All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg KH <greg@kroah.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Markus Rechberger <mrechberger@gmail.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-usb@vger.kernel.org, werner@guyane.dyn-o-saur.com,
	Marcus Meissner <meissner@suse.de>,
	linux-kernel@vger.kernel.org
Subject: Re: 2.6.33 bugs (USBFS, Intel graphic)
Date: Tue, 2 Mar 2010 16:09:38 -0800	[thread overview]
Message-ID: <20100303000938.GA3257@kroah.com> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1002271215290.25155-100000@netrider.rowland.org>

On Sat, Feb 27, 2010 at 12:20:35PM -0500, Alan Stern wrote:
> On Fri, 26 Feb 2010, Greg KH wrote:
> 
> > Hm, so it's back to the original idea of just doing a kzalloc of the
> > initial buffer, that should solve the problem that Marcus found.
> > 
> > I'll go dig that back up and if you could test it, that would be most
> > appreciated.
> 
> Here's a better solution.  In theory we could copy just the individual 
> packets from within the transfer buffer, but that would probably take 
> longer than simply copying the whole buffer.
> 
> (This was a little hasty; I haven't even compile-tested the patch. 
> Some small fixes may be needed.)

Markus, did you test this patch out?

thanks,

greg k-h

> -----------------------------------------------------------------------
> 
> This patch fixes a bug in the way isochronous input data is returned
> to userspace for usbfs transfers.  The entire buffer must be copied,
> not just the first actual_length bytes, because the individual packets
> will be discontiguous if any of them are short.
> 
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: stable <stable@kernel.org>
> 
> ---
> 
> Index: usb-2.6/drivers/usb/core/devio.c
> ===================================================================
> --- usb-2.6.orig/drivers/usb/core/devio.c
> +++ usb-2.6/drivers/usb/core/devio.c
> @@ -1176,6 +1176,13 @@ static int proc_do_submiturb(struct dev_
>  			free_async(as);
>  			return -ENOMEM;
>  		}
> +		/* Isochronous input data may end up being discontiguous
> +		 * if some of the packets are short.  Clear the buffer so
> +		 * that the gaps don't leak kernel data to userspace.
> +		 */
> +		if (is_in && uurb->type == USBDEVFS_URB_TYPE_ISO)
> +			memset(as->urb->transfer_buffer, 0,
> +					uurb->buffer_length);
>  	}
>  	as->urb->dev = ps->dev;
>  	as->urb->pipe = (uurb->type << 30) |
> @@ -1312,10 +1319,14 @@ static int processcompl(struct async *as
>  	void __user *addr = as->userurb;
>  	unsigned int i;
>  
> -	if (as->userbuffer && urb->actual_length)
> -		if (copy_to_user(as->userbuffer, urb->transfer_buffer,
> -				 urb->actual_length))
> +	if (as->userbuffer && urb->actual_length) {
> +		if (urb->number_of_packets > 0)		/* Isochronous */
> +			i = urb->transfer_buffer_length;
> +		else					/* Non-Isoc */
> +			i = urb->actual_length;
> +		if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
>  			goto err_out;
> +	}
>  	if (put_user(as->status, &userurb->status))
>  		goto err_out;
>  	if (put_user(urb->actual_length, &userurb->actual_length))

  reply	other threads:[~2010-03-03  0:11 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-02-27  3:42 2.6.33 bugs (USBFS, Intel graphic) Markus Rechberger
2010-02-27  3:56 ` Greg KH
2010-02-27  4:05   ` Markus Rechberger
2010-02-27  4:18     ` Greg KH
2010-02-27  4:29       ` Linus Torvalds
2010-02-27  4:34         ` Markus Rechberger
2010-02-27  5:17           ` Greg KH
2010-02-27  5:26             ` Greg KH
2010-02-27  5:38               ` Markus Rechberger
2010-02-27  5:48                 ` Greg KH
2010-02-27 11:00                   ` Markus Rechberger
2010-02-27 12:15                     ` Pekka Enberg
2010-02-27 12:17                       ` Pekka Enberg
2010-02-27 16:49                         ` Jesse Barnes
2010-02-27 18:08                           ` Markus Rechberger
2010-02-27 22:33                             ` Markus Rechberger
2010-02-27 17:20             ` Alan Stern
2010-03-03  0:09               ` Greg KH [this message]
2010-03-05 21:37                 ` Markus Rechberger
2010-03-06 16:30                 ` Markus Rechberger
2010-03-06 17:06                   ` Greg KH
2010-03-06 20:04                     ` Alan Stern
2010-02-27  4:11 ` Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100303000938.GA3257@kroah.com \
    --to=greg@kroah.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=meissner@suse.de \
    --cc=mrechberger@gmail.com \
    --cc=stern@rowland.harvard.edu \
    --cc=torvalds@linux-foundation.org \
    --cc=werner@guyane.dyn-o-saur.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.