Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1464465ybt; Thu, 9 Jul 2020 07:41:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJws3aEWeBfQ6SH5NtngVdcWyjQddJDIZ4UXrm3eryOiW8WbYbA9r3fxGbOrtjtlaaCta+bg X-Received: by 2002:a17:906:d116:: with SMTP id b22mr32543297ejz.250.1594305710698; Thu, 09 Jul 2020 07:41:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594305710; cv=none; d=google.com; s=arc-20160816; b=FK97SJz2f1U8OG/uwqACoqBkiUdC7mR7RNsC2seHAMK+4uAxg49Q76UFCc/Ve3yf9x 55e4UzKTelafoXuz91YWAxNo78gQ4fMBBvwbJo6H9BKyCHrdYCs/SfJ8X1XPDbTdV86A vSpxKiCkDuqLfvrr94anwm5Z06ld5a69/Khejb8UDLWpeqpW4hwuQQD6ejGXJZ/phwI6 u0GGO/fKj4clr+rPaIUtajApD6KwtXQ7X/eV1OjIwCXkj4T+RpdpDSgMGZqnYlASKL/M jrtk/n3Or8/e8ikFs3Ensd+CAgR4U+x++uRagBxJEaBp3m+zIWHzT1YtIg9vsoZucsqd JigA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:date:message-id:from :references:cc:to:subject; bh=wDWVhMMRj4xLk0XueeYSfMNoFiykPvrZruXN+LaJqTg=; b=N+KTpylExR2q/WUlGR+zkgYrdsOZ/H+990/wAMcUC6SM+sgA8ue+DyN1POttW8dhsH FN2y06bjaCufEWS/c5C9NRje3sSrkeFSaVOlAkf0XOcqNMPrL41S/5A84DuzJrNdtiCN Vc5cFwWN8R1t//TIGoVb5YYXX3CFt1RL5+lmRravydp13XwW0PD6r8gHetHGWR2pn0FQ 6Uu/LeK1JqkzebopqpGqDvbdsBLih7iWBpRpgzQYV1w6lF8rsWaKFNwnzNqDXN6ptmvJ YK3vmWbZutDfU2u0SxEsojlowK6qXIamSkg7to0tjPMP/dp2McyrT80A0BTEOt6lE/Fu QN7Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i24si1840222ejb.588.2020.07.09.07.41.27; Thu, 09 Jul 2020 07:41:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726942AbgGIOjK (ORCPT + 99 others); Thu, 9 Jul 2020 10:39:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726410AbgGIOjK (ORCPT ); Thu, 9 Jul 2020 10:39:10 -0400 Received: from mout1.freenet.de (mout1.freenet.de [IPv6:2001:748:100:40::2:3]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 614EEC08C5CE; Thu, 9 Jul 2020 07:39:10 -0700 (PDT) Received: from [195.4.92.163] (helo=mjail0.freenet.de) by mout1.freenet.de with esmtpa (ID viktor.jaegerskuepper@freenet.de) (port 25) (Exim 4.92 #3) id 1jtXhY-0000fE-Jj; Thu, 09 Jul 2020 16:39:04 +0200 Received: from localhost ([::1]:43698 helo=mjail0.freenet.de) by mjail0.freenet.de with esmtpa (ID viktor.jaegerskuepper@freenet.de) (Exim 4.92 #3) id 1jtXhY-0001zB-HJ; Thu, 09 Jul 2020 16:39:04 +0200 Received: from sub4.freenet.de ([195.4.92.123]:55558) by mjail0.freenet.de with esmtpa (ID viktor.jaegerskuepper@freenet.de) (Exim 4.92 #3) id 1jtXf7-0000ot-KE; Thu, 09 Jul 2020 16:36:33 +0200 Received: from p200300e7072d05009530c91dafb9c844.dip0.t-ipconnect.de ([2003:e7:72d:500:9530:c91d:afb9:c844]:35596 helo=[127.0.0.1]) by sub4.freenet.de with esmtpsa (ID viktor.jaegerskuepper@freenet.de) (TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256) (port 465) (Exim 4.92 #3) id 1jtXf7-0006kg-GW; Thu, 09 Jul 2020 16:36:33 +0200 Subject: Re: [PATCH] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" To: Kalle Valo Cc: Roman Mamedov , Qiujun Huang , ath9k-devel@qca.qualcomm.com, davem@davemloft.net, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, anenbupt@gmail.com, syzkaller-bugs@googlegroups.com References: <20200404041838.10426-1-hqjagain@gmail.com> <20200404041838.10426-6-hqjagain@gmail.com> <20200621020428.6417d6fb@natsu> <87lfkff9qe.fsf@codeaurora.org> <53940af0-d156-3117-ac86-2f3ccaee9513@freenet.de> <87imf6beo0.fsf@codeaurora.org> From: =?UTF-8?B?VmlrdG9yIErDpGdlcnNrw7xwcGVy?= Message-ID: Date: Thu, 9 Jul 2020 16:36:24 +0200 MIME-Version: 1.0 In-Reply-To: <87imf6beo0.fsf@codeaurora.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US-large Content-Transfer-Encoding: 8bit X-Originated-At: 2003:e7:72d:500:9530:c91d:afb9:c844!35596 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Kalle Valo wrote: > Viktor Jägersküpper writes: > >> Kalle Valo writes: >>> Roman Mamedov writes: >>> >>>> On Sat, 4 Apr 2020 12:18:38 +0800 >>>> Qiujun Huang wrote: >>>> >>>>> In ath9k_hif_usb_rx_cb interface number is assumed to be 0. >>>>> usb_ifnum_to_if(urb->dev, 0) >>>>> But it isn't always true. >>>>> >>>>> The case reported by syzbot: >>>>> https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com >>>>> usb 2-1: new high-speed USB device number 2 using dummy_hcd >>>>> usb 2-1: config 1 has an invalid interface number: 2 but max is 0 >>>>> usb 2-1: config 1 has no interface number 0 >>>>> usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= >>>>> 1.08 >>>>> usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 >>>>> general protection fault, probably for non-canonical address >>>>> 0xdffffc0000000015: 0000 [#1] SMP KASAN >>>>> KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] >>>>> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0 >>>>> >>>>> Call Trace >>>>> __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 >>>>> usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 >>>>> dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 >>>>> call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 >>>>> expire_timers kernel/time/timer.c:1449 [inline] >>>>> __run_timers kernel/time/timer.c:1773 [inline] >>>>> __run_timers kernel/time/timer.c:1740 [inline] >>>>> run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 >>>>> __do_softirq+0x21e/0x950 kernel/softirq.c:292 >>>>> invoke_softirq kernel/softirq.c:373 [inline] >>>>> irq_exit+0x178/0x1a0 kernel/softirq.c:413 >>>>> exiting_irq arch/x86/include/asm/apic.h:546 [inline] >>>>> smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 >>>>> apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 >>>>> >>>>> Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com >>>>> Signed-off-by: Qiujun Huang >>>> >>>> This causes complete breakage of ath9k operation across all the stable kernel >>>> series it got backported to, and I guess the mainline as well. Please see: >>>> https://bugzilla.kernel.org/show_bug.cgi?id=208251 >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1848631 >>> >>> So there's no fix for this? I was under impression that someone fixed >>> this, but maybe I'm mixing with something else. >>> >>> If this is not fixed can someone please submit a patch to revert the >>> offending commit (or commits) so that we get ath9k working again? >>> >> >> This reverts commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 ("ath9k: Fix general protection fault >> in ath9k_hif_usb_rx_cb") because the driver gets stuck like this: >> >> [ 5.778803] usb 1-5: Manufacturer: ATHEROS >> [ 21.697488] usb 1-5: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested >> [ 21.701377] usbcore: registered new interface driver ath9k_htc >> [ 22.053705] usb 1-5: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 >> [ 22.306182] ath9k_htc 1-5:1.0: ath9k_htc: HTC initialized with 33 credits >> [ 115.708513] ath9k_htc: Failed to initialize the device >> [ 115.708683] usb 1-5: ath9k_htc: USB layer deinitialized >> >> Reported-by: Roman Mamedov >> Ref: https://bugzilla.kernel.org/show_bug.cgi?id=208251 >> Fixes: 2bbcaaee1fcb ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb") >> Tested-by: Viktor Jägersküpper >> Signed-off-by: Viktor Jägersküpper >> --- >> >> I couldn't find any fix for this, so here is the patch which reverts the >> offending commit. I have tested it with 5.8.0-rc3 and with 5.7.4. >> >> Feel free to change the commit message if it is necessary or appropriate, I am >> just a user affected by this bug. > > This was badly formatted: > > https://patchwork.kernel.org/patch/11636783/ > > But v2 looks correct: > > https://patchwork.kernel.org/patch/11637341/ > > Thanks, I'll take a closer look at this as soon as I can. > Hi Kalle, it seems you didn't have time for this so far. If you don't have time at the moment, is there someone else who can fix this? Reverting the commit is just the first and easy option and fixing this properly can be done after that. Thanks, Viktor