From: Masakazu Mokuno <masakazu.mokuno@gmail.com>
To: Mathias Nyman <mathias.nyman@linux.intel.com>
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org,
linux-stable <stable@vger.kernel.org>
Subject: USB: Fix off by one in type-specific length check of BOS SSP capability
Date: Wed, 20 Dec 2017 02:34:39 +0900 [thread overview]
Message-ID: <20171220023435.9B5C.F48FD4B1@gmail.com> (raw)
Hi Mathias,
On Tue, 19 Dec 2017 11:14:42 +0200
Mathias Nyman <mathias.nyman@linux.intel.com> wrote:
> USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a
> off by one in commit 81cf4a45360f ("USB: core: Add type-specific length
> check of BOS descriptors")
>
> It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes
> the zero based SSAC as argument, not the actual count of sublink speed
> attributes.
>
> USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."
>
> The type-specific length check patch was added to stable and needs to be
> fixed there as well
>
> Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors")
> Cc: linux-stable <stable@vger.kernel.org>
> CC: Masakazu Mokuno <masakazu.mokuno@gmail.com>
> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
> ---
> drivers/usb/core/config.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 78e92d2..c821b4b 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -1007,7 +1007,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
> case USB_SSP_CAP_TYPE:
> ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
> ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
> - USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
> + USB_SSP_SUBLINK_SPEED_ATTRIBS);
> if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
> dev->bos->ssp_cap = ssp_cap;
> break;
> --
> 2.7.4
Thanks for the fix. I got confused the meaning of USB_DT_USB_SSP_CAP_SIZE()
just as you described. The sizeof(struct usb_ssp_cap_descriptor) is 16,
but I did not noticed it included one SSAC.
There's another place that wrongly uses USB_DT_USB_SSP_CAP_SIZE() in my
previous patch. It should be fixed also. I'll make the patch.
WARNING: multiple messages have this Message-ID (diff)
From: Masakazu Mokuno <masakazu.mokuno@gmail.com>
To: Mathias Nyman <mathias.nyman@linux.intel.com>
Cc: <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, linux-stable <stable@vger.kernel.org>
Subject: Re: [PATCH] USB: Fix off by one in type-specific length check of BOS SSP capability
Date: Wed, 20 Dec 2017 02:34:39 +0900 [thread overview]
Message-ID: <20171220023435.9B5C.F48FD4B1@gmail.com> (raw)
In-Reply-To: <1513674882-18422-1-git-send-email-mathias.nyman@linux.intel.com>
Hi Mathias,
On Tue, 19 Dec 2017 11:14:42 +0200
Mathias Nyman <mathias.nyman@linux.intel.com> wrote:
> USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a
> off by one in commit 81cf4a45360f ("USB: core: Add type-specific length
> check of BOS descriptors")
>
> It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes
> the zero based SSAC as argument, not the actual count of sublink speed
> attributes.
>
> USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."
>
> The type-specific length check patch was added to stable and needs to be
> fixed there as well
>
> Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors")
> Cc: linux-stable <stable@vger.kernel.org>
> CC: Masakazu Mokuno <masakazu.mokuno@gmail.com>
> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
> ---
> drivers/usb/core/config.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 78e92d2..c821b4b 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -1007,7 +1007,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
> case USB_SSP_CAP_TYPE:
> ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
> ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
> - USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
> + USB_SSP_SUBLINK_SPEED_ATTRIBS);
> if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
> dev->bos->ssp_cap = ssp_cap;
> break;
> --
> 2.7.4
Thanks for the fix. I got confused the meaning of USB_DT_USB_SSP_CAP_SIZE()
just as you described. The sizeof(struct usb_ssp_cap_descriptor) is 16,
but I did not noticed it included one SSAC.
There's another place that wrongly uses USB_DT_USB_SSP_CAP_SIZE() in my
previous patch. It should be fixed also. I'll make the patch.
--
Masakazu Mokuno
next reply other threads:[~2017-12-19 17:34 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-19 17:34 Masakazu Mokuno [this message]
2017-12-19 17:34 ` [PATCH] USB: Fix off by one in type-specific length check of BOS SSP capability Masakazu Mokuno
-- strict thread matches above, loose matches on Subject: below --
2017-12-19 9:14 Mathias Nyman
2017-12-19 9:14 ` [PATCH] " Mathias Nyman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171220023435.9B5C.F48FD4B1@gmail.com \
--to=masakazu.mokuno@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-usb@vger.kernel.org \
--cc=mathias.nyman@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.