[PATCH RFC] wifi: zd1211rw: restrict binding to a single interface
0 views
Skip to first unread message
syzbot
May 12, 2026, 5:05:56 PM (3 days ago) May 12
to syzkaller-upst...@googlegroups.com, syz...@lists.linux.dev
A malicious USB device with multiple interfaces can trigger a lockdep
warning about a possible recursive locking deadlock in the zd1211rw
driver.
The driver lacks a check for the interface number in its probe function,
allowing it to bind to all interfaces of a matching USB device. During
probe, the driver calls usb_reset_device(). If the device has multiple
interfaces, usb_reset_device() invokes the pre_reset callback for all
currently bound interfaces. Because pre_reset acquires and holds
&chip->mutex, calling it for multiple interfaces sequentially causes the
task to acquire multiple mutexes of the same lock class, triggering the
lockdep warning.
Real ZD1211 Wi-Fi dongles only have a single interface (interface 0).
Binding to multiple interfaces is a bug that not only causes this
lockdep warning but would also lead to functional issues if the
interfaces share endpoints.
Fix this by rejecting any interface other than 0 at the beginning of the
probe function. This ensures that at most one interface is ever bound to
this driver per device, preventing the recursive locking scenario and
underlying functional bugs.
Fixes: e85d0918b54fbd9b38003752f7d665416b06edd8 ("[PATCH] ZyDAS ZD1211 USB-WLAN driver")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
Reported-by: syzbot+0ec3d1...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0ec3d1a6cf1fbe79c153
Link: https://syzkaller.appspot.com/ai_job?id=81d3d19a-926e-45c1-a50d-098739716a84
To: <linux-w...@vger.kernel.org>
Cc: <linux-...@vger.kernel.org>
---
diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
index 966d8ccb0..968fa338f 100644
--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
@@ -1353,6 +1353,10 @@ static int probe(struct usb_interface *intf, const struct usb_device_id *id)
struct zd_usb *usb;
struct ieee80211_hw *hw = NULL;
+ /* ZD1211 devices only have a single interface */
+ if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
+ return -ENODEV;
+
print_id(udev);
if (id->driver_info & DEVICE_INSTALLER)
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
--
This is an AI-generated patch subject to moderation.
Reply with '#syz upstream' to send it to the mailing list.
Reply with '#syz reject' to reject it.
See for more information.
warning about a possible recursive locking deadlock in the zd1211rw
driver.
The driver lacks a check for the interface number in its probe function,
allowing it to bind to all interfaces of a matching USB device. During
probe, the driver calls usb_reset_device(). If the device has multiple
interfaces, usb_reset_device() invokes the pre_reset callback for all
currently bound interfaces. Because pre_reset acquires and holds
&chip->mutex, calling it for multiple interfaces sequentially causes the
task to acquire multiple mutexes of the same lock class, triggering the
lockdep warning.
Real ZD1211 Wi-Fi dongles only have a single interface (interface 0).
Binding to multiple interfaces is a bug that not only causes this
lockdep warning but would also lead to functional issues if the
interfaces share endpoints.
Fix this by rejecting any interface other than 0 at the beginning of the
probe function. This ensures that at most one interface is ever bound to
this driver per device, preventing the recursive locking scenario and
underlying functional bugs.
Fixes: e85d0918b54fbd9b38003752f7d665416b06edd8 ("[PATCH] ZyDAS ZD1211 USB-WLAN driver")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
Reported-by: syzbot+0ec3d1...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0ec3d1a6cf1fbe79c153
Link: https://syzkaller.appspot.com/ai_job?id=81d3d19a-926e-45c1-a50d-098739716a84
To: <linux-w...@vger.kernel.org>
Cc: <linux-...@vger.kernel.org>
---
diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
index 966d8ccb0..968fa338f 100644
--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
@@ -1353,6 +1353,10 @@ static int probe(struct usb_interface *intf, const struct usb_device_id *id)
struct zd_usb *usb;
struct ieee80211_hw *hw = NULL;
+ /* ZD1211 devices only have a single interface */
+ if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
+ return -ENODEV;
+
print_id(udev);
if (id->driver_info & DEVICE_INSTALLER)
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
--
This is an AI-generated patch subject to moderation.
Reply with '#syz upstream' to send it to the mailing list.
Reply with '#syz reject' to reject it.
See for more information.
Aleksandr Nogikh
May 13, 2026, 9:57:57 AM (3 days ago) May 13
to syzbot, syzkaller-upst...@googlegroups.com, syz...@lists.linux.dev
Is it correct to return ENODEV here?
On Tue, May 12, 2026 at 11:05 PM 'syzbot' via
syzkaller-upstream-moderation
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/affecee3-b60c-498b-ae12-99ade5e65f05%40mail.kernel.org.
On Tue, May 12, 2026 at 11:05 PM 'syzbot' via
syzkaller-upstream-moderation
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/affecee3-b60c-498b-ae12-99ade5e65f05%40mail.kernel.org.
syzbot
May 13, 2026, 3:09:42 PM (2 days ago) May 13
to nog...@google.com, syzkaller-upst...@googlegroups.com, syz...@lists.linux.dev
> Is it correct to return ENODEV here?
Yes, returning `-ENODEV` is the standard and correct way to reject an
interface in a USB probe function. It tells the USB core that this
driver does not support the given interface, allowing the core to either
try matching other drivers or simply leave the interface unbound without
logging a probe failure error.
--
This reply was generated by an AI model.
See for more information.
Reply all
Reply to author
Forward
0 new messages