Date: Mon, 5 Feb 2018 10:17:58 -0800
From: Jack Pham
To: William Wu
Cc: gregkh@linuxfoundation.org, felipe.balbi@linux.intel.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-rockchip@lists.infradead.org, frank.wang@rock-chips.com, huangtao@rock-chips.com, daniel.meng@rock-chips.com, fml@rock-chips.com
Subject: Re: [PATCH] usb: gadget: f_fs: get the correct address of comp_desc
Message-ID: <20180205181758.GA22738@usblab-sd-06.qualcomm.com>
References: <1517830418-2648-1-git-send-email-william.wu@rock-chips.com>
In-Reply-To: <1517830418-2648-1-git-send-email-william.wu@rock-chips.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi William,

On Mon, Feb 05, 2018 at 07:33:38PM +0800, William Wu wrote:
> Refer to the USB 3.0 spec '9.6.7 SuperSpeed Endpoint Companion',
> the companion descriptor follows the standard endpoint descriptor.
> This descriptor is only defined for SuperSpeed endpoints. The
> f_fs driver gets the address of the companion descriptor via
> 'ds + USB_DT_ENDPOINT_SIZE', and actually, the ds variable is
> a pointer to the struct usb_endpoint_descriptor, so the offset
> of the companion descriptor which we get is USB_DT_ENDPOINT_SIZE *
> sizeof(struct usb_endpoint_descriptor); the wrong offset is 63
> bytes. This causes an out-of-bounds access with the following error
> log if CONFIG_KASAN and CONFIG_SLUB_DEBUG are enabled on the Rockchip
> RK3399 Evaluation Board.
>
> android_work: sent uevent USB_STATE=CONNECTED
> configfs-gadget gadget: super-speed config #1: b
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x230/0x398
> Read of size 1 at addr ffffffc0ce2d0b10 by task irq/224-dwc3/364
> Memory state around the buggy address:
>  ffffffc0ce2d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffffffc0ce2d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffffffc0ce2d0b00: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                          ^
>  ffffffc0ce2d0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffffffc0ce2d0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
> Disabling lock debugging due to kernel taint
> android_work: sent uevent USB_STATE=CONFIGURED
>
> This patch adds a struct usb_endpoint_descriptor * -> u8 * type conversion
> for the ds variable, so that we get the correct address of comp_desc
> at offset USB_DT_ENDPOINT_SIZE bytes.
>
> Signed-off-by: William Wu
> ---
>  drivers/usb/gadget/function/f_fs.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 6756472..f13ead0 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -1882,8 +1882,8 @@ static int ffs_func_eps_enable(struct ffs_function *func)
>  		ep->ep->desc = ds;
>  
>  		if (needs_comp_desc) {
> -			comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
> -					USB_DT_ENDPOINT_SIZE);
> +			comp_desc = (struct usb_ss_ep_comp_descriptor *)
> +					((u8 *)ds + USB_DT_ENDPOINT_SIZE);
>  			ep->ep->maxburst = comp_desc->bMaxBurst + 1;
>  			ep->ep->comp_desc = comp_desc;
>  		}

Please see my alternative fix for this. I proposed changing this function to
use config_ep_by_speed() instead.

https://www.spinics.net/lists/linux-usb/msg165149.html

Jack

--
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
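Review bot: the `u8 *` cast in the `+` lines corrects the stride, but the offset is still hard-coded and `comp_desc->bMaxBurst` is dereferenced with no check that the descriptor buffer actually holds a companion descriptor at that position (`needs_comp_desc` is the only guard visible in the hunk). Consider stepping by `ds->bLength` rather than the constant, and verifying that enough bytes remain and that `comp_desc->bDescriptorType == USB_DT_SS_ENDPOINT_COMP` before reading `bMaxBurst`, so a malformed descriptor set from userspace cannot move the read out of bounds by a different route.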
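The pointer-arithmetic mistake the commit message describes, worked on a constructed descriptor buffer. This is an added example, not code from the patch or the kernel: the struct layouts and macro names mirror the kernel's but are defined locally, `sample_desc` is constructed, and `get_comp_desc` is a hypothetical bounds-checked lookup rather than an f_fs function.

```c
#include <stddef.h>
#include <stdint.h>
#define USB_DT_ENDPOINT_SIZE 7        /* on-the-wire size of a non-audio endpoint descriptor */
#define USB_DT_SS_ENDPOINT_COMP 0x30  /* bDescriptorType of the SuperSpeed companion */

/* Local mirror of the kernel layout: 9 bytes packed, so `ds + 7` strides 63 bytes. */
struct usb_endpoint_descriptor {
	uint8_t bLength, bDescriptorType, bEndpointAddress, bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t bInterval, bRefresh, bSynchAddress;
} __attribute__((packed));

struct usb_ss_ep_comp_descriptor {
	uint8_t bLength, bDescriptorType, bMaxBurst, bmAttributes;
	uint16_t wBytesPerInterval;
} __attribute__((packed));

/* Constructed sample: a 7-byte bulk IN endpoint descriptor immediately
 * followed by its 6-byte SuperSpeed companion with bMaxBurst = 3. */
const uint8_t sample_desc[13] = {
	0x07, 0x05, 0x81, 0x02, 0x00, 0x04, 0x00,
	0x06, 0x30, 0x03, 0x00, 0x00, 0x00,
};

/* Byte offset the original `ds + USB_DT_ENDPOINT_SIZE` really produces. */
size_t buggy_offset(const struct usb_endpoint_descriptor *ds)
{
	return (size_t)((const uint8_t *)(ds + USB_DT_ENDPOINT_SIZE) - (const uint8_t *)ds);
}

/* Byte offset the patch computes after casting ds to u8 * first. */
size_t fixed_offset(const struct usb_endpoint_descriptor *ds)
{
	return (size_t)(((const uint8_t *)ds + USB_DT_ENDPOINT_SIZE) - (const uint8_t *)ds);
}

/* Hypothetical defensive lookup: fetch the companion at `off`, refusing to
 * read past `len` or to trust bytes that lack a companion descriptor header. */
const struct usb_ss_ep_comp_descriptor *
get_comp_desc(const uint8_t *buf, size_t len, size_t off)
{
	const struct usb_ss_ep_comp_descriptor *comp;
	if (off > len || len - off < sizeof(*comp))
		return NULL;
	comp = (const struct usb_ss_ep_comp_descriptor *)(buf + off);
	if (comp->bLength < sizeof(*comp) || comp->bDescriptorType != USB_DT_SS_ENDPOINT_COMP)
		return NULL;
	return comp;
}
```

With the buggy 63-byte offset the lookup lands far past the 13-byte buffer and is rejected; the 7-byte offset yields the companion with bMaxBurst 3, which is where the driver's `maxburst = bMaxBurst + 1` comes from.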