android_kernel_xiaomi_sm8450/drivers
Jisoo Jang 47dc1f425a wifi: mt7601u: fix an integer underflow
[ Upstream commit 803f3176c5df3b5582c27ea690f204abb60b19b9 ]

Fix an integer underflow that leads to a null pointer dereference in
'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet
could be manipulated, which could trigger an integer underflow of
'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently
causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be
bypassed, eventually leading to a dereference of the pointer 'p', which
is a null pointer.

Ensure that 'dma_len' is greater than 'min_seg_len'.

Found by a modified version of syzkaller.

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G        W  O      5.14.0+ #139
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44 89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS:  0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 mt7601u_rx_tasklet+0xc73/0x1270
 ? mt7601u_submit_rx_buf.isra.0+0x510/0x510
 ? tasklet_action_common.isra.0+0x79/0x2f0
 tasklet_action_common.isra.0+0x206/0x2f0
 __do_softirq+0x1b5/0x880
 ? tasklet_unlock+0x30/0x30
 run_ksoftirqd+0x26/0x50
 smpboot_thread_fn+0x34f/0x7d0
 ? smpboot_register_percpu_thread+0x370/0x370
 kthread+0x3a1/0x480
 ? set_kthread_struct+0x120/0x120
 ret_from_fork+0x1f/0x30
Modules linked in: 88XXau(O) 88x2bu(O)
---[ end trace 57f34f93b4da0f9b ]---
RIP: 0010:skb_add_rx_frag+0x143/0x370
Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44 89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00
RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8
RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010
R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000
R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008
FS:  0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554

Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221229092906.2328282-1-jisoo.jang@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-11 16:39:49 +01:00
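The length arithmetic the commit message describes, as an added user-space model. This is illustration code, not the mt7601u driver's own source: the header and trailer sizes, the names next_seg_len, process_seg and rx_model, and the constructed URB buffer are all assumptions chosen to make the failure visible. The model shows why a small but otherwise well-formed dma_len (non-zero, 4-byte aligned, inside the URB) slips past the original checks, how the unsigned subtraction of the fixed headers then wraps instead of going negative, and why that wrap makes the later bad-frame comparison pass for any reported length. The hardened path adds the one check the fix describes: dma_len must not be smaller than the minimum segment length.

```c
/* Added example, not the mt7601u driver's code: a user-space model of the
 * length arithmetic described in the commit message above. The constant
 * sizes, layouts and function names are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DMA_HDR_LEN   4u   /* assumed: leading DMA length/info word */
#define RX_INFO_LEN   4u   /* assumed: second header word */
#define RXWI_LEN     16u   /* assumed: receive descriptor size */
#define FCE_INFO_LEN  4u   /* assumed: trailer at the end of each segment */
#define DMA_HDRS     (DMA_HDR_LEN + RX_INFO_LEN)
#define MIN_SEG_LEN  (DMA_HDRS + RXWI_LEN + FCE_INFO_LEN)

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Derive the next segment length from the device-supplied 16-bit dma_len.
 * Returns 0 to stop processing the URB. With 'hardened' set, a dma_len
 * smaller than headers plus trailer is rejected (the check the fix adds). */
static uint32_t next_seg_len(const uint8_t *data, uint32_t data_len, bool hardened)
{
    uint16_t dma_len;

    if (data_len < MIN_SEG_LEN)
        return 0;
    dma_len = get_le16(data);
    if (dma_len == 0)
        return 0;                      /* empty segment */
    if ((uint32_t)dma_len + DMA_HDRS > data_len)
        return 0;                      /* would run past the URB buffer */
    if (dma_len & 0x3)
        return 0;                      /* segments are 4-byte aligned */
    if (hardened && dma_len < MIN_SEG_LEN)
        return 0;                      /* too short to hold the headers */
    return DMA_HDRS + dma_len;
}

/* Strip the trailer and headers from seg_len with unsigned arithmetic, then
 * apply the bad-frame check against the MAC-reported true_len. A seg_len
 * shorter than the headers wraps to a huge value instead of going negative,
 * so the check passes for any true_len. Returns the accepted payload length,
 * or 0 if the frame is rejected. */
static uint32_t process_seg(uint32_t seg_len, uint32_t true_len, bool *wrapped)
{
    uint32_t remaining = seg_len;

    if (wrapped)
        *wrapped = seg_len < FCE_INFO_LEN + DMA_HDR_LEN + RXWI_LEN;
    remaining -= FCE_INFO_LEN;         /* trailer */
    remaining -= DMA_HDR_LEN;          /* DMA header */
    remaining -= RXWI_LEN;             /* receive descriptor */
    if (true_len == 0 || true_len > remaining)
        return 0;                      /* bad_frame */
    return true_len;
}

/* Build a constructed URB buffer of data_len bytes whose first word carries
 * dma_len, then run the segment parser and the per-segment check. Returns the
 * payload length that would reach the copy/frag step, or 0 if the frame was
 * stopped. 'wrapped' (may be NULL) reports whether the arithmetic underflowed. */
static uint32_t rx_model(uint16_t dma_len, uint32_t data_len, uint32_t true_len,
                         bool hardened, bool *wrapped)
{
    uint8_t buf[4096] = {0};           /* constructed URB contents */
    uint32_t seg_len;

    if (wrapped)
        *wrapped = false;
    if (data_len > sizeof(buf))
        return 0;
    buf[0] = (uint8_t)(dma_len & 0xff);
    buf[1] = (uint8_t)(dma_len >> 8);

    seg_len = next_seg_len(buf, data_len, hardened);
    if (seg_len == 0)
        return 0;
    return process_seg(seg_len, true_len, wrapped);
}

/* Convenience: did the header subtraction wrap for this dma_len? */
static bool seg_arith_wraps(uint16_t dma_len, uint32_t data_len, bool hardened)
{
    bool w = false;

    (void)rx_model(dma_len, data_len, 1, hardened, &w);
    return w;
}

int main(void)
{
    bool w;
    uint32_t got;

    got = rx_model(4, 64, 1500, false, &w);
    printf("unhardened, dma_len=4:    accepted=%u wrapped=%d\n", got, w);
    got = rx_model(4, 64, 1500, true, &w);
    printf("hardened,   dma_len=4:    accepted=%u wrapped=%d\n", got, w);
    got = rx_model(1520, 2048, 1500, true, &w);
    printf("hardened,   dma_len=1520: accepted=%u wrapped=%d\n", got, w);
    return 0;
}
```

The point to take from the model is that the original parser validated dma_len against the URB buffer (upper bound) and alignment, but never against the fixed overhead it was about to subtract (lower bound); any length field a device controls needs both bounds checked before arithmetic is done on it, and the check belongs where the value enters, not after the subtraction.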
accessibility speakup: fix a segfault caused by switching consoles 2022-11-25 17:45:50 +01:00
acpi ACPI: battery: Fix missing NUL-termination with large strings 2023-03-11 16:39:22 +01:00
amba
android file: Rename __close_fd_get_file close_fd_get_file 2023-01-04 11:39:18 +01:00
ata ata: libata: Fix sata_down_spd_limit() when no link speed is reported 2023-02-15 17:22:13 +01:00
atm atm: idt77252: fix use-after-free bugs caused by tst_timer 2022-08-25 11:38:02 +02:00
auxdisplay
base driver core: Fix test_async_probe_init saves device in wrong array 2023-02-01 08:23:15 +01:00
bcma
block nbd: fix possible overflow on 'first_minor' in nbd_dev_add() 2023-02-25 11:55:04 +01:00
bluetooth Bluetooth: hci_qca: Fixed issue during suspend 2023-01-24 07:20:01 +01:00
bus bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() 2023-02-15 17:22:10 +01:00
cdrom
char ipmi: fix use after free in _ipmi_destroy_user() 2023-01-14 10:16:35 +01:00
clk clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() 2023-03-11 16:39:44 +01:00
clocksource clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() 2023-01-14 10:15:20 +01:00
connector
counter counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update 2023-01-14 10:15:58 +01:00
cpufreq cpufreq: armada-37xx: stop using 0 as NULL pointer 2023-02-01 08:23:17 +01:00
cpuidle cpuidle: dt: Return the correct numbers of parsed idle states 2023-01-14 10:15:15 +01:00
crypto crypto: crypto4xx - Call dma_unmap_page when done 2023-03-11 16:39:28 +01:00
dax devdax: Fix soft-reservation memory description 2022-09-28 11:10:41 +02:00
dca
devfreq PM/devfreq: governor: Add a private governor_data for governor 2023-01-14 10:16:31 +01:00
dio drivers: dio: fix possible memory leak in dio_init() 2023-01-14 10:15:54 +01:00
dma dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init 2023-02-06 07:56:15 +01:00
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-12-02 17:40:01 +01:00
edac EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info 2023-02-01 08:23:23 +01:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:32:43 +02:00
firewire firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region 2023-02-15 17:22:09 +01:00
firmware efi: Accept version 2 of memory attributes table 2023-02-15 17:22:17 +01:00
fpga fpga: stratix10-soc: Fix return value check in s10_ops_write_init() 2023-02-15 17:22:19 +01:00
fsi WRITE is "data source", not destination... 2023-02-15 17:22:11 +01:00
gnss
gpio gpio: vf610: connect GPIO label to dev name 2023-03-11 16:39:35 +01:00
gpu drm/amdgpu: fix enum odm_combine_mode mismatch 2023-03-11 16:39:37 +01:00
greybus
hid hid: bigben_probe(): validate report count 2023-03-11 16:39:39 +01:00
hsi HSI: omap_ssi_core: Fix error handling in ssi_init() 2023-01-14 10:16:03 +01:00
hv video: hyperv_fb: Avoid taking busy spinlock on panic path 2023-01-14 10:16:13 +01:00
hwmon hwmon: (mlxreg-fan) Return zero speed for broken fan 2023-03-11 16:39:37 +01:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 09:57:07 +01:00
hwtracing coresight: cti: Fix hang in cti_disable_hw() 2022-11-10 18:14:25 +01:00
i2c i2c: rk3x: fix a bunch of kernel-doc warnings 2023-02-15 17:22:15 +01:00
i3c
ide
idle intel_idle: Disable IBRS during long idle 2022-07-25 11:26:43 +02:00
iio iio:adc:twl6030: Enable measurement of VAC 2023-02-15 17:22:21 +01:00
infiniband IB/hfi1: Assign npages earlier 2023-03-03 11:44:51 +01:00
input Input: iqs269a - do not poll during ATI 2023-03-11 16:39:45 +01:00
interconnect interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate 2022-09-28 11:10:28 +02:00
iommu iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() 2023-01-18 11:45:00 +01:00
ipack
irqchip irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts 2023-03-11 16:39:29 +01:00
isdn mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() 2023-01-14 10:16:10 +01:00
leds leds: led-core: Fix refcount leak in of_led_get() 2023-03-11 16:39:40 +01:00
lightnvm
macintosh macintosh/macio-adb: check the return value of ioremap() 2023-01-14 10:16:06 +01:00
mailbox mailbox: zynq-ipi: fix error handling while device_register() fails 2023-01-14 10:16:12 +01:00
mcb mcb: mcb-parse: fix error handing in chameleon_parse_gdd() 2023-01-14 10:15:59 +01:00
md dm: remove flush_scheduled_work() during local_exit() 2023-03-11 16:39:38 +01:00
media media: saa7134: Use video_unregister_device for radio_dev 2023-03-11 16:39:47 +01:00
memory memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() 2023-02-01 08:23:08 +01:00
memstick memstick/ms_block: Fix a memory leak 2022-08-21 15:15:58 +02:00
message
mfd mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read() 2023-03-11 16:39:41 +01:00
misc mei: me: add meteor lake point M DID 2023-01-24 07:20:00 +01:00
mmc mmc: mmc_spi: fix error handling in mmc_spi_probe() 2023-02-22 12:55:55 +01:00
most
mtd mtd: rawnand: sunxi: Fix the size of the last OOB region 2023-03-11 16:39:41 +01:00
mux
net wifi: mt7601u: fix an integer underflow 2023-03-11 16:39:49 +01:00
nfc nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() 2023-01-18 11:44:59 +01:00
ntb NTB: ntb_tool: uninitialized heap data in tool_fn_write() 2022-08-25 11:38:01 +02:00
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:52:15 +02:00
nvme nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association 2023-02-22 12:55:53 +01:00
nvmem nvmem: core: fix return value 2023-02-22 12:56:00 +01:00
of of/address: Return an error when no valid dma-ranges are found 2023-02-15 17:22:22 +01:00
opp OPP: fix error checking in opp_migrate_dentry() 2023-03-11 16:39:26 +01:00
oprofile
parisc parisc: led: Fix potential null-ptr-deref in start_task() 2023-01-14 10:16:36 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-25 17:45:44 +01:00
pci PCI/sysfs: Fix double free in error path 2023-01-14 10:16:36 +01:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:32:30 +02:00
perf perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() 2023-01-14 10:15:12 +01:00
phy phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() 2023-02-01 08:23:12 +01:00
pinctrl linux/kconfig.h: replace IF_ENABLED() with PTR_IF() in <linux/kernel.h> 2023-03-11 16:39:42 +01:00
platform platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match 2023-02-22 12:55:54 +01:00
pnp PNP: fix name memory leak in pnp_alloc_dev() 2023-01-14 10:15:17 +01:00
power power: supply: fix null pointer dereferencing in power_supply_get_battery_info 2023-01-14 10:16:03 +01:00
powercap powercap: fix possible name leak in powercap_register_zone() 2023-03-11 16:39:23 +01:00
pps
ps3
ptp
pwm pwm: tegra: Fix 32 bit build 2023-01-14 10:16:24 +01:00
rapidio rapidio: devices: fix missing put_device in mport_cdev_open 2023-01-14 10:15:23 +01:00
ras
regulator regulator: da9211: Use irq handler when ready 2023-01-18 11:44:58 +01:00
remoteproc remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem headers 2023-03-11 16:39:45 +01:00
reset reset: imx7: Fix the iMX8MP PCIe PHY PERST support 2022-10-05 10:38:40 +02:00
rpmsg rpmsg: glink: Avoid infinite loop on intent for missing channel 2023-03-11 16:39:47 +01:00
rtc rtc: ds1347: fix value written to century register 2023-01-14 10:16:34 +01:00
s390 s390/dasd: Fix potential memleak in dasd_eckd_init() 2023-03-11 16:39:15 +01:00
sbus
scsi scsi: aic94xx: Add missing check for dma_map_single() 2023-03-11 16:39:37 +01:00
sfi
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-25 17:45:44 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-25 17:45:50 +01:00
soc PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() 2023-02-01 08:23:11 +01:00
soundwire ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire 2023-01-14 10:16:28 +01:00
spi spi: synquacer: Fix timeout handling in synquacer_spi_transfer_one() 2023-03-11 16:39:38 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-26 13:25:39 +02:00
ssb
staging comedi: adv_pci1760: Fix PWM instruction handling 2023-01-24 07:19:59 +01:00
target scsi: target: core: Fix warning on RT kernels 2023-02-15 17:22:14 +01:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-12-02 17:39:59 +01:00
thermal thermal: intel: Fix unsigned comparison with less than zero 2023-03-11 16:39:49 +01:00
thunderbolt thunderbolt: Use correct function to calculate maximum USB3 link rate 2023-01-24 07:19:59 +01:00
tty vc_screen: don't clobber return value in vcs_read 2023-03-03 11:44:51 +01:00
uio uio: uio_dmem_genirq: Fix deadlock between irq config and handling 2023-01-14 10:15:55 +01:00
usb USB: core: Don't hold device lock while reading the "descriptors" sysfs file 2023-03-03 11:44:52 +01:00
vdpa vdpa/mlx5: Don't clear mr struct on destroy MR 2023-03-11 16:39:45 +01:00
vfio vfio: platform: Do not pass return buffer to ACPI _RST method 2023-01-14 10:15:54 +01:00
vhost vhost/net: Clear the pending messages when the backend is removed 2023-02-15 17:22:11 +01:00
video fbdev: smscufx: fix error handling code in ufx_usb_probe 2023-02-15 17:22:20 +01:00
virt vboxguest: Do not use devm for irq 2022-08-25 11:38:14 +02:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:20:13 +02:00
visorbus
vlynq
vme vme: Fix error not catched in fake_init() 2023-01-14 10:16:00 +01:00
w1 w1: fix WARNING after calling w1_process() 2023-02-01 08:23:15 +01:00
watchdog watchdog: diag288_wdt: fix __diag288() inline assembly 2023-02-15 17:22:17 +01:00
xen fix "direction" argument of iov_iter_kvec() 2023-02-15 17:22:12 +01:00
zorro
Kconfig
Makefile