Use the Interval value from the isoc/intr endpoint descriptor; there is no
need to subtract one. But the original code doesn't cause a transfer error in
normal cases, because the interval is less than the host request.
Signed-off-by: Chunfeng Yun <[email protected]>
---
drivers/usb/mtu3/mtu3_gadget.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index a9a65b4bbfed..c51be015345b 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -77,7 +77,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep)
if (usb_endpoint_xfer_int(desc) ||
usb_endpoint_xfer_isoc(desc)) {
interval = desc->bInterval;
- interval = clamp_val(interval, 1, 16) - 1;
+ interval = clamp_val(interval, 1, 16);
if (usb_endpoint_xfer_isoc(desc) && comp_desc)
mult = comp_desc->bmAttributes;
}
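Review bot: with `interval = clamp_val(interval, 1, 16);` the largest value this branch can produce goes from 15 to 16, and nothing in the hunk shows how wide the field that later receives `interval` is. Please confirm that 16 fits there (or lower the upper clamp bound), and add a one-line comment stating the encoding the hardware expects, so the missing `- 1` is not reintroduced later. The commit message says the old value caused no transfer error in normal cases; it should also say which cases are affected.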
@@ -89,7 +89,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep)
if (usb_endpoint_xfer_isoc(desc) ||
usb_endpoint_xfer_int(desc)) {
interval = desc->bInterval;
- interval = clamp_val(interval, 1, 16) - 1;
+ interval = clamp_val(interval, 1, 16);
mult = usb_endpoint_maxp_mult(desc) - 1;
}
break;
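Review bot: in this branch `interval` is now used without the `- 1` while the very next line keeps `mult = usb_endpoint_maxp_mult(desc) - 1;`, so two adjacent assignments follow different conventions with no explanation. A short comment on why mult stays zero-based and interval does not would save the next reader from guessing. The two interval lines are also identical to the ones in the hunk above; computing the clamped interval once before the speed-specific code would remove the duplication.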
--
2.18.0
This is caused by uninitialization of list_head.
BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4
Reported-by: Yuwen Ng <[email protected]>
Signed-off-by: Chunfeng Yun <[email protected]>
---
drivers/usb/mtu3/mtu3_gadget.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index c51be015345b..b6c8a4a99c4d 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -235,6 +235,7 @@ struct usb_request *mtu3_alloc_request(struct usb_ep *ep, gfp_t gfp_flags)
mreq->request.dma = DMA_ADDR_INVALID;
mreq->epnum = mep->epnum;
mreq->mep = mep;
+ INIT_LIST_HEAD(&mreq->list);
trace_mtu3_alloc_request(mreq);
return &mreq->request;
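Review bot: the commit message does not explain how an uninitialized `mreq->list` reaches `__list_del_entry_valid`. The trace goes through `mtu3_gadget_stop` into `mtu3_req_complete`, so please state which requests are completed on that path without ever having been queued, since that is what makes `INIT_LIST_HEAD(&mreq->list);` at allocation time the right fix rather than a workaround. The message also needs a Fixes: tag naming the commit that introduced the problem, so the stable question can be answered.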
--
2.18.0
Hello!
On 09.12.2021 6:14, Chunfeng Yun wrote:
> This is caused by uninitialization of list_head.
No such word, suggesting to replace with "not initializing". :-)
> BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
>
> Call trace:
> dump_backtrace+0x0/0x298
> show_stack+0x24/0x34
> dump_stack+0x130/0x1a8
> print_address_description+0x88/0x56c
> __kasan_report+0x1b8/0x2a0
> kasan_report+0x14/0x20
> __asan_load8+0x9c/0xa0
> __list_del_entry_valid+0x34/0xe4
> mtu3_req_complete+0x4c/0x300 [mtu3]
> mtu3_gadget_stop+0x168/0x448 [mtu3]
> usb_gadget_unregister_driver+0x204/0x3a0
> unregister_gadget_item+0x44/0xa4
>
> Reported-by: Yuwen Ng <[email protected]>
> Signed-off-by: Chunfeng Yun <[email protected]>
[...]
MBR, Sergey
On Thu, 2021-12-09 at 12:10 +0300, Sergey Shtylyov wrote:
> Hello!
>
> On 09.12.2021 6:14, Chunfeng Yun wrote:
>
> > This is caused by uninitialization of list_head.
>
> No such word, suggesting to replace with "not initializing". :-)
Will fix it, thanks
>
> > BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
> >
> > Call trace:
> > dump_backtrace+0x0/0x298
> > show_stack+0x24/0x34
> > dump_stack+0x130/0x1a8
> > print_address_description+0x88/0x56c
> > __kasan_report+0x1b8/0x2a0
> > kasan_report+0x14/0x20
> > __asan_load8+0x9c/0xa0
> > __list_del_entry_valid+0x34/0xe4
> > mtu3_req_complete+0x4c/0x300 [mtu3]
> > mtu3_gadget_stop+0x168/0x448 [mtu3]
> > usb_gadget_unregister_driver+0x204/0x3a0
> > unregister_gadget_item+0x44/0xa4
> >
> > Reported-by: Yuwen Ng <[email protected]>
> > Signed-off-by: Chunfeng Yun <[email protected]>
>
> [...]
>
> MBR, Sergey
On Thu, Dec 09, 2021 at 11:14:24AM +0800, Chunfeng Yun wrote:
> This is caused by uninitialization of list_head.
>
> BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
>
> Call trace:
> dump_backtrace+0x0/0x298
> show_stack+0x24/0x34
> dump_stack+0x130/0x1a8
> print_address_description+0x88/0x56c
> __kasan_report+0x1b8/0x2a0
> kasan_report+0x14/0x20
> __asan_load8+0x9c/0xa0
> __list_del_entry_valid+0x34/0xe4
> mtu3_req_complete+0x4c/0x300 [mtu3]
> mtu3_gadget_stop+0x168/0x448 [mtu3]
> usb_gadget_unregister_driver+0x204/0x3a0
> unregister_gadget_item+0x44/0xa4
>
> Reported-by: Yuwen Ng <[email protected]>
> Signed-off-by: Chunfeng Yun <[email protected]>
> ---
> drivers/usb/mtu3/mtu3_gadget.c | 1 +
> 1 file changed, 1 insertion(+)
What commit does this fix? Should it go to stable kernels?
thanks,
greg k-h
On Thu, Dec 09, 2021 at 11:14:22AM +0800, Chunfeng Yun wrote:
> Use the Interval value from the isoc/intr endpoint descriptor; there is no
> need to subtract one. But the original code doesn't cause a transfer error in
> normal cases, because the interval is less than the host request.
>
> Signed-off-by: Chunfeng Yun <[email protected]>
> ---
> drivers/usb/mtu3/mtu3_gadget.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
What commit does this fix?
On Mon, 2021-12-13 at 15:19 +0100, Greg Kroah-Hartman wrote:
> On Thu, Dec 09, 2021 at 11:14:24AM +0800, Chunfeng Yun wrote:
> > This is caused by uninitialization of list_head.
> >
> > BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4
> >
> > Call trace:
> > dump_backtrace+0x0/0x298
> > show_stack+0x24/0x34
> > dump_stack+0x130/0x1a8
> > print_address_description+0x88/0x56c
> > __kasan_report+0x1b8/0x2a0
> > kasan_report+0x14/0x20
> > __asan_load8+0x9c/0xa0
> > __list_del_entry_valid+0x34/0xe4
> > mtu3_req_complete+0x4c/0x300 [mtu3]
> > mtu3_gadget_stop+0x168/0x448 [mtu3]
> > usb_gadget_unregister_driver+0x204/0x3a0
> > unregister_gadget_item+0x44/0xa4
> >
> > Reported-by: Yuwen Ng <[email protected]>
> > Signed-off-by: Chunfeng Yun <[email protected]>
> > ---
> > drivers/usb/mtu3/mtu3_gadget.c | 1 +
> > 1 file changed, 1 insertion(+)
>
> What commit does this fix? Should it go to stable kernels?
I'll add it in the next version, thanks
>
> thanks,
>
> greg k-h
On Mon, 2021-12-13 at 15:20 +0100, Greg Kroah-Hartman wrote:
> On Thu, Dec 09, 2021 at 11:14:22AM +0800, Chunfeng Yun wrote:
> > Use the Interval value from the isoc/intr endpoint descriptor; there is no
> > need to subtract one. But the original code doesn't cause a transfer error in
> > normal cases, because the interval is less than the host request.
> >
> > Signed-off-by: Chunfeng Yun <[email protected]>
> > ---
> > drivers/usb/mtu3/mtu3_gadget.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
>
> What commit does this fix?
The interval between transfers is less than the Interval value; I'll add
it to the commit message when I send out v2.
Thanks