From: "Måns Rullgård" <mans@mansr.com>
To: Bin Liu <b-liu@ti.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: musb: fix crash with highmen PIO and usbmon
Date: Mon, 09 Mar 2020 14:41:01 +0000 [thread overview]
Message-ID: <yw1xpndlioaq.fsf@mansr.com> (raw)
In-Reply-To: <20200309140106.GA31115@iaqt7> (Bin Liu's message of "Mon, 9 Mar 2020 09:01:06 -0500")
Bin Liu <b-liu@ti.com> writes:
> Hi Mans,
>
> On Sat, Mar 07, 2020 at 01:07:20PM +0000, Mans Rullgard wrote:
>> When handling a PIO bulk transfer with highmem buffer, a temporary
>> mapping is assigned to urb->transfer_buffer. After the transfer is
>> complete, an invalid address is left behind in this pointer. This is
>> not ordinarily a problem since nothing touches that buffer before the
>> urb is released. However, when usbmon is active, usbmon_urb_complete()
>> calls (indirectly) mon_bin_get_data() which does access the transfer
>> buffer if it is set. To prevent an invalid memory access here, reset
>> urb->tranfer_buffer to NULL when finished.
>>
>> Fixes: 8e8a55165469 ("usb: musb: host: Handle highmem in PIO mode")
>> Signed-off-by: Mans Rullgard <mans@mansr.com>
>
> Thanks for fixing the bug.
>
>> ---
>> drivers/usb/musb/musb_host.c | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
>> index 1c813c37462a..b67b40de1947 100644
>> --- a/drivers/usb/musb/musb_host.c
>> +++ b/drivers/usb/musb/musb_host.c
>> @@ -1459,8 +1459,10 @@ void musb_host_tx(struct musb *musb, u8 epnum)
>> qh->segsize = length;
>>
>> if (qh->use_sg) {
>> - if (offset + length >= urb->transfer_buffer_length)
>> + if (offset + length >= urb->transfer_buffer_length) {
>> qh->use_sg = false;
>> + urb->transfer_buffer = NULL;
>> + }
>
> In this tx case, can you directly pass qh->sg_miter.addr to
> musb_write_fifo() so that urb->transfer_buffer is not touched at all?
Yes, that seems to work. I'll prepare a new patch.
--
Måns Rullgård
prev parent reply other threads:[~2020-03-09 14:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-07 13:07 [PATCH] usb: musb: fix crash with highmen PIO and usbmon Mans Rullgard
2020-03-09 14:01 ` Bin Liu
2020-03-09 14:41 ` Måns Rullgård [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yw1xpndlioaq.fsf@mansr.com \
--to=mans@mansr.com \
--cc=b-liu@ti.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.