[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <24464.1463705976@turing-police.cc.vt.edu>
Date: Thu, 19 May 2016 20:59:36 -0400
From: Valdis.Kletnieks@...edu
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Alan Stern <stern@...land.harvard.edu>,
Andrey Ryabinin <ryabinin.a.a@...il.com>,
Oliver Neukum <oneukum@...e.com>, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org
Subject: Re: [PATCH] - silence UBSAN complaint in ehci-hcd.
On Thu, 19 May 2016 17:50:31 -0700, Greg Kroah-Hartman said:
> On Thu, May 19, 2016 at 05:19:00PM -0400, Valdis Kletnieks wrote:
> > UBSAN throws a complaint:
> >
> > [ 2.418579] UBSAN: Undefined behaviour in drivers/usb/host/ehci-hub.c:877:47
> > [ 2.418582] index -1 is out of range for type 'u32 [1]'
> >
> > though it's only on the hostpc[] part, not on the port_status[] on the
> > previous line which has the same exact index calculation. The root cause is
> > that the first declaration is port_status[0], which uses a GCC extension and
> > UBSAN is smart enough to realize the programmer is doing something
> > intentionally odd.
> >
> > However, the problematic declaration is hostpc[1], which doesn't have
> > the "I know what I'm doing" semantics of [0]. Change the declaration to match.
> >
> > Signed-Off-By: Valdis Kletnieks <valdis.kletnieks@...edu>
> >
> > --- a/include/linux/usb/ehci_def.h 2015-01-06 01:04:24.342436706 -0500
> > +++ b/include/linux/usb/ehci_def.h 2016-05-19 13:57:20.869304540 -0400
> > @@ -180,11 +180,11 @@ struct ehci_regs {
> > * PORTSCx
> > */
> > /* HOSTPC: offset 0x84 */
> > - u32 hostpc[1]; /* HOSTPC extension */
> > + u32 hostpc[0]; /* HOSTPC extension */
> > #define HOSTPC_PHCD (1<<22) /* Phy clock disable */
> > #define HOSTPC_PSPD (3<<25) /* Port speed detection */
>
> Hm, this is odd, you really do want hostpc to be 1 u32 value, don't make
> it 0 please. If you walk off the end of hostpc, well, let's fix that
> properly.
Well, UBSAN doesn't complain about the *other* use of the same exact index,
apparently because 'u32 port_status[0]' tells it to shut up we know what we're
doing.
And I'm pretty sure that if hostpc was supposed to be exactly one u32 rather
than an array, it wouldn't have the [] semantics everyplace...
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists