
|
|
*/
|
|
|
|
/*
 * Protocol constants.
 *
 * The first four belong to the half-duplex control/interrupt handshake
 * that the header comment describes as disabled; none of them is
 * referenced anywhere else in this file as shown.
 */
// control msg write command
#define GENELINK_CONNECT_WRITE 0xF0
// interrupt pipe index
#define GENELINK_INTERRUPT_PIPE 0x03
// interrupt read buffer size
#define INTERRUPT_BUFSIZE 0x08
// interrupt pipe interval value
#define GENELINK_INTERRUPT_INTERVAL 0x10
// max transmit packet number per transmit (upper bound genelink_rx_fixup()
// accepts for the device-supplied packet_count)
#define GL_MAX_TRANSMIT_PACKETS 32
// max packet length (upper bound for every device-supplied packet_length)
#define GL_MAX_PACKET_LEN 1514
// max receive buffer size: a 4-byte packet_count followed by up to
// GL_MAX_TRANSMIT_PACKETS packets of (4-byte length + GL_MAX_PACKET_LEN);
// genelink_bind() installs this as dev->hard_mtu
#define GL_RCV_BUF_SIZE \
	(((GL_MAX_PACKET_LEN + 4) * GL_MAX_TRANSMIT_PACKETS) + 4)
|
|
|
|
/*
 * One framed packet inside a GeneLink transfer: a little-endian length
 * followed by that many payload bytes.  Consecutive packets are packed
 * back to back with no alignment padding, so genelink_rx_fixup() steps
 * from one to the next with &packet_data[packet_length].
 */
struct gl_packet {
	__le32 packet_length;	/* payload bytes that follow; rx rejects > GL_MAX_PACKET_LEN */
	char packet_data[];	/* payload, flexible array member */
};
|
|
|
|
/*
 * Header at the start of every transfer: the number of packets in it,
 * followed immediately by the first struct gl_packet.
 *
 * NOTE(review): embedding a struct whose last member is a flexible array
 * (gl_packet) inside another struct is a GCC extension rather than strict
 * C11.  Here it only serves to name the first packet (&header->packets);
 * sizeof(struct gl_header) is not used anywhere in this file.
 */
struct gl_header {
	__le32 packet_count;	/* packets in the transfer; rx accepts at most GL_MAX_TRANSMIT_PACKETS, tx always writes 1 */
	struct gl_packet packets;	/* first packet; the others follow it in memory */
};
|
|
|
|
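/*
 * genelink_rx_fixup - split one received URB into its framed packets.
 * @dev: usbnet device the URB belongs to
 * @skb: receive buffer; on success it is trimmed down to the last packet
 *
 * Wire format (see struct gl_header): a 4-byte little-endian packet count,
 * then that many packets, each a 4-byte little-endian length followed by
 * the payload.  The first count-1 packets are copied into fresh skbs and
 * handed to usbnet_skb_return(); the last one is left in @skb.  A count of
 * 0 or 1 therefore means "everything after the count is one packet".  If
 * alloc_skb() fails for one packet, that packet is skipped and parsing
 * continues with the next.
 *
 * Both the count and every length come from the device and are untrusted:
 * each is checked against GL_MAX_* and against the data actually present
 * in @skb before it is used to copy or to advance the cursor.
 *
 * Return: 0 to have @skb dropped, 1 when @skb holds a packet for usbnet to
 * deliver (usbnet's rx_fixup convention; not visible in this file).
 */
static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
{
	struct gl_header *header;
	struct gl_packet *packet;
	struct sk_buff *gl_skb;
	u32 size;
	u32 count;

	/* This check is no longer done by usbnet */
	if (skb->len < dev->net->hard_header_len)
		return 0;

	header = (struct gl_header *) skb->data;

	/* get the packet count of the received skb */
	count = le32_to_cpu(header->packet_count);
	if (count > GL_MAX_TRANSMIT_PACKETS) {
		netdev_dbg(dev->net,
			"genelink: invalid received packet count %u\n",
			count);
		return 0;
	}

	/* set the current packet pointer to the first packet */
	packet = &header->packets;

	/*
	 * Drop the 4-byte count.  From here on @packet and skb->data move in
	 * lockstep, so skb->len is exactly the number of bytes that may be
	 * read through @packet.
	 */
	skb_pull(skb, 4);

	while (count > 1) {
		/* The 4-byte length field itself must fit before reading it. */
		if (skb->len < 4) {
			netdev_dbg(dev->net, "genelink: invalid rx length %d\n",
				skb->len);
			return 0;
		}

		/*
		 * NOTE(review): nothing re-aligns @packet to 4 bytes once an
		 * odd-sized payload has been skipped; this load relies on the
		 * architecture tolerating an unaligned __le32 access.
		 */
		size = le32_to_cpu(packet->packet_length);

		/*
		 * Reject a length larger than one frame and -- checked second,
		 * so size + 4 cannot wrap -- one claiming more payload than the
		 * URB delivered.  The copy and the advance below must stay
		 * inside the received data.
		 */
		if (size > GL_MAX_PACKET_LEN || size + 4 > skb->len) {
			netdev_dbg(dev->net, "genelink: invalid rx length %d\n",
				size);
			return 0;
		}

		/* allocate the skb for the individual packet */
		gl_skb = alloc_skb(size, GFP_ATOMIC);
		if (gl_skb) {
			/* copy the packet data to the new skb */
			skb_put_data(gl_skb, packet->packet_data, size);
			usbnet_skb_return(dev, gl_skb);
		}

		/* advance to the next packet */
		packet = (struct gl_packet *)&packet->packet_data[size];
		count--;

		/* shift the data pointer to the next gl_packet; in bounds by the check above */
		skb_pull(skb, size + 4);
	}

	/*
	 * The last packet stays in @skb: its 4-byte length field must be
	 * present, and what remains after it is bounded like the others.
	 */
	if (skb->len < 4) {
		netdev_dbg(dev->net, "genelink: invalid rx length %d\n",
			skb->len);
		return 0;
	}
	skb_pull(skb, 4);

	if (skb->len > GL_MAX_PACKET_LEN) {
		netdev_dbg(dev->net, "genelink: invalid rx length %d\n",
			skb->len);
		return 0;
	}
	return 1;
}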
|
|
|
|
/*
 * genelink_tx_fixup - prepend the GeneLink framing to an outgoing skb.
 * @dev: usbnet device; only dev->maxpacket is read here
 * @skb: frame to send; freed and replaced if it has to be reallocated
 * @flags: allocation flags for the fallback copy
 *
 * Every transmit URB carries exactly one packet: an 8-byte header made of
 * a 4-byte little-endian packet count (always 1) and a 4-byte little-endian
 * payload length, followed by the original frame.  The "4 + 4*1" that
 * recurs below is that count field plus 1 * one length field.
 *
 * Return: the skb to submit, or NULL if the copy needed to make room for
 * the header failed (the original @skb has already been freed then).
 */
static struct sk_buff *
genelink_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
{
	int padlen;
	int length = skb->len;		/* payload length, captured before the header is pushed */
	int headroom = skb_headroom(skb);
	int tailroom = skb_tailroom(skb);
	__le32 *packet_count;
	__le32 *packet_len;

	// FIXME: magic numbers, bleech
	/*
	 * Reserve one trailing pad byte when the framed length would be a
	 * multiple of 64.  NOTE(review): the decision that actually adds the
	 * byte at the end of this function uses dev->maxpacket, not 64; the
	 * two only agree when maxpacket is 64.
	 */
	padlen = ((skb->len + (4 + 4*1)) % 64) ? 0 : 1;

	if ((!skb_cloned(skb))
		&& ((headroom + tailroom) >= (padlen + (4 + 4*1)))) {
		/*
		 * The buffer has enough room in total; if it is in the wrong
		 * place, slide the payload so 8 bytes of header fit in front
		 * and padlen bytes fit behind.
		 */
		if ((headroom < (4 + 4*1)) || (tailroom < padlen)) {
			skb->data = memmove(skb->head + (4 + 4*1),
				skb->data, skb->len);
			skb_set_tail_pointer(skb, skb->len);
		}
	} else {
		/* Cloned or too small: take a private copy with the room added. */
		struct sk_buff *skb2;
		skb2 = skb_copy_expand(skb, (4 + 4*1) , padlen, flags);
		dev_kfree_skb_any(skb);
		skb = skb2;
		if (!skb)
			return NULL;
	}

	// attach the packet count to the header
	packet_count = skb_push(skb, (4 + 4 * 1));
	packet_len = packet_count + 1;	/* length field directly follows the count */

	*packet_count = cpu_to_le32(1);
	*packet_len = cpu_to_le32(length);

	/*
	 * add padding byte -- presumably so the transfer is never an exact
	 * multiple of the endpoint's max packet size; TODO confirm against
	 * the receiving side of the protocol.
	 */
	if ((skb->len % dev->maxpacket) == 0)
		skb_put(skb, 1);

	return skb;
}
|
|
|
|
/*
 * genelink_bind - per-device setup that usbnet runs while probing.
 * @dev: usbnet device being bound
 * @intf: USB interface it was probed on
 *
 * Sizes the receive side for a full GeneLink transfer and reserves room for
 * the framing, then asks usbnet to locate the bulk endpoints on the actual
 * interface.  Doing that lookup here means a device that does not provide
 * the expected endpoints fails to bind instead of reaching usb_submit_urb()
 * with a bogus pipe later.
 *
 * Return: the result of usbnet_get_endpoints() (0 on success by usbnet
 * convention).
 */
static int genelink_bind(struct usbnet *dev, struct usb_interface *intf)
{
	int status;

	/* Largest transfer the device may deliver; see GL_RCV_BUF_SIZE. */
	dev->hard_mtu = GL_RCV_BUF_SIZE;
	/* The 4-byte packet_count in front of every received transfer. */
	dev->net->hard_header_len += 4;

	status = usbnet_get_endpoints(dev, intf);
	return status;
}
|
|
|
|
/*
 * usbnet description of the GeneLink cable: framing callbacks, bind hook
 * and the endpoint numbers the cable is expected to expose.
 */
static const struct driver_info genelink_info = {
	.description = "Genesys GeneLink",
	.flags = FLAG_POINTTOPOINT | FLAG_FRAMING_GL | FLAG_NO_SETINT,
	.bind = genelink_bind,
	.rx_fixup = genelink_rx_fixup,
	.tx_fixup = genelink_tx_fixup,

	/*
	 * Fixed bulk endpoint numbers (IN 1, OUT 2).  genelink_bind() now
	 * also runs usbnet_get_endpoints() so a device that lacks them is
	 * rejected at bind time rather than at usb_submit_urb().
	 * NOTE(review): how usbnet_probe() combines these numbers with the
	 * result of bind() is not visible in this file -- confirm it does
	 * not re-derive the pipes from these values and undo that check.
	 */
	.in = 1, .out = 2,

	/*
	 * Half-duplex handshake hook; neither GENELINK_ACK nor
	 * genelink_check_connect is defined in this file as shown, so this
	 * initializer is compiled out.
	 */
#ifdef GENELINK_ACK
	.check_connect =genelink_check_connect,
#endif
};
|
|
|
|
/*
 * USB IDs this driver claims; only the full-duplex GL620USB-A.  Each entry
 * points usbnet at genelink_info through driver_info.
 */
static const struct usb_device_id products [] = {

{
	USB_DEVICE(0x05e3, 0x0502), // GL620USB-A
	.driver_info = (unsigned long) &genelink_info,
},
/* NOT: USB_DEVICE(0x05e3, 0x0501), // GL620USB
 * that's half duplex, not currently supported
 */
	{ }, // END
};
/* Exposes the table for module autoloading on hotplug. */
MODULE_DEVICE_TABLE(usb, products);
|
|
|
|
/*
 * USB driver registration.  All lifecycle entry points are usbnet's
 * generic ones; the GeneLink-specific behaviour comes from genelink_info,
 * reached via products[].driver_info.
 */
static struct usb_driver gl620a_driver = {
	.name = "gl620a",
	.id_table = products,
	.probe = usbnet_probe,
	.disconnect = usbnet_disconnect,
	.suspend = usbnet_suspend,
	.resume = usbnet_resume,
	.disable_hub_initiated_lpm = 1,
};

/* Generates module init/exit that register and deregister gl620a_driver. */
module_usb_driver(gl620a_driver);

MODULE_AUTHOR("Jiun-Jie Huang");
MODULE_DESCRIPTION("GL620-USB-A Host-to-Host Link cables");
MODULE_LICENSE("GPL");
|
|
|