Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] usb: dwc3: gadget: Check for NULL descriptor
@ 2019-11-27 21:45 Thinh Nguyen
  2019-11-28  7:18 ` Greg Kroah-Hartman
  2019-12-03 14:03 ` Felipe Balbi
  0 siblings, 2 replies; 5+ messages in thread
From: Thinh Nguyen @ 2019-11-27 21:45 UTC (permalink / raw)
  To: Felipe Balbi, Greg Kroah-Hartman, linux-usb
  Cc: John Youn, Thinh Nguyen, stable

The function driver may try to enable an unconfigured endpoint. This
check make sure that we do not attempt to access a NULL descriptor and
crash.

Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
---
 drivers/usb/dwc3/gadget.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 7f97856e6b20..00f8f079bbf2 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -619,6 +619,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
 	u32			reg;
 	int			ret;
 
+	if (!desc)
+		return -EINVAL;
+
 	if (!(dep->flags & DWC3_EP_ENABLED)) {
 		ret = dwc3_gadget_start_config(dep);
 		if (ret)
-- 
2.11.0


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: dwc3: gadget: Check for NULL descriptor
  2019-11-27 21:45 [PATCH] usb: dwc3: gadget: Check for NULL descriptor Thinh Nguyen
@ 2019-11-28  7:18 ` Greg Kroah-Hartman
  2019-11-28 20:40   ` Thinh Nguyen
  2019-12-03 14:03 ` Felipe Balbi
  1 sibling, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2019-11-28  7:18 UTC (permalink / raw)
  To: Thinh Nguyen; +Cc: Felipe Balbi, linux-usb, John Youn, stable

On Wed, Nov 27, 2019 at 01:45:15PM -0800, Thinh Nguyen wrote:
> The function driver may try to enable an unconfigured endpoint. This
> check make sure that we do not attempt to access a NULL descriptor and
> crash.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
> ---
>  drivers/usb/dwc3/gadget.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
> index 7f97856e6b20..00f8f079bbf2 100644
> --- a/drivers/usb/dwc3/gadget.c
> +++ b/drivers/usb/dwc3/gadget.c
> @@ -619,6 +619,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
>  	u32			reg;
>  	int			ret;
>  
> +	if (!desc)
> +		return -EINVAL;

How can this happen?  Shouldn't this be caught at an earlier point in
time?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: dwc3: gadget: Check for NULL descriptor
  2019-11-28  7:18 ` Greg Kroah-Hartman
@ 2019-11-28 20:40   ` Thinh Nguyen
  0 siblings, 0 replies; 5+ messages in thread
From: Thinh Nguyen @ 2019-11-28 20:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Thinh Nguyen
  Cc: Felipe Balbi, linux-usb, John Youn, stable

Greg Kroah-Hartman wrote:
> On Wed, Nov 27, 2019 at 01:45:15PM -0800, Thinh Nguyen wrote:
>> The function driver may try to enable an unconfigured endpoint. This
>> check make sure that we do not attempt to access a NULL descriptor and
>> crash.
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
>> ---
>>   drivers/usb/dwc3/gadget.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
>> index 7f97856e6b20..00f8f079bbf2 100644
>> --- a/drivers/usb/dwc3/gadget.c
>> +++ b/drivers/usb/dwc3/gadget.c
>> @@ -619,6 +619,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
>>   	u32			reg;
>>   	int			ret;
>>   
>> +	if (!desc)
>> +		return -EINVAL;
> How can this happen?  Shouldn't this be caught at an earlier point in
> time?

Yeah, it should, and it's already handled or noted in all the function 
drivers in the kernel. It just bugs me a little seeing that it doesn't 
fail gracefully if it's not the case.

You can discard this patch if you think it's unnecessary.

Thanks,
Thinh

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: dwc3: gadget: Check for NULL descriptor
  2019-11-27 21:45 [PATCH] usb: dwc3: gadget: Check for NULL descriptor Thinh Nguyen
  2019-11-28  7:18 ` Greg Kroah-Hartman
@ 2019-12-03 14:03 ` Felipe Balbi
  2019-12-04  1:48   ` Thinh Nguyen
  1 sibling, 1 reply; 5+ messages in thread
From: Felipe Balbi @ 2019-12-03 14:03 UTC (permalink / raw)
  To: Thinh Nguyen, Greg Kroah-Hartman, linux-usb
  Cc: John Youn, Thinh Nguyen, stable

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]


Hi,

Thinh Nguyen <Thinh.Nguyen@synopsys.com> writes:

> The function driver may try to enable an unconfigured endpoint. This
> check make sure that we do not attempt to access a NULL descriptor and
> crash.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
> ---
>  drivers/usb/dwc3/gadget.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
> index 7f97856e6b20..00f8f079bbf2 100644
> --- a/drivers/usb/dwc3/gadget.c
> +++ b/drivers/usb/dwc3/gadget.c
> @@ -619,6 +619,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
>  	u32			reg;
>  	int			ret;
>  
> +	if (!desc)
> +		return -EINVAL;

I would rather have a dev_WARN() (and return -EINVAL) added to
usb_ep_enable() so we catch those doing this. That way we don't have to
patch every UDC.

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: dwc3: gadget: Check for NULL descriptor
  2019-12-03 14:03 ` Felipe Balbi
@ 2019-12-04  1:48   ` Thinh Nguyen
  0 siblings, 0 replies; 5+ messages in thread
From: Thinh Nguyen @ 2019-12-04  1:48 UTC (permalink / raw)
  To: Felipe Balbi, Thinh Nguyen, Greg Kroah-Hartman, linux-usb
  Cc: John Youn, stable

Hi Felipe,

Felipe Balbi wrote:
> Hi,
>
> Thinh Nguyen <Thinh.Nguyen@synopsys.com> writes:
>
>> The function driver may try to enable an unconfigured endpoint. This
>> check make sure that we do not attempt to access a NULL descriptor and
>> crash.
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
>> ---
>>   drivers/usb/dwc3/gadget.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
>> index 7f97856e6b20..00f8f079bbf2 100644
>> --- a/drivers/usb/dwc3/gadget.c
>> +++ b/drivers/usb/dwc3/gadget.c
>> @@ -619,6 +619,9 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep, unsigned int action)
>>   	u32			reg;
>>   	int			ret;
>>   
>> +	if (!desc)
>> +		return -EINVAL;
> I would rather have a dev_WARN() (and return -EINVAL) added to
> usb_ep_enable() so we catch those doing this. That way we don't have to
> patch every UDC.
>

Sure, we can do that.

Thanks,
Thinh

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-27 21:45 [PATCH] usb: dwc3: gadget: Check for NULL descriptor Thinh Nguyen
2019-11-28  7:18 ` Greg Kroah-Hartman
2019-11-28 20:40   ` Thinh Nguyen
2019-12-03 14:03 ` Felipe Balbi
2019-12-04  1:48   ` Thinh Nguyen

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org
	public-inbox-index linux-usb

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git