On Wed, Aug 26, 2020 at 06:53:02PM +0300, Andy Shevchenko wrote: > On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote: > > > On 26.08.2020 15:43, Greg KH wrote: > > > > > Brooke Basile (2): > > > > USB: gadget: u_f: add overflow checks to VLA macros > > > > > > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also > > > didn't get the proper testing in linux-next (next-20200826 is the first > > > one with this patch). > > > > > > This is how it explodes on Samsung Exynos (ARM 32bit) based board with > > > g_ether module loaded: > > > Odd, for a "normal" descriptor, the logic should have remained the same > > as without this patch. > > > Brooke, any ideas? > > I have an idea. > > Does below fix this? > > > -- > With Best Regards, > Andy Shevchenko > diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h > index df4e1dcb357d..0b5c5f0dd073 100644 > --- a/drivers/usb/gadget/u_f.h > +++ b/drivers/usb/gadget/u_f.h > @@ -25,8 +25,8 @@ > size_t offset = 0; \ > if (groupname##__next != SIZE_MAX) { \ > size_t align_mask = __alignof__(type) - 1; \ > - size_t offset = (groupname##__next + align_mask) \ > - & ~align_mask; \ > + offset = (groupname##__next + align_mask) & \ > + ~align_mask; \ > size_t size = array_size(n, sizeof(type)); \ > if (check_add_overflow(offset, size, \ > &groupname##__next)) { \ > @@ -43,8 +43,8 @@ > size_t offset = 0; \ > if (groupname##__next != SIZE_MAX) { \ > size_t align_mask = __alignof__(type) - 1; \ > - size_t offset = (groupname##__next + align_mask) \ > - & ~align_mask; \ > + offset = (groupname##__next + align_mask) & \ > + ~align_mask; \ > if (check_add_overflow(offset, groupname##_##name##__sz,\ > &groupname##__next)) { \ > groupname##__next = SIZE_MAX; \ Oh wow, yeah, that should fix the problem, but would be good to get confirmation... thanks, greg k-h