lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44L0.1208071342410.2400-100000@iolanthe.rowland.org>
Date:	Tue, 7 Aug 2012 13:47:16 -0400 (EDT)
From:	Alan Stern <stern@...land.harvard.edu>
To:	Virupax Sadashivpetimath <virupax.sadashivpetimath@...ricsson.com>
cc:	balbi@...com, <gregkh@...uxfoundation.org>,
	<linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<linus.walleij@...aro.org>, <praveen.nadahally@...ricsson.com>,
	<ragupathy.rajaram@...ricsson.com>, <vikrant.bapat@...ricsson.com>
Subject: Re: [PATCH v2] usb:musb:musb_host: Handle highmem in PIO mode

On Tue, 7 Aug 2012, Virupax Sadashivpetimath wrote:

> In case of USB bulk transfer, when himem page
> is received, the usb_sg_init function sets the
> urb transfer buffer to NULL. When such URB
> transfer is handled, kernel crashes in PIO mode.
> Handle this by mapping the highmem buffer in PIO mode.

...

> @@ -1332,9 +1353,38 @@ void musb_host_tx(struct musb *musb, u8 epnum)
>  		length = qh->maxpacket;
>  	/* Unmap the buffer so that CPU can use it */
>  	usb_hcd_unmap_urb_for_dma(musb_to_hcd(musb), urb);
> -	musb_write_fifo(hw_ep, length, urb->transfer_buffer + offset);
> +
> +	/*
> +	 * We need to map sg if the transfer_buffer is
> +	 * NULL.
> +	 */
> +	if (!urb->transfer_buffer)
> +		use_sg = true;

Here you test urb->transfer_buffer.

> +	if (use_sg) {
> +		/* sg_miter_start is already done in musb_ep_program */
> +		if (!sg_miter_next(&qh->sg_miter)) {
> +			dev_err(musb->controller, "error: sg list empty\n");
> +			sg_miter_stop(&qh->sg_miter);
> +			status = -EINVAL;
> +			goto done;
> +		}
> +		urb->transfer_buffer = qh->sg_miter.addr;

And here you set it.  As a result, on the next iteration of this
routine the test above won't work right.  (This function gets invoked
once for each entry in the sg list, right?)

Is there any reason to set urb->transfer_buffer here?  You could just
use qh->sg_miter.addr directly in the musb_write_fifo() call two lines
below.

> +		length = min_t(u32, length, qh->sg_miter.length);
> +		musb_write_fifo(hw_ep, length, urb->transfer_buffer);
> +		qh->sg_miter.consumed = length;
> +		sg_miter_stop(&qh->sg_miter);
> +	} else {
> +		musb_write_fifo(hw_ep, length, urb->transfer_buffer + offset);
> +	}

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ