On Wed, Aug 26, 2020 at 06:53:02PM +0300, Andy Shevchenko wrote:
> On Wed, Aug 26, 2020 at 6:36 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > On Wed, Aug 26, 2020 at 05:02:38PM +0200, Marek Szyprowski wrote:
> > > On 26.08.2020 15:43, Greg KH wrote:
>
> > > > Brooke Basile (2):
> > > > USB: gadget: u_f: add overflow checks to VLA macros
> > >
> > > Sorry, but the above patch breaks USB Ethernet Gadget operation. It also
> > > didn't get the proper testing in linux-next (next-20200826 is the first
> > > one with this patch).
> > >
> > > This is how it explodes on Samsung Exynos (ARM 32bit) based board with
> > > g_ether module loaded:
>
> > Odd, for a "normal" descriptor, the logic should have remained the same
> > as without this patch.
>
> > Brooke, any ideas?
>
> I have an idea.
>
> Does below fix this?
>
>
> --
> With Best Regards,
> Andy Shevchenko
> diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
> index df4e1dcb357d..0b5c5f0dd073 100644
> --- a/drivers/usb/gadget/u_f.h
> +++ b/drivers/usb/gadget/u_f.h
> @@ -25,8 +25,8 @@
> size_t offset = 0; \
> if (groupname##__next != SIZE_MAX) { \
> size_t align_mask = __alignof__(type) - 1; \
> - size_t offset = (groupname##__next + align_mask) \
> - & ~align_mask; \
> + offset = (groupname##__next + align_mask) & \
> + ~align_mask; \
> size_t size = array_size(n, sizeof(type)); \
> if (check_add_overflow(offset, size, \
> &groupname##__next)) { \
> @@ -43,8 +43,8 @@
> size_t offset = 0; \
> if (groupname##__next != SIZE_MAX) { \
> size_t align_mask = __alignof__(type) - 1; \
> - size_t offset = (groupname##__next + align_mask) \
> - & ~align_mask; \
> + offset = (groupname##__next + align_mask) & \
> + ~align_mask; \
> if (check_add_overflow(offset, groupname##_##name##__sz,\
> &groupname##__next)) { \
> groupname##__next = SIZE_MAX; \
Oh wow, yeah, that should fix the problem, but would be good to get
confirmation...
thanks,
greg k-h
