[PATCH] USB: Fix off by one in type-specific length check of BOS SSP capability

[PATCH] USB: Fix off by one in type-specific length check of BOS SSP capability

[Mathias Nyman]

USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a
off by one in commit 81cf4a45360f ("USB: core: Add type-specific length
check of BOS descriptors")

It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes
the zero based SSAC as argument, not the actual count of sublink speed
attributes.

USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."

The type-specific length check patch was added to stable and needs to be
fixed there as well

Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors")
Cc: linux-stable <stable@vger.kernel.org>
CC: Masakazu Mokuno <masakazu.mokuno@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/core/config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 78e92d2..c821b4b 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -1007,7 +1007,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
 		case USB_SSP_CAP_TYPE:
 			ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
 			ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
-				USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
+				USB_SSP_SUBLINK_SPEED_ATTRIBS);
 			if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
 				dev->bos->ssp_cap = ssp_cap;
 			break;
-- 
2.7.4

Re: [PATCH] USB: Fix off by one in type-specific length check of BOS SSP capability

[Masakazu Mokuno]

Hi Mathias,

On Tue, 19 Dec 2017 11:14:42 +0200
Mathias Nyman <mathias.nyman@linux.intel.com> wrote:

> USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a
> off by one in commit 81cf4a45360f ("USB: core: Add type-specific length
> check of BOS descriptors")
> 
> It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes
> the zero based SSAC as argument, not the actual count of sublink speed
> attributes.
> 
> USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."
> 
> The type-specific length check patch was added to stable and needs to be
> fixed there as well
> 
> Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors")
> Cc: linux-stable <stable@vger.kernel.org>
> CC: Masakazu Mokuno <masakazu.mokuno@gmail.com>
> Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
> ---
>  drivers/usb/core/config.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 78e92d2..c821b4b 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -1007,7 +1007,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
>  		case USB_SSP_CAP_TYPE:
>  			ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
>  			ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
> -				USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
> +				USB_SSP_SUBLINK_SPEED_ATTRIBS);
>  			if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
>  				dev->bos->ssp_cap = ssp_cap;
>  			break;
> -- 
> 2.7.4

Thanks for the fix.  I got confused the meaning of USB_DT_USB_SSP_CAP_SIZE()
just as you described.  The sizeof(struct usb_ssp_cap_descriptor) is 16,
but I did not noticed it included one SSAC.

There's another place that wrongly uses USB_DT_USB_SSP_CAP_SIZE() in my
previous patch.  It should be fixed also.  I'll make the patch.

-- 
Masakazu Mokuno