Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp174867imd; Wed, 31 Oct 2018 16:49:49 -0700 (PDT) X-Google-Smtp-Source: AJdET5fXSgu4lnLvxRfmYREkdHJGwN/puIIS+Xp/Ie+tFIceN0DG8HTKCBOqwe08ISkRJR4bW9Ji X-Received: by 2002:a17:902:b206:: with SMTP id t6-v6mr5505023plr.228.1541029789321; Wed, 31 Oct 2018 16:49:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541029789; cv=none; d=google.com; s=arc-20160816; b=muUzTL4cIvnsUInvIAKNrRt6YK83gBS0rMUCtq/VpMQ0QFF+DoBHGSaE2J7sZIJQKJ QLiEx6Tokr5LPySVc3u9Tp2/g/peIFtxCAvrq2pTKypRQFVJ/hVfMCsS+HP8QVvaXUZZ gL1OdRzNk0+snJ7LTbDXCpIKh3K6usqlDoTmN74h+eCrwuxuGxmsbWQPkR8hae9Ixm5z M4aJMPMcHOZuAUJIIqJ+ED+X4PEsdHNIcb3CRpPLPREaPw0ldWGiPsxqtAFDBm6wI8oG 1/9PpViayHopQWh8GEX2u78PL2I3/CyjXbVDYgPcJrNnUjS9pOOewCvyqJJbH3FdZ9Y7 uSkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=mr/VtEsao2+ZMPgjj7xMl+6uzsb4PXC4gnUXwkSH/J8=; b=XUe1J9al8PCTnmvHVUSEBmfhXIaCt1p4WFx6iCcs+EQ5yysnKImgNNge5gxmtH8Qz/ n6GRMRVPbG7IZrpCpMix8lxRBdy+7/xvWNFgUEoeBKxYkYcwUp/u6X6JD3ypVlpuknxp YvlIaD68a8V3fal6RPfWdk4cHq+I/DaCMOMVZghQXBBDHi6qqHMdO0l6/NKreU+5JoLO 5+kf57/qIKfzOvVdDqv0nJS08LSzlE/chon/lRXhUe5Ws3B5gAgOTgzVVOrdebbFZIrC G94JXYLJrSJ1zYXZzoov7+5UkHZ+g7VG44cyBde4WNKfZSEuQEwJS/ZnDUNW0GCkYymu ginw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=eJyqRfo1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g38-v6si24681780pgl.248.2018.10.31.16.49.34; Wed, 31 Oct 2018 16:49:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=eJyqRfo1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728529AbeKAIHC (ORCPT + 99 others); Thu, 1 Nov 2018 04:07:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:54416 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728478AbeKAIHB (ORCPT ); Thu, 1 Nov 2018 04:07:01 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 148B220848; Wed, 31 Oct 2018 23:06:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541027210; bh=E2OMCKMfVhRIKtFxynpOnneKF+5vqYFrnG9sD+0tH1Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eJyqRfo1repqradKMME75KEcCp3+W0zX1oeYVzDhCu7pTw+6CwOMNniQdQsNp4G4q +uQCXyr/KoeccRrZF0wxw49cUv0H42Sey47SDF/iMwDrByL+W659e47YF4cD9ceQ11 RBB4vDmyCL+5jBEDVVr7Zc54f/ebZ6EY2+EwmeM4= From: Sasha Levin To: stable@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Siva Rebbagondla , Kalle Valo , Sasha Levin Subject: [PATCH AUTOSEL 4.19 074/146] rsi: fix memory alignment issue in ARM32 platforms Date: Wed, 31 Oct 2018 19:04:29 -0400 Message-Id: <20181031230541.28822-74-sashal@kernel.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181031230541.28822-1-sashal@kernel.org> References: <20181031230541.28822-1-sashal@kernel.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Siva Rebbagondla [ Upstream commit baa8caf4ab7af2d9e84b566b99fe919a4e9e7562 ] During testing in ARM32 platforms, observed below kernel panic, as driver accessing data beyond the allocated memory while submitting URB to USB. Fix: Resolved this by specifying correct length by considering 64 bit alignment. so that, USB bus driver will access only allocated memory. Unit-test: Tested and confirm that driver bring up and scanning, connection and data transfer works fine with this fix. ...skipping... [ 25.389450] Unable to handle kernel paging request at virtual address 5aa11422 [ 25.403078] Internal error: Oops: 5 [#1] SMP ARM [ 25.407703] Modules linked in: rsi_usb [ 25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1 [ 25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 25.425764] PC is at skb_release_data+0x90/0x168 [ 25.430393] LR is at skb_release_all+0x28/0x2c [ 25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e [ 25.464633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval)) [ 25.483709] Stack: (0xedf69ed8 to 0xedf6a000) [ 25.569907] Backtrace: [ 25.572368] [<80743520>] (skb_release_data) from [<80742ba0>] (skb_release_all+0x28/0x2c) [ 25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0 r5:eddab000 r4:eddbb840 [ 25.588308] [<80742b78>] (skb_release_all) from [<807432cc>] (consume_skb+0x30/0x50) [ 25.596055] r5:eddab000 r4:eddbb840 [ 25.599648] [<8074329c>] (consume_skb) from [<7f00117c>] (rsi_usb_rx_thread+0x64/0x12c [rsi_usb]) [ 25.608524] r5:eddab000 r4:eddbb840 [ 25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from [<80142750>] (kthread+0x11c/0x15c) [ 25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000 r6:edd3a780 r5:00000000 [ 25.628567] r4:edcde380 [ 25.631110] [<80142634>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c) [ 25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8) [ 25.682929] ---[ end trace 8236a5496f5b5d3b ]--- Signed-off-by: Siva Rebbagondla Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/rsi/rsi_91x_usb.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c index c0a163e40402..f360690396dd 100644 --- a/drivers/net/wireless/rsi/rsi_91x_usb.c +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c @@ -266,15 +266,17 @@ static void rsi_rx_done_handler(struct urb *urb) if (urb->status) goto out; - if (urb->actual_length <= 0) { - rsi_dbg(INFO_ZONE, "%s: Zero length packet\n", __func__); + if (urb->actual_length <= 0 || + urb->actual_length > rx_cb->rx_skb->len) { + rsi_dbg(INFO_ZONE, "%s: Invalid packet length = %d\n", + __func__, urb->actual_length); goto out; } if (skb_queue_len(&dev->rx_q) >= RSI_MAX_RX_PKTS) { rsi_dbg(INFO_ZONE, "Max RX packets reached\n"); goto out; } - skb_put(rx_cb->rx_skb, urb->actual_length); + skb_trim(rx_cb->rx_skb, urb->actual_length); skb_queue_tail(&dev->rx_q, rx_cb->rx_skb); rsi_set_event(&dev->rx_thread.event); @@ -308,6 +310,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) if (!skb) return -ENOMEM; skb_reserve(skb, MAX_DWORD_ALIGN_BYTES); + skb_put(skb, RSI_MAX_RX_USB_PKT_SIZE - MAX_DWORD_ALIGN_BYTES); dword_align_bytes = (unsigned long)skb->data & 0x3f; if (dword_align_bytes > 0) skb_push(skb, dword_align_bytes); @@ -319,7 +322,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) usb_rcvbulkpipe(dev->usbdev, dev->bulkin_endpoint_addr[ep_num - 1]), urb->transfer_buffer, - RSI_MAX_RX_USB_PKT_SIZE, + skb->len, rsi_rx_done_handler, rx_cb); -- 2.17.1