lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 18 Jul 2019 18:26:27 +0000
From:   "Yang, Fei" <fei.yang@...el.com>
To:     Felipe Balbi <felipe.balbi@...ux.intel.com>,
        "john.stultz@...aro.org" <john.stultz@...aro.org>,
        "andrzej.p@...labora.com" <andrzej.p@...labora.com>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH V2] usb: dwc3: gadget: trb_dequeue is not updated
 properly

> Can only be true for last TRB
>
| 	if (event->status & DEPEVT_STATUS_IOC)
| 		return 1;

This is the problem. The whole USB request gets only one interrupt when the last TRB completes, so dwc3_gadget_ep_reclaim_trb_sg()
gets called with event->status = 0x6 which has DEPEVT_STATUS_IOC bit set. Thus dwc3_gadget_ep_reclaim_completed_trb() returns 1
for the first TRB and the for-loop ends without having a chance to iterate through the sg list.

> If we have a short packet, then we may fall here. Is that the case?

No need for a short packet to make it fail. In my case below, a 16384 byte request got slipt into 4 TRBs of 4096 bytes. All TRBs were
completed normally, but the for-loop in dwc3_gadget_ep_reclaim_trb_sg() was terminated right after handling the first TRB. After that
the trb_dequeue is messed up.

buffer_addr,size,type,ioc,isp_imi,csp,chn,lst,hwo
0000000077849000, 4096,normal,0,0,1,1,0,0
000000007784a000, 4096,normal,0,0,1,1,0,0
000000007784b000, 4096,normal,0,0,1,1,0,0
000000007784c000, 4096,normal,1,0,1,0,0,0
000000007784d000, 512,normal,1,0,1,0,0,0

My first version of the patch was trying to address the issue in dwc3_gadget_ep_reclaim_completed_trb(), but then I thought it's a bad
idea to touch this function because that is also called from non scatter_gather list case, and I was not sure if returning 1 for the linear
case is correct or not.


-Fei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ