Date:	Sat, 27 Feb 2010 06:38:09 +0100
From:	Markus Rechberger <mrechberger@...il.com>
To:	Greg KH <greg@...ah.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-usb@...r.kernel.org, werner@...ane.dyn-o-saur.com,
	Marcus Meissner <meissner@...e.de>,
	linux-kernel@...r.kernel.org
Subject: Re: 2.6.33 bugs (USBFS, Intel graphic)

On Sat, Feb 27, 2010 at 6:26 AM, Greg KH <greg@...ah.com> wrote:
> On Fri, Feb 26, 2010 at 09:17:37PM -0800, Greg KH wrote:
>> On Sat, Feb 27, 2010 at 05:34:27AM +0100, Markus Rechberger wrote:
>> > On Sat, Feb 27, 2010 at 5:29 AM, Linus Torvalds
>> > <torvalds@...ux-foundation.org> wrote:
>> > >
>> > >
>> > > On Fri, 26 Feb 2010, Greg KH wrote:
>> > >>
>> > >> Yes, and that patch didn't touch the iso frames.  That happens later on
>> > >> in the functions that were modified.  The patch should not have had any
>> > >> effect on iso transfers.  Unless I'm missing something?
>> > >
>> > > Hmm. What seems to happen is that for an isochronous transfer, the buffer
>> > > is split for each microframe. No?
>> > >
>> >
>> > exactly. and each microframe has its own buffer length identifier.
>> >
>> > the current behaviour breaks VMware, QEMU and virtualbox .. probably
>> > other things too.
>> >
>> >
>> > > So the total length may be in 'urb->actual_length', but the actual data in
>> > > the buffer may not be contiguous, because it's created from multiple
>> > > smaller frames, some of which might not be full length?
>> > >
>> >
>> > yes, it's only contiguous for BULK.
>> >
>> > > I dunno. That would explain the problem - actual_length is correct, but
>> > > the 'copy_to_user()' still doesn't copy all the data, because it's
>> > > fragmented.
>> > >
>> >
>> > no you got it, but your patch does not work. The best way would be to
>> > revert it; if someone wants to speed up BULK, it should go down another
>> > path, leaving the old working implementation untouched.
>>
>> Hm, so it's back to the original idea of just doing a kzalloc of the
>> initial buffer, that should solve the problem that Marcus found.
>>
>> I'll go dig that back up and if you could test it, that would be most
>> appreciated.
>
> Here, can you try this on top of everything?
>

just tested it, everything's back to normal again now!

thanks,
Markus

> thanks,
>
> greg k-h
>
>
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index a678186..252d3b4 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -1168,7 +1168,7 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
>                return -ENOMEM;
>        }
>        if (uurb->buffer_length > 0) {
> -               as->urb->transfer_buffer = kmalloc(uurb->buffer_length,
> +               as->urb->transfer_buffer = kzalloc(uurb->buffer_length,
>                                GFP_KERNEL);
>                if (!as->urb->transfer_buffer) {
>                        kfree(isopkt);
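Review bot: The switch to `kzalloc` at the `transfer_buffer` allocation is what keeps stale kernel heap contents from reaching user space once the completion handlers copy the whole buffer, but nothing at this line says so. A short comment such as `/* must be zeroed: processcompl() copies transfer_buffer_length bytes to user space */` would stop a later cleanup from reverting it to `kmalloc`. proc_do_submiturb starts and ends outside this hunk, so whether `uurb->buffer_length` is bounded before this allocation cannot be seen here and is worth confirming.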
> @@ -1312,9 +1312,9 @@ static int processcompl(struct async *as, void __user * __user *arg)
>        void __user *addr = as->userurb;
>        unsigned int i;
>
> -       if (as->userbuffer && urb->actual_length)
> +       if (as->userbuffer)
>                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
> -                                urb->actual_length))
> +                                urb->transfer_buffer_length))
>                        goto err_out;
>        if (put_user(as->status, &userurb->status))
>                goto err_out;
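Review bot: Copying `urb->transfer_buffer_length` unconditionally in `processcompl` hands user space every byte of the kernel buffer, including the parts the device never filled, so this is only safe while the allocation in proc_do_submiturb stays zeroed; the same applies to the identical change in `processcompl_compat`. Per the thread, only isochronous URBs need the full length, because their frames are not contiguous in the buffer. For the other transfer types the copy could stay bounded by the received length, presumably by telling iso URBs apart with `urb->number_of_packets`, e.g. `len = urb->number_of_packets > 0 ? urb->transfer_buffer_length : urb->actual_length;`. Both functions continue outside the hunks shown, so how `as->userbuffer` is set for OUT transfers should be checked before relying on the bare `if (as->userbuffer)` guard.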
> @@ -1480,9 +1480,9 @@ static int processcompl_compat(struct async *as, void __user * __user *arg)
>        void __user *addr = as->userurb;
>        unsigned int i;
>
> -       if (as->userbuffer && urb->actual_length)
> +       if (as->userbuffer)
>                if (copy_to_user(as->userbuffer, urb->transfer_buffer,
> -                                urb->actual_length))
> +                                urb->transfer_buffer_length))
>                        return -EFAULT;
>        if (put_user(as->status, &userurb->status))
>                return -EFAULT;
>
