Message ID | 1623810298-32001-1-git-send-email-jun.li@nxp.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | usb: chipidea: host: fix port index underflow and UBSAN complains | expand |
On Wed, Jun 16, 2021 at 10:24:58AM +0800, Li Jun wrote: > If wIndex is 0 (and it often is), these calculations underflow and > UBSAN complains, here resolve this by not decrementing the index when > it is equal to 0, this copies the solution from commit 85e3990bea49 > ("USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN") > > Reported-by: zhipeng.wang <zhipeng.wang_1@nxp.com> > Signed-off-by: Li Jun <jun.li@nxp.com> > --- > drivers/usb/chipidea/host.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c > index e86d13c04bdb..25327b1b49b7 100644 > --- a/drivers/usb/chipidea/host.c > +++ b/drivers/usb/chipidea/host.c > @@ -241,14 +241,16 @@ static int ci_ehci_hub_control( > { > struct ehci_hcd *ehci = hcd_to_ehci(hcd); > u32 __iomem *status_reg; > - u32 temp; > + u32 temp, port_index; > unsigned long flags; > int retval = 0; > bool done = false; > struct device *dev = hcd->self.controller; > struct ci_hdrc *ci = dev_get_drvdata(dev); > > - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; > + port_index = wIndex & 0xff; > + port_index -= (port_index > 0); > + status_reg = &ehci->regs->port_status[port_index]; > > spin_lock_irqsave(&ehci->lock, flags); > > @@ -288,7 +290,7 @@ static int ci_ehci_hub_control( > ehci_writel(ehci, temp, status_reg); > } > > - set_bit((wIndex & 0xff) - 1, &ehci->suspended_ports); > + set_bit(port_index, &ehci->suspended_ports); > goto done; > } Does this code test anywhere to ensure that wIndex > 0 and wIndex <= number of ports? Alan Stern
> -----Original Message----- > From: Alan Stern <stern@rowland.harvard.edu> > Sent: Wednesday, June 16, 2021 11:55 PM > To: Jun Li <jun.li@nxp.com> > Cc: peter.chen@kernel.org; gregkh@linuxfoundation.org; > linux-usb@vger.kernel.org; dl-linux-imx <linux-imx@nxp.com>; Zhipeng Wang > <zhipeng.wang_1@nxp.com> > Subject: Re: [PATCH] usb: chipidea: host: fix port index underflow and UBSAN > complains > > On Wed, Jun 16, 2021 at 10:24:58AM +0800, Li Jun wrote: > > If wIndex is 0 (and it often is), these calculations underflow and > > UBSAN complains, here resolve this by not decrementing the index when > > it is equal to 0, this copies the solution from commit 85e3990bea49 > > ("USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN") > > > > Reported-by: zhipeng.wang <zhipeng.wang_1@nxp.com> > > Signed-off-by: Li Jun <jun.li@nxp.com> > > --- > > drivers/usb/chipidea/host.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c > > index e86d13c04bdb..25327b1b49b7 100644 > > --- a/drivers/usb/chipidea/host.c > > +++ b/drivers/usb/chipidea/host.c > > @@ -241,14 +241,16 @@ static int ci_ehci_hub_control( { > > struct ehci_hcd *ehci = hcd_to_ehci(hcd); > > u32 __iomem *status_reg; > > - u32 temp; > > + u32 temp, port_index; > > unsigned long flags; > > int retval = 0; > > bool done = false; > > struct device *dev = hcd->self.controller; > > struct ci_hdrc *ci = dev_get_drvdata(dev); > > > > - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; > > + port_index = wIndex & 0xff; > > + port_index -= (port_index > 0); > > + status_reg = &ehci->regs->port_status[port_index]; > > > > spin_lock_irqsave(&ehci->lock, flags); > > > > @@ -288,7 +290,7 @@ static int ci_ehci_hub_control( > > ehci_writel(ehci, temp, status_reg); > > } > > > > - set_bit((wIndex & 0xff) - 1, &ehci->suspended_ports); > > + set_bit(port_index, &ehci->suspended_ports); > > goto done; > > } > > Does this code test anywhere to ensure that wIndex > 0 and wIndex <= number > of ports? Missed that, thanks for pointing it out, will add it in v2. Li Jun > > Alan Stern
diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c index e86d13c04bdb..25327b1b49b7 100644 --- a/drivers/usb/chipidea/host.c +++ b/drivers/usb/chipidea/host.c @@ -241,14 +241,16 @@ static int ci_ehci_hub_control( { struct ehci_hcd *ehci = hcd_to_ehci(hcd); u32 __iomem *status_reg; - u32 temp; + u32 temp, port_index; unsigned long flags; int retval = 0; bool done = false; struct device *dev = hcd->self.controller; struct ci_hdrc *ci = dev_get_drvdata(dev); - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; + port_index = wIndex & 0xff; + port_index -= (port_index > 0); + status_reg = &ehci->regs->port_status[port_index]; spin_lock_irqsave(&ehci->lock, flags); @@ -288,7 +290,7 @@ static int ci_ehci_hub_control( ehci_writel(ehci, temp, status_reg); } - set_bit((wIndex & 0xff) - 1, &ehci->suspended_ports); + set_bit(port_index, &ehci->suspended_ports); goto done; }
If wIndex is 0 (and it often is), these calculations underflow and UBSAN complains, here resolve this by not decrementing the index when it is equal to 0, this copies the solution from commit 85e3990bea49 ("USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN") Reported-by: zhipeng.wang <zhipeng.wang_1@nxp.com> Signed-off-by: Li Jun <jun.li@nxp.com> --- drivers/usb/chipidea/host.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)