Received: by 10.223.185.116 with SMTP id b49csp4175415wrg; Mon, 26 Feb 2018 12:34:38 -0800 (PST) X-Google-Smtp-Source: AH8x224xNTNwKvcKKADeVt1dOLgK0+O8SF+AyfqeUeFRf1G4ukamoGRmb9EeKzXbboHXi3gfs05A X-Received: by 10.99.123.74 with SMTP id k10mr9457269pgn.217.1519677278462; Mon, 26 Feb 2018 12:34:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519677278; cv=none; d=google.com; s=arc-20160816; b=e0zrAghuywnOKT+znH1jFLJ5ipvtAuIPBfXx4L+CspNCiXqzONqUhi8+9++kxeugzQ C5GkSuQ8LrmZRNcfxw88USCZjxuXybP6RbJxPsG/0w+28r/QDXre5BxHGuFs1/ibut1A vsmpVEjP83n4IEr53+ZjzHyOgOGn8DETPeAsZxiTmmMIYtSabQHMmx/qfA2Q6/hwiwAl 81xZgtgtTZPac8HAacNsCoF3zQPipzo3f9Tfl+QjMCrcKn4vjQ4DjKQ1nS4yxM/QN7Iu FymmT+7pgsvDB98hreCjTgvd5A7UuQKHbJabL81iSoK9neluZnRrguVAukwM2d6zJsAU uMwg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=AfD8H/2qlan5daKGjD1jjOVZxi7RktWVG5YbLX6Gy88=; b=p+AdzvgKbZsQy+EgQSInKIu8Dv9sGPQTG42xELmi0zH7/DRPKXSmLZ5ACmPrwVksg0 v0EtAAkQHsn/TQ+L7Os6+6u3RCSzXbktGAK5wxgsgbI+hV1vRemRbsexQzGxmRGpPspq FF7lKBmV7Vgk0CGxmhGzLQzdvBtgoXRgc5d9o+CGB6cl1OxGwmnEyxTNJGiFtfd/QRA2 SpdSWXuPeyrj2NePwZpDwRiTcZ16a6ZG85TV+GcICVphzHKvQmMKLt/6wB5zsRu7JPU/ D/PZLKiScnEuoofYhP1/oPjowj1ABaWh6CtQwtu8JyBCDJZDqd2M66Dn3K6s15CdKhK7 fscA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c2-v6si7212048pli.696.2018.02.26.12.34.22; Mon, 26 Feb 2018 12:34:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753267AbeBZUcq (ORCPT + 99 others); Mon, 26 Feb 2018 15:32:46 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:37146 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753915AbeBZU2U (ORCPT ); Mon, 26 Feb 2018 15:28:20 -0500 Received: from localhost (clnet-b04-243.ikbnet.co.at [83.175.124.243]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 52729E4B; Mon, 26 Feb 2018 20:28:19 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jack Pham , Felipe Balbi Subject: [PATCH 4.15 51/64] usb: gadget: f_fs: Use config_ep_by_speed() Date: Mon, 26 Feb 2018 21:22:28 +0100 Message-Id: <20180226202155.631310593@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180226202153.453363333@linuxfoundation.org> References: <20180226202153.453363333@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jack Pham commit 675272d092e4a5570bace92593776f7348daf4c5 upstream. In commit 2bfa0719ac2a ("usb: gadget: function: f_fs: pass companion descriptor along") there is a pointer arithmetic bug where the comp_desc is obtained as follows: comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + USB_DT_ENDPOINT_SIZE); Since ds is a pointer to usb_endpoint_descriptor, adding 7 to it ends up going out of bounds (7 * sizeof(struct usb_endpoint_descriptor), which is actually 7*9 bytes) past the SS descriptor. As a result the maxburst value will be read incorrectly, and the UDC driver will also get a garbage comp_desc (assuming it uses it). Since Felipe wrote, "Eventually, f_fs.c should be converted to use config_ep_by_speed() like all other functions, though", let's finally do it. This allows the other usb_ep fields to be properly populated, such as maxpacket and mult. It also eliminates the awkward speed-based descriptor lookup since config_ep_by_speed() does that already using the ones found in struct usb_function. Fixes: 2bfa0719ac2a ("usb: gadget: function: f_fs: pass companion descriptor along") Cc: stable@vger.kernel.org Signed-off-by: Jack Pham Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/function/f_fs.c | 38 ++++++------------------------------- 1 file changed, 7 insertions(+), 31 deletions(-) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1852,44 +1852,20 @@ static int ffs_func_eps_enable(struct ff spin_lock_irqsave(&func->ffs->eps_lock, flags); while(count--) { - struct usb_endpoint_descriptor *ds; - struct usb_ss_ep_comp_descriptor *comp_desc = NULL; - int needs_comp_desc = false; - int desc_idx; - - if (ffs->gadget->speed == USB_SPEED_SUPER) { - desc_idx = 2; - needs_comp_desc = true; - } else if (ffs->gadget->speed == USB_SPEED_HIGH) - desc_idx = 1; - else - desc_idx = 0; - - /* fall-back to lower speed if desc missing for current speed */ - do { - ds = ep->descs[desc_idx]; - } while (!ds && --desc_idx >= 0); - - if (!ds) { - ret = -EINVAL; - break; - } - ep->ep->driver_data = ep; - ep->ep->desc = ds; - if (needs_comp_desc) { - comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + - USB_DT_ENDPOINT_SIZE); - ep->ep->maxburst = comp_desc->bMaxBurst + 1; - ep->ep->comp_desc = comp_desc; + ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); + if (ret) { + pr_err("%s: config_ep_by_speed(%s) returned %d\n", + __func__, ep->ep->name, ret); + break; } ret = usb_ep_enable(ep->ep); if (likely(!ret)) { epfile->ep = ep; - epfile->in = usb_endpoint_dir_in(ds); - epfile->isoc = usb_endpoint_xfer_isoc(ds); + epfile->in = usb_endpoint_dir_in(ep->ep->desc); + epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc); } else { break; }