Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/drivers
History
Nikita Zhandarovich e6ef3a870b wifi: ar5523: enable proper endpoint verification 
[ Upstream commit e120b6388d7d88635d67dcae6483f39c37111850 ]

Syzkaller reports [1] hitting a warning about an endpoint in use
not having an expected type to it.

Fix the issue by checking for the existence of all proper
endpoints with their according types intact.

Sadly, this patch has not been tested on real hardware.

[1] Syzkaller report:
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:
 <TASK>
 ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275
 ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline]
 ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline]
 ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655
 usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936
 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487
 device_add+0xbd9/0x1e90 drivers/base/core.c:3517
 usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:560 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:639
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808
 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936
 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008
 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487
 device_add+0xbd9/0x1e90 drivers/base/core.c:3517
 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573
 hub_port_connect drivers/usb/core/hub.c:5353 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Reported-and-tested-by: syzbot+1bc2c2afd44f820a669f@syzkaller.appspotmail.com
Fixes: b7d572e1871d ("ar5523: Add new driver")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://msgid.link/20240408121425.29392-1-n.zhandarovich@fintech.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-19 12:26:56 +01:00
..
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-11-19 12:26:51 +01:00
acpi ACPI: disable -Wstringop-truncation 2024-11-19 12:26:54 +01:00
amba
android binder: check offset alignment in binder_get_object() 2024-11-19 11:32:22 +01:00
ata ata: sata_gemini: Check clk_enable() result 2024-11-19 11:32:44 +01:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-11-18 12:13:24 +01:00
auxdisplay
base x86/rfds: Mitigate Register File Data Sampling (RFDS) 2024-11-19 09:22:40 +01:00
battery drivers: battery_v2: sec_battery: export {CURRENT/VOLTAGE}_MAX to sysfs 2024-11-17 17:43:14 +01:00
bcma
block null_blk: Fix missing mutex_destroy() at module removal 2024-11-19 12:26:52 +01:00
bluetooth Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 2024-11-19 11:32:38 +01:00
bts
bus bus: tegra-aconnect: Update dependency to ARCH_TEGRA 2024-11-19 08:44:45 +01:00
cdrom
char hwrng: core - Fix page fault dead lock on mmap-ed hwrng 2024-11-18 12:12:55 +01:00
clk clk: Don't hold prepare_lock when calling kref_put() 2024-11-19 11:32:45 +01:00
clocksource clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware 2024-11-18 11:43:12 +01:00
connector
counter counter: microchip-tcb-capture: Fix the use of internal GCLK logic 2024-11-08 11:25:51 +01:00
cpufreq cpufreq: exit() callback is optional 2024-11-19 12:26:54 +01:00
cpuidle
crypto crypto: ccp - drop platform ifdef checks 2024-11-19 12:26:52 +01:00
dax
dca
devfreq PM / devfreq: Fix buffer overflow in trans_stat_show 2024-11-19 11:32:38 +01:00
dio
dma dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state" 2024-11-19 11:32:41 +01:00
dma-buf
edac EDAC/thunderx: Fix possible out-of-bounds string access 2024-11-18 12:12:19 +01:00
eisa
extcon
fingerprint
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-11-19 11:32:46 +01:00
firmware firmware: raspberrypi: Use correct device for DMA mappings 2024-11-19 12:26:52 +01:00
fpga
fsi
gnss
gpio gpio: crystalcove: Use -ENOTSUPP consistently 2024-11-19 11:32:45 +01:00
gpu drm/amdkfd: Flush the process wq before creating a kfd_process 2024-11-19 12:26:52 +01:00
greybus
gud
hid HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up 2024-11-19 11:32:40 +01:00
hsi
hv Drivers: hv: vmbus: Drop error message when 'No request id available' 2024-11-18 23:19:53 +01:00
hwmon hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us 2024-11-19 11:32:49 +01:00
hwspinlock
hwtracing coresight: etm4x: Fix width of CCITMIN field 2024-11-18 12:12:19 +01:00
i2c i2c: smbus: fix NULL function pointer dereference 2024-11-19 11:32:40 +01:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-11-18 12:13:19 +01:00
ide
idle
ifconn
iio iio: accel: mxc4005: Interrupt handling fixes 2024-11-19 11:32:48 +01:00
infiniband RDMA/mlx5: Fix port number for counter query in multi-port configuration 2024-11-19 11:32:21 +01:00
input Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails 2024-11-19 09:23:14 +01:00
interconnect interconnect: Treat xlate() returning NULL node as an error 2024-11-18 12:12:00 +01:00
iommu iommu/vt-d: Allocate local memory for page request queue 2024-11-19 11:32:20 +01:00
ipack
irqchip irqchip/loongson-pch-msi: Fix off-by-one on allocation error path 2024-11-19 12:26:54 +01:00
isdn
kperfmon Kperfmon: add xyunbound version 2024-06-15 16:28:49 -03:00
kq/mesh
leds leds: sgm3140: Add missing timer cleanup and flash gpio control 2024-11-19 08:44:56 +01:00
lightnvm
macintosh macintosh/via-macii: Fix "BUG: sleeping function called from invalid context" 2024-11-19 12:26:55 +01:00
mailbox mailbox: imx: fix suspend failue 2024-11-19 11:32:20 +01:00
mcb mcb: fix error handling for different scenarios when parsing 2024-11-18 11:43:25 +01:00
md md: fix resync softlockup when bitmap size is less than array size 2024-11-19 12:26:53 +01:00
media media: cec: core: remove length check of Timer Status 2024-11-19 11:32:19 +01:00
memory
memstick
message
mfd mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref 2024-11-19 08:44:54 +01:00
misc mei: me: add lunar lake point M DID 2024-11-19 11:32:49 +01:00
mmc mmc: core: Avoid negative index with array access 2024-11-19 09:22:42 +01:00
most
mtd mtd: diskonchip: work around ubsan link failure 2024-11-19 11:32:40 +01:00
muic
mux
net wifi: ar5523: enable proper endpoint verification 2024-11-19 12:26:56 +01:00
nfc NFC: trf7970a: disable all regulators on removal 2024-11-19 11:32:37 +01:00
ntb
nubus
nvdimm nd_btt: Make BTT lanes preemptible 2024-11-18 11:43:03 +01:00
nvme nvme: find numa distance only if controller has valid numa id 2024-11-19 12:26:52 +01:00
nvmem nvmem: meson-efuse: fix function pointer type mismatch 2024-11-19 09:22:34 +01:00
of of: dynamic: Synchronize of_changeset_destroy() with the devlink removals 2024-11-19 09:23:10 +01:00
opp OPP: debugfs: Fix warning around icc_get_name() 2024-11-19 08:44:49 +01:00
oprofile
parisc
parport parport: parport_serial: Add Brainboxes device IDs and geometry 2024-11-18 12:12:19 +01:00
pci Manual Revert: PCI/ASPM: Make Intel DG2 L1 acceptable latency unlimited 2024-11-19 10:37:22 +01:00
pcmcia pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() 2024-11-18 11:43:06 +01:00
perf perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 2024-11-08 11:24:52 +01:00
phy phy: tegra: xusb: Add API to retrieve the port number of phy 2024-11-19 09:22:34 +01:00
pinctrl pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() 2024-11-19 12:26:38 +01:00
platform platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet 2024-11-19 09:23:14 +01:00
pnp PNP: ACPI: fix fortify warning 2024-11-18 12:13:09 +01:00
power power: rt9455: hide unused rt9455_boost_voltage_values 2024-11-19 11:32:42 +01:00
powercap
pps
ps3
ptp ptp: annotate data-race around q->head and q->tail 2024-11-18 11:43:19 +01:00
pwm pwm: jz4740: Don't use dev_err_probe() in .request() 2024-11-18 12:12:47 +01:00
rapidio
ras
regulator regulator: vqmmc-ipq4019: fix module autoloading 2024-11-19 12:26:51 +01:00
remoteproc remoteproc: stm32: fix phys_addr_t format string 2024-11-19 08:45:00 +01:00
reset reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning 2024-11-18 12:12:16 +01:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2024-11-18 12:12:56 +01:00
rtc rtc: mt6397: select IRQ_DOMAIN instead of depending on it 2024-11-19 08:44:58 +01:00
s390 s390/cio: fix tracepoint subchannel type field 2024-11-19 12:26:52 +01:00
samsung Fix clang 16 errors treewide 2024-06-15 16:28:48 -03:00
sbus
scsi scsi: hpsa: Fix allocation size for Scsi_Host private data 2024-11-19 12:26:55 +01:00
sensorhub treewide: fix build errors 2024-06-15 16:21:17 -03:00
sensors
sfi
sh
siox
slimbus slimbus: core: Remove usage of the deprecated ida_simple_xx() API 2024-11-19 09:22:34 +01:00
soc soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE 2024-11-19 12:26:52 +01:00
soundwire soundwire: stream: fix NULL pointer dereference for multi_link 2024-11-18 12:11:57 +01:00
spi spi: spi-mt65xx: Fix NULL pointer access in interrupt handler 2024-11-19 08:45:00 +01:00
spmi
spu_verify
ssb
staging comedi: vmk80xx: fix incomplete endpoint checking 2024-11-19 11:32:22 +01:00
sti
target scsi: target: Fix SELinux error when systemd-modules loads the target module 2024-11-19 11:32:44 +01:00
tc
tee tee: optee: Fix kernel panic caused by incorrect error handling 2024-11-19 09:22:39 +01:00
thermal thermal: core: prevent potential string overflow 2024-11-18 11:42:50 +01:00
thunderbolt thunderbolt: Fix wake configurations after device unplug 2024-11-19 11:32:22 +01:00
tty tty: n_gsm: fix possible out-of-bounds in gsm0_receive() 2024-11-19 12:26:51 +01:00
uh
uio uio: Fix use-after-free in uio_open 2024-11-18 12:12:19 +01:00
usb usb: typec: ucsi: displayport: Fix potential deadlock 2024-11-19 12:26:50 +01:00
vdpa
vfio vfio/fsl-mc: Block calling interrupt handler without trigger 2024-11-19 09:22:45 +01:00
vhost vhost: Add smp_rmb() in vhost_vq_avail_empty() 2024-11-19 11:32:20 +01:00
vibrator
video fbmon: prevent division by zero in fb_videomode_from_videomode() 2024-11-19 09:23:15 +01:00
virt
virtio virtio: reenable config if freezing device failed 2024-11-19 09:23:15 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: stm32_iwdg: initialize default timeout 2024-11-19 08:44:57 +01:00
xen xen/events: close evtchn after mapping cleanup 2024-11-19 09:22:39 +01:00
zorro
Kconfig drivers: add stub kperfmon 2024-06-15 16:28:49 -03:00
Kconfig.variant1
Makefile drivers: add stub kperfmon 2024-06-15 16:28:49 -03:00
Makefile.variant1