Message ID | 048cd6972c50c33c2e8f81d5228fed928519918b.1683987673.git.deren.wu@mediatek.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v2] mmc: vub300: fix invalid response handling |
On Sat, 13 May 2023 at 16:49, Deren Wu <deren.wu@mediatek.com> wrote:
>
> We may get an empty response with zero length at the beginning of
> the driver start and get following UBSAN error. Since there is no
> content(SDRT_NONE) for the response, just return and skip the response
> handling to avoid this problem.
>
> Test pass : SDIO wifi throughput test with this patch
>
> [ 126.980684] UBSAN: array-index-out-of-bounds in drivers/mmc/host/vub300.c:1719:12
> [ 126.980709] index -1 is out of range for type 'u32 [4]'
> [ 126.980729] CPU: 4 PID: 9 Comm: kworker/u16:0 Tainted: G E 6.3.0-rc4-mtk-local-202304272142 #1
> [ 126.980754] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020
> [ 126.980770] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
> [ 126.980833] Call Trace:
> [ 126.980845] <TASK>
> [ 126.980860] dump_stack_lvl+0x48/0x70
> [ 126.980895] dump_stack+0x10/0x20
> [ 126.980916] ubsan_epilogue+0x9/0x40
> [ 126.980944] __ubsan_handle_out_of_bounds+0x70/0x90
> [ 126.980979] vub300_cmndwork_thread+0x58e7/0x5e10 [vub300]
> [ 126.981018] ? _raw_spin_unlock+0x18/0x40
> [ 126.981042] ? finish_task_switch+0x175/0x6f0
> [ 126.981070] ? __switch_to+0x42e/0xda0
> [ 126.981089] ? __switch_to_asm+0x3a/0x80
> [ 126.981129] ? __pfx_vub300_cmndwork_thread+0x10/0x10 [vub300]
> [ 126.981174] ? __kasan_check_read+0x11/0x20
> [ 126.981204] process_one_work+0x7ee/0x13d0
> [ 126.981246] worker_thread+0x53c/0x1240
> [ 126.981291] kthread+0x2b8/0x370
> [ 126.981312] ? __pfx_worker_thread+0x10/0x10
> [ 126.981336] ? __pfx_kthread+0x10/0x10
> [ 126.981359] ret_from_fork+0x29/0x50
> [ 126.981400] </TASK>
>
> Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
> Signed-off-by: Deren Wu <deren.wu@mediatek.com>

Applied for fixes and by adding a stable tag, thanks!

Kind regards
Uffe

> ---
> v2: add Fixes tag
>     update commit description
> ---
> drivers/mmc/host/vub300.c | 3 +++
> 1 file changed, 3 insertions(+)
> > diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c > index e4c4bfac3763..9ec593d52f0f 100644 > --- a/drivers/mmc/host/vub300.c > +++ b/drivers/mmc/host/vub300.c > @@ -1713,6 +1713,9 @@ static void construct_request_response(struct vub300_mmc_host *vub300, > int bytes = 3 & less_cmd; > int words = less_cmd >> 2; > u8 *r = vub300->resp.response.command_response; > + > + if (!resp_len) > + return; > if (bytes == 3) { > cmd->resp[words] = (r[1 + (words << 2)] << 24) > | (r[2 + (words << 2)] << 16) > -- > 2.18.0 >
diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c index e4c4bfac3763..9ec593d52f0f 100644 --- a/drivers/mmc/host/vub300.c +++ b/drivers/mmc/host/vub300.c @@ -1713,6 +1713,9 @@ static void construct_request_response(struct vub300_mmc_host *vub300, int bytes = 3 & less_cmd; int words = less_cmd >> 2; u8 *r = vub300->resp.response.command_response; + + if (!resp_len) + return; if (bytes == 3) { cmd->resp[words] = (r[1 + (words << 2)] << 24) | (r[2 + (words << 2)] << 16)
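Review bot: The new `if (!resp_len) return;` guard only rejects a zero length, while the store a few lines below it, `cmd->resp[words] = ...`, still uses `words = less_cmd >> 2` with no range check. The UBSAN report gives the array type as 'u32 [4]', so any length that makes `words` negative or 4 or more would still index outside it; the hunk does not show how `less_cmd` is derived from `resp_len`, so it is worth confirming that zero is the only value that can do this. Consider bounding the index directly, for example returning when `words < 0 || words >= ARRAY_SIZE(cmd->resp)`, and adding a one-line comment that a zero-length response corresponds to SDRT_NONE. Style: the guard has a blank line before it but none after, so it runs straight into the `if (bytes == 3)` block.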
We may get an empty response with zero length at the beginning of
the driver start and get following UBSAN error. Since there is no
content(SDRT_NONE) for the response, just return and skip the response
handling to avoid this problem.

Test pass : SDIO wifi throughput test with this patch

[ 126.980684] UBSAN: array-index-out-of-bounds in drivers/mmc/host/vub300.c:1719:12
[ 126.980709] index -1 is out of range for type 'u32 [4]'
[ 126.980729] CPU: 4 PID: 9 Comm: kworker/u16:0 Tainted: G E 6.3.0-rc4-mtk-local-202304272142 #1
[ 126.980754] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020
[ 126.980770] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
[ 126.980833] Call Trace:
[ 126.980845] <TASK>
[ 126.980860] dump_stack_lvl+0x48/0x70
[ 126.980895] dump_stack+0x10/0x20
[ 126.980916] ubsan_epilogue+0x9/0x40
[ 126.980944] __ubsan_handle_out_of_bounds+0x70/0x90
[ 126.980979] vub300_cmndwork_thread+0x58e7/0x5e10 [vub300]
[ 126.981018] ? _raw_spin_unlock+0x18/0x40
[ 126.981042] ? finish_task_switch+0x175/0x6f0
[ 126.981070] ? __switch_to+0x42e/0xda0
[ 126.981089] ? __switch_to_asm+0x3a/0x80
[ 126.981129] ? __pfx_vub300_cmndwork_thread+0x10/0x10 [vub300]
[ 126.981174] ? __kasan_check_read+0x11/0x20
[ 126.981204] process_one_work+0x7ee/0x13d0
[ 126.981246] worker_thread+0x53c/0x1240
[ 126.981291] kthread+0x2b8/0x370
[ 126.981312] ? __pfx_worker_thread+0x10/0x10
[ 126.981336] ? __pfx_kthread+0x10/0x10
[ 126.981359] ret_from_fork+0x29/0x50
[ 126.981400] </TASK>

Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
---
v2: add Fixes tag
    update commit description
---
drivers/mmc/host/vub300.c | 3 +++
1 file changed, 3 insertions(+)