Patch "USB: avoid left shift by -1" has been added to the 4.7-stable tree

Patch "USB: avoid left shift by -1" has been added to the 4.7-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    USB: avoid left shift by -1

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-avoid-left-shift-by-1.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa Mon Sep 17 00:00:00 2001
From: Alan Stern <stern@rowland.harvard.edu>
Date: Tue, 23 Aug 2016 15:32:51 -0400
Subject: USB: avoid left shift by -1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Alan Stern <stern@rowland.harvard.edu>

commit 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa upstream.

UBSAN complains about a left shift by -1 in proc_do_submiturb().  This
can occur when an URB is submitted for a bulk or control endpoint on
a high-speed device, since the code doesn't bother to check the
endpoint type; normally only interrupt or isochronous endpoints have
a nonzero bInterval value.

Aside from the fact that the operation is illegal, it shouldn't matter
because the result isn't used.  Still, in theory it could cause a
hardware exception or other problem, so we should work around it.
This patch avoids doing the left shift unless the shift amount is >= 0.

The same piece of code has another problem.  When checking the device
speed (the exponential encoding for interrupt endpoints is used only
by high-speed or faster devices), we need to look for speed >=
USB_SPEED_SUPER as well as speed == USB_SPEED HIGH.  The patch adds
this check.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Vittorio Zecca <zeccav@gmail.com>
Tested-by: Vittorio Zecca <zeccav@gmail.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/devio.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1709,11 +1709,17 @@ static int proc_do_submiturb(struct usb_
 	as->urb->start_frame = uurb->start_frame;
 	as->urb->number_of_packets = number_of_packets;
 	as->urb->stream_id = stream_id;
-	if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
-			ps->dev->speed == USB_SPEED_HIGH)
-		as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
-	else
-		as->urb->interval = ep->desc.bInterval;
+
+	if (ep->desc.bInterval) {
+		if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
+				ps->dev->speed == USB_SPEED_HIGH ||
+				ps->dev->speed >= USB_SPEED_SUPER)
+			as->urb->interval = 1 <<
+					min(15, ep->desc.bInterval - 1);
+		else
+			as->urb->interval = ep->desc.bInterval;
+	}
+
 	as->urb->context = as;
 	as->urb->complete = async_completed;
 	for (totlen = u = 0; u < number_of_packets; u++) {


Patches currently in stable-queue which might be from stern@rowland.harvard.edu are

queue-4.7/usb-ehci-change-order-of-register-cleanup-during-shutdown.patch
queue-4.7/usb-devio-do-not-warn-when-allocation-fails.patch
queue-4.7/usb-hub-fix-up-early-exit-pathway-in-hub_activate.patch
queue-4.7/usb-hub-change-the-locking-in-hub_activate.patch
queue-4.7/usb-avoid-left-shift-by-1.patch
queue-4.7/usb-validate-wmaxpacketvalue-entries-in-endpoint-descriptors.patch
queue-4.7/usb-fix-typo-in-wmaxpacketsize-validation.patch
queue-4.7/usb-serial-fix-memleak-in-driver-registration-error-path.patch
queue-4.7/usb-hub-fix-unbalanced-reference-count-memory-leak-deadlocks.patch
queue-4.7/usb-misc-usbtest-add-fix-for-driver-hang.patch