[PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer
Li Yang-R58472
r58472 at freescale.com
Wed Sep 12 21:17:14 EST 2012
> -----Original Message-----
> From: Felipe Balbi [mailto:balbi at ti.com]
> Sent: Thursday, September 06, 2012 10:28 PM
> To: Enrico Scholz
> Cc: balbi at ti.com; Chen Peter-B29397; linux-usb at vger.kernel.org; linuxppc-
> dev at lists.ozlabs.org; Li Yang-R58472; gregkh at linuxfoundation.org
> Subject: Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime
> STATUS for IN xfer
>
> Hi,
>
> On Thu, Sep 06, 2012 at 04:27:12PM +0200, Enrico Scholz wrote:
> > Felipe Balbi <balbi at ti.com> writes:
> >
> > >> > Because the fsl_udc_core driver shares one 'status_req' object
> > >> > for the complete ep0 control transfer, it is not possible to
> > >> > prime the final STATUS phase immediately after the IN
> > >> > transaction. E.g. ch9getstatus()
> > >> > executed:
> > >> >
> > >> > | req = udc->status_req;
> > >> > | ...
> > >> > | list_add_tail(&req->queue, &ep->queue); if
> > >> > | (ep0_prime_status(udc, EP_DIR_OUT))
> > >> > | ....
> > >> > | struct fsl_req *req = udc->status_req;
> > >> > | list_add_tail(&req->queue, &ep->queue);
> > >> >
> > >> > which corrupts the ep->queue list by inserting 'status_req'
> > >> > twice. This causes a kernel oops e.g. when 'lsusb -v' is executed
> on the host.
> > >> >
> > >> > Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by
> > >> > moving it into the ep0 completion handler.
> > >> >
> > >> Enrico, thanks for pointing this problem.
> > >>
> > >> As "prime STATUS phase immediately after the IN transaction" is
> > >> followed USB 2.0 spec, to fix this problem, it is better to add
> data_req for ep0.
> > >> In fact, it is already at FSL i.mx internal code, just still not
> mainlined.
> > >
> > > so, do I get an Acked-by to this patch ? Does it need to go on
> > > v3.6-rc or can it wait until v3.7 merge window ?
> >
> > Without this (or the mentioned data_req patch), I can crash a g_multi
> > gadget by executing 'lsusb -v' as root on the host. Should not be
> > exploitable (only a BUG_ON() is triggered) but issue should be fixed
> > asap.
>
> cool, so I'll apply to my fixes branch as soon as I get Acked-by or
> Tested-by from someone.
This seems to revert the error handling for USB2.0 spec 8.5.3.3. But the problem is a serious one to be fixed right away. So
Acked-by: Li Yang <leoli at freescale.com>
We need to revisit the error handling issue later and find a proper way to address it.
Regards,
Leo
More information about the Linuxppc-dev
mailing list