From 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 1 Mar 2022 11:04:24 +0300 Subject: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. Cc: stable@kernel.org Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220301080424.GA17208@kili Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/function/rndis.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers') diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c index 00b3f6b3bb31..713efd9aefde 100644 --- a/drivers/usb/gadget/function/rndis.c +++ b/drivers/usb/gadget/function/rndis.c @@ -640,6 +640,7 @@ static int rndis_set_response(struct rndis_params *params, BufLength = le32_to_cpu(buf->InformationBufferLength); BufOffset = le32_to_cpu(buf->InformationBufferOffset); if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || + (BufOffset > RNDIS_MAX_TOTAL_SIZE) || (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)) return -EINVAL; -- cgit v1.2.3-70-g09d2 From 239071064732bc4a30308cbba11014aa1aab550a Mon Sep 17 00:00:00 2001 From: "H. Nikolaus Schaller" Date: Tue, 8 Mar 2022 13:56:06 +0100 Subject: partially Revert "usb: musb: Set the DT node on the child device" This reverts the omap2430 changes of commit cf081d009c44 ("usb: musb: Set the DT node on the child device") Since v5.17-rc1, musb is broken on the gta04 and openpandora devices (omap3530/dm3730). BeagleBone Black (am335x) seems to work. Symptoms of this bug are a) main symptom [ 21.336517] using random host ethernet address [ 21.341430] using host ethernet address: 32:70:05:18:ff:78 [ 21.341461] using self ethernet address: 46:10:3a:b3:af:d9 [ 21.358184] usb0: HOST MAC 32:70:05:18:ff:78 [ 21.376678] usb0: MAC 46:10:3a:b3:af:d9 [ 21.388305] using random self ethernet address [ 21.393371] using random host ethernet address [ 21.398162] g_ether gadget: Ethernet Gadget, version: Memorial Day 2008 [ 21.421081] g_ether gadget: g_ether ready [ 21.492156] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 21.691345] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 21.803192] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 21.819427] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 22.124450] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 22.168518] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 22.179382] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.213592] musb-hdrc musb-hdrc.1.auto: pm runtime get failed in musb_gadget_queue [ 23.221832] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.227905] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.239440] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.401000] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.407073] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.426361] musb-hdrc musb-hdrc.1.auto: Could not enable: -22 [ 23.734466] musb-hdrc musb-hdrc.1.auto: pm runtime get failed in musb_gadget_queue [ 23.742462] musb-hdrc musb-hdrc.1.auto: pm runtime get failed in musb_gadget_queue [ 23.750396] musb-hdrc musb-hdrc.1.auto: pm runtime get failed in musb_gadget_queue ... (repeats with high frequency) This stops if the USB cable is unplugged and restarts if it is plugged in again. b) also found in the log [ 6.498107] ------------[ cut here ]------------ [ 6.502960] WARNING: CPU: 0 PID: 868 at arch/arm/mach-omap2/omap_hwmod.c:1885 _enable+0x50/0x234 [ 6.512207] omap_hwmod: usb_otg_hs: enabled state can only be entered from initialized, idle, or disabled state [ 6.522766] Modules linked in: omap2430(+) bmp280_i2c bmp280 itg3200 at24 tsc2007 leds_tca6507 bma180 hmc5843_i2c hmc5843_core industrialio_triggered_buffer lis3lv02d_i2c kfifo_buf lis3lv02d phy_twl4030_usb snd_soc_omap_mcbsp snd_soc_ti_sdma musb_hdrc snd_soc_twl4030 gnss_sirf twl4030_vibra twl4030_madc twl4030_charger twl4030_pwrbutton gnss industrialio ehci_omap omapdrm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm drm_panel_orientation_quirks cec [ 6.566436] CPU: 0 PID: 868 Comm: udevd Not tainted 5.16.0-rc5-letux+ #8251 [ 6.573730] Hardware name: Generic OMAP36xx (Flattened Device Tree) [ 6.580322] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 6.588470] [] (show_stack) from [] (dump_stack_lvl+0x40/0x4c) [ 6.596405] [] (dump_stack_lvl) from [] (__warn+0xb4/0xdc) [ 6.604003] [] (__warn) from [] (warn_slowpath_fmt+0x70/0x9c) [ 6.611846] [] (warn_slowpath_fmt) from [] (_enable+0x50/0x234) [ 6.619903] [] (_enable) from [] (omap_hwmod_enable+0x28/0x40) [ 6.627838] [] (omap_hwmod_enable) from [] (omap_device_enable+0x4c/0x78) [ 6.636779] [] (omap_device_enable) from [] (_od_runtime_resume+0x10/0x3c) [ 6.645812] [] (_od_runtime_resume) from [] (__rpm_callback+0x3c/0xf4) [ 6.654510] [] (__rpm_callback) from [] (rpm_callback+0x50/0x54) [ 6.662628] [] (rpm_callback) from [] (rpm_resume+0x448/0x4e4) [ 6.670593] [] (rpm_resume) from [] (__pm_runtime_resume+0x38/0x50) [ 6.678985] [] (__pm_runtime_resume) from [] (musb_init_controller+0x350/0xa5c [musb_hdrc]) [ 6.689727] [] (musb_init_controller [musb_hdrc]) from [] (platform_probe+0x58/0xa8) [ 6.699737] [] (platform_probe) from [] (really_probe+0x170/0x2fc) [ 6.708068] [] (really_probe) from [] (__driver_probe_device+0xc4/0xd8) [ 6.716827] [] (__driver_probe_device) from [] (driver_probe_device+0x30/0xac) [ 6.726226] [] (driver_probe_device) from [] (__device_attach_driver+0x94/0xb4) [ 6.735717] [] (__device_attach_driver) from [] (bus_for_each_drv+0xa0/0xb4) [ 6.744934] [] (bus_for_each_drv) from [] (__device_attach+0xc0/0x134) [ 6.753631] [] (__device_attach) from [] (bus_probe_device+0x28/0x80) [ 6.762207] [] (bus_probe_device) from [] (device_add+0x5fc/0x788) [ 6.770507] [] (device_add) from [] (platform_device_add+0x70/0x1bc) [ 6.779022] [] (platform_device_add) from [] (omap2430_probe+0x260/0x2d4 [omap2430]) [ 6.789001] [] (omap2430_probe [omap2430]) from [] (platform_probe+0x58/0xa8) [ 6.798309] [] (platform_probe) from [] (really_probe+0x170/0x2fc) [ 6.806610] [] (really_probe) from [] (__driver_probe_device+0xc4/0xd8) [ 6.815399] [] (__driver_probe_device) from [] (driver_probe_device+0x30/0xac) [ 6.824798] [] (driver_probe_device) from [] (__driver_attach+0xc4/0xd8) [ 6.833648] [] (__driver_attach) from [] (bus_for_each_dev+0x64/0xa0) [ 6.842224] [] (bus_for_each_dev) from [] (bus_add_driver+0x148/0x1a4) [ 6.850891] [] (bus_add_driver) from [] (driver_register+0xb4/0xf8) [ 6.859313] [] (driver_register) from [] (do_one_initcall+0x90/0x1c8) [ 6.867889] [] (do_one_initcall) from [] (do_init_module+0x4c/0x204) [ 6.876373] [] (do_init_module) from [] (load_module+0x13f0/0x1928) [ 6.884796] [] (load_module) from [] (sys_finit_module+0xa0/0xc0) [ 6.893005] [] (sys_finit_module) from [] (ret_fast_syscall+0x0/0x54) [ 6.901580] Exception stack(0xc2807fa8 to 0xc2807ff0) [ 6.906890] 7fa0: b6e517d4 00052068 00000006 b6e509f8 00000000 b6e5131c [ 6.915466] 7fc0: b6e517d4 00052068 cd718000 0000017b 00020000 00037f78 00050048 00063368 [ 6.924011] 7fe0: bed8fef0 bed8fee0 b6e4ac4b b6f55a42 [ 6.929321] ---[ end trace d715ff121b58763c ]--- c) git bisect result on testing for "musb-hdrc" in the console log: cf081d009c447647c6b36aced535ca427dbebe72 is the first bad commit commit cf081d009c447647c6b36aced535ca427dbebe72 Author: Rob Herring Date: Wed Dec 15 17:07:57 2021 -0600 usb: musb: Set the DT node on the child device The musb glue drivers just copy the glue resources to the musb child device. Instead, set the musb child device's DT node pointer to the parent device's node so that platform_get_irq_byname() can find the resources in the DT. This removes the need for statically populating the IRQ resources from the DT which has been deprecated for some time. Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20211215230756.2009115-3-robh@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/musb/am35x.c | 2 ++ drivers/usb/musb/da8xx.c | 2 ++ drivers/usb/musb/jz4740.c | 1 + drivers/usb/musb/mediatek.c | 2 ++ drivers/usb/musb/omap2430.c | 1 + drivers/usb/musb/ux500.c | 1 + 6 files changed, 9 insertions(+) Reverting this patch makes musb work again as before. Fixes: cf081d009c44 ("usb: musb: Set the DT node on the child device") Cc: Rob Herring Signed-off-by: H. Nikolaus Schaller Link: https://lore.kernel.org/r/f62f5fc11f9ecae7e57f3fd66939e051bd3b11fc.1646744166.git.hns@goldelico.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/musb/omap2430.c | 1 - 1 file changed, 1 deletion(-) (limited to 'drivers') diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c index 7d4d0713f4f0..d2b7e613eb34 100644 --- a/drivers/usb/musb/omap2430.c +++ b/drivers/usb/musb/omap2430.c @@ -327,7 +327,6 @@ static int omap2430_probe(struct platform_device *pdev) musb->dev.parent = &pdev->dev; musb->dev.dma_mask = &omap2430_dmamask; musb->dev.coherent_dma_mask = omap2430_dmamask; - device_set_of_node_from_dev(&musb->dev, &pdev->dev); glue->dev = &pdev->dev; glue->musb = musb; -- cgit v1.2.3-70-g09d2 From e9b667a82cdcfe21d590344447d65daed52b353b Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Thu, 3 Mar 2022 16:00:17 -0500 Subject: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace: usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline] The problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for all of its transfers, whether they are in or out. It's easy to fix. CC: Reported-and-tested-by: syzbot+a48e3d1a875240cab5de@syzkaller.appspotmail.com Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YiEsYTPEE6lOCOA5@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/usbtmc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'drivers') diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 73f419adce61..4bb6d304eb4b 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -1919,6 +1919,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data, struct usbtmc_ctrlrequest request; u8 *buffer = NULL; int rv; + unsigned int is_in, pipe; unsigned long res; res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest)); @@ -1928,12 +1929,14 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data, if (request.req.wLength > USBTMC_BUFSIZE) return -EMSGSIZE; + is_in = request.req.bRequestType & USB_DIR_IN; + if (request.req.wLength) { buffer = kmalloc(request.req.wLength, GFP_KERNEL); if (!buffer) return -ENOMEM; - if ((request.req.bRequestType & USB_DIR_IN) == 0) { + if (!is_in) { /* Send control data to device */ res = copy_from_user(buffer, request.data, request.req.wLength); @@ -1944,8 +1947,12 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data, } } + if (is_in) + pipe = usb_rcvctrlpipe(data->usb_dev, 0); + else + pipe = usb_sndctrlpipe(data->usb_dev, 0); rv = usb_control_msg(data->usb_dev, - usb_rcvctrlpipe(data->usb_dev, 0), + pipe, request.req.bRequest, request.req.bRequestType, request.req.wValue, @@ -1957,7 +1964,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data, goto exit; } - if (rv && (request.req.bRequestType & USB_DIR_IN)) { + if (rv && is_in) { /* Read control data from device */ res = copy_to_user(request.data, buffer, rv); if (res) -- cgit v1.2.3-70-g09d2 From 16b1941eac2bd499f065a6739a40ce0011a3d740 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Sat, 5 Mar 2022 21:47:22 -0500 Subject: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver. Fixes: 2ccea03a8f7e ("usb: gadget: introduce UDC Class") CC: Reported-and-tested-by: syzbot+348b571beb5eeb70a582@syzkaller.appspotmail.com Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/YiQgukfFFbBnwJ/9@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/udc/core.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'drivers') diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index 568534a0d17c..c109b069f511 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -1436,7 +1436,6 @@ static void usb_gadget_remove_driver(struct usb_udc *udc) usb_gadget_udc_stop(udc); udc->driver = NULL; - udc->dev.driver = NULL; udc->gadget->dev.driver = NULL; } @@ -1498,7 +1497,6 @@ static int udc_bind_to_driver(struct usb_udc *udc, struct usb_gadget_driver *dri driver->function); udc->driver = driver; - udc->dev.driver = &driver->driver; udc->gadget->dev.driver = &driver->driver; usb_gadget_udc_set_speed(udc, driver->max_speed); @@ -1521,7 +1519,6 @@ err1: dev_err(&udc->dev, "failed to start %s: %d\n", udc->driver->function, ret); udc->driver = NULL; - udc->dev.driver = NULL; udc->gadget->dev.driver = NULL; return ret; } -- cgit v1.2.3-70-g09d2