Re: [PATCH RFT] ieee802154: atusb: move to new USB API

From: Stefan Schmidt
Date: Wed Jan 05 2022 - 04:02:03 EST



Hello.

On 05.01.22 09:08, Greg KH wrote:
On Tue, Jan 04, 2022 at 08:41:23PM +0100, Stefan Schmidt wrote:
Hello.

On 03.01.22 16:35, Alexander Aring wrote:
Hi,

On Mon, 3 Jan 2022 at 08:03, Greg KH <greg@xxxxxxxxx> wrote:

On Sun, Jan 02, 2022 at 08:19:43PM +0300, Pavel Skripkin wrote:
Alexander reported a use of uninitialized value in
atusb_set_extended_addr(), that is caused by reading 0 bytes via
usb_control_msg().

Since there is an API that cannot read fewer bytes than were requested,
let's move the atusb driver to use it. It will fix all potential bugs with
uninit values and make the code more modern.

Fail log:

BUG: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
BUG: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
BUG: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd
ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396

Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver")
Cc: stable@xxxxxxxxxxxxxxx # 5.9
Reported-by: Alexander Potapenko <glider@xxxxxxxxxx>
Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
---
drivers/net/ieee802154/atusb.c | 61 +++++++++++++++++++++-------------
1 file changed, 38 insertions(+), 23 deletions(-)

diff --git a/drivers/net/ieee802154/atusb.c b/drivers/net/ieee802154/atusb.c
index 23ee0b14cbfa..43befea0110f 100644
--- a/drivers/net/ieee802154/atusb.c
+++ b/drivers/net/ieee802154/atusb.c
@@ -80,10 +80,9 @@ struct atusb_chip_data {
* in atusb->err and reject all subsequent requests until the error is cleared.
*/

-static int atusb_control_msg(struct atusb *atusb, unsigned int pipe,
- __u8 request, __u8 requesttype,
- __u16 value, __u16 index,
- void *data, __u16 size, int timeout)
+static int atusb_control_msg_recv(struct atusb *atusb, __u8 request, __u8 requesttype,
+ __u16 value, __u16 index,
+ void *data, __u16 size, int timeout)
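
Review bot: the comment block ending just above the renamed helper ("reject all subsequent requests until the error is cleared") is carried over unchanged, while the commit message says the point of the new API is that it cannot read fewer bytes than requested. The comment should state how atusb_control_msg_recv() treats a short read and whether that case is also recorded in atusb->err, since callers rely on that contract. As a style point, the first line of the new signature runs past 80 columns; breaking after "struct atusb *atusb," as the removed version did would keep it in line with the surrounding code.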

Why do you need a wrapper function at all? Why not just call the real
usb functions instead?

...


I would recommend just moving to use the real USB functions and no
wrapper function at all like this, it will make things more obvious and
easier to understand over time.

okay.

With the small fix handle the actual KASAN report applied now

It was? What is the git commit id?

I applied it to my wpan tree from where it will go to the net tree with my next pull request.

https://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan.git/commit/?id=754e4382354f7908923a1949d8dc8d05f82f09cb

regards
Stefan Schmidt
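
A userspace model of the bug class discussed in this thread, added here as an illustration; it is not code from the patch or from the atusb driver. The names `mock_control_read()`, `read_addr_unchecked()` and `read_addr_exact()` are hypothetical, and the mock only imitates a transfer that may return fewer bytes than requested.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a control transfer (not a kernel API): copies at
 * most dev_len bytes and returns the number actually transferred. */
static int mock_control_read(const uint8_t *dev, size_t dev_len,
                             void *buf, size_t size)
{
    size_t n = dev_len < size ? dev_len : size;
    memcpy(buf, dev, n);
    return (int)n;
}

/* Only a negative return counts as failure, so a 0-byte read "succeeds"
 * and *addr keeps whatever it held before the call. */
static int read_addr_unchecked(const uint8_t *dev, size_t dev_len, uint64_t *addr)
{
    int ret = mock_control_read(dev, dev_len, addr, sizeof(*addr));

    return ret < 0 ? ret : 0;
}

/* A short read is an error: fill a scratch buffer and publish it to the
 * caller only when every requested byte arrived. */
static int read_addr_exact(const uint8_t *dev, size_t dev_len, uint64_t *addr)
{
    uint8_t tmp[sizeof(*addr)];
    int ret = mock_control_read(dev, dev_len, tmp, sizeof(tmp));

    if (ret < 0)
        return ret;
    if ((size_t)ret != sizeof(tmp))
        return -EIO;
    memcpy(addr, tmp, sizeof(tmp));
    return 0;
}

int main(void)
{
    static const uint8_t dev[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    uint64_t addr = 0xdeadbeefULL; /* sentinel standing in for stale stack data */

    printf("unchecked, 0-byte reply: ret=%d\n", read_addr_unchecked(dev, 0, &addr));
    printf("exact, 0-byte reply:     ret=%d\n", read_addr_exact(dev, 0, &addr));
    printf("exact, full reply:       ret=%d\n", read_addr_exact(dev, sizeof(dev), &addr));
    return 0;
}
```

The sentinel makes the stale value observable without reading indeterminate memory; in the reported case the destination was an uninitialized stack variable that was then used in a comparison.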