2bbcaaee1f
In ath9k_hif_usb_rx_cb interface number is assumed to be 0. usb_ifnum_to_if(urb->dev, 0) But it isn't always true. The case reported by syzbot: https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com usb 2-1: new high-speed USB device number 2 using dummy_hcd usb 2-1: config 1 has an invalid interface number: 2 but max is 0 usb 2-1: config 1 has no interface number 0 usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 general protection fault, probably for non-canonical address 0xdffffc0000000015: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0 Call Trace __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 expire_timers kernel/time/timer.c:1449 [inline] __run_timers kernel/time/timer.c:1773 [inline] __run_timers kernel/time/timer.c:1740 [inline] run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 __do_softirq+0x21e/0x950 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x178/0x1a0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com Signed-off-by: Qiujun Huang <hqjagain@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
144 lines
3.7 KiB
C
144 lines
3.7 KiB
C
/*
|
|
* Copyright (c) 2010-2011 Atheros Communications Inc.
|
|
*
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#ifndef HTC_USB_H
|
|
#define HTC_USB_H
|
|
|
|
/* old firmware images */
|
|
#define FIRMWARE_AR7010_1_1 "htc_7010.fw"
|
|
#define FIRMWARE_AR9271 "htc_9271.fw"
|
|
|
|
/* supported Major FW version */
|
|
#define MAJOR_VERSION_REQ 1
|
|
#define MINOR_VERSION_REQ 3
|
|
/* minimal and maximal supported Minor FW version. */
|
|
#define FIRMWARE_MINOR_IDX_MAX 4
|
|
#define FIRMWARE_MINOR_IDX_MIN 3
|
|
#define HTC_FW_PATH "ath9k_htc"
|
|
|
|
#define HTC_9271_MODULE_FW HTC_FW_PATH "/htc_9271-" \
|
|
__stringify(MAJOR_VERSION_REQ) \
|
|
"." __stringify(FIRMWARE_MINOR_IDX_MAX) ".0.fw"
|
|
#define HTC_7010_MODULE_FW HTC_FW_PATH "/htc_7010-" \
|
|
__stringify(MAJOR_VERSION_REQ) \
|
|
"." __stringify(FIRMWARE_MINOR_IDX_MAX) ".0.fw"
|
|
|
|
extern int htc_use_dev_fw;
|
|
|
|
#define IS_AR7010_DEVICE(_v) (((_v) == AR9280_USB) || ((_v) == AR9287_USB))
|
|
|
|
#define AR9271_FIRMWARE 0x501000
|
|
#define AR9271_FIRMWARE_TEXT 0x903000
|
|
#define AR7010_FIRMWARE_TEXT 0x906000
|
|
|
|
#define FIRMWARE_DOWNLOAD 0x30
|
|
#define FIRMWARE_DOWNLOAD_COMP 0x31
|
|
|
|
#define ATH_USB_RX_STREAM_MODE_TAG 0x4e00
|
|
#define ATH_USB_TX_STREAM_MODE_TAG 0x697e
|
|
|
|
/* FIXME: Verify these numbers (with Windows) */
|
|
#define MAX_TX_URB_NUM 8
|
|
#define MAX_TX_BUF_NUM 256
|
|
#define MAX_TX_BUF_SIZE 32768
|
|
#define MAX_TX_AGGR_NUM 20
|
|
|
|
#define MAX_RX_URB_NUM 8
|
|
#define MAX_RX_BUF_SIZE 16384
|
|
#define MAX_PKT_NUM_IN_TRANSFER 10
|
|
|
|
#define MAX_REG_OUT_URB_NUM 1
|
|
#define MAX_REG_IN_URB_NUM 64
|
|
|
|
#define MAX_REG_IN_BUF_SIZE 64
|
|
|
|
/* USB Endpoint definition */
|
|
#define USB_WLAN_TX_PIPE 1
|
|
#define USB_WLAN_RX_PIPE 2
|
|
#define USB_REG_IN_PIPE 3
|
|
#define USB_REG_OUT_PIPE 4
|
|
|
|
#define USB_MSG_TIMEOUT 1000 /* (ms) */
|
|
|
|
#define HIF_USB_MAX_RXPIPES 2
|
|
#define HIF_USB_MAX_TXPIPES 4
|
|
|
|
struct tx_buf {
|
|
u8 *buf;
|
|
u16 len;
|
|
u16 offset;
|
|
struct urb *urb;
|
|
struct sk_buff_head skb_queue;
|
|
struct hif_device_usb *hif_dev;
|
|
struct list_head list;
|
|
};
|
|
|
|
struct rx_buf {
|
|
struct sk_buff *skb;
|
|
struct hif_device_usb *hif_dev;
|
|
};
|
|
|
|
#define HIF_USB_TX_STOP BIT(0)
|
|
#define HIF_USB_TX_FLUSH BIT(1)
|
|
|
|
struct hif_usb_tx {
|
|
u8 flags;
|
|
u8 tx_buf_cnt;
|
|
u16 tx_skb_cnt;
|
|
struct sk_buff_head tx_skb_queue;
|
|
struct list_head tx_buf;
|
|
struct list_head tx_pending;
|
|
spinlock_t tx_lock;
|
|
};
|
|
|
|
struct cmd_buf {
|
|
struct sk_buff *skb;
|
|
struct hif_device_usb *hif_dev;
|
|
};
|
|
|
|
#define HIF_USB_START BIT(0)
|
|
#define HIF_USB_READY BIT(1)
|
|
|
|
struct hif_device_usb {
|
|
struct usb_device *udev;
|
|
struct usb_interface *interface;
|
|
const struct usb_device_id *usb_device_id;
|
|
const void *fw_data;
|
|
size_t fw_size;
|
|
struct completion fw_done;
|
|
struct htc_target *htc_handle;
|
|
struct hif_usb_tx tx;
|
|
struct usb_anchor regout_submitted;
|
|
struct usb_anchor rx_submitted;
|
|
struct usb_anchor reg_in_submitted;
|
|
struct usb_anchor mgmt_submitted;
|
|
struct sk_buff *remain_skb;
|
|
char fw_name[32];
|
|
int fw_minor_index;
|
|
int rx_remain_len;
|
|
int rx_pkt_len;
|
|
int rx_transfer_len;
|
|
int rx_pad_len;
|
|
spinlock_t rx_lock;
|
|
u8 flags; /* HIF_USB_* */
|
|
};
|
|
|
|
int ath9k_hif_usb_init(void);
|
|
void ath9k_hif_usb_exit(void);
|
|
void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev);
|
|
|
|
#endif /* HTC_USB_H */
|