From: Felipe Balbi <balbi@ti.com>
To: Kishon Vijay Abraham I <kishon@ti.com>
Cc: balbi@ti.com, linux-usb@vger.kernel.org,
linux-omap@vger.kernel.org, linux-kernel@vger.kernel.org,
gregkh@linuxfoundation.org, Sekhar Nori <nsekhar@ti.com>
Subject: Re: [RFC PATCH 2/2] usb: dwc3: Add chained TRB support for ep0
Date: Mon, 1 Jun 2015 13:42:36 -0500 [thread overview]
Message-ID: <20150601184236.GH26081@saruman.tx.rr.com> (raw)
In-Reply-To: <556C2BAC.4070901@ti.com>
[-- Attachment #1: Type: text/plain, Size: 2453 bytes --]
Hi,
On Mon, Jun 01, 2015 at 03:23:48PM +0530, Kishon Vijay Abraham I wrote:
> >>+ transferred = transfer_size - length;
> >>+ buf = (u8 *)buf + transferred;
> >>+ ur->actual += transferred;
> >
> >this is dangerous. The extra size is because you *must* align OUT to
> >wMaxPacketSize, so you cannot allow more than the original req->length
> >to be copied into buf. That bounce buffer, is really supposed to be a
>
> Here we are not handling bounce buffer. The bounce buffer is used only for
> the 2nd TRB which actually programs to receive data that is less than bounce
> buffer size. The 1st TRB will always be max packet aligned and the data is
> directly copied to the request buffer. (However note that if the request
> length is less than bounce buffer size, we'll use 1 TRB only)
>
> To summarize..
> We are splitting req->length into 2 TRB's if the req->length is not aligned
> to wMaxPacketSize _and_ req->length is greater than bounce buffer size. By
> this way we can make the 2nd TRB to receive data lesser than or equal to
> bounce buffer size and the rest of it can be received using the 1st TRB.
>
> Consider the following case.
> ur->length = 612;
> maxp = 512;
>
> This case can't be handled by the existing bounce buffer mechanism since the
> size of bounce buffer is only 512. So we program 2 TRB's.
> First TRB
> trb->size = 512; /* We don't need bounce buffer for this TRB since it is max
> packet aligned. The data is directly loaded to the request buffer. */
>
> Second TRB
> trb->size = 512 /* For the remaining 100 bytes we use bounce buffer and it
> uses the same existing bounce buffer mechanism. But instead of copying the
> data to the start of the request buffer, it has to be appended to the data
> that is received due to first TRB. */
this is all fine, but you need to make sure that you only copy the
remaining 100 bytes. Never, ever, ever copy anything past that.
> >throw-away buffer and should never have data in it. You should really
> >add a big fat WARN() if transferred > req->length.
> >
> >The thing is that if host sends more data than we were expecting, this
> >could be someone trying to use our driver as an exploit vector, trying
> >to send more data than it should. We must be robust against that.
>
> This is handled in the existing bounce buffer mechanism and I use the same
> bounce buffer mechanism for the 2nd TRB.
ok.
--
balbi
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Felipe Balbi <balbi@ti.com>
To: Kishon Vijay Abraham I <kishon@ti.com>
Cc: <balbi@ti.com>, <linux-usb@vger.kernel.org>,
<linux-omap@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<gregkh@linuxfoundation.org>, Sekhar Nori <nsekhar@ti.com>
Subject: Re: [RFC PATCH 2/2] usb: dwc3: Add chained TRB support for ep0
Date: Mon, 1 Jun 2015 13:42:36 -0500 [thread overview]
Message-ID: <20150601184236.GH26081@saruman.tx.rr.com> (raw)
In-Reply-To: <556C2BAC.4070901@ti.com>
[-- Attachment #1: Type: text/plain, Size: 2453 bytes --]
Hi,
On Mon, Jun 01, 2015 at 03:23:48PM +0530, Kishon Vijay Abraham I wrote:
> >>+ transferred = transfer_size - length;
> >>+ buf = (u8 *)buf + transferred;
> >>+ ur->actual += transferred;
> >
> >this is dangerous. The extra size is because you *must* align OUT to
> >wMaxPacketSize, so you cannot allow more than the original req->length
> >to be copied into buf. That bounce buffer, is really supposed to be a
>
> Here we are not handling bounce buffer. The bounce buffer is used only for
> the 2nd TRB which actually programs to receive data that is less than bounce
> buffer size. The 1st TRB will always be max packet aligned and the data is
> directly copied to the request buffer. (However note that if the request
> length is less than bounce buffer size, we'll use 1 TRB only)
>
> To summarize..
> We are splitting req->length into 2 TRB's if the req->length is not aligned
> to wMaxPacketSize _and_ req->length is greater than bounce buffer size. By
> this way we can make the 2nd TRB to receive data lesser than or equal to
> bounce buffer size and the rest of it can be received using the 1st TRB.
>
> Consider the following case.
> ur->length = 612;
> maxp = 512;
>
> This case can't be handled by the existing bounce buffer mechanism since the
> size of bounce buffer is only 512. So we program 2 TRB's.
> First TRB
> trb->size = 512; /* We don't need bounce buffer for this TRB since it is max
> packet aligned. The data is directly loaded to the request buffer. */
>
> Second TRB
> trb->size = 512 /* For the remaining 100 bytes we use bounce buffer and it
> uses the same existing bounce buffer mechanism. But instead of copying the
> data to the start of the request buffer, it has to be appended to the data
> that is received due to first TRB. */
this is all fine, but you need to make sure that you only copy the
remaining 100 bytes. Never, ever, ever copy anything past that.
> >throw-away buffer and should never have data in it. You should really
> >add a big fat WARN() if transferred > req->length.
> >
> >The thing is that if host sends more data than we were expecting, this
> >could be someone trying to use our driver as an exploit vector, trying
> >to send more data than it should. We must be robust against that.
>
> This is handled in the existing bounce buffer mechanism and I use the same
> bounce buffer mechanism for the 2nd TRB.
ok.
--
balbi
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2015-06-01 18:44 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-06 11:55 [RFC PATCH 1/2] usb: dwc3: ep0: preparation for implementing chained TRB Kishon Vijay Abraham I
2015-02-06 11:55 ` Kishon Vijay Abraham I
2015-02-06 11:55 ` [RFC PATCH 2/2] usb: dwc3: Add chained TRB support for ep0 Kishon Vijay Abraham I
2015-02-06 11:55 ` Kishon Vijay Abraham I
2015-02-06 14:48 ` Felipe Balbi
2015-02-06 14:48 ` Felipe Balbi
[not found] ` <20150206144841.GB16783-HgARHv6XitJaoMGHk7MhZQC/G2K4zDHf@public.gmane.org>
2015-06-01 9:53 ` Kishon Vijay Abraham I
2015-06-01 9:53 ` Kishon Vijay Abraham I
2015-06-01 18:42 ` Felipe Balbi [this message]
2015-06-01 18:42 ` Felipe Balbi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150601184236.GH26081@saruman.tx.rr.com \
--to=balbi@ti.com \
--cc=gregkh@linuxfoundation.org \
--cc=kishon@ti.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-omap@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=nsekhar@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.