| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Nov 2017 09:20:00 -0800
From: Guenter Roeck <linux@...ck-us.net>
To: Adam Thomson <Adam.Thomson.Opensource@...semi.com>
Cc: Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Hans de Goede <hdegoede@...hat.com>,
Yueyao Zhu <yueyao.zhu@...il.com>,
Rui Miguel Silva <rmfrfs@...il.com>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
support.opensource@...semi.com
Subject: Re: [PATCH v2] typec: tcpm: fusb302: Resolve out of order messaging
events
On Thu, Nov 16, 2017 at 04:28:11PM +0000, Adam Thomson wrote:
> The expectation in the FUSB302 driver is that a TX_SUCCESS event
> should occur after a message has been sent, but before a GCRCSENT
> event is raised to indicate successful receipt of a message from
> the partner. However in some circumstances it is possible to see
> the hardware raise a GCRCSENT event before a TX_SUCCESS event
> is raised. The upshot of this is that the GCRCSENT handling portion
> of code ends up reporting the GoodCRC message to TCPM because the
> TX_SUCCESS event hasn't yet arrived to trigger a consumption of it.
> When TX_SUCCESS is then raised by the chip it ends up consuming the
> actual message that was meant for TCPM, and this incorrect sequence
> results in a hard reset from TCPM.
>
> To avoid this problem, this commit moves all FIFO reading to be
> done based on a GCRCSENT event, and when reading from the FIFO
> any GoodCRC messages read in are discarded so only valid messages
> are reported to TCPM.
>
> Changes in v2:
> - Remove erroneous extended header check
>
> Patch is based on Linux next-20171114 to include move out of staging.
>
> Signed-off-by: Adam Thomson <Adam.Thomson.Opensource@...semi.com>
> ---
> drivers/usb/typec/fusb302/fusb302.c | 16 ++++++++++------
> 1 file changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/usb/typec/fusb302/fusb302.c b/drivers/usb/typec/fusb302/fusb302.c
> index 72cb060..ddf88f0 100644
> --- a/drivers/usb/typec/fusb302/fusb302.c
> +++ b/drivers/usb/typec/fusb302/fusb302.c
> @@ -1650,12 +1650,6 @@ static irqreturn_t fusb302_irq_intn(int irq, void *dev_id)
>
> if (interrupta & FUSB_REG_INTERRUPTA_TX_SUCCESS) {
> fusb302_log(chip, "IRQ: PD tx success");
> - /* read out the received good CRC */
> - ret = fusb302_pd_read_message(chip, &pd_msg);
> - if (ret < 0) {
> - fusb302_log(chip, "cannot read in GCRC, ret=%d", ret);
> - goto done;
> - }
If multiple "Good CRC" messages are received in a row, they won't be read from
the chip, which might result in a buffer overflow.
It might be better to always read all pending messages and handle it depending
on the message type. Something along the line of
while (interrupts & (FUSB_REG_INTERRUPTA_TX_SUCCESS |
FUSB_REG_INTERRUPTB_GCRCSENT)) {
ret = fusb302_pd_read_message(chip, &pd_msg);
if (ret < 0)
goto done;
if (msg_type == good CRC) {
tcpm_pd_transmit_complete(chip->tcpm_port, TCPC_TX_SUCCESS);
interrupts &= ~FUSB_REG_INTERRUPTA_TX_SUCCESS;
} else {
tcpm_pd_receive(chip->tcpm_port, &pd_msg);
interrupts &= ~FUSB_REG_INTERRUPTB_GCRCSENT;
}
}
Guenter
> tcpm_pd_transmit_complete(chip->tcpm_port, TCPC_TX_SUCCESS);
> }
>
> @@ -1671,12 +1665,22 @@ static irqreturn_t fusb302_irq_intn(int irq, void *dev_id)
>
> if (interruptb & FUSB_REG_INTERRUPTB_GCRCSENT) {
> fusb302_log(chip, "IRQ: PD sent good CRC");
> +retry:
> ret = fusb302_pd_read_message(chip, &pd_msg);
> if (ret < 0) {
> fusb302_log(chip,
> "cannot read in PD message, ret=%d", ret);
> goto done;
> }
> +
> + /*
> + * Check to make sure we've not read off a GoodCRC message.
> + * If so then read again to retrieve expected message
> + */
> + if ((!pd_header_cnt_le(pd_msg.header)) &&
> + (pd_header_type_le(pd_msg.header) == PD_CTRL_GOOD_CRC))
> + goto retry;
> +
> tcpm_pd_receive(chip->tcpm_port, &pd_msg);
> }
> done:
> --
> 1.9.1
>
Powered by blists - more mailing lists