lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 15 Feb 2022 10:16:47 +0800
From:   3090101217@....edu.cn
To:     gregkh@...uxfoundation.org
Cc:     balbi@...nel.org, jleng@...arella.com,
        laurent.pinchart@...asonboard.com, linux-kernel@...r.kernel.org,
        linux-usb@...r.kernel.org
Subject: [PATCH v2] usb: gadget: f_uvc: fix superspeedplus transfer

From: Jing Leng <jleng@...arella.com>

UVC driver doesn't set ssp_descriptors in struct usb_function,
If UVC uses superspeedplus UDC (e.g. cdnsp), when
config_ep_by_speed_and_alt is called, the g->speed is
USB_SPEED_SUPER_PLUS, and f->ssp_descriptors is NULL,
So kernel will access NULL pointer of speed_desc.

Call trace:
 config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
 uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
 set_config.constprop.0+0x154/0x3a0 [libcomposite]
 composite_setup+0x314/0xb44 [libcomposite]
 configfs_composite_setup+0x84/0xb0 [libcomposite]
 cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
 cdnsp_setup_analyze+0x94/0x25c [cdns3]
 cdnsp_handle_event+0xe8/0x23c [cdns3]
 cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
 irq_thread_fn+0x2c/0xa0
 irq_thread+0x164/0x280
 kthread+0x128/0x134
 ret_from_fork+0x10/0x40

Signed-off-by: Jing Leng <jleng@...arella.com>
---
 drivers/usb/gadget/function/f_uvc.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 71bb5e477dba..8fc9b035481e 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -478,6 +478,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
 	void *mem;
 
 	switch (speed) {
+	case USB_SPEED_SUPER_PLUS:
 	case USB_SPEED_SUPER:
 		uvc_control_desc = uvc->desc.ss_control;
 		uvc_streaming_cls = uvc->desc.ss_streaming;
@@ -521,7 +522,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
 	      + uvc_control_ep.bLength + uvc_control_cs_ep.bLength
 	      + uvc_streaming_intf_alt0.bLength;
 
-	if (speed == USB_SPEED_SUPER) {
+	if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS) {
 		bytes += uvc_ss_control_comp.bLength;
 		n_desc = 6;
 	} else {
@@ -565,7 +566,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
 	uvc_control_header->baInterfaceNr[0] = uvc->streaming_intf;
 
 	UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_ep);
-	if (speed == USB_SPEED_SUPER)
+	if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS)
 		UVC_COPY_DESCRIPTOR(mem, dst, &uvc_ss_control_comp);
 
 	UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_cs_ep);
@@ -727,6 +728,15 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
 		}
 	}
 
+	if (gadget_is_superspeed_plus(c->cdev->gadget)) {
+		f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
+		if (IS_ERR(f->ssp_descriptors)) {
+			ret = PTR_ERR(f->ssp_descriptors);
+			f->ssp_descriptors = NULL;
+			goto error;
+		}
+	}
+
 	/* Preallocate control endpoint request. */
 	uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
 	uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ