Re: [PATCH] usb: mon: Fix slab-out-of-bounds in mon_bin_event due to unsafe URB transfer_buffer access
From: kernel test robot
Date: Tue Jul 22 2025 - 18:11:02 EST
Hi Arnaud,
kernel test robot noticed the following build warnings:
[auto build test WARNING on usb/usb-testing]
[also build test WARNING on usb/usb-next usb/usb-linus westeri-thunderbolt/next linus/master v6.16-rc7 next-20250722]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Arnaud-Lecomte/usb-mon-Fix-slab-out-of-bounds-in-mon_bin_event-due-to-unsafe-URB-transfer_buffer-access/20250721-040222
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
patch link: https://lore.kernel.org/r/20250720200057.19720-1-contact%40arnaud-lcm.com
patch subject: [PATCH] usb: mon: Fix slab-out-of-bounds in mon_bin_event due to unsafe URB transfer_buffer access
config: m68k-randconfig-r073-20250723 (https://download.01.org/0day-ci/archive/20250723/202507230548.g6zwppI6-lkp@xxxxxxxxx/config)
compiler: m68k-linux-gcc (GCC) 14.3.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-kbuild-all/202507230548.g6zwppI6-lkp@xxxxxxxxx/
smatch warnings:
drivers/usb/mon/mon_bin.c:422 mon_bin_get_data() warn: unsigned 'mon_copy_to_buff(rp, offset, urb->transfer_buffer, length)' is never less than zero.
drivers/usb/mon/mon_bin.c:443 mon_bin_get_data() warn: unsigned 'offset' is never less than zero.
vim +422 drivers/usb/mon/mon_bin.c
   409	
   410	static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
   411			unsigned int offset, struct urb *urb, unsigned int length,
   412			char *flag)
   413	{
   414		int i;
   415		struct scatterlist *sg;
   416		unsigned int this_len;
   417	
   418		*flag = 0;
   419		if (urb->num_sgs == 0) {
   420			if (
   421				urb->transfer_buffer == NULL ||
 > 422				mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0
   423			) {
   424				*flag = 'Z';
   425				return length;
   426			}
   427			length = 0;
   428	
   429		} else {
   430			/* If IOMMU coalescing occurred, we cannot trust sg_page */
   431			if (urb->transfer_flags & URB_DMA_SG_COMBINED) {
   432				*flag = 'D';
   433				return length;
   434			}
   435	
   436			/* Copy up to the first non-addressable segment */
   437			for_each_sg(urb->sg, sg, urb->num_sgs, i) {
   438				if (length == 0 || PageHighMem(sg_page(sg)))
   439					break;
   440				this_len = min_t(unsigned int, sg->length, length);
   441				offset = mon_copy_to_buff(rp, offset, sg_virt(sg),
   442							  this_len);
 > 443				if (offset < 0) {
   444					*flag = 'Z';
   445					return length;
   446				}
   447				length -= this_len;
   448			}
   449			if (i == 0)
   450				*flag = 'D';
   451		}
   452	
   453		return length;
   454	}
   455	
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki