Re: [PATCH v2] usb: musb: Fix musb_gadget.c rxstate may cause request->buf overflow problems
From: gregkh@xxxxxxxxxxxxxxxxxxx
Date: Wed Jul 27 2022 - 05:25:51 EST
On Wed, Jul 27, 2022 at 08:43:34AM +0000, Andy Guo (郭卫斌) wrote:
> From: guoweibin <guoweibin@xxxxxxxxxx>
Your From: in your email has your real name, why not use that instead of
just putting your email alias here?
>
> when the rxstate function executes the 'goto buffer_aint_mapped' code
> branch, it will always copy the fifocnt bytes data to request->buf,
> which may cause request->buf out of bounds. for Ethernet-over-USB will
> cause skb_over_panic when a packet larger than mtu is recived.
How can we get a bigger packet than mtu?
>
> Fix it by add the length check :
> fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
>
> Signed-off-by: guoweibin <guoweibin@xxxxxxxxxx>
Same here.
> ---
> v2:
> -fix format error
> drivers/usb/musb/musb_gadget.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
> index 51274b87f46c..4ad5a1f31d7e 100644
> --- a/drivers/usb/musb/musb_gadget.c
> +++ b/drivers/usb/musb/musb_gadget.c
> @@ -760,6 +760,7 @@ static void rxstate(struct musb *musb, struct musb_request *req)
> musb_writew(epio, MUSB_RXCSR, csr);
>
> buffer_aint_mapped:
> + fifo_count = min_t(unsigned, request->length - request->actual, fifo_count);
Why the case to "unsigned"?
And if we get a too big packet, shouldn't we drop it?
And what does this have to do with a usb-ethernet device, this is in the
generic musb code, not an ethernet driver.
thanks,
greg k-h