linux/drivers/usb/gadget/function
Dan Vacura 71d471e3fa usb: gadget: uvc: Fix crash when encoding data for usb request

During the uvcg_video_pump() process, if an error occurs and
uvcg_queue_cancel() is called, the buffer queue will be cleared out, but
the current marker (queue->buf_used) of the active buffer (no longer
active) is not reset. On the next iteration of uvcg_video_pump() the
stale buf_used count will be used and the logic of min((unsigned
int)len, buf->bytesused - queue->buf_used) may incorrectly calculate a
nbytes size, causing an invalid memory access.

[80802.185460][  T315] configfs-gadget gadget: uvc: VS request completed
with status -18.
[80802.185519][  T315] configfs-gadget gadget: uvc: VS request completed
with status -18.
...
uvcg_queue_cancel() is called and the queue is cleared out, but the
marker queue->buf_used is not reset.
...
[80802.262328][ T8682] Unable to handle kernel paging request at virtual
address ffffffc03af9f000
...
...
[80802.263138][ T8682] Call trace:
[80802.263146][ T8682]  __memcpy+0x12c/0x180
[80802.263155][ T8682]  uvcg_video_pump+0xcc/0x1e0
[80802.263165][ T8682]  process_one_work+0x2cc/0x568
[80802.263173][ T8682]  worker_thread+0x28c/0x518
[80802.263181][ T8682]  kthread+0x160/0x170
[80802.263188][ T8682]  ret_from_fork+0x10/0x18
[80802.263198][ T8682] Code: a8c12829 a88130cb a8c130

Fixes: d692522577 ("usb: gadget/uvc: Port UVC webcam gadget to use videobuf2 framework")
Cc: <stable@vger.kernel.org>
Signed-off-by: Dan Vacura <w36195@motorola.com>
Link: https://lore.kernel.org/r/20220331184024.23918-1-w36195@motorola.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-19 16:22:20 +02:00
Makefile
f_acm.c
f_ecm.c usb: fix various gadgets null ptr deref on 10gbps cabling. 2021-06-09 10:37:13 +02:00
f_eem.c usb: gadget: eem: fix echo command packet response issue 2021-06-21 11:27:22 +02:00
f_fs.c Linux 5.17-rc4 2022-02-14 09:04:36 +01:00
f_hid.c usb: gadget: f_hid: optional SETUP/SET_REPORT mode 2021-08-24 15:41:08 +02:00
f_loopback.c usb: fix various gadgets null ptr deref on 10gbps cabling. 2021-06-09 10:37:13 +02:00
f_mass_storage.c USB/Thunderbolt patches for 5.18-rc1 2022-03-26 13:08:25 -07:00
f_mass_storage.h
f_midi.c usb: gadget: f_midi: allow resetting index option 2021-11-17 14:40:43 +01:00
f_ncm.c usb: gadget: f_ncm: ncm_wrap_ntb - move var definitions into if statement 2021-07-21 10:04:19 +02:00
f_obex.c
f_phonet.c usb: gadget: f_phonet: Use struct_size() helper in kzalloc() 2022-01-26 14:01:28 +01:00
f_printer.c Linux 5.13-rc6 2021-06-14 09:18:07 +02:00
f_rndis.c usb: fix various gadgets null ptr deref on 10gbps cabling. 2021-06-09 10:37:13 +02:00
f_serial.c usb: gadget: f_serial: Ensure gserial disconnected during unbind 2022-01-26 13:57:59 +01:00
f_sourcesink.c usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS 2022-01-26 13:41:53 +01:00
f_subset.c usb: fix various gadgets null ptr deref on 10gbps cabling. 2021-06-09 10:37:13 +02:00
f_tcm.c scsi: target: usb: Replace enable attr with ops.enable 2021-10-04 23:27:39 -04:00
f_uac1.c usb: gadget: f_uac1: allow changing interface name via configfs 2022-01-26 14:10:40 +01:00
f_uac1_legacy.c
f_uac2.c Linux 5.17-rc4 2022-02-14 09:04:36 +01:00
f_uvc.c usb: gadget: uvc: ensure the vdev is unset 2021-10-21 12:58:57 +02:00
f_uvc.h
g_zero.h
ndis.h
rndis.c usb: gadget: rndis: prevent integer overflow in rndis_set_response() 2022-03-15 15:48:57 +01:00
rndis.h usb: gadget: rndis: add spinlock for rndis response list 2022-02-24 11:16:57 +01:00
storage_common.c
storage_common.h
tcm.h
u_audio.c usb: gadget: u_audio: Add suspend call 2022-01-26 14:06:09 +01:00
u_audio.h usb: gadget: u_audio: Add suspend call 2022-01-26 14:06:09 +01:00
u_ecm.h
u_eem.h
u_ether.c usb: gadget: u_ether: fix race in setting MAC address in setup phase 2021-12-13 15:22:23 +01:00
u_ether.h
u_ether_configfs.h
u_fs.h
u_gether.h
u_hid.h usb: gadget: f_hid: optional SETUP/SET_REPORT mode 2021-08-24 15:41:08 +02:00
u_midi.h usb: gadget: function: Fix inconsistent indent 2021-05-10 11:16:10 +02:00
u_ncm.h
u_phonet.h
u_printer.h
u_rndis.h
u_serial.c Merge 5.14-rc5 into tty-next 2021-08-09 08:52:46 +02:00
u_serial.h
u_tcm.h
u_uac1.h usb: gadget: f_uac1: allow changing interface name via configfs 2022-01-26 14:10:40 +01:00
u_uac1_legacy.c
u_uac1_legacy.h
u_uac2.h usb: gadget: f_uac2: Optionally determine bInterval for HS and SS 2022-01-31 14:26:18 +01:00
u_uvc.h
uac_common.h usb: gadget: u_audio: Support multiple sampling rates 2022-01-26 14:06:08 +01:00
uvc.h usb: gadget: uvc: implement dwPresentationTime and scrSourceClock 2021-10-25 09:20:08 +02:00
uvc_configfs.c usb: gadget: Drop unnecessary NULL checks after container_of 2021-05-10 11:16:10 +02:00
uvc_configfs.h
uvc_queue.c usb: gadget: uvc: Fix crash when encoding data for usb request 2022-04-19 16:22:20 +02:00
uvc_queue.h usb: gadget: uvc: add scatter gather support 2021-07-27 15:59:19 +02:00
uvc_v4l2.c usb: gadget: uvc: only schedule stream in streaming state 2021-10-21 12:58:34 +02:00
uvc_v4l2.h
uvc_video.c usb: gadget: uvc: implement dwPresentationTime and scrSourceClock 2021-10-25 09:20:08 +02:00
uvc_video.h usb: gadget: uvc: consistently use define for headerlen 2021-10-21 12:53:31 +02:00