lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Wed,  6 Nov 2013 19:42:35 +0800
From:	xiao jin <jin.xiao@...el.com>
To:	sarah.a.sharp@...ux.intel.com, gregkh@...uxfoundation.org,
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:	xiao jin <jin.xiao@...el.com>
Subject: [PATCH] xhci-ring: process bulk set actual_length only when not COMP_STOP_INVAL

When suspend, some urb is put into cancelled_td_list.
process_bulk_intr_td may process the last trb as below:
xhci_transfer_event.transfer_len = 0
xhci_transfer_event.trb_comp_code = 27
urb.transfer_buffer_length = 1024

trb_comp_code is COMP_STOP_INVAL, it should be taken as
invalid urb and discarded, but urb actual_length still is
calculated as transfer_buffer_length. When handling Stop
Endpoint Command completion, the urb in cancelled_td_list
is transferred to upper layer(cdc-acm for example). The
content of urb transfer_buffer is the overlay of previous
two read transfer_buffer. It makes upper layer process wrong
buffer.

This patch is to set actual_length as transfer_buffer_length
only if trb_comp_code is not COMP_STOP_INVAL when
process_bulk_intr_td.

Signed-off-by: xiao jin <jin.xiao@...el.com>
---
 drivers/usb/host/xhci-ring.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 6bfbd80..c9a8863 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2319,8 +2319,11 @@ static int process_bulk_intr_td(struct xhci_hcd *xhci, struct xhci_td *td,
 					*status = 0;
 			}
 		} else {
-			td->urb->actual_length =
-				td->urb->transfer_buffer_length;
+			if (trb_comp_code != COMP_STOP_INVAL)
+				td->urb->actual_length =
+					td->urb->transfer_buffer_length;
+			else
+				td->urb->actual_length = 0;
 			/* Ignore a short packet completion if the
 			 * untransferred length was zero.
 			 */
-- 
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ