From: William Wu
To: gregkh@linuxfoundation.org, felipe.balbi@linux.intel.com
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-rockchip@lists.infradead.org, frank.wang@rock-chips.com, huangtao@rock-chips.com, daniel.meng@rock-chips.com, william.wu@rock-chips.com, fml@rock-chips.com
Subject: [PATCH] usb: gadget: f_fs: get the correct address of comp_desc
Date: Mon, 5 Feb 2018 19:33:38 +0800
Message-Id: <1517830418-2648-1-git-send-email-william.wu@rock-chips.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Refer to the USB 3.0 spec '9.6.7 SuperSpeed Endpoint Companion', the companion descriptor follows the standard endpoint descriptor. This descriptor is only defined for SuperSpeed endpoints.

The f_fs driver gets the address of the companion descriptor via 'ds + USB_DT_ENDPOINT_SIZE', and actually, the ds variable is a pointer to the struct usb_endpoint_descriptor, so the offset of the companion descriptor which we get is USB_DT_ENDPOINT_SIZE * sizeof(struct usb_endpoint_descriptor), the wrong offset is 63 bytes. This causes an out-of-bounds access with the following error log if CONFIG_KASAN and CONFIG_SLUB_DEBUG are enabled on the Rockchip RK3399 Evaluation Board.
android_work: sent uevent USB_STATE=CONNECTED
configfs-gadget gadget: super-speed config #1: b
==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x230/0x398
Read of size 1 at addr ffffffc0ce2d0b10 by task irq/224-dwc3/364

CPU: 4 PID: 364 Comm: irq/224-dwc3 Not tainted 4.4.112 #6
Hardware name: Rockchip RK3399 Evaluation Board v3 (Android) (DT)
Call trace:
[] dump_backtrace+0x0/0x244
[] show_stack+0x14/0x1c
[] dump_stack+0xa4/0xcc
[] print_address_description+0xa4/0x308
[] kasan_report+0x258/0x29c
[] __asan_load1+0x44/0x4c
[] ffs_func_set_alt+0x230/0x398
[] composite_setup+0xdcc/0x1ac8
[] android_setup+0x124/0x1a0
[] dwc3_ep0_delegate_req+0x48/0x68
[] dwc3_ep0_interrupt+0x758/0x1174
[] dwc3_thread_interrupt+0x204/0xe68
[] irq_thread_fn+0x44/0x94
[] irq_thread+0x128/0x22c
[] kthread+0x11c/0x130
[] ret_from_fork+0x10/0x30

Allocated by task 1:
[] save_stack_trace_tsk+0x0/0x134
[] save_stack_trace+0x14/0x1c
[] kasan_kmalloc.part.3+0x48/0xf4
[] kasan_kmalloc+0x8c/0xa0
[] __kmalloc+0x208/0x268
[] ffs_func_bind+0x4b4/0x918
[] usb_add_function+0xd8/0x1d4
[] configfs_composite_bind+0x48c/0x570
[] udc_bind_to_driver+0x6c/0x170
[] usb_udc_attach_driver+0xa4/0xd0
[] gadget_dev_desc_UDC_store+0xd4/0x120
[] configfs_write_file+0x1a0/0x1f8
[] __vfs_write+0x64/0x174
[] vfs_write+0xe4/0x1e8
[] SyS_write+0x68/0xc8
[] el0_svc_naked+0x24/0x28

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffffffc0ce2d0900
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 528 bytes inside of
 1024-byte region [ffffffc0ce2d0900, ffffffc0ce2d0d00)
The buggy address belongs to the page:
page:ffffffbdc338b400 count:1 mapcount:-2145648611 mapping: (null) index:0x0
flags: 0x4080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffc0ce2d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0ce2d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0ce2d0b00: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffffffc0ce2d0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffc0ce2d0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
android_work: sent uevent USB_STATE=CONFIGURED

This patch adds a struct usb_endpoint_descriptor * -> u8 * type conversion for the ds variable, then we can get the correct address of comp_desc with offset USB_DT_ENDPOINT_SIZE bytes.

Signed-off-by: William Wu
---
 drivers/usb/gadget/function/f_fs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 6756472..f13ead0 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1882,8 +1882,8 @@ static int ffs_func_eps_enable(struct ffs_function *func) ep->ep->desc = ds; if (needs_comp_desc) { - comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + - USB_DT_ENDPOINT_SIZE); + comp_desc = (struct usb_ss_ep_comp_descriptor *) + ((u8 *)ds + USB_DT_ENDPOINT_SIZE); ep->ep->maxburst = comp_desc->bMaxBurst + 1; ep->ep->comp_desc = comp_desc; }
-- 2.0.0
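Review bot: the `(u8 *)ds + USB_DT_ENDPOINT_SIZE` cast in the hunk fixes the scaling (7 elements of a 9-byte struct, i.e. 63 bytes, becomes 7 bytes), but the next line still dereferences `comp_desc->bMaxBurst` with no check visible here that the descriptor table extends at least USB_DT_SS_EP_COMP_SIZE bytes past `ds`; if `needs_comp_desc` is what guarantees that, a one-line comment at the `if (needs_comp_desc)` saying so would let a reader confirm the read is in bounds without leaving the function. Since this is a KASAN-confirmed slab-out-of-bounds on a 4.4 kernel, the commit message would also benefit from a `Fixes:` tag naming the commit that introduced the `ds + USB_DT_ENDPOINT_SIZE` expression, and a `Cc: stable@vger.kernel.org` line, so the fix reaches affected stable trees.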
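The commit message's point is that `+` on a typed pointer is scaled by the pointee size, so the same constant lands 63 bytes past `ds` instead of 7. The following C program is an added example, not part of this patch or of the f_fs driver: it re-declares local copies of the two descriptor structs with the same packed layout the kernel uses, computes the offset each form of the expression produces, and adds a small bounds-checked lookup (`find_comp_desc`, a name chosen here) that only reads the companion's `bMaxBurst` when the descriptor actually fits inside the buffer. The sample descriptor bytes are constructed for the demo.

```c
/* Added example (not from the patch): pointer-arithmetic scaling versus a
 * byte offset, plus a bounds-checked way to reach the SS companion descriptor.
 * Struct layouts mirror include/uapi/linux/usb/ch9.h; helper names are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_ENDPOINT_SIZE    7      /* standard endpoint descriptor, as in ch9.h */
#define USB_DT_SS_EP_COMP_SIZE  6      /* SuperSpeed endpoint companion size */
#define USB_DT_SS_ENDPOINT_COMP 0x30   /* companion descriptor type code */

/* 9 bytes when packed, exactly like the kernel's struct (the last two
 * fields are the audio-class extension, which is why the struct is larger
 * than USB_DT_ENDPOINT_SIZE). */
struct usb_endpoint_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;
    uint8_t  bInterval;
    uint8_t  bRefresh;
    uint8_t  bSynchAddress;
} __attribute__((packed));

struct usb_ss_ep_comp_descriptor {     /* 6 bytes */
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint8_t  bMaxBurst;
    uint8_t  bmAttributes;
    uint16_t wBytesPerInterval;
} __attribute__((packed));

/* Byte offset produced by the original expression: '+' on a struct pointer
 * advances by sizeof(*ds) per unit, so 7 * 9 = 63 bytes. */
ptrdiff_t comp_desc_offset_buggy(const struct usb_endpoint_descriptor *ds)
{
    return (const uint8_t *)(ds + USB_DT_ENDPOINT_SIZE) - (const uint8_t *)ds;
}

/* Byte offset produced by the patched expression: cast to a byte pointer
 * first, so '+' advances one byte per unit, i.e. exactly 7 bytes. */
ptrdiff_t comp_desc_offset_fixed(const struct usb_endpoint_descriptor *ds)
{
    const uint8_t *base = (const uint8_t *)ds;
    return (base + USB_DT_ENDPOINT_SIZE) - base;
}

/* Defensive lookup (our addition): 'blob' holds a 7-byte endpoint descriptor
 * possibly followed by its companion. Return the companion only if it fits in
 * 'len' bytes and carries the right length/type; store bMaxBurst + 1 (the
 * value f_fs derives for ep->maxburst) through 'maxburst' when non-NULL. */
const struct usb_ss_ep_comp_descriptor *
find_comp_desc(const uint8_t *blob, size_t len, unsigned *maxburst)
{
    const struct usb_ss_ep_comp_descriptor *comp;

    if (len < USB_DT_ENDPOINT_SIZE + USB_DT_SS_EP_COMP_SIZE)
        return NULL;                    /* companion would run past the buffer */
    comp = (const struct usb_ss_ep_comp_descriptor *)(blob + USB_DT_ENDPOINT_SIZE);
    if (comp->bLength != USB_DT_SS_EP_COMP_SIZE ||
        comp->bDescriptorType != USB_DT_SS_ENDPOINT_COMP)
        return NULL;                    /* whatever follows is not a companion */
    if (maxburst)
        *maxburst = comp->bMaxBurst + 1u;
    return comp;
}

/* Constructed sample: bulk IN endpoint (EP1, 1024-byte packets) followed by
 * its SuperSpeed companion with bMaxBurst = 3. */
static const uint8_t sample_blob[] = {
    0x07, 0x05, 0x81, 0x02, 0x00, 0x04, 0x00,   /* endpoint descriptor */
    0x06, 0x30, 0x03, 0x00, 0x00, 0x00,         /* SS companion descriptor */
};

/* Constructed sample: the same endpoint followed by a 9-byte interface
 * descriptor (type 0x04) instead of a companion. */
static const uint8_t sample_no_comp[] = {
    0x07, 0x05, 0x81, 0x02, 0x00, 0x04, 0x00,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,
};

int main(void)
{
    const struct usb_endpoint_descriptor *ds =
        (const struct usb_endpoint_descriptor *)sample_blob;
    unsigned maxburst = 0;

    printf("sizeof(struct usb_endpoint_descriptor) = %zu\n", sizeof(*ds));
    printf("buggy offset = %td bytes, fixed offset = %td bytes\n",
           comp_desc_offset_buggy(ds), comp_desc_offset_fixed(ds));
    if (find_comp_desc(sample_blob, sizeof(sample_blob), &maxburst))
        printf("companion found, ep->maxburst would be %u\n", maxburst);
    if (!find_comp_desc(sample_no_comp, sizeof(sample_no_comp), NULL))
        printf("no companion after the endpoint in sample_no_comp\n");
    return 0;
}
```

The two offset helpers take the same pointer and differ only in the cast, which is the whole content of the patch; the lookup helper shows the extra length and type checks a reader of the hunk might expect around `comp_desc->bMaxBurst`, since the fix corrects the address but does not itself establish that the companion lies inside the allocation.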