Received: by 10.223.176.5 with SMTP id f5csp710613wra;
        Tue, 6 Feb 2018 06:12:52 -0800 (PST)
X-Google-Smtp-Source: AH8x224RUVFyRrD+ek5Q9LBwYzdmYPtf6+sKaK0Sfkq5+1OS72lDrO1C+yJg3uCORktyaM7Ujr3x
X-Received: by 10.98.225.20 with SMTP id q20mr944936pfh.23.1517926372760;
        Tue, 06 Feb 2018 06:12:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517926372; cv=none;
        d=google.com; s=arc-20160816;
        b=k4PvbIMBlb6teRc1JZz1s6DGNFEioEe959hUJIH+JgKciLt/LAd7QwH3gdr1FpOdIg
         vOVf5SNIXduKiw/sqvaYdZgP5RET+QRh7qoYgSEdKA36wQie0zYG1RUawkuQvc/ljCL3
         g8NDhNW3ZGcZQw4nX4nhHzo+y9HJ/YwskgU17LJUF4+2mdXGjpMgm5qf3ckqjsg0+1oZ
         aLP+NxIzkfHdsnMyxdCG3kXVUaabUmV9gKwyUeuMv74g9dbwXD4nuGIi42dfa0TFM9pZ
         UPC5lE2TnEHJCA1o42m6/X5Ns3Z6NJZqqbTkMmoV/0jTIAMq3uLJssouVXewG+OBqXKd
         gIKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=iWzs0t2rKIYpFV6n3PXTUCp0j3wQxQTb1IztQNYdVq4=;
        b=ydsh/uq1S96KL1phfYyn4Fy1PMhJ9o26zB0MKcSkkq/nPWBaOaDH87GzkBAlIK6383
         oIqes7aJrs2w0Uty/WXjd1oA4peQJfvxIp1JHOn98arVFTr+pQoMvfEYnI1q6G8DJ1kx
         qknYnl/dgvyA5LI5NzYxWj1Y8LildJgz0z3BSKx2v2V3hE0xLRX02qzLMZE5YgwUOHD4
         8N0jVYk54j3tmgkipVZBQoQp/tztqdEfSdOSq+0gtfL5TQA6urO1zI2Ahzud5L6HY1D0
         GaVg4bS8THlXYT4GgWSDBfvxyb213z8h7PC0izOt/nxOURSXSIqQBPDIFAJRp9vnIt0g
         bhZg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b191si2781079pga.61.2018.02.06.06.12.37;
        Tue, 06 Feb 2018 06:12:52 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752322AbeBFOKy (ORCPT <rfc822;sduhuangshuai@gmail.com>
        + 99 others); Tue, 6 Feb 2018 09:10:54 -0500
Received: from regular1.263xmail.com ([211.150.99.134]:48675 "EHLO
        regular1.263xmail.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752054AbeBFOKp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 6 Feb 2018 09:10:45 -0500
Received: from wulf?rock-chips.com (unknown [192.168.167.243])
        by regular1.263xmail.com (Postfix) with ESMTP id 10C2F8117;
        Tue,  6 Feb 2018 22:10:35 +0800 (CST)
X-263anti-spam: KSV:0;
X-MAIL-GRAY: 0
X-MAIL-DELIVERY: 1
X-KSVirus-check: 0
X-ABS-CHECKED: 4
Received: from [172.16.12.3] (localhost [127.0.0.1])
        by smtp.263.net (Postfix) with ESMTPA id 2AC4233B;
        Tue,  6 Feb 2018 22:10:31 +0800 (CST)
X-RL-SENDER: wulf@rock-chips.com
X-FST-TO: fml@rock-chips.com
X-SENDER-IP: 58.22.7.114
X-LOGIN-NAME: wulf@rock-chips.com
X-UNIQUE-TAG: <a0e6db9f820c214f35276e2a106a452f>
X-ATTACHMENT-NUM: 0
X-SENDER: wulf@rock-chips.com
X-DNS-TYPE: 0
Received: from [172.16.12.3] (unknown [58.22.7.114])
        by smtp.263.net (Postfix) whith ESMTP id 177805WB98T;
        Tue, 06 Feb 2018 22:10:32 +0800 (CST)
Subject: Re: [PATCH] usb: gadget: f_fs: get the correct address of comp_desc
To:     Jack Pham <jackp@codeaurora.org>,
        William Wu <william.wu@rock-chips.com>
Cc:     gregkh@linuxfoundation.org, felipe.balbi@linux.intel.com,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        linux-rockchip@lists.infradead.org, frank.wang@rock-chips.com,
        huangtao@rock-chips.com, daniel.meng@rock-chips.com,
        fml@rock-chips.com
References: <1517830418-2648-1-git-send-email-william.wu@rock-chips.com>
 <20180205181758.GA22738@usblab-sd-06.qualcomm.com>
From:   wlf <wulf@rock-chips.com>
Message-ID: <9d809068-1100-0ffc-6508-43e029543949@rock-chips.com>
Date:   Tue, 6 Feb 2018 22:10:30 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180205181758.GA22738@usblab-sd-06.qualcomm.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Jack,

在 2018年02月06日 02:17, Jack Pham 写道:
> Hi William,
>
> On Mon, Feb 05, 2018 at 07:33:38PM +0800, William Wu wrote:
>> Refer to the USB 3.0 spec '9.6.7 SuperSpeed Endpoint Companion',
>> the companion descriptor follows the standard endpoint descriptor.
>> This descriptor is only defined for SuperSpeed endpoints. The
>> f_fs driver gets the address of the companion descriptor via
>> 'ds + USB_DT_ENDPOINT_SIZE', and actually, the ds variable is
>> a pointer to the struct usb_endpoint_descriptor, so the offset
>> of the companion descriptor which we get is USB_DT_ENDPOINT_SIZE *
>> sizeof(struct usb_endpoint_descriptor), the wrong offset is 63
>> bytes. This cause out-of-bound with the following error log if
>> CONFIG_KASAN and CONFIG_SLUB_DEBUG is enabled on Rockchip RK3399
>> Evaluation Board.
>>
>> android_work: sent uevent USB_STATE=CONNECTED
>> configfs-gadget gadget: super-speed config #1: b
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x230/0x398
>> Read of size 1 at addr ffffffc0ce2d0b10 by task irq/224-dwc3/364
>> Memory state around the buggy address:
>>   ffffffc0ce2d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>   ffffffc0ce2d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>   >ffffffc0ce2d0b00: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>                           ^
>>   ffffffc0ce2d0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>   ffffffc0ce2d0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ==================================================================
>> Disabling lock debugging due to kernel taint
>> android_work: sent uevent USB_STATE=CONFIGURED
>>
>> This patch adds struct usb_endpoint_descriptor * -> u8 * type conversion
>> for ds variable, then we can get the correct address of comp_desc
>> with offset USB_DT_ENDPOINT_SIZE bytes.
>>
>> Signed-off-by: William Wu <william.wu@rock-chips.com>
>> ---
>>   drivers/usb/gadget/function/f_fs.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
>> index 6756472..f13ead0 100644
>> --- a/drivers/usb/gadget/function/f_fs.c
>> +++ b/drivers/usb/gadget/function/f_fs.c
>> @@ -1882,8 +1882,8 @@ static int ffs_func_eps_enable(struct ffs_function *func)
>>   		ep->ep->desc = ds;
>>   
>>   		if (needs_comp_desc) {
>> -			comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
>> -					USB_DT_ENDPOINT_SIZE);
>> +			comp_desc = (struct usb_ss_ep_comp_descriptor *)
>> +				     ((u8 *)ds + USB_DT_ENDPOINT_SIZE);
>>   			ep->ep->maxburst = comp_desc->bMaxBurst + 1;
>>   			ep->ep->comp_desc = comp_desc;
>>   		}
> Please see my alternative fix for this. I proposed changing this
> function to use config_ep_by_speed() instead.
>
> https://www.spinics.net/lists/linux-usb/msg165149.html
Thanks for your great job!
  Your patch seems good, I will test your patch on my RK3399-EVB board.

William

>
> Jack