From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756574AbcHVUkg (ORCPT <rfc822;w@1wt.eu>);
        Mon, 22 Aug 2016 16:40:36 -0400
Received: from iolanthe.rowland.org ([192.131.102.54]:36772 "HELO
        iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1756429AbcHVUkd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Aug 2016 16:40:33 -0400
Date: Mon, 22 Aug 2016 16:40:32 -0400 (EDT)
From: Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@iolanthe.rowland.org
To: =?utf-8?Q?Bj=C3=B8rn_Mork?= <bjorn@mork.no>
cc: Jiri Slaby <jslaby@suse.cz>, Vittorio Zecca <zeccav@gmail.com>,
        <stable@vger.kernel.org>, USB list <linux-usb@vger.kernel.org>,
        Linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: UBSAN: Undefined behaviour in linux-4.7.2/drivers/usb/core/devio.c:1713:25
In-Reply-To: <87twecy2qa.fsf@miraculix.mork.no>
Message-ID: <Pine.LNX.4.44L0.1608221628320.5195-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 22 Aug 2016, Bjørn Mork wrote:

> Alan Stern <stern@rowland.harvard.edu> writes:
> 
> > On Sun, 21 Aug 2016, Jiri Slaby wrote:
> >
> >> Cc: proper lists.
> >> 
> >> ep->desc.bInterval seems to be 0 here.

> > As far as I can see, this isn't possible.  The usb_parse_endpoint()  
> > routine in drivers/usb/core/config.c is supposed to guarantee that
> > ep->desc.bInterval is never 0.
> 
> That is if it is an ISO endpoint, right?

I can't tell; the bug report doesn't say.  However, ep->desc.bInterval 
is ignored for bulk and control endpoints, so it must be either 
isochronous or interrupt.

> Maybe I misunderstand something fundamental, but the "||" strikes me as
> odd here:
> 
>         as->urb->stream_id = stream_id;
>         if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
>                         ps->dev->speed == USB_SPEED_HIGH)
>                 as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
>         else
>                 as->urb->interval = ep->desc.bInterval;
>         as->urb->context = as;

No, that's right (mostly -- we really should check for ps->dev->speed 
>= USB_SPEED_SUPER as well as == USB_SPEED_HIGH).

> Typo?

USB uses two different encodings for endpoint intervals.  The second
encoding above just gives the interval in frames; this is used for low-
and full-speed interrupt endpoints.  The first encoding above is
exponential (it gives n where the actual interval is 2^(n-1) frames or
microframes); this is used for all isochronous endpoints and for
high-speed (or SuperSpeed etc.) interrupt endpoints.

See for example the definition of usb_fill_int_urb() in 
include/linux/usb.h.

Alan Stern