Maciej Żenczykowski <zenczykowski@xxxxxxxxx> writes: > From: Maciej Żenczykowski <maze@xxxxxxxxxx> > > usb_assign_descriptors() is called with 5 parameters, > the last 4 of which are the usb_descriptor_header for: > full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps), > high-speed (USB2.0 - 480Mbps), > super-speed (USB3.0 - 5Gbps), > super-speed-plus (USB3.1 - 10Gbps). > > The differences between full/high/super-speed descriptors are usually > substantial (due to changes in the maximum usb block size from 64 to 512 > to 1024 bytes and other differences in the specs), while the difference > between 5 and 10Gbps descriptors may be as little as nothing > (in many cases the same tuning is simply good enough). > > However if a gadget driver calls usb_assign_descriptors() with > a NULL descriptor for super-speed-plus and is then used on a max 10gbps > configuration, the kernel will crash with a null pointer dereference, > when a 10gbps capable device port + cable + host port combination shows up. > (This wouldn't happen if the gadget max-speed was set to 5gbps, but > it of course defaults to the maximum, and there's no real reason to > artificially limit it) > > The fix is to simply use the 5gbps descriptor as the 10gbps descriptor, > if a 10gbps descriptor wasn't provided. > > Obviously this won't fix the problem if the 5gbps descriptor is also > NULL, but such cases can't be so trivially solved (and any such gadgets > are unlikely to be used with USB3 ports any way). > > Cc: Felipe Balbi <balbi@xxxxxxxxxx> > Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > Signed-off-by: Maciej Żenczykowski <maze@xxxxxxxxxx> nice catch!! I think this is already in Greg's tree, but in any case: Acked-by: Felipe Balbi <balbi@xxxxxxxxxx> -- balbi
Attachment:
signature.asc
Description: PGP signature
