Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1570530pxb; Thu, 16 Sep 2021 10:07:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyuufakTHulVB/Xwg6eNFD4O7YRl4ElMgv3rgqHPnixHOjDP6qr468wC6EeVKgYkc9Jq2XC X-Received: by 2002:a17:906:b7cf:: with SMTP id fy15mr7498527ejb.397.1631812044435; Thu, 16 Sep 2021 10:07:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631812044; cv=none; d=google.com; s=arc-20160816; b=sGzDkAXplQo0qHo+0g5JH7bfzUS2mEHcZ6VIjThgTM3VwV6gbIV1GoH5s3TlgNYcCf UemhlnVQM0RFZ4mUdQzvNVA1FmFT6Vl1fta5PU6F5T2XAvoo7QwkED8WeC7E2ihtew0m c6Clz52gtmlIJ4kyg1D6HRSfmfLySwcB7vsgZN7ukD1QC9BriYoZWCniF4CZoc/P12L+ iu9jgTpoPrxkU1Yl9KL3RSfzWd/dnCx09nzXml94nJtVkTIyNxBco0Ed2Xx7Luw2bz0C YO3Zm9d/2SPzPwrSDp+PxzuXJJB8/ZFfWMbtg70NMBDmBSukkQUcj2JAVvrovHpbOUbG r1eA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=f1abGhzJn/oN3I7Z/TrGEszYCS4Erri8uJMyC2LGHyY=; b=TXbOzlALax5lazwzdpFkuO4pD4bHYJV67OaBd5TdTzwJA/npp/yImh7HysWauElCYf rYwDglXsaARaUuC79ZMz6PdlgR4N7egzSslfRGxAXLIh0TxgW+AqPkmqAHfIefuxlvDg yxC8YBptQ9mNz8YKTUrL3q/UWq9tElGmlNQDd1r/Or/HFuuPoSQKJopKeY/dUBMOcLF+ gRmMTryTYHUSuX83m9COvgq1kN7qlmp1VWzxaibqvzHCyhRp4cKKUphwJoJpHqhPuozX QpkW15K/eZItpTSxCaYxB2MXllKmGvxODiUb5X0PMjdtr6Jjs7q6VCZwxsAhMlGka5wB N+mg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=IP1JX55Y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id di3si3965271ejc.490.2021.09.16.10.06.57; Thu, 16 Sep 2021 10:07:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=IP1JX55Y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348520AbhIPRDA (ORCPT + 99 others); Thu, 16 Sep 2021 13:03:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:51642 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346321AbhIPQyn (ORCPT ); Thu, 16 Sep 2021 12:54:43 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 9E67061354; Thu, 16 Sep 2021 16:30:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631809810; bh=EFk7taVLDDEyryR2UN+6vNU2VWI9oVuX3ynm0n8vEZM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IP1JX55YMSQj7WWGtfzSA8UMwZRItqlD23bG/Gq+nTHmYwC/gkEebPgL1IRviHeGc cfTEhC93OtasJxl5isiByrgr3/mHCzpIeyhhjpQDrMYGYcg08sKbR4bDBRNCqUlBtY Vt1upBAJ4X7JlkRaAdPfEAxzFeeeaQKISND/tBsg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zhipeng Wang , Li Jun , Peter Chen , Sasha Levin Subject: [PATCH 5.13 292/380] usb: chipidea: host: fix port index underflow and UBSAN complains Date: Thu, 16 Sep 2021 18:00:49 +0200 Message-Id: <20210916155814.000330580@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210916155803.966362085@linuxfoundation.org> References: <20210916155803.966362085@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Li Jun [ Upstream commit e5d6a7c6cfae9e714a0e8ff64facd1ac68a784c6 ] If wIndex is 0 (and it often is), these calculations underflow and UBSAN complains, here resolve this by not decrementing the index when it is equal to 0, this copies the solution from commit 85e3990bea49 ("USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN") Reported-by: Zhipeng Wang Signed-off-by: Li Jun Link: https://lore.kernel.org/r/1624004938-2399-1-git-send-email-jun.li@nxp.com Signed-off-by: Peter Chen Signed-off-by: Sasha Levin --- drivers/usb/chipidea/host.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c index e86d13c04bdb..bdc3885c0d49 100644 --- a/drivers/usb/chipidea/host.c +++ b/drivers/usb/chipidea/host.c @@ -240,15 +240,18 @@ static int ci_ehci_hub_control( ) { struct ehci_hcd *ehci = hcd_to_ehci(hcd); + unsigned int ports = HCS_N_PORTS(ehci->hcs_params); u32 __iomem *status_reg; - u32 temp; + u32 temp, port_index; unsigned long flags; int retval = 0; bool done = false; struct device *dev = hcd->self.controller; struct ci_hdrc *ci = dev_get_drvdata(dev); - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; + port_index = wIndex & 0xff; + port_index -= (port_index > 0); + status_reg = &ehci->regs->port_status[port_index]; spin_lock_irqsave(&ehci->lock, flags); @@ -260,6 +263,11 @@ static int ci_ehci_hub_control( } if (typeReq == SetPortFeature && wValue == USB_PORT_FEAT_SUSPEND) { + if (!wIndex || wIndex > ports) { + retval = -EPIPE; + goto done; + } + temp = ehci_readl(ehci, status_reg); if ((temp & PORT_PE) == 0 || (temp & PORT_RESET) != 0) { retval = -EPIPE; @@ -288,7 +296,7 @@ static int ci_ehci_hub_control( ehci_writel(ehci, temp, status_reg); } - set_bit((wIndex & 0xff) - 1, &ehci->suspended_ports); + set_bit(port_index, &ehci->suspended_ports); goto done; } -- 2.30.2