From: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
To: "Andy Guo (郭卫斌)" <guoweibin@inspur.com>
Cc: "b-liu@ti.com" <b-liu@ti.com>,
"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] usb: musb: Fix musb_gadget.c rxstate may cause request->buf overflow problems
Date: Wed, 27 Jul 2022 11:25:40 +0200 [thread overview]
Message-ID: <YuEElC563HN5ldMu@kroah.com> (raw)
In-Reply-To: <200f38d3e3eb44ec8ec8f8e9f210f131@inspur.com>
On Wed, Jul 27, 2022 at 08:43:34AM +0000, Andy Guo (郭卫斌) wrote:
> From: guoweibin <guoweibin@inspur.com>
Your From: in your email has your real name, why not use that instead of
just putting your email alias here?
>
> when the rxstate function executes the 'goto buffer_aint_mapped' code
> branch, it will always copy the fifocnt bytes data to request->buf,
> which may cause request->buf out of bounds. for Ethernet-over-USB will
> cause skb_over_panic when a packet larger than mtu is recived.
How can we get a bigger packet than mtu?
>
> Fix it by add the length check :
> fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
>
> Signed-off-by: guoweibin <guoweibin@inspur.com>
Same here.
> ---
> v2:
> -fix format error
> drivers/usb/musb/musb_gadget.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
> index 51274b87f46c..4ad5a1f31d7e 100644
> --- a/drivers/usb/musb/musb_gadget.c
> +++ b/drivers/usb/musb/musb_gadget.c
> @@ -760,6 +760,7 @@ static void rxstate(struct musb *musb, struct musb_request *req)
> musb_writew(epio, MUSB_RXCSR, csr);
>
> buffer_aint_mapped:
> + fifo_count = min_t(unsigned, request->length - request->actual, fifo_count);
Why the case to "unsigned"?
And if we get a too big packet, shouldn't we drop it?
And what does this have to do with a usb-ethernet device, this is in the
generic musb code, not an ethernet driver.
thanks,
greg k-h
next prev parent reply other threads:[~2022-07-27 9:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 8:43 [PATCH v2] usb: musb: Fix musb_gadget.c rxstate may cause request->buf overflow problems Andy Guo (郭卫斌)
2022-07-27 9:25 ` gregkh [this message]
2022-07-28 1:14 ` 答复: [vger.kernel.org代发]Re: " Andy Guo (郭卫斌)
2022-07-28 6:56 ` gregkh
2022-07-28 12:24 ` Andy Guo (郭卫斌)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YuEElC563HN5ldMu@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=b-liu@ti.com \
--cc=guoweibin@inspur.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.