| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9324065.O9NRuxeco7@localhost.localdomain>
Date: Fri, 10 Sep 2021 17:19:58 +0200
From: "Fabio M. De Francesco" <fmdefrancesco@...il.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Larry Finger <Larry.Finger@...inger.net>,
Phillip Potter <phil@...lpotter.co.uk>,
Pavel Skripkin <paskripkin@...il.com>,
linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/3] staging: r8188eu: Shorten calls chain of rtw_read8/16/32()
On Monday, September 6, 2021 4:07:26 PM CEST Greg Kroah-Hartman wrote:
> On Sun, Sep 05, 2021 at 12:00:47AM +0200, Fabio M. De Francesco wrote:
> > Shorten the calls chain of rtw_read8/16/32() down to the actual reads.
> > For this purpose unify the three usb_read8/16/32 into the new
> > usb_read(); make the latter parameterizable with 'size'; embed most of
> > the code of usbctrl_vendorreq() into usb_read() and use in it the new
> > usb_control_msg_recv() API of USB Core.
> >
> > Suggested-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > Co-developed-by: Pavel Skripkin <paskripkin@...il.com>
> > Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> > Signed-off-by: Fabio M. De Francesco <fmdefrancesco@...il.com>
> > ---
> >
> > [...]
> >
> > + while (++vendorreq_times <= MAX_USBCTRL_VENDORREQ_TIMES) {
> > + status = usb_control_msg_recv(udev, 0,
REALTEK_USB_VENQT_CMD_REQ,
> > +
REALTEK_USB_VENQT_READ, value,
> > +
REALTEK_USB_VENQT_CMD_IDX, io_buf,
> > + size,
RTW_USB_CONTROL_MSG_TIMEOUT,
> > + GFP_KERNEL);
> > + if (!status) { /* Success this control transfer. */
>
> Comments go on the next line.
>
> > + rtw_reset_continual_urb_error(dvobjpriv);
> > + memcpy(data, io_buf, size);
> > + } else { /* error cases */
>
> Again, next line for the comment.
>
> > + DBG_88E("reg 0x%x, usb %s %u fail, status:
%d vendorreq_times:%d\n",
> > + value, "read", size, status,
vendorreq_times);
>
> These should be removed eventually...
>
> > +
> > + if (status == (-ESHUTDOWN) || status == -
ENODEV) {
> > + adapt->bSurpriseRemoved = true;
>
> Odd, but ok...
I'm not so sure that it is OK. Please correct me if I'm wrong...
The calls chain from usb_control_msg_recv() seems to be the following:
usb_control_msg_recv/send()
-> usb_control_msg()
-> usb_internal_control_msg()
-> usb_start_wait_urb()
-> usb_submit_urb()
Each of the above functions could fail for different reasons and if so they
return the errors up to the first caller into "status". I can find no lines
of code where the above-mentioned functions set and return -ESHUTDOWN.
Unless I'm missing something obvious, "status" is a non-shared variable. The
variables that are assigned with errors in all five of the above-mentioned
functions are also local (non shared) variables.
To summarize: how could "status" be assigned -ESHUTDOWN? Is any point in the
chain that value assigned by a concurrent thread to a shared variable and
then returned up to the caller (i.e., usb_control_msg_recv())?
Since the code has this "if (status == (-ESHUTDOWN) || ...)" it expects that
sometimes it could be 'true', so I'm 100% sure that I can't see where my
argument is not valid... :(
Can someone please help me to understand this topic?
Thanks,
Fabio
>
> > [...]
Powered by blists - more mailing lists