Message-ID: <5dce2e1c-fa65-2fb3-08ad-65122f7e495d@ispras.ru>
Date: Fri, 26 Aug 2022 16:14:48 +0300
Subject: Re: WARNING in hif_usb_alloc_rx_urbs/usb_submit_urb
From: Fedor Pchelkin
To: Alan Stern
Cc: Alexey Khoroshilov, ath9k-devel@qca.qualcomm.com, ldv-project@linuxtesting.org, eli.billauer@gmail.com, Greg Kroah-Hartman, andreyknvl@google.com, gustavoars@kernel.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, oneukum@suse.com, tiwai@suse.de, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-wireless@vger.kernel.org

Sat, 10 Oct 2020 at 04:08:19 UTC+3, Alan Stern wrote: > Index: usb-devel/drivers/net/wireless/ath/ath9k/hif_usb.c > =================================================================== > --- usb-devel.orig/drivers/net/wireless/ath/ath9k/hif_usb.c > +++ usb-devel/drivers/net/wireless/ath/ath9k/hif_usb.c 
> @@ -1307,6 +1307,20 @@ static int ath9k_hif_usb_probe(struct us > struct usb_device *udev = interface_to_usbdev(interface); > struct hif_device_usb *hif_dev; > int ret = 0; > + struct usb_host_interface *alt; > + struct usb_endpoint_descriptor *epd; > + > + /* Verify the expected endpoints are present */ > + alt = interface->cur_altsetting; > + if (!usb_find_int_in_endpoint(alt, &epd) || > + usb_endpoint_num(epd) != USB_REG_IN_PIPE || > + !usb_find_int_out_endpoint(alt, &epd) || > + usb_endpoint_num(epd) != USB_REG_OUT_PIPE || > + !usb_find_bulk_in_endpoint(alt, &epd) || > + usb_endpoint_num(epd) != USB_WLAN_RX_PIPE || > + !usb_find_bulk_out_endpoint(alt, &epd) || > + usb_endpoint_num(epd) != USB_WLAN_TX_PIPE) > + return -ENODEV; > > if (id->driver_info == STORAGE_DEVICE) > return send_eject_command(interface);

We've tested the suggested patch and found a null-ptr-deref. The thing is that usb_find_{...}_endpoint() returns zero in the normal case, and a non-zero value (-ENXIO) when it fails (in the current patch version it is supposed to be just the opposite, and sometimes a NULL epd is dereferenced). To fix it, the negation signs before usb_find_{...}_endpoint() should be removed.

And we also think usb_find_common_endpoints(...) should be used directly, as all the scanned usb_endpoint_descriptors will be passed to it and returned in just one call.

If you wish, I may prepare the patch myself.

Fedor
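
Review bot: the four `usb_find_*_endpoint()` calls in the added `if` are tested with `!`, but these helpers return 0 when the endpoint is found and -ENXIO when it is not, so the condition is inverted. A device that has the interrupt-in endpoint makes `!usb_find_int_in_endpoint(alt, &epd)` true and probe returns -ENODEV, while a device that lacks it falls through to `usb_endpoint_num(epd)` with `epd` NULL. Test each call for a non-zero result instead (drop the `!`), or collect all four descriptors with one `usb_find_common_endpoints()` call into separate pointers and compare the endpoint numbers only after it has returned 0. Because a mismatch rejects the device silently, a `dev_err()` before `return -ENODEV` would also help whoever has to debug a failed probe.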