From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Felipe Balbi" <balbi@kernel.org>,
"Maciej Żenczykowski" <maze@google.com>
Subject: [PATCH 4.14 36/49] usb: fix various gadget panics on 10gbps cabling
Date: Mon, 14 Jun 2021 12:27:29 +0200 [thread overview]
Message-ID: <20210614102643.050682768@linuxfoundation.org> (raw)
In-Reply-To: <20210614102641.857724541@linuxfoundation.org>
From: Maciej Żenczykowski <maze@google.com>
commit 032e288097a553db5653af552dd8035cd2a0ba96 upstream.
usb_assign_descriptors() is called with 5 parameters,
the last 4 of which are the usb_descriptor_header for:
full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
high-speed (USB2.0 - 480Mbps),
super-speed (USB3.0 - 5Gbps),
super-speed-plus (USB3.1 - 10Gbps).
The differences between full/high/super-speed descriptors are usually
substantial (due to changes in the maximum usb block size from 64 to 512
to 1024 bytes and other differences in the specs), while the difference
between 5 and 10Gbps descriptors may be as little as nothing
(in many cases the same tuning is simply good enough).
However if a gadget driver calls usb_assign_descriptors() with
a NULL descriptor for super-speed-plus and is then used on a max 10gbps
configuration, the kernel will crash with a null pointer dereference,
when a 10gbps capable device port + cable + host port combination shows up.
(This wouldn't happen if the gadget max-speed was set to 5gbps, but
it of course defaults to the maximum, and there's no real reason to
artificially limit it)
The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
if a 10gbps descriptor wasn't provided.
Obviously this won't fix the problem if the 5gbps descriptor is also
NULL, but such cases can't be so trivially solved (and any such gadgets
are unlikely to be used with USB3 ports any way).
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210609024459.1126080-1-zenczykowski@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/config.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/usb/gadget/config.c
+++ b/drivers/usb/gadget/config.c
@@ -168,6 +168,14 @@ int usb_assign_descriptors(struct usb_fu
{
struct usb_gadget *g = f->config->cdev->gadget;
+ /* super-speed-plus descriptor falls back to super-speed one,
+ * if such a descriptor was provided, thus avoiding a NULL
+ * pointer dereference if a 5gbps capable gadget is used with
+ * a 10gbps capable config (device port + cable + host port)
+ */
+ if (!ssp)
+ ssp = ss;
+
if (fs) {
f->fs_descriptors = usb_copy_descriptors(fs);
if (!f->fs_descriptors)
next prev parent reply other threads:[~2021-06-14 10:41 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-14 10:26 [PATCH 4.14 00/49] 4.14.237-rc1 review Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 4.14 01/49] proc: Track /proc/$pid/attr/ opener mm_struct Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 4.14 02/49] net/nfc/rawsock.c: fix a permission check bug Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 4.14 03/49] ASoC: sti-sas: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 4.14 04/49] isdn: mISDN: netjet: Fix crash in nj_probe: Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 4.14 05/49] bonding: init notify_work earlier to avoid uninitialized use Greg Kroah-Hartman
2021-06-14 10:26 ` [PATCH 4.14 06/49] netlink: disable IRQs for netlink_lock_table() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 07/49] net: mdiobus: get rid of a BUG_ON() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 08/49] cgroup: disable controllers at parse time Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 09/49] wq: handle VM suspension in stall detection Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 10/49] net/qla3xxx: fix schedule while atomic in ql_sem_spinlock Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 11/49] scsi: vmw_pvscsi: Set correct residual data length Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 12/49] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 13/49] net: macb: ensure the device is available before accessing GEMGXL control registers Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 14/49] net: appletalk: cops: Fix data race in cops_probe1 Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 15/49] MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 16/49] bnx2x: Fix missing error code in bnx2x_iov_init_one() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 17/49] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 18/49] powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 " Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 19/49] i2c: mpc: Make use of i2c_recover_bus() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 20/49] i2c: mpc: implement erratum A-004447 workaround Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 21/49] drm: Fix use-after-free read in drm_getunique() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 22/49] drm: Lock pointer access in drm_master_release() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 23/49] kvm: avoid speculation-based attacks from out-of-range memslot accesses Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 24/49] staging: rtl8723bs: Fix uninitialized variables Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 25/49] btrfs: return value from btrfs_mark_extent_written() in case of error Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 26/49] cgroup1: dont allow \n in renaming Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 27/49] USB: f_ncm: ncm_bitrate (speed) is unsigned Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 28/49] usb: dwc3: ep0: fix NULL pointer exception Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 29/49] usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 30/49] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 31/49] USB: serial: ftdi_sio: add NovaTech OrionMX product ID Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 32/49] USB: serial: omninet: add device id for Zyxel Omni 56K Plus Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 33/49] USB: serial: quatech2: fix control-request directions Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 34/49] usb: gadget: eem: fix wrong eem header operation Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 35/49] usb: fix various gadgets null ptr deref on 10gbps cabling Greg Kroah-Hartman
2021-06-14 10:27 ` Greg Kroah-Hartman [this message]
2021-06-14 10:27 ` [PATCH 4.14 37/49] regulator: core: resolve supply for boot-on/always-on regulators Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 38/49] regulator: max77620: Use device_set_of_node_from_dev() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 39/49] perf: Fix data race between pin_count increment/decrement Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 40/49] NFS: Fix a potential NULL dereference in nfs_get_client() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 41/49] perf session: Correct buffer copying when peeking events Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 42/49] kvm: fix previous commit for 32-bit builds Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 43/49] NFS: Fix use-after-free in nfs4_init_client() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 44/49] NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 45/49] scsi: core: Fix error handling of scsi_host_alloc() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 46/49] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 47/49] scsi: core: Only put parent device if host state differs from SHOST_CREATED Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 48/49] ftrace: Do not blindly read the ip address in ftrace_bug() Greg Kroah-Hartman
2021-06-14 10:27 ` [PATCH 4.14 49/49] tracing: Correct the length check which causes memory corruption Greg Kroah-Hartman
2021-06-15 1:03 ` [PATCH 4.14 00/49] 4.14.237-rc1 review Samuel Zou
2021-06-15 9:53 ` Naresh Kamboju
2021-06-15 14:20 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210614102643.050682768@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=balbi@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maze@google.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).