forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers
History
William Wu 49bf9944dd UPSTREAM: usb: gadget: f_fs: avoid out of bounds access on comp_desc 
Companion descriptor is only used for SuperSpeed endpoints,
if the endpoints are HighSpeed or FullSpeed, the Companion
descriptor will not allocated, so we can only access it if
gadget is SuperSpeed.

I can reproduce this issue on Rockchip platform rk3368 SoC
which supports USB 2.0, and use functionfs for ADB. Kernel
build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
the following BUG:

==================================================================
BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
Read of size 1 by task swapper/0/0
============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
alloc_debug_processing+0x128/0x17c
___slab_alloc.constprop.58+0x50c/0x610
__slab_alloc.isra.55.constprop.57+0x24/0x34
__kmalloc+0xe0/0x250
ffs_func_bind+0x52c/0x99c
usb_add_function+0xd8/0x1d4
configfs_composite_bind+0x48c/0x570
udc_bind_to_driver+0x6c/0x170
usb_udc_attach_driver+0xa4/0xd0
gadget_dev_desc_UDC_store+0xcc/0x118
configfs_write_file+0x1a0/0x1f8
__vfs_write+0x64/0x174
vfs_write+0xe4/0x200
SyS_write+0x68/0xc8
el0_svc_naked+0x24/0x28
INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
...
Call trace:
[<ffffff900808aab4>] dump_backtrace+0x0/0x230
[<ffffff900808acf8>] show_stack+0x14/0x1c
[<ffffff90084ad420>] dump_stack+0xa0/0xc8
[<ffffff90082157cc>] print_trailer+0x188/0x198
[<ffffff9008215948>] object_err+0x3c/0x4c
[<ffffff900821b5ac>] kasan_report+0x324/0x4dc
[<ffffff900821aa38>] __asan_load1+0x24/0x50
[<ffffff90089eb750>] ffs_func_set_alt+0x224/0x3a0
[<ffffff90089d3760>] composite_setup+0xdcc/0x1ac8
[<ffffff90089d7394>] android_setup+0x124/0x1a0
[<ffffff90089acd18>] _setup+0x54/0x74
[<ffffff90089b6b98>] handle_ep0+0x3288/0x4390
[<ffffff90089b9b44>] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
[<ffffff90089be85c>] dwc_otg_pcd_handle_intr+0x1ec/0x298
[<ffffff90089ad680>] dwc_otg_pcd_irq+0x10/0x20
[<ffffff9008116328>] handle_irq_event_percpu+0x124/0x3ac
[<ffffff9008116610>] handle_irq_event+0x60/0xa0
[<ffffff900811af30>] handle_fasteoi_irq+0x10c/0x1d4
[<ffffff9008115568>] generic_handle_irq+0x30/0x40
[<ffffff90081159b4>] __handle_domain_irq+0xac/0xdc
[<ffffff9008080e9c>] gic_handle_irq+0x64/0xa4
...
Memory state around the buggy address:
  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
 >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Signed-off-by: William Wu <william.wu@rock-chips.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>

(cherry picked from commit b7f73850bb)

Signed-off-by: Jerry Zhang <zhangjerry@google.com>

Signed-off-by: Jerry Zhang <zhangjerry@google.com>
2017-07-10 16:27:29 +05:30
..
accessibility
acpi ACPI / power: Avoid maybe-uninitialized warning 2017-04-27 09:09:33 +02:00
amba
android ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES. 2017-04-10 13:28:07 +05:30
ata libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices 2017-02-09 08:02:45 +01:00
atm
auxdisplay
base ANDROID: power: align wakeup_sources format 2017-04-10 13:12:16 +05:30
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block drbd: avoid redefinition of BITS_PER_PAGE 2017-05-08 07:46:01 +02:00
bluetooth Bluetooth: hci_intel: add missing tty-device sanity check 2017-05-20 14:27:02 +02:00
bus bus: vexpress-config: fix device reference leak 2017-01-19 20:17:22 +01:00
cdrom
char Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-06-08 12:11:52 +08:00
clk clk: Make x86/ conditional on CONFIG_COMMON_CLK 2017-05-14 13:32:55 +02:00
clocksource clocksource/exynos_mct: Clear interrupt when cpu is shut down 2017-01-26 08:23:48 +01:00
connector
cpufreq BACKPORT: cpufreq: schedutil: New governor based on scheduler utilization data 2017-06-21 16:34:04 +05:30
cpuidle Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2016-10-18 12:31:07 +08:00
crypto crypto: caam - fix RNG deinstantiation error checking 2017-04-18 07:14:36 +02:00
dca
devfreq
dio
dma dmaengine: ipu: Make sure the interrupt routine checks all interrupts. 2017-03-12 06:37:30 +01:00
dma-buf
edac EDAC: Increment correct counter in edac_inc_ue_error() 2016-09-07 08:32:41 +02:00
eisa
extcon extcon: max77843: Use correct size for reading the interrupt register 2016-05-04 14:48:54 -07:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-10 16:36:35 +01:00
firmware UPSTREAM: efi/arm64: Don't apply MEMBLOCK_NOMAP to UEFI memory map mapping 2017-01-02 13:54:08 +05:30
fmc
fpga
gpio gpio: mpc8xxx: Correct irq handler function 2016-10-28 03:01:25 -04:00
gpu Merge tag 'v4.4.71' into linux-linaro-lsk-v4.4 2017-06-08 12:11:49 +08:00
hid ANDROID: hid: uhid: implement refcount for open and close 2017-06-21 16:34:04 +05:30
hsi
hv hv: don't reset hv_context.tsc_page on crash 2017-04-27 09:09:34 +02:00
hwmon hwmon: (g762) Fix overflows and crash seen when writing limit attributes 2017-01-12 11:22:48 +01:00
hwspinlock
hwtracing Merge branch 'v4.4/topic/coresight' into linux-linaro-lsk-v4.4 2017-03-24 11:27:10 +08:00
i2c i2c: i2c-tiny-usb: fix buffer not being DMA capable 2017-06-07 12:06:00 +02:00
ide
idle intel_idle: Support for Intel Xeon Phi Processor x200 Product Family 2016-09-15 08:27:46 +02:00
iio iio: proximity: as3935: fix as3935_write 2017-05-25 14:30:13 +02:00
infiniband infiniband: call ipv6 route lookup via the stub interface 2017-05-25 14:30:07 +02:00
input Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-04 12:01:39 +08:00
iommu iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings 2017-05-25 14:30:16 +02:00
ipack
irqchip irqchip/irq-imx-gpcv2: Fix spinlock initialization 2017-04-21 09:30:06 +02:00
isdn isdn/gigaset: fix NULL-deref at probe 2017-03-26 12:13:19 +02:00
leds leds: ktd2692: avoid harmless maybe-uninitialized warning 2017-05-14 13:32:55 +02:00
lguest
lightnvm lightnvm: put bio before return 2016-09-24 10:07:35 +02:00
macintosh
mailbox
mcb mcb: Fixed bar number assignment for the gdd 2016-06-01 12:15:53 -07:00
md Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-26 12:03:29 +08:00
media xc2028: Fix use-after-free bug properly 2017-05-25 14:30:15 +02:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-07-27 09:47:35 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-28 03:01:35 -04:00
message
mfd mfd: core: Fix device reference leak in mfd_clone_cell 2016-11-26 09:54:53 +01:00
misc ANDROID: uid_sys_stats: check previous uid_entry before call find_or_register_uid 2017-06-21 16:39:42 +05:30
mmc Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-06-08 12:11:52 +08:00
mtd Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-15 17:32:20 +08:00
net Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-06-08 12:11:52 +08:00
nfc mei: bus: fix received data size check in NFC fixup 2016-11-18 10:48:36 +01:00
ntb ntb_transport: Pick an unused queue 2017-02-23 17:43:10 +01:00
nubus
nvdimm libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat 2017-04-21 09:30:06 +02:00
nvme nvme: Call pci_disable_device on the error path. 2016-09-15 08:27:51 +02:00
nvmem nvmem: mxs-ocotp: fix buffer overflow in read 2016-05-11 11:21:21 +02:00
of Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-26 12:03:29 +08:00
oprofile
parisc
parport parport: fix attempt to write duplicate procfiles 2017-03-30 09:35:17 +02:00
pci PCI: Freeze PME scan before suspending devices 2017-05-25 14:30:17 +02:00
pcmcia pcmcia: db1xxx_ss: fix last irq_to_gpio user 2016-04-20 15:42:09 +09:00
perf drivers/perf: arm_pmu: Fix leak in error path 2016-10-07 15:23:41 +02:00
phy phy: qcom-usb-hs: Add depends on EXTCON 2017-05-14 13:32:57 +02:00
pinctrl pinctrl: qcom: Don't clear status bit on irq_unmask 2017-03-31 09:49:53 +02:00
platform Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-04-23 12:02:14 +08:00
pnp PNP: Add Broadwell to Intel MCH size workaround 2016-08-16 09:30:48 +02:00
power Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-15 17:32:20 +08:00
powercap
pps pps: do not crash when failed to register 2016-08-10 11:49:25 +02:00
ps3
ptp
pwm pwm: pca9685: Fix period change with same duty cycle 2017-03-15 09:57:14 +08:00
rapidio
ras
regulator regulator: tps65023: Fix inverted core enable logic. 2017-05-25 14:30:09 +02:00
remoteproc remoteproc: Fix potential race condition in rproc_add 2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-04-23 12:02:14 +08:00
s390 s390/qeth: avoid null pointer dereference on OSN 2017-06-07 12:05:57 +02:00
sbus
scsi Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-06-08 12:11:52 +08:00
sfi
sh
sn
soc ARM: 8485/1: cpuidle: remove cpu parameter from the cpuidle_ops suspend hook 2016-11-21 11:48:09 +08:00
spi spi: mvebu: fix baudrate calculation for armada variant 2017-01-15 13:41:36 +01:00
spmi
ssb ssb: Fix error routine when fallback SPROM fails 2017-01-09 08:07:42 +01:00
staging Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-26 12:03:29 +08:00
target iscsi-target: Set session_fall_back_to_erl0 when forcing reinstatement 2017-05-20 14:26:58 +02:00
tc
thermal thermal: hwmon: Properly report critical temperature in sysfs 2017-01-09 08:07:44 +01:00
thunderbolt thunderbolt: Fix double free of drom buffer 2016-06-01 12:15:53 -07:00
tty Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-05-25 10:05:41 +08:00
uio uio: fix dmem_region_start computation 2016-10-31 04:13:59 -06:00
usb UPSTREAM: usb: gadget: f_fs: avoid out of bounds access on comp_desc 2017-07-10 16:27:29 +05:30
uwb uwb: fix device quirk on big-endian hosts 2017-05-25 14:30:17 +02:00
vfio vfio/type1: Remove locked page accounting workqueue 2017-05-20 14:27:00 +02:00
vhost vhost/scsi: fix reuse of &vq->iov[out] in response 2016-09-15 08:27:53 +02:00
video Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-04-23 12:02:14 +08:00
virt
virtio virtio_balloon: init 1st buffer in stats vq 2017-03-31 09:49:53 +02:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android 2017-03-20 12:03:10 +08:00
watchdog watchdog: pcwd_usb: fix NULL-deref at probe 2017-05-25 14:30:07 +02:00
xen xen/acpi: upload PM state from init-domain to Xen 2017-03-30 09:35:18 +02:00
zorro
Kconfig Revert "switch: switch class and GPIO drivers." 2016-05-19 12:32:41 +05:30
Makefile usb: Make sure usb/phy/of gets built-in 2017-05-20 14:26:59 +02:00