From: Oliver Neukum <oneukum@suse.com>
To: Jonathan Bell <jonathan@raspberrypi.org>
Cc: Minas Harutyunyan <hminas@synopsys.com>, linux-usb@vger.kernel.org
Subject: Re: dwc2 / Raspberry Pi - hardware bug for small transfers results in memory corruption
Date: Thu, 15 Aug 2019 16:52:17 +0200 [thread overview]
Message-ID: <1565880737.5780.12.camel@suse.com> (raw)
In-Reply-To: <CAPHs_JLkWmgvWJPyBdugFPfgPMpyeQL1bQe3VLru4BTf9L+iag@mail.gmail.com>
Am Donnerstag, den 15.08.2019, 12:41 +0100 schrieb Jonathan Bell:
> On Thu, Aug 15, 2019 at 11:55 AM Oliver Neukum <oneukum@suse.com> wrote:
> >
> > Am Mittwoch, den 14.08.2019, 16:59 +0100 schrieb Jonathan Bell:
> > > As reported by one of our users here:
> > > https://github.com/raspberrypi/linux/issues/3148
> > >
> > > There is a bug when the dwc2 core receives USB data packets that are
> > > between 1 and 4 bytes in length - 4 bytes are always written to memory
> > > where the non-packet bytes are garbage.
> >
> > Hi,
> >
> > in which function does that happen? If your buffer cannot handle 4
> > bytes I cannot see how it copes with teh DMA rules.
> >
>
> In drivers/media/usb/uvc/uvc_ctrl.c:uvc_ctrl_populate_cache() and friends.
OK, I see.
> The UVC driver passes in offsets into a struct uvc_control as the
> "buffer" that usb_control_msg() fills.
Not quite that bad. It passes a pointer into the middle of a buffer
used at different offsets for the transfer. This is technically allowed
as long as you never touch the buffer while a transfer is ongoing.
That is an accident waiting to happen. Please make a patch using
a bounce buffer allocated with knalloc() in
drivers/media/usb/uvc/uvc_ctrl.c:uvc_ctrl_populate_cache() and friends.
Regards
Oliver
next prev parent reply other threads:[~2019-08-15 14:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 15:59 dwc2 / Raspberry Pi - hardware bug for small transfers results in memory corruption Jonathan Bell
2019-08-15 10:55 ` Oliver Neukum
2019-08-15 11:41 ` Jonathan Bell
2019-08-15 14:37 ` Alan Stern
2019-08-15 14:52 ` Oliver Neukum [this message]
2019-08-16 22:18 ` Jonathan Bell
2019-08-19 11:01 ` Oliver Neukum
2019-08-15 12:51 ` Lars Melin
2019-08-15 12:54 ` Jonathan Bell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1565880737.5780.12.camel@suse.com \
--to=oneukum@suse.com \
--cc=hminas@synopsys.com \
--cc=jonathan@raspberrypi.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.