lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 10 Sep 2021 17:19:58 +0200
From:   "Fabio M. De Francesco" <fmdefrancesco@...il.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Larry Finger <Larry.Finger@...inger.net>,
        Phillip Potter <phil@...lpotter.co.uk>,
        Pavel Skripkin <paskripkin@...il.com>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/3] staging: r8188eu: Shorten calls chain of rtw_read8/16/32()

On Monday, September 6, 2021 4:07:26 PM CEST Greg Kroah-Hartman wrote:
> On Sun, Sep 05, 2021 at 12:00:47AM +0200, Fabio M. De Francesco wrote:
> > Shorten the calls chain of rtw_read8/16/32() down to the actual reads.
> > For this purpose unify the three usb_read8/16/32 into the new
> > usb_read(); make the latter parameterizable with 'size'; embed most of
> > the code of usbctrl_vendorreq() into usb_read() and use in it the new
> > usb_control_msg_recv() API of USB Core.
> > 
> > Suggested-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > Co-developed-by: Pavel Skripkin <paskripkin@...il.com>
> > Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> > Signed-off-by: Fabio M. De Francesco <fmdefrancesco@...il.com>
> > ---
> >
> > [...]
> > 
> > +	while (++vendorreq_times <= MAX_USBCTRL_VENDORREQ_TIMES) {
> > +		status = usb_control_msg_recv(udev, 0, 
REALTEK_USB_VENQT_CMD_REQ,
> > +					      
REALTEK_USB_VENQT_READ, value,
> > +					      
REALTEK_USB_VENQT_CMD_IDX, io_buf,
> > +					      size, 
RTW_USB_CONTROL_MSG_TIMEOUT,
> > +					      GFP_KERNEL);
> > +		if (!status) {   /*  Success this control transfer. */
> 
> Comments go on the next line.
> 
> > +			rtw_reset_continual_urb_error(dvobjpriv);
> > +			memcpy(data, io_buf, size);
> > +		} else { /*  error cases */
> 
> Again, next line for the comment.
> 
> > +			DBG_88E("reg 0x%x, usb %s %u fail, status:
%d vendorreq_times:%d\n",
> > +				value, "read", size, status, 
vendorreq_times);
> 
> These should be removed eventually...
> 
> > +
> > +			if (status == (-ESHUTDOWN) || status == -
ENODEV) {
> > +				adapt->bSurpriseRemoved = true;
> 
> Odd, but ok...

I'm not so sure that it is OK. Please correct me if I'm wrong...

The calls chain from usb_control_msg_recv() seems to be the following:

usb_control_msg_recv/send()
        -> usb_control_msg()
                -> usb_internal_control_msg()
                        -> usb_start_wait_urb()
                                -> usb_submit_urb()

Each of the above functions could fail for different reasons and if so they 
return the errors up to the first caller into "status". I can find no lines 
of code where the above-mentioned functions set and return -ESHUTDOWN.

Unless I'm missing something obvious, "status" is a non-shared variable. The 
variables that are assigned with errors in all five of the above-mentioned 
functions are also local (non shared) variables.

To summarize: how could "status" be assigned -ESHUTDOWN? Is any point in the 
chain that value assigned by a concurrent thread to a shared variable and 
then returned up to the caller (i.e., usb_control_msg_recv())?

Since the code has this "if (status == (-ESHUTDOWN) || ...)" it expects that 
sometimes it could be 'true', so I'm 100% sure that I can't see where my 
argument is not valid... :(

Can someone please help me to understand this topic?

Thanks,

Fabio



> 
> > [...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ