Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp2470904lqt; Mon, 22 Apr 2024 11:35:17 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVbvnSY9j/ACwRq6KhtiKK/ctomRMUf73uzKT5sjdbDHthH+Wx3vFCQRAF5hPx0QDXbI/b6BgtSLrwpGzqHRVwJ9laKx0MzsRfbk5Bk7Q== X-Google-Smtp-Source: AGHT+IEPKXwWlIBz6bobEIE/as9dGeZx1XqyrwjpdXCQ+PMJ4pkiY9pALbhK07pKlWyZKBNzxyAc X-Received: by 2002:a05:6a21:8803:b0:1ad:746:b15a with SMTP id ta3-20020a056a21880300b001ad0746b15amr5839165pzc.47.1713810917030; Mon, 22 Apr 2024 11:35:17 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713810917; cv=pass; d=google.com; s=arc-20160816; b=l+nROkJtgXKtdOOq4FlVb2rgfCkAkc92hwHiecTGV1O+jXTnMC329dHHDgHRSd1WGl EUB5keyQYzExFU4Jp6Q9VjIGZYBOr9CSUVlpVrCAZsLxRdBtuwOgDt6aW8pg/Yo8r7mp cCg0JIo+HEuYx3Hbw3xQMLoABasIpDcvNX3F3ncdyOK5yma832vIVIkqJzDUh2VNJkJ4 7j3ENu/z5MZSmRAbH/i1ARfLGvLpidB6UMYi1laewb2r3Rj00778PFEacxS58PiFl6J7 ErpNgH4944hzp9lOtbvHm5XdBdmWbTHH99ul9+HSLilqoo+S2taejnQkvJEiBhAG/Kn2 0W2g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=bhTzaDEWpOqgi8BBY3bDZnmbQGc1C8yOexxpsaH4AXY=; fh=N9q192t0PLpvV5V6RzMhNuZcfbuPGnnCVv9gGtnpaeI=; b=WIl8MzSd6WnwKruJ8NkhMGEfjh+Sca468eZYI6vEWgrRCtxsFHFQye00Ko1/RSYP0F sLVM67eidNcfpqvZ2ollO/8CFbTa0qj4i2Vf/Nj9gOZlxEg9VTSHdPovujJtVSk3SOkF 0LIi7qSFvcr7Xfa9vYDwq3CYDznav+uZD6gQv+jRRr4ap2BRQcWPo5huMRIoRfXCcXs0 6SzHdsnBZltLdKlDgByajAYpPmADzrMR9URixbpX2Zgu2f9f/pP+eO4hILUiy3tCbyFS 6dPp25SgKgInq6Y84oWwTj2HYYvCsBm7WRp2GV5lHRYVzSKhBo4eOGz66z9r5GP1KvSE 2bMw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=fintech.ru); spf=pass (google.com: domain of linux-wireless+bounces-6691-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-6691-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id i136-20020a636d8e000000b005fcff8b8616si3596831pgc.562.2024.04.22.11.35.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Apr 2024 11:35:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless+bounces-6691-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=fintech.ru); spf=pass (google.com: domain of linux-wireless+bounces-6691-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-6691-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id A18BD28176C for ; Mon, 22 Apr 2024 18:35:16 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 33298153BFE; Mon, 22 Apr 2024 18:35:15 +0000 (UTC) X-Original-To: linux-wireless@vger.kernel.org Received: from exchange.fintech.ru (exchange.fintech.ru [195.54.195.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7EF0A1514D5; Mon, 22 Apr 2024 18:35:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.54.195.159 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713810915; cv=none; b=V++pmeAZ0ORmpQIgJ/b0EtKDIw6oqhzvG5xpFPeG1HOrKUdx+de+paANWUrn8xNjEmVCt+oIiVLvd8INj1wehlt2OWMAYIIu5ADkQkpIVmLHYwKwHu5YbpASEeZrTSbWg+5P8tq+4IohcOiiN0hRgM96AXyXcbDGqvl/P5iTT9M= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713810915; c=relaxed/simple; bh=1EN9NA6lTTFiwyx4d7mtczgfP4E+SMVfghI94AIVNJw=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=CK+SZwhBE41rNuyKSkGPUdjOkLfpI4U6y8bafkubXu6yNe3pSlZYjwJmqXySY1XPGK7Wn2jY6vIQGRBeEGB5oTS0JlpCMha+tRlcs9fndFx1+NYTFd2M1TOIvAtmXBCzBHG3nUJPCDzNTOxpnUE90KVNNG8s10FocTcjylBeXsQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru; spf=pass smtp.mailfrom=fintech.ru; arc=none smtp.client-ip=195.54.195.159 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fintech.ru Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru (195.54.195.159) with Microsoft SMTP Server (TLS) id 14.3.498.0; Mon, 22 Apr 2024 21:33:59 +0300 Received: from localhost (10.0.253.138) by Ex16-01.fintech.ru (10.0.10.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Mon, 22 Apr 2024 21:33:58 +0300 From: Nikita Zhandarovich To: Christian Lamparter , Kalle Valo CC: Nikita Zhandarovich , , , , , Subject: [PATCH v2] wifi: carl9170: add a proper sanity check for endpoints Date: Mon, 22 Apr 2024 11:33:55 -0700 Message-ID: <20240422183355.3785-1-n.zhandarovich@fintech.ru> X-Mailer: git-send-email 2.25.1 Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru (10.0.10.18) Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB sumbitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. Similar warning is triggered in a couple of other syzbot issues [2]. Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration. This patch has not been tested on real hardware. [1] Syzkaller report: ... WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 [2] Related syzkaller crashes: Link: https://syzkaller.appspot.com/bug?extid=e394db78ae0b0032cb4d Link: https://syzkaller.appspot.com/bug?extid=9468df99cb63a4a4c4e1 Reported-and-tested-by: syzbot+0ae4804973be759fa420@syzkaller.appspotmail.com Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") Signed-off-by: Nikita Zhandarovich --- v2: as Christian Lamparter was kind to point out, before returning with error, make sure to free previously allocated 'ar' with carl9170_free(ar). drivers/net/wireless/ath/carl9170/usb.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c index c4edf8355941..a3e03580cd9f 100644 --- a/drivers/net/wireless/ath/carl9170/usb.c +++ b/drivers/net/wireless/ath/carl9170/usb.c @@ -1069,6 +1069,38 @@ static int carl9170_usb_probe(struct usb_interface *intf, ar->usb_ep_cmd_is_bulk = true; } + /* Verify that all expected endpoints are present */ + if (ar->usb_ep_cmd_is_bulk) { + u8 bulk_ep_addr[] = { + AR9170_USB_EP_RX | USB_DIR_IN, + AR9170_USB_EP_TX | USB_DIR_OUT, + AR9170_USB_EP_CMD | USB_DIR_OUT, + 0}; + u8 int_ep_addr[] = { + AR9170_USB_EP_IRQ | USB_DIR_IN, + 0}; + if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || + !usb_check_int_endpoints(intf, int_ep_addr)) + err = -ENODEV; + } else { + u8 bulk_ep_addr[] = { + AR9170_USB_EP_RX | USB_DIR_IN, + AR9170_USB_EP_TX | USB_DIR_OUT, + 0}; + u8 int_ep_addr[] = { + AR9170_USB_EP_IRQ | USB_DIR_IN, + AR9170_USB_EP_CMD | USB_DIR_OUT, + 0}; + if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || + !usb_check_int_endpoints(intf, int_ep_addr)) + err = -ENODEV; + } + + if (err) { + carl9170_free(ar); + return err; + } + usb_set_intfdata(intf, ar); SET_IEEE80211_DEV(ar->hw, &intf->dev);