Message-ID: <BYAPR07MB5381A0D4D62053442E34B275DD1AA@BYAPR07MB5381.namprd07.prod.outlook.com>
Date:   Thu, 17 Aug 2023 09:10:33 +0000
From:   Pawel Laszczak <pawell@...ence.com>
To:     Peter Chen <peter.chen@...nel.org>
CC:     "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH] usb: cdnsp: Fixes issue with dequeuing not queued
 requests


>> >
>> >On 23-07-13 04:14:29, Pawel Laszczak wrote:
>> >> Gadget ACM, while unloading the module, tries to dequeue a not queued
>> >> usb request, which causes the kernel to crash.
>> >> The patch adds an extra condition to check whether the usb request is
>> >> processed by the CDNSP driver.
>> >>
>> >
>> >Why does ACM do that?
>
>Would you please explain which situation triggers it?

The sequence to trigger it is simple:
- Load modules (u_serial, f_acm and udc driver)
- Unload module

In my case the plug is attached to the host.

While unloading, the gs_console_disconnect function is involved,
which tries to dequeue a usb_request that is not queued.

Without the fix, the controller driver during dequeuing tries to operate
on a not initialized field, which causes the kernel to crash.

Regards,
Pawel

>> >
>> >> cc: <stable@...r.kernel.org>
>> >> Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence
>> >> USBSSP DRD Driver")
>> >> Signed-off-by: Pawel Laszczak <pawell@...ence.com>
>> >> ---
>> >>  drivers/usb/cdns3/cdnsp-gadget.c | 3 +++
>> >>  1 file changed, 3 insertions(+)
>> >>
>> >> diff --git a/drivers/usb/cdns3/cdnsp-gadget.c
>> >> b/drivers/usb/cdns3/cdnsp-gadget.c
>> >> index fff9ec9c391f..3a30c2af0c00 100644
>> >> --- a/drivers/usb/cdns3/cdnsp-gadget.c
>> >> +++ b/drivers/usb/cdns3/cdnsp-gadget.c
>> >> @@ -1125,6 +1125,9 @@ static int cdnsp_gadget_ep_dequeue(struct
>> >usb_ep *ep,
>> >>  	unsigned long flags;
>> >>  	int ret;
>> >>
>> >> +	if (request->status != -EINPROGRESS)
>> >> +		return 0;
>> >> +
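Review bot: the new `request->status != -EINPROGRESS` test at the top of cdnsp_gadget_ep_dequeue() has no comment and uses a field of the request, rather than the driver's own state, to decide whether the request is queued. Please add a short comment saying that a request not in progress is ignored and why 0 rather than an error is returned to the caller. The test also sits directly after the `flags` declaration, before any locking visible in this hunk, so it is worth confirming that reading the status here cannot race with completion of the request; checking membership in the pending list, as raised later in the thread, would tie the test to state the driver itself maintains.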
>> >
>> >Why don't you use the pending list, which is used at cdnsp_ep_enqueue, to do this?
>>
>> It's just a simpler and faster way - no other reasons.
>
>Okay, get it.
>
>--
>
>Thanks,
>Peter Chen
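
An added example, not part of the thread and not the cdnsp driver's code: a user-space C model of dequeuing a request that was never queued, comparing the status test from the patch with the pending-list check asked about in review. All `model_*` and `dequeue_*` names and the `priv` field are hypothetical, and `-EFAULT` only stands in for the crash described above.

```c
#include <errno.h>
#include <stdbool.h>

/* User-space model; all names are hypothetical, not the cdnsp driver's. */
struct model_req {
    int status;              /* -EINPROGRESS while queued, as the patch tests */
    void *priv;              /* driver-private state, set only on enqueue */
    struct model_req *next;  /* link in the endpoint's pending list */
};

struct model_ep { struct model_req *pending; };

void model_enqueue(struct model_ep *ep, struct model_req *r) {
    r->status = -EINPROGRESS;
    r->priv = ep;            /* stands in for per-request driver state */
    r->next = ep->pending;
    ep->pending = r;
}

static bool model_unlink(struct model_ep *ep, struct model_req *r) {
    for (struct model_req **p = &ep->pending; *p; p = &(*p)->next)
        if (*p == r) {
            *p = r->next;
            return true;
        }
    return false;            /* request was never on this endpoint's list */
}

/* Cancel path; a real driver would use r->priv, the model only checks it. */
static int model_cancel(struct model_ep *ep, struct model_req *r) {
    if (!r->priv || !model_unlink(ep, r))
        return -EFAULT;      /* models the operation on a not initialized field */
    r->status = -ECONNRESET; /* status a dequeued request completes with */
    return 0;
}

/* Guard as in the patch: ignore requests whose status is not -EINPROGRESS. */
int dequeue_status_guard(struct model_ep *ep, struct model_req *r) {
    return r->status != -EINPROGRESS ? 0 : model_cancel(ep, r);
}

/* Guard asked about in review: ignore requests not on the pending list. */
int dequeue_list_guard(struct model_ep *ep, struct model_req *r) {
    for (struct model_req *p = ep->pending; p; p = p->next)
        if (p == r)
            return model_cancel(ep, r);
    return 0;
}
```

In this model both guards return 0 for a never-queued request; they differ only for a constructed request whose status reads -EINPROGRESS without having been enqueued.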
