On Fri, 1 Apr 2016, Navin P.S wrote: > On Fri, Apr 1, 2016 at 8:00 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote: > > On Fri, 1 Apr 2016, Navin P.S wrote: > > > >> Hi, > >> > >> I was looking at the bug https://bugzilla.kernel.org/show_bug.cgi?id=112171 > >> which says > >> > >> Feb 08 22:58:56 x kernel: UBSAN: Undefined behaviour in > >> drivers/usb/host/ehci-hub.c:873:47 > >> Feb 08 22:58:56 x kernel: index -1 is out of range for type 'u32 [1]' > >> > >> > >> > >> I'm suspective the ehci-tegra function ehci-tegra.c:291 calling with > >> wIndex as 0 . > >> > >> I'm not sure if that is even possible .So i ask in this list ? Can > >> someone give pointers ? > > > > Yes, it is possible. tegra_ehci_hub_control() needs to verify that > > wIndex > 0 before using status_reg. Would you like to write a patch to > > fix this? > > > > The actual bug submitted looks to be in a different call stack as i've > analzyed below but this diff also fixes tegra_ehci_hub_control if it > is called with wIndex 0. If you can confirm below i'll copy lkml after > the submitter verifies. > > > In case of wIndex can we return -EPIPE as in case of error in > ehci-hub.c or do we have to return some other error code ? If wIndex is wrong, you should always return -EPIPE. > diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c > index ffc9029..50194af 100644 > --- a/drivers/usb/host/ehci-hub.c > +++ b/drivers/usb/host/ehci-hub.c > @@ -872,6 +872,10 @@ int ehci_hub_control( > ) { > struct ehci_hcd *ehci = hcd_to_ehci (hcd); > int ports = HCS_N_PORTS (ehci->hcs_params); > + > + if (!wIndex || wIndex > ports) > + return -EPIPE; > + No, this is bad. There are cases where wIndex is allowed to be 0 or larger than ports. > In the below call trace we get wIndex as 0 due to > usb_set_configuration calling it with 0. Please see below. > > Feb 08 22:58:56 x kernel: UBSAN: Undefined behaviour in > drivers/usb/host/ehci-hub.c:873:47 > Feb 08 22:58:56 x kernel: index -1 is out of range for type 'u32 [1]' UBSAN is wrong here. Even though the index is out of range, the behavior is not undefined. Alan Stern -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
