Re: [PATCH 2/2] usb: gadget: function: f_fs: pass companion descriptor along

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 01/31/2017 04:56 PM, Felipe Balbi wrote:
> 
> Hi,
> 
> Krzysztof Opasiak <k.opasiak@xxxxxxxxxxx> writes:
>> On 01/31/2017 02:08 PM, Felipe Balbi wrote:
>>> If we're dealing with SuperSpeed endpoints, we need
>>> to make sure to pass along the companion descriptor
>>> and initialize fields needed by the Gadget
>>> API. Eventually, f_fs.c should be converted to use
>>> config_ep_by_speed() like all other functions,
>>> though.
>>>
>>> Cc: <stable@xxxxxxxxxxxxxxx>
>>> Signed-off-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx>
>>> ---
>>>
>>> Will be sent in a pull request during v4.11-rc
>>>
>>>  drivers/usb/gadget/function/f_fs.c | 15 +++++++++++++--
>>>  1 file changed, 13 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
>>> index 87fccf611b69..86aba2ebb3ef 100644
>>> --- a/drivers/usb/gadget/function/f_fs.c
>>> +++ b/drivers/usb/gadget/function/f_fs.c
>>> @@ -1833,11 +1833,14 @@ static int ffs_func_eps_enable(struct ffs_function *func)
>>>  	spin_lock_irqsave(&func->ffs->eps_lock, flags);
>>>  	while(count--) {
>>>  		struct usb_endpoint_descriptor *ds;
>>> +		struct usb_ss_ep_comp_descriptor *comp_desc = NULL;
>>> +		int needs_comp_desc = false;
>>>  		int desc_idx;
>>>  
>>> -		if (ffs->gadget->speed == USB_SPEED_SUPER)
>>> +		if (ffs->gadget->speed == USB_SPEED_SUPER) {
>>>  			desc_idx = 2;
>>> -		else if (ffs->gadget->speed == USB_SPEED_HIGH)
>>> +			needs_comp_desc = true;
>>> +		} else if (ffs->gadget->speed == USB_SPEED_HIGH)
>>>  			desc_idx = 1;
>>>  		else
>>>  			desc_idx = 0;
>>> @@ -1854,6 +1857,14 @@ static int ffs_func_eps_enable(struct ffs_function *func)
>>>  
>>>  		ep->ep->driver_data = ep;
>>>  		ep->ep->desc = ds;
>>> +
>>> +		comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
>>> +				USB_DT_ENDPOINT_SIZE);
>>> +		ep->ep->maxburst = comp_desc->bMaxBurst + 1;
>>> +
>>> +		if (needs_comp_desc)
>>> +			ep->ep->comp_desc = comp_desc;
>>> +
>>
>> Please correct me if I'm wrong but wouldn't we read rubbish here if user
>> provided us SS ep descriptor without companion descriptor?
> 
> companion desc is required for SS endpoints, it's also required that
> they follow EP desc. If user doesn't write it, don't they deserve the
> errors they'll have?
> 

But do we deserve to access potentially unallocated memory inside kernel
each time when some malicious application requests this?;)

In my humble opinion user should get -EINVAL or sth like this from
write(desc, sizeof(desc)) instead of some random data in companion
descriptor.

Cheers,
-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]