lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 19 Mar 2021 02:31:23 -0700
From:   Wesley Cheng <wcheng@...eaurora.org>
To:     balbi@...nel.org, gregkh@...uxfoundation.org
Cc:     linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
        Wesley Cheng <wcheng@...eaurora.org>
Subject: [PATCH 0/2] Fix allowing of ep queuing while stopping transfers

commit f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping
transfers") addressed an issue where the DWC3 gadget was still allowing EP
queuing to occur while the pullup disable routine was executing.  This led to
a situation where the controller prepares a TRB, which will be unmapped by the
stop active transfer call.

In addition to the above, there are a few other places in the DWC3 gadget where
we need to block preparing of TRBs:

 1. While the DWC3 gadget cleans up completed TRBs (during
    dwc3_gadget_endpoint_trbs_complete()), DWC3 gadget giveback is utilized and
    will release the dwc->lock.  If a pullup disable call occurs while the
    cleanup is happening, then there is a chance dwc3_gadget_ep_should_continue
    will prepare a TRB, which will later on be unmapped by the stop active
    transfer in the pullup disable path.

 2. If we are in the CONFIGURED state and the host issues a bus RESET.  In this
    situation, the connected flag is still set to true while we stop active
    transfers, which can lead to the same initial problem.  Ideally, function
    drivers would stop any pending usb requests through dwc3_reset_gadget()
    using the EP disable call, but for some function drivers, this does not
    occur synchronously in their disable() callback.  These functions would rely
    on the stop active transfers in the reset handler to issue the endxfer cmd.

Wesley Cheng (2):
  usb: dwc3: gadget: Avoid continuing preparing TRBs during teardown
  usb: dwc3: gadget: Ignore EP queue requests during bus reset

 drivers/usb/dwc3/gadget.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ