On Fri, Jul 09, 2021 at 10:16:56PM -0400, Sasha Levin wrote:
From: Alan Stern stern@rowland.harvard.edu
[ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ]
The USB core has utility routines to retrieve various types of descriptors. These routines will now provoke a WARN if they are asked to retrieve 0 bytes (USB "receive" requests must not have zero length), so avert this by checking the size argument at the start.
CC: Johan Hovold johan@kernel.org Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com Reviewed-by: Johan Hovold johan@kernel.org Signed-off-by: Alan Stern stern@rowland.harvard.edu Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org
drivers/usb/core/message.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 30e9e680c74c..4d59d927ae3e 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -783,6 +783,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type, int i; int result;
- if (size <= 0) /* No point in asking for no data */
return -EINVAL;- memset(buf, 0, size); /* Make sure we parse really received data */
for (i = 0; i < 3; ++i) { @@ -832,6 +835,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid, int i; int result;
- if (size <= 0) /* No point in asking for no data */
return -EINVAL;- for (i = 0; i < 3; ++i) { /* retry on length 0 or stall; some devices are flakey */ result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
-- 2.30.2
This patch should be dropped from all of the autosel branches it was picked to, as I do not think the USB core has been fixed up, along with all of the different drivers that we noticed doing this, in the stable trees.
So please drop from everywhere at this time.
thanks,
greg k-h