[PATCH v2] usb: gadget: f_uvc: fix superspeedplus transfer

From: 3090101217
Date: Mon Feb 14 2022 - 21:17:38 EST

Next message: Sean Christopherson: "Re: [PATCH] kvm,x86: Use the refined tsc rate for the guest tsc."
Previous message: Tom Rix: "Re: [PATCH] mctp: fix use after free"
In reply to: Greg KH: "Re: [PATCH] usb: gadget: f_uvc: fix superspeedplus transfer"
Next in thread: Greg KH: "Re: [PATCH v2] usb: gadget: f_uvc: fix superspeedplus transfer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jing Leng <jleng@xxxxxxxxxxxxx>

UVC driver doesn't set ssp_descriptors in struct usb_function,
If UVC uses superspeedplus UDC (e.g. cdnsp), when
config_ep_by_speed_and_alt is called, the g->speed is
USB_SPEED_SUPER_PLUS, and f->ssp_descriptors is NULL,
So kernel will access NULL pointer of speed_desc.

Call trace:
config_ep_by_speed_and_alt+0x3c/0x2a0 [libcomposite]
uvc_function_set_alt+0xd4/0x2e8 [usb_f_uvc]
set_config.constprop.0+0x154/0x3a0 [libcomposite]
composite_setup+0x314/0xb44 [libcomposite]
configfs_composite_setup+0x84/0xb0 [libcomposite]
cdnsp_ep0_std_request+0x25c/0x470 [cdns3]
cdnsp_setup_analyze+0x94/0x25c [cdns3]
cdnsp_handle_event+0xe8/0x23c [cdns3]
cdnsp_thread_irq_handler+0x58/0xe8 [cdns3]
irq_thread_fn+0x2c/0xa0
irq_thread+0x164/0x280
kthread+0x128/0x134
ret_from_fork+0x10/0x40

Signed-off-by: Jing Leng <jleng@xxxxxxxxxxxxx>
---
drivers/usb/gadget/function/f_uvc.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
index 71bb5e477dba..8fc9b035481e 100644
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -478,6 +478,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
void *mem;

switch (speed) {
+ case USB_SPEED_SUPER_PLUS:
case USB_SPEED_SUPER:
uvc_control_desc = uvc->desc.ss_control;
uvc_streaming_cls = uvc->desc.ss_streaming;
@@ -521,7 +522,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
+ uvc_control_ep.bLength + uvc_control_cs_ep.bLength
+ uvc_streaming_intf_alt0.bLength;

- if (speed == USB_SPEED_SUPER) {
+ if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS) {
bytes += uvc_ss_control_comp.bLength;
n_desc = 6;
} else {
@@ -565,7 +566,7 @@ uvc_copy_descriptors(struct uvc_device *uvc, enum usb_device_speed speed)
uvc_control_header->baInterfaceNr[0] = uvc->streaming_intf;

UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_ep);
- if (speed == USB_SPEED_SUPER)
+ if (speed == USB_SPEED_SUPER || speed == USB_SPEED_SUPER_PLUS)
UVC_COPY_DESCRIPTOR(mem, dst, &uvc_ss_control_comp);

UVC_COPY_DESCRIPTOR(mem, dst, &uvc_control_cs_ep);
@@ -727,6 +728,15 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
}
}

+ if (gadget_is_superspeed_plus(c->cdev->gadget)) {
+ f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
+ if (IS_ERR(f->ssp_descriptors)) {
+ ret = PTR_ERR(f->ssp_descriptors);
+ f->ssp_descriptors = NULL;
+ goto error;
+ }
+ }
+
/* Preallocate control endpoint request. */
uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);
--
2.17.1

Next message: Sean Christopherson: "Re: [PATCH] kvm,x86: Use the refined tsc rate for the guest tsc."
Previous message: Tom Rix: "Re: [PATCH] mctp: fix use after free"
In reply to: Greg KH: "Re: [PATCH] usb: gadget: f_uvc: fix superspeedplus transfer"
Next in thread: Greg KH: "Re: [PATCH v2] usb: gadget: f_uvc: fix superspeedplus transfer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]