From patchwork Mon Aug 26 13:44:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Edward Adam Davis X-Patchwork-Id: 13777948 Received: from out162-62-57-49.mail.qq.com (out162-62-57-49.mail.qq.com [162.62.57.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7CA1D17C989; Mon, 26 Aug 2024 13:57:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=162.62.57.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724680671; cv=none; b=lmOTAVBGcRJXmIqUm5UTYK7B/jMpRnX/EQ2gTnf/mI9LKS7iNlypHDsdVqXkT0zOShRL+Z08rQ1zB+hG0zZdezYmXFY12AfuNeNFcAXMGKrnN+SZ9+WvNHOAs+SW8KhMGuNrkzL3mUgAihmRL6H1fFMx7kFyuVenZLyq0yEqNhE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724680671; c=relaxed/simple; bh=vr7oofwZgZfct6HqlKWNzT6ycYxBI0n+s7zmMjcpi4M=; h=Message-ID:From:To:Cc:Subject:Date:In-Reply-To:References: MIME-Version; b=hU85ou+HtI5Ge9fIU/jIuBsIBuw3uZcnAC5oVqiWRIv8D9LQ1EbDJ3MxXkgEp5xL8cvX0Ta7UyjMR6iIpcfvPZajT3eCkDTjQtWfzHcny5bxRqsIRoVb19ma2313i5XR2ODwKNMi/Tq+NBlcP0RM2IJgqin+LNKowH8en+zvKmU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com; spf=pass smtp.mailfrom=qq.com; dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b=ejKdB4G1; arc=none smtp.client-ip=162.62.57.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=qq.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="ejKdB4G1" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512; t=1724680663; bh=OHgRLzSenWLbC5JQpgLz4xtY6cHLHbUrK3U66N3AWaM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ejKdB4G13RzIjs6bAOrBphKmkZ7gSfgleilYyM6Gb+gbeKk3YcrbUApIQ0MJb2EMm DFWsL+Ra5pCravZJVExP85JwZRqForjuNl99DVmved16gW3H/bseB4+I2yvMf6+lOi 8Q5FYS19zd+iVr2Cy3fYABm+2I3mBCZ6NDVSZcwM= Received: from pek-lxu-l1.wrs.com ([111.198.225.4]) by newxmesmtplogicsvrszb16-1.qq.com (NewEsmtp) with SMTP id B12B340A; Mon, 26 Aug 2024 21:44:18 +0800 X-QQ-mid: xmsmtpt1724679858tld28qu36 Message-ID: X-QQ-XMAILINFO: MW5hkHoBpWXyI09Aq4gwR2uQtgcCQR4idHhfNGBGz3Iiy0PEFTPLCT8Ve7kUlB J3emttFsrfj7eSzFRWc8gbM+fXuFNF1fRgMwh+qRAysAxuLsLDgJl2XSsRxhA5UreLLdPTujQtXV nQijk9n1Jv8PFDio6NTz7dS15so4EvTpfB9HOryeWKqx+n0hmx7HjOh7FP1vz+M1n7gDFZ8HC7B4 M4eyRY9Bu9PZggcntTYT4+Vo/3IfUYgxfsZ+n4h2ue+ZYhR5LyNH8/il0QMdGXbmd9cXc8F5DY0a MR/dHTGlYL/qqlAful5Z9j4XNaPglB/nNJQrXbtaGxYA1j4mLY4UMpfVa5i90q8YtYUE3S5kta7D VCWCaZFdgMkHYfJaCNXQ4pQnP4LlAs9zAUxvSaDflmbFpkPeuZPmCG3Akj1LXVKwtFWNiEmVfmBY 4GjVepYFiXcaAXrRFtGxmldhUzETVALTZIonuq20fDXEQxVqWF9L07uETBjWLjg21PF/6huGeovl AgXxxl6h5NwQcCbRZUZJIFMNC01Ui/p+BX2AKBZzEnoGmoQezqE/fPsPJGecRmSNyzPDzWywwKwM VmEzy8rPWvlSw3Hp4USDlJ7MOh03emUzN0uLVlbje52AqBNNLnzW5S/SDnz71OCf0ndC4C1YdRK/ 0Ll8vtcCrMniWesPuNnikOAJtLmxn89PABDzGL6PimrsZCQSx0wwvS4nnxefIyzt0EH++pipNtwa CL0CjK2Qploo6tLYinew63Es0FP8uYpIeVyuI2dn99KYr3H+SPzQneDQxQKe2txtSGga3XpSachX GBC/5dMqWcj8ip+wnWh3oVB0j2JQl92HM8oDjWvFRFE75eTPJ7AzUoUXMFHTpm4pM30+tNvppjdS VyPmT4TutSaXMNKynOz5lb3YdfNFL3MVUc4a6Tf6mar17Yy5GsCOdS0jqJQPeENF2s5+eFKfnMz8 DAXPWcalud/1iyQESt4Xk6DiDEoY3pIjHZBdywSmEbAJnlKDeHMecTubXR+ePo X-QQ-XMRINFO: MSVp+SPm3vtS1Vd6Y4Mggwc= From: Edward Adam Davis To: gregkh@linuxfoundation.org Cc: eadavis@qq.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, sergei.shtylyov@gmail.com, syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com Subject: [PATCH V5 1/2] wifi: ath6kl: Replace ath6kl_usb_submit_ctrl_in with usb_control_msg_recv Date: Mon, 26 Aug 2024 21:44:19 +0800 X-OQ-MSGID: <20240826134418.2744882-3-eadavis@qq.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <2024082607-foothold-boss-c693@gregkh> References: <2024082607-foothold-boss-c693@gregkh> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 ath6kl_usb_submit_ctrl_in() did not take into account the situation where the length of the data read from the device is not equal to the len, and such missing judgments will result in subsequent code using incorrect data. usb_control_msg_recv() handles the abnormal length of the returned data, so using it directly can fix "target's targ_info doesn't match the host's targ_info" warning in ath6kl_bmi_get_target_info. Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis --- V1: If the data length returned by the device is 0 return failure V2: Directly using USB functions V3: Adjust indentation style V4: Adjust indentation style V5: Update comments, add warning info drivers/net/wireless/ath/ath6kl/usb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c index 5220809841a6..0458b5a078e1 100644 --- a/drivers/net/wireless/ath/ath6kl/usb.c +++ b/drivers/net/wireless/ath/ath6kl/usb.c @@ -1027,9 +1027,10 @@ static int ath6kl_usb_bmi_read(struct ath6kl *ar, u8 *buf, u32 len) int ret; /* get response */ - ret = ath6kl_usb_submit_ctrl_in(ar_usb, - ATH6KL_USB_CONTROL_REQ_RECV_BMI_RESP, - 0, 0, buf, len); + ret = usb_control_msg_recv(ar_usb->udev, 0, + ATH6KL_USB_CONTROL_REQ_RECV_BMI_RESP, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, 0, buf, len, 2000, GFP_KERNEL); if (ret) { ath6kl_err("Unable to read the bmi data from the device: %d\n", ret); From patchwork Mon Aug 26 13:44:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Edward Adam Davis X-Patchwork-Id: 13777947 Received: from out162-62-57-252.mail.qq.com (out162-62-57-252.mail.qq.com [162.62.57.252]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 58DB118755F; Mon, 26 Aug 2024 13:55:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=162.62.57.252 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724680552; cv=none; b=kvImmmRaDxTo2QWYG/HESJB/2gmOf9KnWozTawmm/6w9VNqM13Nn79YkDyzhj7b5xQ2E/2a66nWB/3SG008Tp1ZSv/wVW8rMD8TBhwE5KNXPbmiFLB5ykP7Egk9FJoc1gyDtj+7LvE/hCioxRqNAWg8+aXdQmnk8Qmh9yWu8/Lo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1724680552; c=relaxed/simple; bh=NATgpsff2H3ZQ8S3GdgP7lJSfrRhEUnOzap5J7BLiek=; h=Message-ID:From:To:Cc:Subject:Date:In-Reply-To:References: MIME-Version; b=s63211xGNV46Uwo0ZlY0bmqtyS3etitShWpxf5WnVDh1FRsSu2pPAf/U3ZbLSCXsvCitee5HPTzE7Fk+nmBYmbYzdsbfV22WBIf2lS+SxEIwN+byn1nZZKvm+zFN5fW6TsGeQZRLhuJ2UNJQwkxrQVDM8dFVw640xHofTpE1SSs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com; spf=pass smtp.mailfrom=qq.com; dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b=yxLKXy8T; arc=none smtp.client-ip=162.62.57.252 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=qq.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="yxLKXy8T" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512; t=1724680244; bh=FSL0sS5dQKb2f7iPwim4nCmugDqsEvcGTMYmGhj9qDM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=yxLKXy8TPHsmvWjAXcQfbJ+hf5sg1x9g+VSEUWFrpdSEIr7rw/Lf7FkeLeV5he2Ze rJrvctC9VPR+OUHNVJLU5ZMk0koNwXObE15TKFdTMLgnguw1WXo0snrwiTXIv7sWd1 d6IP6ttQT0LbUZKZGecPEiqTzRyMdfp6YnvtjZuU= Received: from pek-lxu-l1.wrs.com ([111.198.225.4]) by newxmesmtplogicsvrszb16-1.qq.com (NewEsmtp) with SMTP id B12B340A; Mon, 26 Aug 2024 21:44:18 +0800 X-QQ-mid: xmsmtpt1724679862tuqv3rd6h Message-ID: X-QQ-XMAILINFO: N2bAIxLK0elndbABOvoA5K6JOD11oPBkICuZ0Z6fRM/bTt584GnqK1BE5Zh53F 2gF8ZGteJRE1Ycd5n2U0UKoXI0Sq4RWUZ4iYz6oCKe+Uf8LxnTBJKx+7AZmWTcvSbfMhrvQ055ND qgqifAIdvJ7mvIPLvVGgPx8Z13dUIsV28k0mQ0GeM7jVubyYdXvphDJ7BhSomy6HxcMVLfB14nKE FxlKl8+kJEcqQPn0jk193Vs7ESWv5LGANUhK9Y7g8vG5y36scQZLIfSj2fUD/SNKF4RR0+rsN+5F A2xXhdwTOPfGTqqK1drLhBvsg6akuiHiukgzyAUflFERn2s+E254lz6oRcbKU3L9yZXm8YvnFOY2 DsjYOQrG8SHa9Ix3UanYrP4IlRntRJ6dGXzSsnLaumMHM52DlnKYvd538xDq+yme9UH8dTGkOKpw YKiZntSgcy9s325u18JlBjlFLlVzQp8nirPjgvZSag0L2S2YO9P9Cgd7vn0UGAHA7+ZpGA1z8AR6 /SrnGTfG8oxXhqOj3hmNo4chu7m4gJg6sTQW6FhbKMuPIxAjWcIJ9k7pCbbMbQgVP8RFdA88HqTb 0Clq6MJcYeyZqjuvK+a34f0DWefoDiWhQ/uC3yg2jDqB+3M0doigAd8OW1S5PQUvGXBMpB7N+Ra2 7HHy1opZRozkcSQdnY2u1wjQVQUSubq3GCSDS/pn0ohA7fCTVCNoQGioxMyL1fTJ5ySEp8kXn0BI sNrNFEefISfJJ0IQ5wPDRe/lOosVphVBopethX2UKO4YAjxje31aQ9zV4KCOM8crt0hlWzIwFsws Ndl4BcsvaR/dyq9RhYPT0ijUr/OqQlXAK1tfHgb7pfxF0wzD51s3x5G6BL5lpuXtrsTGVv8oIUMJ zxL1jhyCKdiy7R49Kphy3BNTZPh5+Ub/Vw+K7zXWXJLWijwDMIpsfTZHGEQbIc8mDgOGqAP7ur84 XHOdy36pVvkqX7JfV4LCYj3O8+azvNdCzPiAYj30etG8vbNFKo8l19m/MSad+vrZ13J1WqHReYGS ukoyLQpqAorCWQeILy X-QQ-XMRINFO: OWPUhxQsoeAVDbp3OJHYyFg= From: Edward Adam Davis To: gregkh@linuxfoundation.org Cc: eadavis@qq.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, sergei.shtylyov@gmail.com, syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com Subject: [PATCH V5 2/2] wifi: ath6kl: remove ath6kl_usb_submit_ctrl_in Date: Mon, 26 Aug 2024 21:44:20 +0800 X-OQ-MSGID: <20240826134418.2744882-4-eadavis@qq.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240826134418.2744882-3-eadavis@qq.com> References: <2024082607-foothold-boss-c693@gregkh> <20240826134418.2744882-3-eadavis@qq.com> Precedence: bulk X-Mailing-List: linux-usb@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 ath6kl_usb_submit_ctrl_in() did not take into account the situation where the length of the data read from the device is not equal to the len, and such missing judgments will result in subsequent code using incorrect data. usb_control_msg_recv() handles the abnormal length of the returned data, so using it directly. Suggested-by: Greg Kroah-Hartman Signed-off-by: Edward Adam Davis --- drivers/net/wireless/ath/ath6kl/usb.c | 39 +++------------------------ 1 file changed, 3 insertions(+), 36 deletions(-) diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c index 0458b5a078e1..1a5fb2561fef 100644 --- a/drivers/net/wireless/ath/ath6kl/usb.c +++ b/drivers/net/wireless/ath/ath6kl/usb.c @@ -901,40 +901,6 @@ static int ath6kl_usb_submit_ctrl_out(struct ath6kl_usb *ar_usb, return 0; } -static int ath6kl_usb_submit_ctrl_in(struct ath6kl_usb *ar_usb, - u8 req, u16 value, u16 index, void *data, - u32 size) -{ - u8 *buf = NULL; - int ret; - - if (size > 0) { - buf = kmalloc(size, GFP_KERNEL); - if (buf == NULL) - return -ENOMEM; - } - - /* note: if successful returns number of bytes transfered */ - ret = usb_control_msg(ar_usb->udev, - usb_rcvctrlpipe(ar_usb->udev, 0), - req, - USB_DIR_IN | USB_TYPE_VENDOR | - USB_RECIP_DEVICE, value, index, buf, - size, 2000); - - if (ret < 0) { - ath6kl_warn("Failed to read usb control message: %d\n", ret); - kfree(buf); - return ret; - } - - memcpy((u8 *) data, buf, size); - - kfree(buf); - - return 0; -} - static int ath6kl_usb_ctrl_msg_exchange(struct ath6kl_usb *ar_usb, u8 req_val, u8 *req_buf, u32 req_len, u8 resp_val, u8 *resp_buf, u32 *resp_len) @@ -954,8 +920,9 @@ static int ath6kl_usb_ctrl_msg_exchange(struct ath6kl_usb *ar_usb, } /* get response */ - ret = ath6kl_usb_submit_ctrl_in(ar_usb, resp_val, 0, 0, - resp_buf, *resp_len); + ret = usb_control_msg_recv(ar_usb->udev, 0, resp_val, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, 0, resp_buf, *resp_len, 2000, GFP_KERNEL); return ret; }