[linux-usb-devel] [PATCH] EHCI: fix conflation of buf == 0 with len == 0

[Alan Stern]

Dave:

When the ehci-hcd driver prepares a control URB, it tests for a
zero-length data stage by looking at the transfer_dma value instead of the
transfer_buffer_length.  (In fact it does this even for non-control URBs,
which is an additional aspect of the same bug.)

However, under certain circumstances it's possible for transfer_dma to be 
0 while transfer_buffer_length is non-zero.  This can happen when a 
freshly allocated page (mapped to address 0 and marked Copy-On-Write, but 
never written to) is used as the source buffer for an OUT transfer.  This 
patch (as598) fixes the problem.

Alan Stern



Signed-off-by: Alan Stern <[EMAIL PROTECTED]>

---

This was originally posted back when email to you was bouncing, so you
may not have seen it.  Hence I'm sending it again.

I've given this only light testing, but it seems to work okay.  You should
go over it to be sure.

Index: usb-2.6/drivers/usb/host/ehci-q.c
===================================================================
--- usb-2.6.orig/drivers/usb/host/ehci-q.c
+++ usb-2.6/drivers/usb/host/ehci-q.c
@@ -514,18 +514,18 @@ qh_urb_transaction (
                qtd->urb = urb;
                qtd_prev->hw_next = QTD_NEXT (qtd->qtd_dma);
                list_add_tail (&qtd->qtd_list, head);
+
+               /* for zero length DATA stages, STATUS is always IN */
+               if (len == 0)
+                       token |= (1 /* "in" */ << 8);
        } 
 
        /*
         * data transfer stage:  buffer setup
         */
-       if (likely (len > 0))
-               buf = urb->transfer_dma;
-       else
-               buf = 0;
+       buf = urb->transfer_dma;
 
-       /* for zero length DATA stages, STATUS is always IN */
-       if (!buf || is_input)
+       if (is_input)
                token |= (1 /* "in" */ << 8);
        /* else it's already initted to "out" pid (0 << 8) */
 
@@ -572,7 +572,7 @@ qh_urb_transaction (
         * control requests may need a terminating data "status" ack;
         * bulk ones may need a terminating short packet (zero length).
         */
-       if (likely (buf != 0)) {
+       if (likely (urb->transfer_buffer_length != 0)) {
                int     one_more = 0;
 
                if (usb_pipecontrol (urb->pipe)) {



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel