RE: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
-Original Message- From: Felipe Balbi [mailto:ba...@ti.com] Sent: Thursday, September 06, 2012 10:28 PM To: Enrico Scholz Cc: ba...@ti.com; Chen Peter-B29397; linux-...@vger.kernel.org; linuxppc- d...@lists.ozlabs.org; Li Yang-R58472; gre...@linuxfoundation.org Subject: Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer Hi, On Thu, Sep 06, 2012 at 04:27:12PM +0200, Enrico Scholz wrote: Felipe Balbi ba...@ti.com writes: Because the fsl_udc_core driver shares one 'status_req' object for the complete ep0 control transfer, it is not possible to prime the final STATUS phase immediately after the IN transaction. E.g. ch9getstatus() executed: | req = udc-status_req; | ... | list_add_tail(req-queue, ep-queue); if | (ep0_prime_status(udc, EP_DIR_OUT)) | | struct fsl_req *req = udc-status_req; | list_add_tail(req-queue, ep-queue); which corrupts the ep-queue list by inserting 'status_req' twice. This causes a kernel oops e.g. when 'lsusb -v' is executed on the host. Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it into the ep0 completion handler. Enrico, thanks for pointing this problem. As prime STATUS phase immediately after the IN transaction is followed USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. In fact, it is already at FSL i.mx internal code, just still not mainlined. so, do I get an Acked-by to this patch ? Does it need to go on v3.6-rc or can it wait until v3.7 merge window ? Without this (or the mentioned data_req patch), I can crash a g_multi gadget by executing 'lsusb -v' as root on the host. Should not be exploitable (only a BUG_ON() is triggered) but issue should be fixed asap. cool, so I'll apply to my fixes branch as soon as I get Acked-by or Tested-by from someone. This seems to revert the error handling for USB2.0 spec 8.5.3.3. But the problem is a serious one to be fixed right away. So Acked-by: Li Yang le...@freescale.com We need to revisit the error handling issue later and find a proper way to address it. Regards, Leo ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
On Thu, Sep 06, 2012 at 05:27:42PM +0300, Felipe Balbi wrote: Hi, On Thu, Sep 06, 2012 at 04:27:12PM +0200, Enrico Scholz wrote: Felipe Balbi ba...@ti.com writes: Because the fsl_udc_core driver shares one 'status_req' object for the complete ep0 control transfer, it is not possible to prime the final STATUS phase immediately after the IN transaction. E.g. ch9getstatus() executed: | req = udc-status_req; | ... | list_add_tail(req-queue, ep-queue); | if (ep0_prime_status(udc, EP_DIR_OUT)) | | struct fsl_req *req = udc-status_req; | list_add_tail(req-queue, ep-queue); which corrupts the ep-queue list by inserting 'status_req' twice. This causes a kernel oops e.g. when 'lsusb -v' is executed on the host. Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it into the ep0 completion handler. Enrico, thanks for pointing this problem. As prime STATUS phase immediately after the IN transaction is followed USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. In fact, it is already at FSL i.mx internal code, just still not mainlined. so, do I get an Acked-by to this patch ? Does it need to go on v3.6-rc or can it wait until v3.7 merge window ? Without this (or the mentioned data_req patch), I can crash a g_multi gadget by executing 'lsusb -v' as root on the host. Should not be exploitable (only a BUG_ON() is triggered) but issue should be fixed asap. cool, so I'll apply to my fixes branch as soon as I get Acked-by or Tested-by from someone. No Acks, no Tested-by ? -- balbi signature.asc Description: Digital signature ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
On Wed, Sep 05, 2012 at 02:10:39AM +, Chen Peter-B29397 wrote: Because the fsl_udc_core driver shares one 'status_req' object for the complete ep0 control transfer, it is not possible to prime the final STATUS phase immediately after the IN transaction. E.g. ch9getstatus() executed: | req = udc-status_req; | ... | list_add_tail(req-queue, ep-queue); | if (ep0_prime_status(udc, EP_DIR_OUT)) | | struct fsl_req *req = udc-status_req; | list_add_tail(req-queue, ep-queue); which corrupts the ep-queue list by inserting 'status_req' twice. This causes a kernel oops e.g. when 'lsusb -v' is executed on the host. Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it into the ep0 completion handler. Enrico, thanks for pointing this problem. As prime STATUS phase immediately after the IN transaction is followed USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. In fact, it is already at FSL i.mx internal code, just still not mainlined. so, do I get an Acked-by to this patch ? Does it need to go on v3.6-rc or can it wait until v3.7 merge window ? -- balbi signature.asc Description: Digital signature ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
Felipe Balbi ba...@ti.com writes: Because the fsl_udc_core driver shares one 'status_req' object for the complete ep0 control transfer, it is not possible to prime the final STATUS phase immediately after the IN transaction. E.g. ch9getstatus() executed: | req = udc-status_req; | ... | list_add_tail(req-queue, ep-queue); | if (ep0_prime_status(udc, EP_DIR_OUT)) | | struct fsl_req *req = udc-status_req; | list_add_tail(req-queue, ep-queue); which corrupts the ep-queue list by inserting 'status_req' twice. This causes a kernel oops e.g. when 'lsusb -v' is executed on the host. Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it into the ep0 completion handler. Enrico, thanks for pointing this problem. As prime STATUS phase immediately after the IN transaction is followed USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. In fact, it is already at FSL i.mx internal code, just still not mainlined. so, do I get an Acked-by to this patch ? Does it need to go on v3.6-rc or can it wait until v3.7 merge window ? Without this (or the mentioned data_req patch), I can crash a g_multi gadget by executing 'lsusb -v' as root on the host. Should not be exploitable (only a BUG_ON() is triggered) but issue should be fixed asap. Enrico ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
Hi, On Thu, Sep 06, 2012 at 04:27:12PM +0200, Enrico Scholz wrote: Felipe Balbi ba...@ti.com writes: Because the fsl_udc_core driver shares one 'status_req' object for the complete ep0 control transfer, it is not possible to prime the final STATUS phase immediately after the IN transaction. E.g. ch9getstatus() executed: | req = udc-status_req; | ... | list_add_tail(req-queue, ep-queue); | if (ep0_prime_status(udc, EP_DIR_OUT)) | | struct fsl_req *req = udc-status_req; | list_add_tail(req-queue, ep-queue); which corrupts the ep-queue list by inserting 'status_req' twice. This causes a kernel oops e.g. when 'lsusb -v' is executed on the host. Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it into the ep0 completion handler. Enrico, thanks for pointing this problem. As prime STATUS phase immediately after the IN transaction is followed USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. In fact, it is already at FSL i.mx internal code, just still not mainlined. so, do I get an Acked-by to this patch ? Does it need to go on v3.6-rc or can it wait until v3.7 merge window ? Without this (or the mentioned data_req patch), I can crash a g_multi gadget by executing 'lsusb -v' as root on the host. Should not be exploitable (only a BUG_ON() is triggered) but issue should be fixed asap. cool, so I'll apply to my fixes branch as soon as I get Acked-by or Tested-by from someone. cheers -- balbi signature.asc Description: Digital signature ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
RE: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
Because the fsl_udc_core driver shares one 'status_req' object for the complete ep0 control transfer, it is not possible to prime the final STATUS phase immediately after the IN transaction. E.g. ch9getstatus() executed: | req = udc-status_req; | ... | list_add_tail(req-queue, ep-queue); | if (ep0_prime_status(udc, EP_DIR_OUT)) | | struct fsl_req *req = udc-status_req; | list_add_tail(req-queue, ep-queue); which corrupts the ep-queue list by inserting 'status_req' twice. This causes a kernel oops e.g. when 'lsusb -v' is executed on the host. Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it into the ep0 completion handler. Enrico, thanks for pointing this problem. As prime STATUS phase immediately after the IN transaction is followed USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. In fact, it is already at FSL i.mx internal code, just still not mainlined. Peter ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
