UBSAN whinge in ehci-hub.c

From: Valdis Kletnieks
Date: Tue May 17 2016 - 17:52:55 EST


So, not content with the amount of breakage I generate already, I
compiled with UBSAN enabled...

The immediately relevant part:

[ 2.418576] ================================================================================
[ 2.418579] UBSAN: Undefined behaviour in drivers/usb/host/ehci-hub.c:877:47
[ 2.418582] index -1 is out of range for type 'u32 [1]'

The code there:

875 u32 __iomem *status_reg = &ehci->regs->port_status[
876 (wIndex & 0xff) - 1];
877 u32 __iomem *hostpc_reg = &ehci->regs->hostpc[(wIndex & 0xff) - 1];
878 u32 temp, temp1, status;

I'm guessing that the only reason port_status[] didn't throw an error is
because that's declared as 'u32 port_status[0]' with a 'u32 reserved3[9]'
behind it, while it's 'u32 hostpc[1]'. So we have (possibly) 2 bugs:

1) hostpc should possibly be a 'u32 hostpc[0]'. I'd attach a patch, except
I'm low on caffeine and unsure if the 'u32 reserved5[16]' that follows needs
to be a [17] to compensate. Either that, or port_status[] and hostpc[]
should *both* be explicitly sized so range-checking works better.

2) We need to figure out who passed a 0 wIndex down the stack, resulting in
the busted indexing...

The entire splat:

[ 2.418567] hub 1-0:1.0: USB hub found
[ 2.418576] ================================================================================
[ 2.418579] UBSAN: Undefined behaviour in drivers/usb/host/ehci-hub.c:877:47
[ 2.418582] index -1 is out of range for type 'u32 [1]'
[ 2.418587] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.6.0-next-20160517-00001-gede618fce89c-dirty #279
[ 2.418590] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A17 08/19/2015
[ 2.418599] 0000000000000000 00000000ac1ab326 ffff88022ca232e8 ffffffffaa690aea
[ 2.418605] ffff88022ca23300 00000000ac1ab326 ffff88022ca23310 ffffffffffffffff
[ 2.418613] ffff88022ca23300 ffffffffaa7087ad ffffffffabd5aee0 ffff88022ca23358
[ 2.418615] Call Trace:
[ 2.418628] [<ffffffffaa690aea>] dump_stack+0x7b/0xd1
[ 2.418633] [<ffffffffaa7087ad>] ubsan_epilogue+0xd/0x40
[ 2.418639] [<ffffffffaa708ec5>] __ubsan_handle_out_of_bounds+0x75/0xa0
[ 2.418644] [<ffffffffaa00312d>] ? syscall_slow_exit_work+0x1ed/0x310
[ 2.418649] [<ffffffffaa98b7b8>] ? usb_hcd_submit_urb+0x368/0xe00
[ 2.418655] [<ffffffffaa9b4dac>] ehci_hub_control+0xd9c/0xdc0
[ 2.418662] [<ffffffffaa98bd01>] usb_hcd_submit_urb+0x8b1/0xe00
[ 2.418667] [<ffffffffaa98da01>] usb_submit_urb+0x2e1/0x8f0
[ 2.418672] [<ffffffffaa132a72>] ? __init_waitqueue_head+0x52/0xa0
[ 2.418677] [<ffffffffaa98eced>] usb_start_wait_urb+0x7d/0x130
[ 2.418682] [<ffffffffaa98ee7c>] usb_control_msg+0xdc/0x120
[ 2.418691] [<ffffffffaa9861a9>] hub_probe+0x4e9/0x1110
[ 2.418696] [<ffffffffab077f27>] ? _raw_spin_unlock_irqrestore+0x87/0x90
[ 2.418701] [<ffffffffaa0f8bda>] ? preempt_count_sub+0x4a/0x90
[ 2.418706] [<ffffffffab077f14>] ? _raw_spin_unlock_irqrestore+0x74/0x90
[ 2.418711] [<ffffffffaa995369>] usb_probe_interface+0x139/0x3e0
[ 2.418717] [<ffffffffaa86b011>] driver_probe_device+0x131/0x3c0
[ 2.418723] [<ffffffffaa86b463>] __device_attach_driver+0xc3/0x180
[ 2.418728] [<ffffffffaa86b3a0>] ? __driver_attach+0x100/0x100
[ 2.418732] [<ffffffffaa867f1d>] bus_for_each_drv+0x8d/0x100
[ 2.418737] [<ffffffffaa86ad98>] __device_attach+0xe8/0x170
[ 2.418742] [<ffffffffaa86b583>] device_initial_probe+0x13/0x20
[ 2.418746] [<ffffffffaa869a67>] bus_probe_device+0xe7/0x150
[ 2.418750] [<ffffffffaa8669cb>] device_add+0x49b/0x690
[ 2.418756] [<ffffffffaa991f2b>] usb_set_configuration+0x5bb/0xc80
[ 2.418762] [<ffffffffaa9a4856>] generic_probe+0x36/0xa0
[ 2.418766] [<ffffffffaa9951eb>] usb_probe_device+0x3b/0x80
[ 2.418770] [<ffffffffaa86b011>] driver_probe_device+0x131/0x3c0
[ 2.418775] [<ffffffffaa86b463>] __device_attach_driver+0xc3/0x180
[ 2.418779] [<ffffffffaa86b3a0>] ? __driver_attach+0x100/0x100
[ 2.418783] [<ffffffffaa867f1d>] bus_for_each_drv+0x8d/0x100
[ 2.418788] [<ffffffffaa86ad98>] __device_attach+0xe8/0x170
[ 2.418793] [<ffffffffaa86b583>] device_initial_probe+0x13/0x20
[ 2.418797] [<ffffffffaa869a67>] bus_probe_device+0xe7/0x150
[ 2.418801] [<ffffffffaa8669cb>] device_add+0x49b/0x690
[ 2.418807] [<ffffffffaa9828c9>] usb_new_device+0x319/0x970
[ 2.418812] [<ffffffffaa98a01b>] usb_add_hcd+0x67b/0xa40
[ 2.418817] [<ffffffffaa9a86d3>] usb_hcd_pci_probe+0x4c3/0x770
[ 2.418822] [<ffffffffaa1464c6>] ? trace_hardirqs_on_caller+0x16/0x2c0
[ 2.418827] [<ffffffffaa0f8bda>] ? preempt_count_sub+0x4a/0x90
[ 2.418832] [<ffffffffaa9c1256>] ehci_pci_probe+0x36/0x40
[ 2.418837] [<ffffffffaa71e5fc>] pci_device_probe+0xdc/0x180
[ 2.418842] [<ffffffffaa86b011>] driver_probe_device+0x131/0x3c0
[ 2.418846] [<ffffffffaa86b359>] __driver_attach+0xb9/0x100
[ 2.418851] [<ffffffffaa86b2a0>] ? driver_probe_device+0x3c0/0x3c0
[ 2.418855] [<ffffffffaa867e0a>] bus_for_each_dev+0x8a/0xf0
[ 2.418860] [<ffffffffaa86a537>] driver_attach+0x27/0x50
[ 2.418864] [<ffffffffaa869e16>] bus_add_driver+0x116/0x2b0
[ 2.418868] [<ffffffffaa86bb6f>] driver_register+0x9f/0x160
[ 2.418873] [<ffffffffaa71d44f>] __pci_register_driver+0x8f/0xe0
[ 2.418879] [<ffffffffac37d5db>] ? ehci_hcd_init+0x90/0x90
[ 2.418885] [<ffffffffac37d640>] ehci_pci_init+0x65/0x67
[ 2.418890] [<ffffffffaa00043f>] do_one_initcall+0x5f/0x210
[ 2.418896] [<ffffffffac320848>] kernel_init_freeable+0x33d/0x3d4
[ 2.418903] [<ffffffffab069e6f>] kernel_init+0xf/0x120
[ 2.418907] [<ffffffffab07897f>] ret_from_fork+0x1f/0x40
[ 2.418911] [<ffffffffab069e60>] ? rest_init+0x170/0x170
[ 2.418915] ================================================================================
[ 2.418934] hub 1-0:1.0: 2 ports detected
[ 2.419850] ehci-pci 0000:00:1d.0: EHCI Host Controller
[ 2.419993] ehci-pci 0000:00:1d.0: new USB bus registered, assigned bus number 2
[ 2.420031] ehci-pci 0000:00:1d.0: debug port 2
[ 2.423961] ehci-pci 0000:00:1d.0: cache line size of 64 is not supported
[ 2.423998] ehci-pci 0000:00:1d.0: irq 21, io mem 0xf7737000
[ 2.430045] ehci-pci 0000:00:1d.0: USB 2.0 started, EHCI 1.00
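Added illustration, not from the mail or the kernel tree: a constructed stand-in for the register block with the array shapes the report describes, showing the index underflow for wIndex 0 and a lookup that validates the port number before forming the pointer (forming &arr[-1] is already undefined in C, dereferenced or not, which is exactly what UBSAN is reporting). The struct, function names and the port count are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint32_t u32;
typedef uint16_t u16;

/* Constructed stand-in for the EHCI register block; only the array shapes
 * match the mail, nothing else about struct ehci_regs is reproduced. */
struct mock_regs {
    u32 port_status[0];   /* zero-length array: UBSAN cannot bound-check it */
    u32 reserved3[9];
    u32 hostpc[1];        /* sized [1]: UBSAN flags index -1 */
    u32 reserved5[16];
};

/* The index expression as written at ehci-hub.c:875-877, returned as a plain
 * int so the underflow is visible without computing an address. */
int raw_port_index(u16 wIndex)
{
    return (wIndex & 0xff) - 1;   /* wIndex == 0 (or 0x0100) yields -1 */
}

/* Hardened form: reject port 0 and ports beyond the controller's count
 * before the address is formed. The high byte is masked because some hub
 * requests carry extra data there. NULL stands in for the error/stall path. */
u32 *hostpc_reg_for(struct mock_regs *regs, unsigned ports, u16 wIndex)
{
    unsigned port = wIndex & 0xff;
    if (port == 0 || port > ports)
        return NULL;
    return &regs->hostpc[port - 1];
}

/* Exercises the hardened lookup on a one-port mock; returns 1 when every
 * case behaves as intended (assumed port count of 1 matches hostpc[1]). */
int hardened_lookup_ok(void)
{
    static struct mock_regs regs;
    return hostpc_reg_for(&regs, 1, 0)      == NULL            /* port 0 */
        && hostpc_reg_for(&regs, 1, 1)      == &regs.hostpc[0] /* port 1 */
        && hostpc_reg_for(&regs, 1, 2)      == NULL            /* beyond count */
        && hostpc_reg_for(&regs, 1, 0x0101) == &regs.hostpc[0];/* high byte masked */
}
```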
