From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: usb: gadget: f_fs: Use config_ep_by_speed() From: Jack Pham Message-Id: <20180125075820.5444-1-jackp@codeaurora.org> Date: Wed, 24 Jan 2018 23:58:20 -0800 To: Felipe Balbi , Michal Nazarewicz Cc: Mayank Rana , linux-usb@vger.kernel.org, Jack Pham , stable@vger.kernel.org List-ID: SW4gY29tbWl0IDJiZmEwNzE5YWMyYSAoInVzYjogZ2FkZ2V0OiBmdW5jdGlvbjogZl9mczogcGFz cwpjb21wYW5pb24gZGVzY3JpcHRvciBhbG9uZyIpIHRoZXJlIGlzIGEgcG9pbnRlciBhcml0aG1l dGljCmJ1ZyB3aGVyZSB0aGUgY29tcF9kZXNjIGlzIG9idGFpbmVkIGFzIGZvbGxvd3M6CgogY29t cF9kZXNjID0gKHN0cnVjdCB1c2Jfc3NfZXBfY29tcF9kZXNjcmlwdG9yICopKGRzICsKCSAgICAg ICBVU0JfRFRfRU5EUE9JTlRfU0laRSk7CgpTaW5jZSBkcyBpcyBhIHBvaW50ZXIgdG8gdXNiX2Vu ZHBvaW50X2Rlc2NyaXB0b3IsIGFkZGluZwo3IHRvIGl0IGVuZHMgdXAgZ29pbmcgb3V0IG9mIGJv dW5kcyAoNyAqIHNpemVvZihzdHJ1Y3QKdXNiX2VuZHBvaW50X2Rlc2NyaXB0b3IpLCB3aGljaCBp cyBhY3R1YWxseSA3KjkgYnl0ZXMpIHBhc3QKdGhlIFNTIGRlc2NyaXB0b3IuIEFzIGEgcmVzdWx0 IHRoZSBtYXhidXJzdCB2YWx1ZSB3aWxsIGJlCnJlYWQgaW5jb3JyZWN0bHksIGFuZCB0aGUgVURD IGRyaXZlciB3aWxsIGFsc28gZ2V0IGEgZ2FyYmFnZQpjb21wX2Rlc2MgKGFzc3VtaW5nIGl0IHVz ZXMgaXQpLgoKU2luY2UgRmVsaXBlIHdyb3RlLCAiRXZlbnR1YWxseSwgZl9mcy5jIHNob3VsZCBi ZSBjb252ZXJ0ZWQKdG8gdXNlIGNvbmZpZ19lcF9ieV9zcGVlZCgpIGxpa2UgYWxsIG90aGVyIGZ1 bmN0aW9ucywgdGhvdWdoIiwKbGV0J3MgZmluYWxseSBkbyBpdC4gVGhpcyBhbGxvd3MgdGhlIG90 aGVyIHVzYl9lcCBmaWVsZHMgdG8KYmUgcHJvcGVybHkgcG9wdWxhdGVkLCBzdWNoIGFzIG1heHBh Y2tldCBhbmQgbXVsdC4gSXQgYWxzbwplbGltaW5hdGVzIHRoZSBhd2t3YXJkIHNwZWVkLWJhc2Vk IGRlc2NyaXB0b3IgbG9va3VwIHNpbmNlCmNvbmZpZ19lcF9ieV9zcGVlZCgpIGRvZXMgdGhhdCBh bHJlYWR5IHVzaW5nIHRoZSBvbmVzIGZvdW5kCmluIHN0cnVjdCB1c2JfZnVuY3Rpb24uCgpGaXhl czogMmJmYTA3MTlhYzJhICgidXNiOiBnYWRnZXQ6IGZ1bmN0aW9uOiBmX2ZzOiBwYXNzIGNvbXBh bmlvbiBkZXNjcmlwdG9yIGFsb25nIikKQ2M6IHN0YWJsZUB2Z2VyLmtlcm5lbC5vcmcKU2lnbmVk LW9mZi1ieTogSmFjayBQaGFtIDxqYWNrcEBjb2RlYXVyb3JhLm9yZz4KLS0tCiBkcml2ZXJzL3Vz Yi9nYWRnZXQvZnVuY3Rpb24vZl9mcy5jIHwgMzggKysrKysrKy0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA3IGluc2VydGlvbnMoKyksIDMxIGRlbGV0aW9u cygtKQoKZGlmZiAtLWdpdCBhL2RyaXZlcnMvdXNiL2dhZGdldC9mdW5jdGlvbi9mX2ZzLmMgYi9k cml2ZXJzL3VzYi9nYWRnZXQvZnVuY3Rpb24vZl9mcy5jCmluZGV4IDVmMmRhZmI1Li43MTdiMmRl IDEwMDY0NAotLS0gYS9kcml2ZXJzL3VzYi9nYWRnZXQvZnVuY3Rpb24vZl9mcy5jCisrKyBiL2Ry aXZlcnMvdXNiL2dhZGdldC9mdW5jdGlvbi9mX2ZzLmMKQEAgLTE4NTIsNDQgKzE4NTIsMjAgQEAg c3RhdGljIGludCBmZnNfZnVuY19lcHNfZW5hYmxlKHN0cnVjdCBmZnNfZnVuY3Rpb24gKmZ1bmMp CiAKIAlzcGluX2xvY2tfaXJxc2F2ZSgmZnVuYy0+ZmZzLT5lcHNfbG9jaywgZmxhZ3MpOwogCXdo aWxlKGNvdW50LS0pIHsKLQkJc3RydWN0IHVzYl9lbmRwb2ludF9kZXNjcmlwdG9yICpkczsKLQkJ c3RydWN0IHVzYl9zc19lcF9jb21wX2Rlc2NyaXB0b3IgKmNvbXBfZGVzYyA9IE5VTEw7Ci0JCWlu dCBuZWVkc19jb21wX2Rlc2MgPSBmYWxzZTsKLQkJaW50IGRlc2NfaWR4OwotCi0JCWlmIChmZnMt PmdhZGdldC0+c3BlZWQgPT0gVVNCX1NQRUVEX1NVUEVSKSB7Ci0JCQlkZXNjX2lkeCA9IDI7Ci0J CQluZWVkc19jb21wX2Rlc2MgPSB0cnVlOwotCQl9IGVsc2UgaWYgKGZmcy0+Z2FkZ2V0LT5zcGVl ZCA9PSBVU0JfU1BFRURfSElHSCkKLQkJCWRlc2NfaWR4ID0gMTsKLQkJZWxzZQotCQkJZGVzY19p ZHggPSAwOwotCi0JCS8qIGZhbGwtYmFjayB0byBsb3dlciBzcGVlZCBpZiBkZXNjIG1pc3Npbmcg Zm9yIGN1cnJlbnQgc3BlZWQgKi8KLQkJZG8gewotCQkJZHMgPSBlcC0+ZGVzY3NbZGVzY19pZHhd OwotCQl9IHdoaWxlICghZHMgJiYgLS1kZXNjX2lkeCA+PSAwKTsKLQotCQlpZiAoIWRzKSB7Ci0J CQlyZXQgPSAtRUlOVkFMOwotCQkJYnJlYWs7Ci0JCX0KLQogCQllcC0+ZXAtPmRyaXZlcl9kYXRh ID0gZXA7Ci0JCWVwLT5lcC0+ZGVzYyA9IGRzOwogCi0JCWlmIChuZWVkc19jb21wX2Rlc2MpIHsK LQkJCWNvbXBfZGVzYyA9IChzdHJ1Y3QgdXNiX3NzX2VwX2NvbXBfZGVzY3JpcHRvciAqKShkcyAr Ci0JCQkJCVVTQl9EVF9FTkRQT0lOVF9TSVpFKTsKLQkJCWVwLT5lcC0+bWF4YnVyc3QgPSBjb21w X2Rlc2MtPmJNYXhCdXJzdCArIDE7Ci0JCQllcC0+ZXAtPmNvbXBfZGVzYyA9IGNvbXBfZGVzYzsK KwkJcmV0ID0gY29uZmlnX2VwX2J5X3NwZWVkKGZ1bmMtPmdhZGdldCwgJmZ1bmMtPmZ1bmN0aW9u LCBlcC0+ZXApOworCQlpZiAocmV0KSB7CisJCQlwcl9lcnIoIiVzOiBjb25maWdfZXBfYnlfc3Bl ZWQoJXMpIHJldHVybmVkICVkXG4iLAorCQkJCQlfX2Z1bmNfXywgZXAtPmVwLT5uYW1lLCByZXQp OworCQkJYnJlYWs7CiAJCX0KIAogCQlyZXQgPSB1c2JfZXBfZW5hYmxlKGVwLT5lcCk7CiAJCWlm IChsaWtlbHkoIXJldCkpIHsKIAkJCWVwZmlsZS0+ZXAgPSBlcDsKLQkJCWVwZmlsZS0+aW4gPSB1 c2JfZW5kcG9pbnRfZGlyX2luKGRzKTsKLQkJCWVwZmlsZS0+aXNvYyA9IHVzYl9lbmRwb2ludF94 ZmVyX2lzb2MoZHMpOworCQkJZXBmaWxlLT5pbiA9IHVzYl9lbmRwb2ludF9kaXJfaW4oZXAtPmVw LT5kZXNjKTsKKwkJCWVwZmlsZS0+aXNvYyA9IHVzYl9lbmRwb2ludF94ZmVyX2lzb2MoZXAtPmVw LT5kZXNjKTsKIAkJfSBlbHNlIHsKIAkJCWJyZWFrOwogCQl9Cg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.codeaurora.org ([198.145.29.96]:51456 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751226AbeAYH6y (ORCPT ); Thu, 25 Jan 2018 02:58:54 -0500 From: Jack Pham To: Felipe Balbi , Michal Nazarewicz Cc: Mayank Rana , linux-usb@vger.kernel.org, Jack Pham , stable@vger.kernel.org Subject: [PATCH] usb: gadget: f_fs: Use config_ep_by_speed() Date: Wed, 24 Jan 2018 23:58:20 -0800 Message-Id: <20180125075820.5444-1-jackp@codeaurora.org> Sender: stable-owner@vger.kernel.org List-ID: In commit 2bfa0719ac2a ("usb: gadget: function: f_fs: pass companion descriptor along") there is a pointer arithmetic bug where the comp_desc is obtained as follows: comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + USB_DT_ENDPOINT_SIZE); Since ds is a pointer to usb_endpoint_descriptor, adding 7 to it ends up going out of bounds (7 * sizeof(struct usb_endpoint_descriptor), which is actually 7*9 bytes) past the SS descriptor. As a result the maxburst value will be read incorrectly, and the UDC driver will also get a garbage comp_desc (assuming it uses it). Since Felipe wrote, "Eventually, f_fs.c should be converted to use config_ep_by_speed() like all other functions, though", let's finally do it. This allows the other usb_ep fields to be properly populated, such as maxpacket and mult. It also eliminates the awkward speed-based descriptor lookup since config_ep_by_speed() does that already using the ones found in struct usb_function. Fixes: 2bfa0719ac2a ("usb: gadget: function: f_fs: pass companion descriptor along") Cc: stable@vger.kernel.org Signed-off-by: Jack Pham --- drivers/usb/gadget/function/f_fs.c | 38 +++++++------------------------------- 1 file changed, 7 insertions(+), 31 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 5f2dafb5..717b2de 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1852,44 +1852,20 @@ static int ffs_func_eps_enable(struct ffs_function *func) spin_lock_irqsave(&func->ffs->eps_lock, flags); while(count--) { - struct usb_endpoint_descriptor *ds; - struct usb_ss_ep_comp_descriptor *comp_desc = NULL; - int needs_comp_desc = false; - int desc_idx; - - if (ffs->gadget->speed == USB_SPEED_SUPER) { - desc_idx = 2; - needs_comp_desc = true; - } else if (ffs->gadget->speed == USB_SPEED_HIGH) - desc_idx = 1; - else - desc_idx = 0; - - /* fall-back to lower speed if desc missing for current speed */ - do { - ds = ep->descs[desc_idx]; - } while (!ds && --desc_idx >= 0); - - if (!ds) { - ret = -EINVAL; - break; - } - ep->ep->driver_data = ep; - ep->ep->desc = ds; - if (needs_comp_desc) { - comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + - USB_DT_ENDPOINT_SIZE); - ep->ep->maxburst = comp_desc->bMaxBurst + 1; - ep->ep->comp_desc = comp_desc; + ret = config_ep_by_speed(func->gadget, &func->function, ep->ep); + if (ret) { + pr_err("%s: config_ep_by_speed(%s) returned %d\n", + __func__, ep->ep->name, ret); + break; } ret = usb_ep_enable(ep->ep); if (likely(!ret)) { epfile->ep = ep; - epfile->in = usb_endpoint_dir_in(ds); - epfile->isoc = usb_endpoint_xfer_isoc(ds); + epfile->in = usb_endpoint_dir_in(ep->ep->desc); + epfile->isoc = usb_endpoint_xfer_isoc(ep->ep->desc); } else { break; } -- 2.9.1.200.gb1ec08f