Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp442870rwe; Fri, 26 Aug 2022 07:50:49 -0700 (PDT) X-Google-Smtp-Source: AA6agR4wXTyQWob8dYs1mqR98Mor0Ze3jNAE1ndE5xHCScoyQEqtrXrzPxFMjm6RTv7vId8o3bzB X-Received: by 2002:a05:6a00:4acc:b0:536:46c4:d084 with SMTP id ds12-20020a056a004acc00b0053646c4d084mr4185284pfb.71.1661525449091; Fri, 26 Aug 2022 07:50:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661525449; cv=none; d=google.com; s=arc-20160816; b=vaIzIoK+GyG8SxtczDqmvPC8D7URUXPI4wM48VkYlylvPmaXBeI63jZON84KnDUceU 37TjG+xuU4uS0VcXt2lrXi6uszDH6Gy4WtLtl8Pxp1wR/puoH0sYykjoXjix7IdjYF8P d0XijBdItunaRxPUnRjaixvrlptYL0z9Kj5lvfFKT2+CVjHdn3kr54uUKzr+FXwP+w3Z BXCjNvhwTjIBF53yAaxeBBFT8OkvKMKOKKZBnZEZ2FuNKuD7DEToXBJaj3pIsRoGFE4A 1fbYapLjkbJzEa6Qbny9y1MaXH6PhhCO79Aa4wdtXMDj7bWFhgH4zZ18aky05eIAX9yG 2OHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=9v12K8ZJdopRgFJcJek0Eu2I+8Y8Sri9kNK+Ta8ood4=; b=IvySnkZzdiZk+AqEkOQj1lTzngF19upPSF5UYOKGJE5aNmW1gpE3gNPzJXkxwwGEck W6G7PuTNTudXG2K0Tto4JIvQPovdSf4x7vvbxwWEoaIO1u2bVoktXd7oNFvZP2Hf86hs lssstvksFdw7tQyaMfP3hpGL83wYaW63IbINESHxPJdJcIbwlaaoPIk6isjFhYXPws16 SGpx7l9I/2tkYLmghpiWaAWrVgAT5eNqT1RRawnlG+KEJp/PkK0oaaurWZbIdIKx3jmD cZYzGXQWsgnAF0sTzxopTDmMkX5UIXPjXcHKzQTjOWpaxtTTeMTh/DInUWxMIgdY3Hx6 JeGQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e1-20020a656bc1000000b0042b329f2ff7si1935714pgw.388.2022.08.26.07.50.33; Fri, 26 Aug 2022 07:50:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245365AbiHZOpV (ORCPT + 64 others); Fri, 26 Aug 2022 10:45:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56250 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245076AbiHZOpU (ORCPT ); Fri, 26 Aug 2022 10:45:20 -0400 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id D185E2C655 for ; Fri, 26 Aug 2022 07:45:17 -0700 (PDT) Received: (qmail 39829 invoked by uid 1000); 26 Aug 2022 10:45:16 -0400 Date: Fri, 26 Aug 2022 10:45:16 -0400 From: Alan Stern To: Fedor Pchelkin Cc: Alexey Khoroshilov , ath9k-devel@qca.qualcomm.com, ldv-project@linuxtesting.org, eli.billauer@gmail.com, Greg Kroah-Hartman , andreyknvl@google.com, gustavoars@kernel.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, oneukum@suse.com, tiwai@suse.de, syzkaller-bugs@googlegroups.com Subject: Re: WARNING in hif_usb_alloc_rx_urbs/usb_submit_urb Message-ID: References: <09fbc5ed-d67e-8308-1e49-2de6f2cea7dd@ispras.ru> <9ebc80d0-1b16-642c-e66b-2de52c673334@ispras.ru> <5dce2e1c-fa65-2fb3-08ad-65122f7e495d@ispras.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5dce2e1c-fa65-2fb3-08ad-65122f7e495d@ispras.ru> X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Fri, Aug 26, 2022 at 04:14:48PM +0300, Fedor Pchelkin wrote: > Sat, 10 Oct 2020 at 04:08:19 UTC+3, Alan Stern wrote: > > Index: usb-devel/drivers/net/wireless/ath/ath9k/hif_usb.c > > =================================================================== > > --- usb-devel.orig/drivers/net/wireless/ath/ath9k/hif_usb.c > > +++ usb-devel/drivers/net/wireless/ath/ath9k/hif_usb.c > > @@ -1307,6 +1307,20 @@ static int ath9k_hif_usb_probe(struct us > > struct usb_device *udev = interface_to_usbdev(interface); > > struct hif_device_usb *hif_dev; > > int ret = 0; > > + struct usb_host_interface *alt; > > + struct usb_endpoint_descriptor *epd; > > + > > + /* Verify the expected endpoints are present */ > > + alt = interface->cur_altsetting; > > + if (!usb_find_int_in_endpoint(alt, &epd) || > > + usb_endpoint_num(epd) != USB_REG_IN_PIPE || > > + !usb_find_int_out_endpoint(alt, &epd) || > > + usb_endpoint_num(epd) != USB_REG_OUT_PIPE || > > + !usb_find_bulk_in_endpoint(alt, &epd) || > > + usb_endpoint_num(epd) != USB_WLAN_RX_PIPE || > > + !usb_find_bulk_out_endpoint(alt, &epd) || > > + usb_endpoint_num(epd) != USB_WLAN_TX_PIPE) > > + return -ENODEV; > > > > if (id->driver_info == STORAGE_DEVICE) > > return send_eject_command(interface); > > We've tested the suggested patch and found a null-ptr-deref. The thing > is that usb_find_{...}_endpoint() returns zero in normal case, and > non-zero value (-ENXIO) when failed (in current patch version it is > supposed to be just opposite and sometimes a NULL epd is dereferenced). Whoops, you're right. Silly mistake. > To fix it the negation signs before usb_find_{...}_endpoint() should be > removed. Actually, I would change it to "< 0", which will emphasize to readers that it's testing for an error return value. > And we also think usb_find_common_endpoints(...) should be used directly > as all the scanned usb_endpoint_descriptors will be passed to it and > returned in just one call. Good idea. > If you wish, I may prepare the patch myself. Please do; I have more than enough other things going on and little time to work on them. Alan Stern