* [PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-05 22:31 ` Shuah Khan
0 siblings, 0 replies; 8+ messages in thread
From: Shuah Khan @ 2018-04-05 22:31 UTC (permalink / raw)
To: valentina.manea.m, shuah, gregkh; +Cc: Shuah Khan, linux-usb, linux-kernel
Validate !rhport < 0 before using it to access port_status array.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable <stable@vger.kernel.org>
---
drivers/usb/usbip/vhci_hcd.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 20e3d4609583..d11f3f8dad40 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -354,6 +354,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
usbip_dbg_vhci_rh(" ClearHubFeature\n");
break;
case ClearPortFeature:
+ if (rhport < 0)
+ goto error;
switch (wValue) {
case USB_PORT_FEAT_SUSPEND:
if (hcd->speed == HCD_USB3) {
@@ -511,11 +513,16 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
goto error;
}
+ if (rhport < 0)
+ goto error;
+
vhci_hcd->port_status[rhport] |= USB_PORT_STAT_SUSPEND;
break;
case USB_PORT_FEAT_POWER:
usbip_dbg_vhci_rh(
" SetPortFeature: USB_PORT_FEAT_POWER\n");
+ if (rhport < 0)
+ goto error;
if (hcd->speed == HCD_USB3)
vhci_hcd->port_status[rhport] |= USB_SS_PORT_STAT_POWER;
else
@@ -524,6 +531,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
case USB_PORT_FEAT_BH_PORT_RESET:
usbip_dbg_vhci_rh(
" SetPortFeature: USB_PORT_FEAT_BH_PORT_RESET\n");
+ if (rhport < 0)
+ goto error;
/* Applicable only for USB3.0 hub */
if (hcd->speed != HCD_USB3) {
pr_err("USB_PORT_FEAT_BH_PORT_RESET req not "
@@ -534,6 +543,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
case USB_PORT_FEAT_RESET:
usbip_dbg_vhci_rh(
" SetPortFeature: USB_PORT_FEAT_RESET\n");
+ if (rhport < 0)
+ goto error;
/* if it's already enabled, disable */
if (hcd->speed == HCD_USB3) {
vhci_hcd->port_status[rhport] = 0;
@@ -554,6 +565,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
default:
usbip_dbg_vhci_rh(" SetPortFeature: default %d\n",
wValue);
+ if (rhport < 0)
+ goto error;
if (hcd->speed == HCD_USB3) {
if ((vhci_hcd->port_status[rhport] &
USB_SS_PORT_STAT_POWER) != 0) {
--
2.14.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-05 22:31 ` Shuah Khan
0 siblings, 0 replies; 8+ messages in thread
From: Shuah Khan @ 2018-04-05 22:31 UTC (permalink / raw)
To: valentina.manea.m, shuah, gregkh; +Cc: Shuah Khan, linux-usb, linux-kernel
Validate !rhport < 0 before using it to access port_status array.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
---
drivers/usb/usbip/vhci_hcd.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 20e3d4609583..d11f3f8dad40 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -354,6 +354,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
usbip_dbg_vhci_rh(" ClearHubFeature\n");
break;
case ClearPortFeature:
+ if (rhport < 0)
+ goto error;
switch (wValue) {
case USB_PORT_FEAT_SUSPEND:
if (hcd->speed == HCD_USB3) {
@@ -511,11 +513,16 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
goto error;
}
+ if (rhport < 0)
+ goto error;
+
vhci_hcd->port_status[rhport] |= USB_PORT_STAT_SUSPEND;
break;
case USB_PORT_FEAT_POWER:
usbip_dbg_vhci_rh(
" SetPortFeature: USB_PORT_FEAT_POWER\n");
+ if (rhport < 0)
+ goto error;
if (hcd->speed == HCD_USB3)
vhci_hcd->port_status[rhport] |= USB_SS_PORT_STAT_POWER;
else
@@ -524,6 +531,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
case USB_PORT_FEAT_BH_PORT_RESET:
usbip_dbg_vhci_rh(
" SetPortFeature: USB_PORT_FEAT_BH_PORT_RESET\n");
+ if (rhport < 0)
+ goto error;
/* Applicable only for USB3.0 hub */
if (hcd->speed != HCD_USB3) {
pr_err("USB_PORT_FEAT_BH_PORT_RESET req not "
@@ -534,6 +543,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
case USB_PORT_FEAT_RESET:
usbip_dbg_vhci_rh(
" SetPortFeature: USB_PORT_FEAT_RESET\n");
+ if (rhport < 0)
+ goto error;
/* if it's already enabled, disable */
if (hcd->speed == HCD_USB3) {
vhci_hcd->port_status[rhport] = 0;
@@ -554,6 +565,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
default:
usbip_dbg_vhci_rh(" SetPortFeature: default %d\n",
wValue);
+ if (rhport < 0)
+ goto error;
if (hcd->speed == HCD_USB3) {
if ((vhci_hcd->port_status[rhport] &
USB_SS_PORT_STAT_POWER) != 0) {
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-06 8:01 ` Sergei Shtylyov
0 siblings, 0 replies; 8+ messages in thread
From: Sergei Shtylyov @ 2018-04-06 8:01 UTC (permalink / raw)
To: Shuah Khan, valentina.manea.m, shuah, gregkh; +Cc: linux-usb, linux-kernel
Hello!
On 4/6/2018 1:31 AM, Shuah Khan wrote:
> Validate !rhport < 0 before using it to access port_status array.
Why '!'?
> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
> ---
> drivers/usb/usbip/vhci_hcd.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> index 20e3d4609583..d11f3f8dad40 100644
> --- a/drivers/usb/usbip/vhci_hcd.c
> +++ b/drivers/usb/usbip/vhci_hcd.c
[...]
MBR, Sergei
^ permalink raw reply [flat|nested] 8+ messages in thread
* usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-06 8:01 ` Sergei Shtylyov
0 siblings, 0 replies; 8+ messages in thread
From: Sergei Shtylyov @ 2018-04-06 8:01 UTC (permalink / raw)
To: Shuah Khan, valentina.manea.m, shuah, gregkh; +Cc: linux-usb, linux-kernel
Hello!
On 4/6/2018 1:31 AM, Shuah Khan wrote:
> Validate !rhport < 0 before using it to access port_status array.
Why '!'?
> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
> ---
> drivers/usb/usbip/vhci_hcd.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> index 20e3d4609583..d11f3f8dad40 100644
> --- a/drivers/usb/usbip/vhci_hcd.c
> +++ b/drivers/usb/usbip/vhci_hcd.c
[...]
MBR, Sergei
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-06 19:00 ` Shuah Khan
0 siblings, 0 replies; 8+ messages in thread
From: Shuah Khan @ 2018-04-06 19:00 UTC (permalink / raw)
To: Sergei Shtylyov, valentina.manea.m, shuah, gregkh
Cc: linux-usb, linux-kernel, Shuah Khan
On 04/06/2018 02:01 AM, Sergei Shtylyov wrote:
> Hello!
>
> On 4/6/2018 1:31 AM, Shuah Khan wrote:
>
>> Validate !rhport < 0 before using it to access port_status array.
>
> Why '!'?
>
I should have explained it better in the commit log.
rhport is set based on input wIndex which could be 0. This isn't
the case for all the Request but some. wIndex is range checked in
the code paths that it shouldn't be. The same applies to rhport
in some request handling paths. Without the checks there is the
potential for out of bounds access on port_status array.
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 8+ messages in thread
* usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-06 19:00 ` Shuah Khan
0 siblings, 0 replies; 8+ messages in thread
From: Shuah Khan @ 2018-04-06 19:00 UTC (permalink / raw)
To: Sergei Shtylyov, valentina.manea.m, shuah, gregkh
Cc: linux-usb, linux-kernel, Shuah Khan
On 04/06/2018 02:01 AM, Sergei Shtylyov wrote:
> Hello!
>
> On 4/6/2018 1:31 AM, Shuah Khan wrote:
>
>> Validate !rhport < 0 before using it to access port_status array.
>
> Why '!'?
>
I should have explained it better in the commit log.
rhport is set based on input wIndex which could be 0. This isn't
the case for all the Request but some. wIndex is range checked in
the code paths that it shouldn't be. The same applies to rhport
in some request handling paths. Without the checks there is the
potential for out of bounds access on port_status array.
thanks,
-- Shuah
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-10 13:50 ` Sasha Levin
0 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2018-04-10 13:50 UTC (permalink / raw)
To: Sasha Levin, Shuah Khan, valentina.manea.m, shuah
Cc: Shuah Khan, linux-usb, stable
Hi,
[This is an automated email]
This commit has been processed by the -stable helper bot and determined
to be a high probability candidate for -stable trees. (score: 8.8613)
The bot has tested the following trees: v4.16.1, v4.15.16, v4.14.33, v4.9.93, v4.4.127.
v4.16.1: Build OK!
v4.15.16: Build OK!
v4.14.33: Build OK!
v4.9.93: Failed to apply! Possible dependencies:
1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
v4.4.127: Failed to apply! Possible dependencies:
1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
Please let us know if you'd like to have this patch included in a stable tree.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 8+ messages in thread
* usbip: vhci_hcd: check rhport before using in vhci_hub_control()
@ 2018-04-10 13:50 ` Sasha Levin
0 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2018-04-10 13:50 UTC (permalink / raw)
To: Sasha Levin, Shuah Khan, valentina.manea.m, shuah; +Cc: linux-usb, stable
Hi,
[This is an automated email]
This commit has been processed by the -stable helper bot and determined
to be a high probability candidate for -stable trees. (score: 8.8613)
The bot has tested the following trees: v4.16.1, v4.15.16, v4.14.33, v4.9.93, v4.4.127.
v4.16.1: Build OK!
v4.15.16: Build OK!
v4.14.33: Build OK!
v4.9.93: Failed to apply! Possible dependencies:
1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
v4.4.127: Failed to apply! Possible dependencies:
1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support")
Please let us know if you'd like to have this patch included in a stable tree.
---
Thanks,
Sasha--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-04-10 13:50 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-05 22:31 [PATCH] usbip: vhci_hcd: check rhport before using in vhci_hub_control() Shuah Khan
2018-04-05 22:31 ` Shuah Khan
2018-04-06 8:01 ` [PATCH] " Sergei Shtylyov
2018-04-06 8:01 ` Sergei Shtylyov
2018-04-06 19:00 ` [PATCH] " Shuah Khan
2018-04-06 19:00 ` Shuah Khan
2018-04-10 13:50 ` [PATCH] " Sasha Levin
2018-04-10 13:50 ` Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.