| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Feb 2018 09:00:13 +0000
From: "Zengtao (B)" <prime.zeng@...ilicon.com>
To: "johnyoun@...opsys.com" <johnyoun@...opsys.com>
CC: "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Possible usb_request leak in the function
dwc2_gadget_complete_isoc_request_ddma
Hi johnyoun:
I found a suspected bug, and I am writing to confirm with you.
In the function dwc2_gadget_complete_isoc_request_ddma(drivers/usb/dwc2/gadget.c).
Only the first request from the eq queue is processed while maybe there are more than one descriptors done by the HW.
1. Each usb request is associated with a DMA descriptor, but this is not reflect in the driver, so when one DMA descriptor is done,
we don't know which usb request is done, but I think if only one DMA descriptor is done, we can know that the first USB request in
eq queue is done, because the HW DMA descriptor and SW usb request are both in sequence.
2. In the function dwc2_gadget_complete_isoc_request_ddma, we may complete more than one DMA descriptor but only the first
Usb request is processed, but in fact, we should all the usb requests associated with all the done DMA descriptors.
3. I noticed that each DMA descriptor is configured to report an interrupt, and if each DMA descriptor generate an interrupt, the above
Flow should be ok, but the interrupts can merge and we have used the depdma to figure out the largest finished DMA descriptor index.
Looking forward your reply.
Thank you.
Regards
Zengtao
Powered by blists - more mailing lists