diff options
| author | Alan Stern <stern@rowland.harvard.edu> | 2016-08-23 15:32:51 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-08-23 16:35:20 -0400 |
| commit | 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa (patch) | |
| tree | c9f3dae00c6bec6bfc129754e37397533718ad1e /drivers/usb | |
| parent | 6c73358c83ce870c0cf32413e5cadb3b9a39c606 (diff) | |
USB: avoid left shift by -1
UBSAN complains about a left shift by -1 in proc_do_submiturb(). This
can occur when an URB is submitted for a bulk or control endpoint on
a high-speed device, since the code doesn't bother to check the
endpoint type; normally only interrupt or isochronous endpoints have
a nonzero bInterval value.
Aside from the fact that the operation is illegal, it shouldn't matter
because the result isn't used. Still, in theory it could cause a
hardware exception or other problem, so we should work around it.
This patch avoids doing the left shift unless the shift amount is >= 0.
The same piece of code has another problem. When checking the device
speed (the exponential encoding for interrupt endpoints is used only
by high-speed or faster devices), we need to look for speed >=
USB_SPEED_SUPER as well as speed == USB_SPEED HIGH. The patch adds
this check.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Vittorio Zecca <zeccav@gmail.com>
Tested-by: Vittorio Zecca <zeccav@gmail.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb')
| -rw-r--r-- | drivers/usb/core/devio.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index e6a6d67c8705..09c8d9ca61ae 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c | |||
| @@ -1709,11 +1709,17 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb | |||
| 1709 | as->urb->start_frame = uurb->start_frame; | 1709 | as->urb->start_frame = uurb->start_frame; |
| 1710 | as->urb->number_of_packets = number_of_packets; | 1710 | as->urb->number_of_packets = number_of_packets; |
| 1711 | as->urb->stream_id = stream_id; | 1711 | as->urb->stream_id = stream_id; |
| 1712 | if (uurb->type == USBDEVFS_URB_TYPE_ISO || | 1712 | |
| 1713 | ps->dev->speed == USB_SPEED_HIGH) | 1713 | if (ep->desc.bInterval) { |
| 1714 | as->urb->interval = 1 << min(15, ep->desc.bInterval - 1); | 1714 | if (uurb->type == USBDEVFS_URB_TYPE_ISO || |
| 1715 | else | 1715 | ps->dev->speed == USB_SPEED_HIGH || |
| 1716 | as->urb->interval = ep->desc.bInterval; | 1716 | ps->dev->speed >= USB_SPEED_SUPER) |
| 1717 | as->urb->interval = 1 << | ||
| 1718 | min(15, ep->desc.bInterval - 1); | ||
| 1719 | else | ||
| 1720 | as->urb->interval = ep->desc.bInterval; | ||
| 1721 | } | ||
| 1722 | |||
| 1717 | as->urb->context = as; | 1723 | as->urb->context = as; |
| 1718 | as->urb->complete = async_completed; | 1724 | as->urb->complete = async_completed; |
| 1719 | for (totlen = u = 0; u < number_of_packets; u++) { | 1725 | for (totlen = u = 0; u < number_of_packets; u++) { |