From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D7FDDEB64DD for ; Wed, 5 Jul 2023 06:06:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Subject:Cc:To: From:Date:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=O0C66mVI1nkOIpn+KxsHOUvDqjbprbMxbnSqsj7WItk=; b=BhvbuOzAdGSX80tevBo+8SFCo9 Wk4z79vHnCcUpN+Avd7xAPDmO1wgo6rA9cawVmon47kI2nn1+5mZguCYthlSMRU9tCiGnPasKjvat 5yVsG901FJZoDKKKsfnDCA4v5N59e+VHc30tbxhf0pcqYntzpjn1wpVB8OPL6H41BLznbTHR4mbQC qs7Kh/sMlxBceNtCg0K6ZX+tBMKuMt5t6rJsVXeC20eBc0SukLbEHfT/KFEkapWom7fwNFqSNZUND 0+AZZUPcJEpz/1volJTwmCzyswLWQFDA9apO9Lp3Y/w8xCpbbFGmQYKPG4llFm2GgSr3otwf9gH81 f1j0xt6A==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qGvet-00Ere6-1i; Wed, 05 Jul 2023 06:06:35 +0000 Received: from relay1-d.mail.gandi.net ([217.70.183.193]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1qGvep-00Erd4-2L; Wed, 05 Jul 2023 06:06:33 +0000 X-GND-Sasl: herve.codina@bootlin.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1; t=1688537186; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=O0C66mVI1nkOIpn+KxsHOUvDqjbprbMxbnSqsj7WItk=; b=HMzIJ0wIJQCx++SRoTVQ8bottUooWGrkC8U7ZbdBDWg4B+tUqyPdud6JH9otkTYx2SY5fR t1NQSyOEzJPRQQZvqLzSHQMzV+R/uoM4OOVbiiKYOkZ/nGpqrrmZVCcj4fbt4TjJ1AnkvT IrqpE/3YkiwUoF1JTiKaeXmwNTXWWbT0bIbEihf02ULF0r0KLhbj264ppLD/bndnr2ZLTR M4k/4p2K+3qLySn9vZ8R2zqGUElPkVybtLGVxq6YpF1ppekDo8CePFROKUoz5/SgrN3VnL pCnV4fnpHLFG4+CF5XYs+C8FMJdP4mepqUQJL1K5TwJf8dW+aTf7pPrk9vPIyw== X-GND-Sasl: herve.codina@bootlin.com X-GND-Sasl: herve.codina@bootlin.com X-GND-Sasl: herve.codina@bootlin.com X-GND-Sasl: herve.codina@bootlin.com X-GND-Sasl: herve.codina@bootlin.com X-GND-Sasl: herve.codina@bootlin.com Received: by mail.gandi.net (Postfix) with ESMTPSA id C88C824000A; Wed, 5 Jul 2023 06:06:25 +0000 (UTC) Date: Wed, 5 Jul 2023 08:06:25 +0200 From: Herve Codina To: Yu Hao Cc: chunfeng.yun@mediatek.com, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-kernel Subject: Re: [PATCH] usb: mtu3: Fix possible use-before-initialization bug Message-ID: <20230705080625.02b2bac5@bootlin.com> In-Reply-To: References: Organization: Bootlin X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230704_230632_062908_F90370ED X-CRM114-Status: GOOD ( 19.12 ) X-BeenThere: linux-mediatek@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Linux-mediatek" Errors-To: linux-mediatek-bounces+linux-mediatek=archiver.kernel.org@lists.infradead.org Hi Yu, On Tue, 4 Jul 2023 16:25:50 -0700 Yu Hao wrote: > The struct usb_ctrlrequest setup should be initialized in the function > ep0_read_setup(mtu, &setup). However, inside that function, > the variable count could be 0 and the struct usb_ctrlrequest setup > is not initialized. But there is a read for setup.bRequestType. > > Signed-off-by: Yu Hao > --- > drivers/usb/mtu3/mtu3_gadget_ep0.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/mtu3/mtu3_gadget_ep0.c > b/drivers/usb/mtu3/mtu3_gadget_ep0.c > index e4fd1bb14a55..67034fa515d0 100644 > --- a/drivers/usb/mtu3/mtu3_gadget_ep0.c > +++ b/drivers/usb/mtu3/mtu3_gadget_ep0.c > @@ -638,7 +638,7 @@ static int ep0_handle_setup(struct mtu3 *mtu) > __releases(mtu->lock) > __acquires(mtu->lock) > { > - struct usb_ctrlrequest setup; > + struct usb_ctrlrequest setup = {}; > struct mtu3_request *mreq; > int handled = 0; > Looks strange to me because, if ep0_read_setup() cannot read the setup data why don't we simply abort the operation ? With setup = {}, the following test is true: if ((setup.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD) handled = handle_standard_request(mtu, &setup); handle_standard_request() is called and supposes an USB_REQ_GET_STATUS (0x00) request: case USB_REQ_GET_STATUS: handled = ep0_get_status(mtu, setup); break; Then ep0_get_status() supposes USB_RECIP_DEVICE (0x00) and performs some operation sending the data related to the GET_STATUS. All of these are not correct as the setup data that triggered this sequence was never received. Aborting the operation if ep0_read_setup() cannot read the setup data seems better to me. Best regards, Hervé -- Hervé Codina, Bootlin Embedded Linux and Kernel engineering https://bootlin.com