lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Sep 2012 11:51:26 -0700 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org Cc: Greg KH <gregkh@...uxfoundation.org>, alan@...rguk.ukuu.org.uk, Michael Grzeschik <m.grzeschik@...gutronix.de>, Marc Kleine-Budde <mkl@...gutronix.de>, Alexander Shishkin <alexander.shishkin@...ux.intel.com> Subject: [ 157/262] usb: chipidea: udc: dont stall endpoint if request list is empty in isr_tr_complete_low From: Greg KH <gregkh@...uxfoundation.org> 3.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michael Grzeschik <m.grzeschik@...gutronix.de> commit db89960e50f45274c07dc60926b5a49489b8a7a0 upstream. When attaching an imx28 or imx53 in USB gadget mode to a Windows host and starting a rndis connection we see this message every 4-10 seconds: g_ether gadget: high speed config #2: RNDIS Analysis shows that each time this message is printed, the rndis connection is re-establish due to a reset because of a stalled endpoint (ep 0, dir 1). The endpoint is stalled because the reqeust complete bit on that endpoint is set, but in isr_tr_complete_low() the endpoint request list (mEp->qh.queue) is empty. This patch removed this check, because the code doesn't take the following situation into account: The loop over all endpoints in isr_tr_complete_handler() will call ep_nuke() on both ep0/dir0 and ep/dir1 in the first loop. Pending reqeusts will be flushed and completed here. There seems to be a race condition, the request is nuked, but the request complete bit will be set, too. The subsequent check (in ep0/dir1's loop cycle) for endpoint request list (mEp->qh.queue) empty will fail. Both other mainline chipidea drivers (mv_udc_core.c and fsl_udc_core.c) don't have this check. Signed-off-by: Michael Grzeschik <m.grzeschik@...gutronix.de> Signed-off-by: Marc Kleine-Budde <mkl@...gutronix.de> Signed-off-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/usb/chipidea/udc.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) --- a/drivers/usb/chipidea/udc.c +++ b/drivers/usb/chipidea/udc.c @@ -771,10 +771,7 @@ __acquires(mEp->lock) { struct ci13xxx_req *mReq, *mReqTemp; struct ci13xxx_ep *mEpTemp = mEp; - int uninitialized_var(retval); - - if (list_empty(&mEp->qh.queue)) - return -EINVAL; + int retval = 0; list_for_each_entry_safe(mReq, mReqTemp, &mEp->qh.queue, queue) { -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists