From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Sasha Levin <sashal@kernel.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Alan Stern <stern@rowland.harvard.edu>,
Johan Hovold <johan@kernel.org>,
syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com,
linux-usb@vger.kernel.org
Subject: Re: [PATCH AUTOSEL 5.13 062/114] USB: core: Avoid WARNings for 0-length descriptor requests
Date: Sat, 10 Jul 2021 08:23:50 +0200 [thread overview]
Message-ID: <YOk89mYb8p0Dm23k@kroah.com> (raw)
In-Reply-To: <20210710021748.3167666-62-sashal@kernel.org>
On Fri, Jul 09, 2021 at 10:16:56PM -0400, Sasha Levin wrote:
> From: Alan Stern <stern@rowland.harvard.edu>
>
> [ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ]
>
> The USB core has utility routines to retrieve various types of
> descriptors. These routines will now provoke a WARN if they are asked
> to retrieve 0 bytes (USB "receive" requests must not have zero
> length), so avert this by checking the size argument at the start.
>
> CC: Johan Hovold <johan@kernel.org>
> Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
> Reviewed-by: Johan Hovold <johan@kernel.org>
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/usb/core/message.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> index 30e9e680c74c..4d59d927ae3e 100644
> --- a/drivers/usb/core/message.c
> +++ b/drivers/usb/core/message.c
> @@ -783,6 +783,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type,
> int i;
> int result;
>
> + if (size <= 0) /* No point in asking for no data */
> + return -EINVAL;
> +
> memset(buf, 0, size); /* Make sure we parse really received data */
>
> for (i = 0; i < 3; ++i) {
> @@ -832,6 +835,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid,
> int i;
> int result;
>
> + if (size <= 0) /* No point in asking for no data */
> + return -EINVAL;
> +
> for (i = 0; i < 3; ++i) {
> /* retry on length 0 or stall; some devices are flakey */
> result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
> --
> 2.30.2
>
This patch should be dropped from all of the autosel branches it was
picked to, as I do not think the USB core has been fixed up, along with
all of the different drivers that we noticed doing this, in the stable
trees.
So please drop from everywhere at this time.
thanks,
greg k-h
next prev parent reply other threads:[~2021-07-10 6:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210710021748.3167666-1-sashal@kernel.org>
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 010/114] usb: dwc3: pci: Fix DEFINE for Intel Elkhart Lake Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 024/114] usb: common: usb-conn-gpio: fix NULL pointer dereference of charger Sasha Levin
2021-07-10 2:16 ` [PATCH AUTOSEL 5.13 062/114] USB: core: Avoid WARNings for 0-length descriptor requests Sasha Levin
2021-07-10 6:23 ` Greg Kroah-Hartman [this message]
2021-07-18 0:44 ` Sasha Levin
2021-07-10 2:17 ` [PATCH AUTOSEL 5.13 072/114] thunderbolt: Fix DROM handling for USB4 DROM Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YOk89mYb8p0Dm23k@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox