From patchwork Mon Feb 5 11:33:38 2018
X-Patchwork-Submitter: William Wu
X-Patchwork-Id: 10200155
From: William Wu
To: gregkh@linuxfoundation.org, felipe.balbi@linux.intel.com
Cc: huangtao@rock-chips.com, frank.wang@rock-chips.com, fml@rock-chips.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, linux-rockchip@lists.infradead.org, william.wu@rock-chips.com, daniel.meng@rock-chips.com
Subject: [PATCH] usb: gadget: f_fs: get the correct address of comp_desc
Date: Mon, 5 Feb 2018 19:33:38 +0800
Message-Id: <1517830418-2648-1-git-send-email-william.wu@rock-chips.com>
X-Mailer: git-send-email 2.0.0
List-Id: Upstream kernel work for Rockchip platforms

Refer to the USB 3.0 spec '9.6.7 SuperSpeed Endpoint Companion': the companion descriptor follows the standard endpoint descriptor. This descriptor is only defined for SuperSpeed endpoints.

The f_fs driver gets the address of the companion descriptor via 'ds + USB_DT_ENDPOINT_SIZE', but actually the ds variable is a pointer to struct usb_endpoint_descriptor, so the offset of the companion descriptor which we get is USB_DT_ENDPOINT_SIZE * sizeof(struct usb_endpoint_descriptor); the wrong offset is 63 bytes. This causes an out-of-bounds access, with the following error log, if CONFIG_KASAN and CONFIG_SLUB_DEBUG are enabled on the Rockchip RK3399 Evaluation Board.
android_work: sent uevent USB_STATE=CONNECTED
configfs-gadget gadget: super-speed config #1: b
==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x230/0x398
Read of size 1 at addr ffffffc0ce2d0b10 by task irq/224-dwc3/364

CPU: 4 PID: 364 Comm: irq/224-dwc3 Not tainted 4.4.112 #6
Hardware name: Rockchip RK3399 Evaluation Board v3 (Android) (DT)
Call trace:
[] dump_backtrace+0x0/0x244
[] show_stack+0x14/0x1c
[] dump_stack+0xa4/0xcc
[] print_address_description+0xa4/0x308
[] kasan_report+0x258/0x29c
[] __asan_load1+0x44/0x4c
[] ffs_func_set_alt+0x230/0x398
[] composite_setup+0xdcc/0x1ac8
[] android_setup+0x124/0x1a0
[] dwc3_ep0_delegate_req+0x48/0x68
[] dwc3_ep0_interrupt+0x758/0x1174
[] dwc3_thread_interrupt+0x204/0xe68
[] irq_thread_fn+0x44/0x94
[] irq_thread+0x128/0x22c
[] kthread+0x11c/0x130
[] ret_from_fork+0x10/0x30

Allocated by task 1:
[] save_stack_trace_tsk+0x0/0x134
[] save_stack_trace+0x14/0x1c
[] kasan_kmalloc.part.3+0x48/0xf4
[] kasan_kmalloc+0x8c/0xa0
[] __kmalloc+0x208/0x268
[] ffs_func_bind+0x4b4/0x918
[] usb_add_function+0xd8/0x1d4
[] configfs_composite_bind+0x48c/0x570
[] udc_bind_to_driver+0x6c/0x170
[] usb_udc_attach_driver+0xa4/0xd0
[] gadget_dev_desc_UDC_store+0xd4/0x120
[] configfs_write_file+0x1a0/0x1f8
[] __vfs_write+0x64/0x174
[] vfs_write+0xe4/0x1e8
[] SyS_write+0x68/0xc8
[] el0_svc_naked+0x24/0x28

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffffffc0ce2d0900
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 528 bytes inside of
 1024-byte region [ffffffc0ce2d0900, ffffffc0ce2d0d00)
The buggy address belongs to the page:
page:ffffffbdc338b400 count:1 mapcount:-2145648611 mapping: (null) index:0x0
flags: 0x4080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffc0ce2d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0ce2d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0ce2d0b00: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffffffc0ce2d0b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffc0ce2d0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
android_work: sent uevent USB_STATE=CONFIGURED

This patch adds a struct usb_endpoint_descriptor * -> u8 * type conversion for the ds variable, then we can get the correct address of comp_desc with an offset of USB_DT_ENDPOINT_SIZE bytes.

Signed-off-by: William Wu
---
 drivers/usb/gadget/function/f_fs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 6756472..f13ead0 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1882,8 +1882,8 @@ static int ffs_func_eps_enable(struct ffs_function *func) ep->ep->desc = ds; if (needs_comp_desc) { - comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + - USB_DT_ENDPOINT_SIZE); + comp_desc = (struct usb_ss_ep_comp_descriptor *) + ((u8 *)ds + USB_DT_ENDPOINT_SIZE); ep->ep->maxburst = comp_desc->bMaxBurst + 1; ep->ep->comp_desc = comp_desc; }
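Review bot: the hunk still hard-codes USB_DT_ENDPOINT_SIZE (7) as the distance from ds to comp_desc, but struct usb_endpoint_descriptor is 9 bytes (the commit message's 63-byte figure is 7 * 9), so if the f_fs descriptor parser accepts the 9-byte audio-class endpoint form, a companion that follows such a descriptor is still read two bytes early; stepping by the descriptor's own length, e.g. `comp_desc = (struct usb_ss_ep_comp_descriptor *)((u8 *)ds + ds->bLength);`, would cover both lengths. Separately, comp_desc->bMaxBurst is dereferenced immediately after the cast with no check visible in the hunk that a USB_DT_SS_ENDPOINT_COMP descriptor of at least USB_DT_SS_EP_COMP_SIZE bytes actually follows ds; since the descriptor blob is supplied from userspace through FunctionFS, it would help to state in the commit message where that layout is validated before ffs_func_eps_enable() trusts it.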
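To make the arithmetic in the commit message concrete, the following is an added example in C, not code from the patch or from the kernel tree. It lays out the two descriptor structs with the same packed fields as the kernel's include/uapi/linux/usb/ch9.h, computes the offset that the pre-patch expression `ds + USB_DT_ENDPOINT_SIZE` actually produced (63 bytes) against the byte-wise cast from the hunk (7 bytes), and then walks a constructed 13-byte SuperSpeed endpoint-plus-companion blob with the length and type checks an auditor would want around that dereference. The helper names (`comp_max_burst`, `sample_blob`, the `*_demo` wrappers) and the blob contents are assumptions made here for illustration; the hardened walker also steps by `bLength` so it handles the 9-byte audio form, which goes beyond what the hunk does.

```c
/*
 * Added example, not code from the patch or the kernel tree. Reproduces
 * the pointer-arithmetic mistake fixed by the patch with kernel-shaped
 * structs and shows the bounds/type checks missing around the cast.
 * sample_blob and all helper names are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>

#define USB_DT_ENDPOINT            0x05
#define USB_DT_SS_ENDPOINT_COMP    0x30
#define USB_DT_ENDPOINT_SIZE       7   /* wire size of a plain endpoint descriptor */
#define USB_DT_ENDPOINT_AUDIO_SIZE 9   /* with bRefresh/bSynchAddress */
#define USB_DT_SS_EP_COMP_SIZE     6

/* 9 bytes: the audio-class fields are part of the struct, as in the kernel. */
struct __attribute__((packed)) usb_endpoint_descriptor {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint8_t  bEndpointAddress;
	uint8_t  bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t  bInterval;
	uint8_t  bRefresh;
	uint8_t  bSynchAddress;
};

struct __attribute__((packed)) usb_ss_ep_comp_descriptor {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint8_t  bMaxBurst;
	uint8_t  bmAttributes;
	uint16_t wBytesPerInterval;
};

/* Pre-patch expression: the 7 is scaled by sizeof(*ds), giving 7 * 9 = 63 bytes. */
static size_t buggy_comp_offset(const struct usb_endpoint_descriptor *ds)
{
	const struct usb_endpoint_descriptor *p = ds + USB_DT_ENDPOINT_SIZE;
	return (size_t)((const uint8_t *)p - (const uint8_t *)ds);
}

/* Patched expression: cast to u8 * first, so the 7 is a byte count. */
static size_t fixed_comp_offset(const struct usb_endpoint_descriptor *ds)
{
	const uint8_t *p = (const uint8_t *)ds + USB_DT_ENDPOINT_SIZE;
	return (size_t)(p - (const uint8_t *)ds);
}

/* Scratch buffer so both offset computations stay inside one object. */
static uint8_t scratch[128];

size_t buggy_offset_demo(void)
{
	return buggy_comp_offset((const struct usb_endpoint_descriptor *)scratch);
}

size_t fixed_offset_demo(void)
{
	return fixed_comp_offset((const struct usb_endpoint_descriptor *)scratch);
}

/*
 * Walk from the endpoint descriptor at ep_off to its companion and return
 * bMaxBurst + 1 (what the hunk stores in ep->maxburst), or -1 if the blob
 * is too short or the descriptor types do not match. Stepping by
 * ds->bLength instead of the constant 7 is hypothetical hardening that
 * also covers the 9-byte audio form; the hunk itself uses the constant.
 */
int comp_max_burst(const uint8_t *blob, size_t len, size_t ep_off)
{
	const struct usb_endpoint_descriptor *ds;
	const struct usb_ss_ep_comp_descriptor *comp;
	size_t comp_off;

	if (ep_off > len || len - ep_off < USB_DT_ENDPOINT_SIZE)
		return -1;
	ds = (const struct usb_endpoint_descriptor *)(blob + ep_off);
	if (ds->bDescriptorType != USB_DT_ENDPOINT ||
	    (ds->bLength != USB_DT_ENDPOINT_SIZE &&
	     ds->bLength != USB_DT_ENDPOINT_AUDIO_SIZE))
		return -1;

	comp_off = ep_off + ds->bLength;
	if (comp_off > len || len - comp_off < USB_DT_SS_EP_COMP_SIZE)
		return -1;
	comp = (const struct usb_ss_ep_comp_descriptor *)(blob + comp_off);
	if (comp->bDescriptorType != USB_DT_SS_ENDPOINT_COMP ||
	    comp->bLength != USB_DT_SS_EP_COMP_SIZE)
		return -1;
	return comp->bMaxBurst + 1;
}

/* Constructed pair: bulk IN endpoint 0x81 with 1024-byte packets, followed
 * by its SuperSpeed companion with bMaxBurst = 15. 13 bytes in total. */
static const uint8_t sample_blob[] = {
	0x07, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x04, 0x00,
	0x06, USB_DT_SS_ENDPOINT_COMP, 0x0f, 0x00, 0x00, 0x00,
};

int sample_max_burst(void)
{
	return comp_max_burst(sample_blob, sizeof(sample_blob), 0);
}

/* Drop the companion's last byte: the length check must reject it. */
int truncated_blob_max_burst(void)
{
	return comp_max_burst(sample_blob, sizeof(sample_blob) - 1, 0);
}

/* Would the pre-patch read of comp_desc->bMaxBurst land inside the blob? */
int buggy_read_in_bounds(void)
{
	return buggy_offset_demo() + offsetof(struct usb_ss_ep_comp_descriptor, bMaxBurst)
	       < sizeof(sample_blob);
}
```

With the constructed blob, the pre-patch offset of 63 puts the bMaxBurst read at byte 65 of a 13-byte buffer, which is the same class of over-read the KASAN report above flags as slab-out-of-bounds; the fixed offset of 7 lands on the companion and yields maxburst 16.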