lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20231206080744.253-1-aladyshev22@gmail.com>
Date:   Wed,  6 Dec 2023 11:07:43 +0300
From:   Konstantin Aladyshev <aladyshev22@...il.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     gregkh@...uxfoundation.org, benjamin.tissoires@...hat.com,
        aladyshev22@...il.com, ivan.orlov0322@...il.com,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
        john@...ping.me.uk, lee@...nel.org
Subject: [PATCH v2 0/1] usb: gadget: f_hid: fix report descriptor allocation

The commit "usb: gadget: f_hid: fix f_hidg lifetime vs cdev"
(89ff3dfac604614287ad5aad9370c3f984ea3f4b) has introduced a bug
that leads to hid device corruption after the replug operation.

The usb gadget driver bug was observed in the KVM functionality of the
OpenBMC distribution. In the test environment BMC provides KVM
functionality for the host (i.e. virtual USB keyboard) via the USB
gadget device.

The bug occurs when the KVM page is refreshed (i.e. USB device is
replugged).

Before the 89ff3dfac6 this opeartion was working without any issues.
Log messages from the host for this operation:
```
kernel: usb 1-7.4: USB disconnect, device number 3
kernel: usb 1-7.4: new high-speedUSB device number 4 using xhci_hcd
kernel: usb 1-7.4: New USB device found, idVendor=1d6b, idProduct=0104,
  bcdDevice= 1.00
kernel: usb 1-7.4: New USB device strings: Mfr=1, Produt=2, SerialNumber=3
kernel: usb 1-7.4: Product: Virtual Keyboard and Mouse
kernel: usb 1-7.4: Manufacturer: OpenBMC
kernel: usb 1-7.4: SerialNumber: OBMC0001
kernel: input: OpenBMC Virtual Keyboard and Mouse as /devices/pci0000:
  00/0000:00:140/usb1/1-7/1-7.4/1-7.4:1.0/0003:1D6B:0104.0003/input/input3
kernel: hid-generic 0003:1D6B:0104.0003: inputhidraw0: USB HID v1.01
  Keyboard [OpenBMC Virtual Keyboard and Mouse] on usb-0000:00:14.0-7.4/input0
kernel: input: OpenBMC Virtual Keyboard and Mouse as /devices/pci0000:
  00/0000:00:14.0/sb1/1-7/1-7.4/1-7.4:1.1/0003:1D6B:0104.0004/input/input4
kernel: hid-generic 0003:1D6B:0104.0004: input,hidraw1: USB HID v1.01
  Mouse [OpenBMC Virtual Keyboard and Mouse] on usb-0000:00:14.0-7.4/input1
```

After the 89ff3dfac6 the KVM page refresh (i.e. USB device replug) results
to the USB device corruction and the following messages from the driver:
```
kernel: usb 1-7.4: USB disconnect, device number 3
hid-generic 0003:1D6B:0104.0003: item fetching failed at offset 18/63
hid-generic 0003:1D6B:01040004: item fetching failed at offset 32/76
kernel: usb 1-7.4: new high-speed USB device number 4 using xhci_hcd
kernel: usb 1-7.4: New USB device found, idVendor=1d6b, idProduct=0104,
  bcdDevice= 1.00
kernel: usb 1-7.4:New USB device strings: Mfr=1, Product=2, SerialNumber=3
kernel: usb 1-7.4: Product: Virual Keyboard and Mouse
kernel: usb 1-7.4: Manufacturer: OpenBMC
kernel: usb 1-7.4: SerialNumber: OBMC0001
kernel: id-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item tag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: unknown main item ag 0x0
kernel: hid-generic 0003:1D6B:0104.0003: item fetching failed at offset 18/63
kernel: hid-eneric: probe of 0003:1D6B:0104.0003 failed with error -22
kernel: hid-generic 0003:1D6B:0104.0004: item fetching failed at offset 32/76
kernel hid-generic: probe of 0003:1D6B:0104.0004 failed with error -22
```

Reverse device managed memory allocation for the report descriptor
to fix the issue.


Changes v1 -> v2:
- update commit message


Konstantin Aladyshev (1):
  usb: gadget: f_hid: fix report descriptor allocation

 drivers/usb/gadget/function/f_hid.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ