Message-ID: <678F3D1BB717D949B966B68EAEB446ED0C861F47@DGGEMM506-MBX.china.huawei.com>
Date:   Wed, 28 Feb 2018 09:00:13 +0000
From:   "Zengtao (B)" <prime.zeng@...ilicon.com>
To:     "johnyoun@...opsys.com" <johnyoun@...opsys.com>
CC:     "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Possible usb_request leak in the function dwc2_gadget_complete_isoc_request_ddma

Hi johnyoun:

I found a suspected bug, and I am writing to confirm with you.

In the function dwc2_gadget_complete_isoc_request_ddma (drivers/usb/dwc2/gadget.c),
only the first request from the eq queue is processed, while there may be more than one descriptor done by the HW.

1. Each usb request is associated with a DMA descriptor, but this is not reflected in the driver, so when one DMA descriptor is done,
we don't know which usb request is done, but I think if only one DMA descriptor is done, we can know that the first USB request in
eq queue is done, because the HW DMA descriptor and SW usb request are both in sequence.

2. In the function dwc2_gadget_complete_isoc_request_ddma, we may complete more than one DMA descriptor but only the first
USB request is processed, but in fact, we should process all the usb requests associated with all the done DMA descriptors.

3. I noticed that each DMA descriptor is configured to report an interrupt, and if each DMA descriptor generates an interrupt, the above
flow should be ok, but the interrupts can merge and we have used the depdma to figure out the largest finished DMA descriptor index.

Looking forward to your reply.

Thank you. 

Regards
Zengtao 
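
An added example, not part of the original message and not the dwc2 driver's code: a simplified user-space C model of the case the message describes, where one merged interrupt arrives after several descriptors have finished. The names `ep_model`, `complete_first_only`, `complete_up_to` and `left_behind`, the ring size, and the meaning given to `hw_idx` (first descriptor not yet done) are assumptions made for illustration.

```c
#include <stdio.h>
#define RING 8  /* constructed ring size; one request per descriptor */

struct ep_model {
    int queued[RING];  /* 1 = request for this descriptor not yet given back */
    unsigned next;     /* oldest descriptor software has not completed */
};

typedef unsigned (*handler_fn)(struct ep_model *, unsigned);

/* Handler shape the mail describes: one request completed per interrupt. */
static unsigned complete_first_only(struct ep_model *ep, unsigned hw_idx)
{
    if (ep->next == hw_idx)
        return 0;
    ep->queued[ep->next] = 0;
    ep->next = (ep->next + 1) % RING;
    return 1;
}

/* Alternative: walk forward to the hardware index, completing each request. */
static unsigned complete_up_to(struct ep_model *ep, unsigned hw_idx)
{
    unsigned n = 0;
    while (complete_first_only(ep, hw_idx))
        n++;
    return n;
}

/* One merged interrupt after `done` (< RING) descriptors finished, starting
 * at `start`; returns how many finished requests are still queued. */
static unsigned left_behind(handler_fn h, unsigned start, unsigned done)
{
    struct ep_model ep = { .next = start % RING };
    unsigned i, stale = 0;
    for (i = 0; i < RING; i++)
        ep.queued[i] = 1;
    h(&ep, (start + done) % RING);   /* hw_idx: first descriptor not yet done */
    for (i = 0; i < done; i++)
        stale += ep.queued[(start + i) % RING];
    return stale;
}

int main(void)
{
    printf("first-only: %u left\n", left_behind(complete_first_only, 6, 4));
    printf("drain:      %u left\n", left_behind(complete_up_to, 6, 4));
    return 0;
}
```

With one interrupt per descriptor both handlers leave nothing behind; the difference appears only when interrupts merge, including across the ring wrap-around.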
