Message ID | 20250328085603.2156517-1-fisaksen@baylibre.com (mailing list archive) |
---|---|
State | Superseded |
Series | usb: dwc3: gadget: check that event count does not exceed event buffer length |
On Fri, Mar 28, 2025 at 09:55:25AM +0100, Frode Isaksen wrote:
> From: Frode Isaksen <frode@meta.com>
>
> The event count is read from register DWC3_GEVNTCOUNT.
> There is a check for the count being zero, but not for exceeding the
> event buffer length.
> Check that event count does not exceed event buffer length,
> avoiding an out-of-bounds access when memcpy'ing the event.
> Crash log:
> Unable to handle kernel paging request at virtual address ffffffc0129be000
> pc : __memcpy+0x114/0x180
> lr : dwc3_check_event_buf+0xec/0x348
> x3 : 0000000000000030 x2 : 000000000000dfc4
> x1 : ffffffc0129be000 x0 : ffffff87aad60080
> Call trace:
> __memcpy+0x114/0x180
> dwc3_interrupt+0x24/0x34
>
> Signed-off-by: Frode Isaksen <frode@meta.com>
> ---
> This bug was discovered, tested and fixed (no more crashes seen) on Meta Quest 3 device.
> Also tested on T.I. AM62x board.

What commit id does this fix?  Should it go to stable kernels too?

thanks,

greg k-h
>What commit id does this fix?
It fixes commit ebbb2d59398fb7ef92fae83d6aeba0cbb2b6f99f ("usb: dwc3: gadget: use evt->cache for processing events").
>Should it go to stable kernels too?
Don't know, it happens extremely seldom. First seen on kernel 5.10.

Thanks,
Frode

On Fri, Mar 28, 2025 at 10:10, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Mar 28, 2025 at 09:55:25AM +0100, Frode Isaksen wrote:
> > From: Frode Isaksen <frode@meta.com>
> >
> > The event count is read from register DWC3_GEVNTCOUNT.
> > There is a check for the count being zero, but not for exceeding the
> > event buffer length.
> > Check that event count does not exceed event buffer length,
> > avoiding an out-of-bounds access when memcpy'ing the event.
> > Crash log:
> > Unable to handle kernel paging request at virtual address ffffffc0129be000
> > pc : __memcpy+0x114/0x180
> > lr : dwc3_check_event_buf+0xec/0x348
> > x3 : 0000000000000030 x2 : 000000000000dfc4
> > x1 : ffffffc0129be000 x0 : ffffff87aad60080
> > Call trace:
> > __memcpy+0x114/0x180
> > dwc3_interrupt+0x24/0x34
> >
> > Signed-off-by: Frode Isaksen <frode@meta.com>
> > ---
> > This bug was discovered, tested and fixed (no more crashes seen) on Meta Quest 3 device.
> > Also tested on T.I. AM62x board.
>
> What commit id does this fix? Should it go to stable kernels too?
>
> thanks,
>
> greg k-h
A: http://en.wikipedia.org/wiki/Top_post
Q: Where do I find info about this thing called top-posting?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

A: No.
Q: Should I include quotations after my reply?

http://daringfireball.net/2007/07/on_top

On Fri, Mar 28, 2025 at 10:57:46AM +0100, Frode Isaksen wrote:
> >What commit id does this fix?
> It fixes commit ebbb2d59398fb7ef92fae83d6aeba0cbb2b6f99f ("usb: dwc3:
> gadget: use evt->cache for processing events").

Great, please add a Fixes: tag.

> >Should it go to stable kernels too?
> Don't know, it happens extremely seldom. First seen on kernel 5.10.

So you do not think it should be applied to any older kernels?  If it is
a bugfix, it probably should.  Please resubmit with the proper cc:
stable tag as well.

thanks,

greg k-h
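
The failure mode described in the commit message, modelled in user-space C as an added example (not code from the patch or from the dwc3 driver): a count taken from a device register drives a wrap-around copy into a cache, so it has to be bounded by the buffer length first. `struct evbuf`, `evbuf_fetch` and the 16-byte ring are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model with hypothetical names; not the dwc3 driver code. */
struct evbuf {
	uint8_t *buf;     /* ring the device writes events into */
	uint8_t *cache;   /* CPU-side copy used for processing */
	uint32_t length;  /* size of buf and of cache, in bytes */
	uint32_t lpos;    /* current read offset, always < length */
};

/*
 * Copy `count` pending bytes from the ring into the cache, handling wrap.
 * `count` models a value read from a hardware register, so it is untrusted.
 * Returns the bytes copied, or -1 if count is zero or larger than the ring.
 */
static int evbuf_fetch(struct evbuf *evt, uint32_t count)
{
	uint32_t amount;

	if (!count || count > evt->length)
		return -1;  /* without the second test the copies below overrun */

	/* First chunk: from lpos up to the end of the ring. */
	amount = evt->length - evt->lpos;
	if (amount > count)
		amount = count;
	memcpy(evt->cache + evt->lpos, evt->buf + evt->lpos, amount);

	/* Second chunk: wrapped remainder; count <= length keeps it <= lpos. */
	if (amount < count)
		memcpy(evt->cache, evt->buf, count - amount);

	evt->lpos = (evt->lpos + count) % evt->length;
	return (int)count;
}

int main(void)
{
	uint8_t ring[16] = {0}, cache[16] = {0};  /* constructed sample ring */
	struct evbuf evt = { ring, cache, sizeof(ring), 12 };

	printf("in-range count: %d\n", evbuf_fetch(&evt, 8));
	printf("oversized count: %d\n", evbuf_fetch(&evt, 0xdfc4));
	return 0;
}
```
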
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 63fef4a1a498..548e112167f3 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4564,7 +4564,7 @@ static irqreturn_t dwc3_check_event_buf(struct dwc3_event_buffer *evt) count = dwc3_readl(dwc->regs, DWC3_GEVNTCOUNT(0)); count &= DWC3_GEVNTCOUNT_MASK; - if (!count) + if (!count || count > evt->length) return IRQ_NONE; evt->count = count;
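
Review bot: In the changed test `if (!count || count > evt->length)`, a count larger than the event buffer takes the same silent `return IRQ_NONE` path as a zero count, so an invalid DWC3_GEVNTCOUNT value leaves no trace in the kernel log. Consider giving the over-length case its own branch that emits a rate-limited error carrying `count` and `evt->length` before returning, so the condition can be spotted in the field. The visible lines also do not show whether returning here without acknowledging the reported count leaves the interrupt pending; a short comment stating the intended behaviour would help the next reader.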