From: Rui Miguel Silva <rmfrfs@gmail.com>
To: "Alexey V. Vissarionov" <gremlin@altlinux.org>,
"Rui Miguel Silva" <rui.silva@linaro.org>
Cc: "Fedor Pchelkin" <pchelkin@ispras.ru>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
<linux-usb@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: Re: [PATCH v1] usb: isp1760: increase buffer size to avoid overflow
Date: Thu, 24 Apr 2025 10:15:57 +0100 [thread overview]
Message-ID: <D9ER7AW8WZDW.31XZT9R087DFN@linaro.com> (raw)
In-Reply-To: <20250423111040.GC857@altlinux.org>
Hey Alexey,
On Wed Apr 23, 2025 at 12:10 PM WEST, Alexey V. Vissarionov wrote:
> When isp1760_udc_init_hw() calls isp1760_set_pullup(), its call of
> isp1760_field_set() may access the udc->fields array beyond the size
> of DC_FIELD_MAX up to HC_FIELD_MAX, which is (now) bigger. Increase
> the buffer size to max(DC_FIELD_MAX,HC_FIELD_MAX) to avoid possible
> overflow.
This will fix the access, but not the main issue, so this is not
correct. The isp1760_set_pullup should pass to isp1760_field_set
the hcd fields and not the udc ones.
I will send a proper fix for this. Thanks for reporting.
Cheers,
Rui
>
> Found by ALT Linux Team (altlinux.org) and Linux Verification Center
> (linuxtesting.org).
>
> Fixes: 1da9e1c06873 ("usb: isp1760: move to regmap for register access")
> Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
> ---
> drivers/usb/isp1760/isp1760-hcd.h | 2 +-
> drivers/usb/isp1760/isp1760-regs.h | 3 +++
> drivers/usb/isp1760/isp1760-udc.h | 2 +-
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/isp1760/isp1760-hcd.h b/drivers/usb/isp1760/isp1760-hcd.h
> index ee3063a34de3bccf..34dacde96c4ae3cf 100644
> --- a/drivers/usb/isp1760/isp1760-hcd.h
> +++ b/drivers/usb/isp1760/isp1760-hcd.h
> @@ -50,7 +50,7 @@ struct isp1760_hcd {
> void __iomem *base;
>
> struct regmap *regs;
> - struct regmap_field *fields[HC_FIELD_MAX];
> + struct regmap_field *fields[DC_HC_FIELD_MAX];
>
> bool is_isp1763;
> const struct isp1760_memory_layout *memory_layout;
> diff --git a/drivers/usb/isp1760/isp1760-regs.h b/drivers/usb/isp1760/isp1760-regs.h
> index 3a6751197e970013..a5a442015887ce0b 100644
> --- a/drivers/usb/isp1760/isp1760-regs.h
> +++ b/drivers/usb/isp1760/isp1760-regs.h
> @@ -267,6 +267,9 @@ enum isp176x_device_controller_fields {
> DC_FIELD_MAX,
> };
>
> +#define DC_HC_FIELD_MAX \
> + (DC_FIELD_MAX > HC_FIELD_MAX ? DC_FIELD_MAX : HC_FIELD_MAX)
> +
> /* ISP1763 */
> /* Initialization Registers */
> #define ISP1763_DC_ADDRESS 0x00
> diff --git a/drivers/usb/isp1760/isp1760-udc.h b/drivers/usb/isp1760/isp1760-udc.h
> index 22044e86bc0ecb84..609444bea306ba81 100644
> --- a/drivers/usb/isp1760/isp1760-udc.h
> +++ b/drivers/usb/isp1760/isp1760-udc.h
> @@ -69,7 +69,7 @@ struct isp1760_udc {
> char *irqname;
>
> struct regmap *regs;
> - struct regmap_field *fields[DC_FIELD_MAX];
> + struct regmap_field *fields[DC_HC_FIELD_MAX];
>
> struct usb_gadget_driver *driver;
> struct usb_gadget gadget;
>
> --
> Alexey V. Vissarionov
> gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii
> GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net
next prev parent reply other threads:[~2025-04-24 9:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-22 23:00 [PATCH] usb: isp1760: increase buffer size to avoid overflow Alexey V. Vissarionov
2025-04-23 6:30 ` Fedor Pchelkin
2025-04-23 11:05 ` Alexey V. Vissarionov
2025-04-23 11:10 ` [PATCH v1] " Alexey V. Vissarionov
2025-04-24 9:15 ` Rui Miguel Silva [this message]
2025-04-24 10:04 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D9ER7AW8WZDW.31XZT9R087DFN@linaro.com \
--to=rmfrfs@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=gremlin@altlinux.org \
--cc=linux-usb@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=pchelkin@ispras.ru \
--cc=rui.silva@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).