[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <529CD206.5080605@linux.intel.com>
Date: Mon, 02 Dec 2013 10:31:34 -0800
From: David Cohen <david.a.cohen@...ux.intel.com>
To: balbi@...com
CC: gregkh@...uxfoundation.org, stern@...land.harvard.edu,
mina86@...a86.com, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 5/5] usb: dwc3: implement gadget's quirk ep_out_align_size
On 11/25/2013 01:06 PM, Felipe Balbi wrote:
> Hi,
>
> On Tue, Nov 12, 2013 at 01:04:46PM -0800, David Cohen wrote:
>> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
>> index 5452c0fce360..7c2d36f6ad4b 100644
>> --- a/drivers/usb/dwc3/gadget.c
>> +++ b/drivers/usb/dwc3/gadget.c
>> @@ -1130,6 +1130,14 @@ static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request,
>> dev_vdbg(dwc->dev, "queing request %p to %s length %d\n",
>> request, ep->name, request->length);
>>
>> + /* If ep out, roundup request->length to epout maxpacketsize */
>> + if (!(dep->number & 1)) {
>
> we have a direction field in the dep structure, please use that.
>
>> + unsigned int aligned = roundup(request->length,
>> + ep->desc->wMaxPacketSize);
>> + req->pad = aligned - request->length;
>> + request->length = aligned;
>
> this is quite dangerous. You really don't know the size that gadget
> driver allocated. What if we're using SLOB and gadget driver allocated
> exactly 31 bytes (think MSC's CBW) ? Then you change request->length to
> 512-bytes (or 1024 if USB SS), and host happens to be buggy (or
> exploited somehow) and sends more than 31-bytes ? You told dwc3 you
> could receive more than 31-bytes even though you don't know what follows
> your 31-byte buffer.
>
> This is why I have been saying that gadget driver *must* be the one
> hadnling this issue based on the quirk flag.
Thanks. I've seen different point of views in this thread. Since you're
the maintainer, I'll resend the patch following your directions.
Br, David
Download attachment "signature.asc" of type "application/pgp-signature" (898 bytes)
Powered by blists - more mailing lists