From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
David Mosberger <davidm@egauge.net>,
Jaejoong Kim <climbbb.kim@gmail.com>,
Mauro Carvalho Chehab <mchehab@infradead.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
GregKroah-Hartman <gregkh@linuxfoundation.org>,
<linux-rpi-kernel@lists.infradead.org>,
Jonathan Corbet <corbet@lwn.net>,
Wolfram Sang <wsa-dev@sang-engineering.com>,
John Youn <johnyoun@synopsys.com>, Roger Quadros <rogerq@ti.com>,
Linux Doc MailingList <linux-doc@vger.kernel.org>,
Linux Media Mailing List <linux-media@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>
Subject: Re: [PATCH 22/22] usb: document that URB transfer_buffer should be aligned
Date: Thu, 30 Mar 2017 12:45:01 -0300 [thread overview]
Message-ID: <20170330124501.6ba20ded@vento.lan> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1703301024090.2186-100000@iolanthe.rowland.org>
Em Thu, 30 Mar 2017 10:26:32 -0400 (EDT)
Alan Stern <stern@rowland.harvard.edu> escreveu:
> On Thu, 30 Mar 2017, Oliver Neukum wrote:
>
> > > Btw, I'm a lot more concerned about USB storage drivers. When I was
> > > discussing about this issue at the #raspberrypi-devel IRC channel,
> > > someone complained that, after switching from the RPi downstream Kernel
> > > to upstream, his USB data storage got corrupted. Well, if the USB
> > > storage drivers also assume that the buffer can be continuous,
> > > that can corrupt data.
>
> >
> > They do assume that.
>
> Wait a minute. Where does that assumption occur?
>
> And exactly what is the assumption? Mauro wrote "the buffer can be
> continuous", but that is certainly not what he meant.
What I meant to say is that drivers like the uvcdriver (and maybe network and
usb-storage drivers) may allocate a big buffer and get data there on some
random order, e. g.:
int get_from_buf_pos(char *buf, int pos, int size)
{
/* or an equivalent call to usb_submit_urb() */
usb_control_msg(..., buf + pos, size, ...);
}
some_function ()
{
...
chr *buf = kzalloc(4, GFP_KERNEL);
/*
* Access the bytes at the array on a random order, with random size,
* Like:
*/
get_from_buf_pos(buf, 2, 2); /* should read 0x56, 0x78 */
get_from_buf_pos(buf, 0, 2); /* should read 0x12, 0x34 */
/*
* the expected value for the buffer would be:
* { 0x12, 0x34, 0x56, 0x78 }
*/
E. g. they assume that the transfer URB can work with any arbitrary
pointer and size, without needing of pre-align them.
This doesn't work with HCD drivers like dwc2, as each USB_IN operation will
actually write 4 bytes to the buffer.
So, what happens, instead, is that each data transfer will get four
bytes. Due to a hack inside dwc2, with checks if the transfer_buffer
is DWORD aligned. So, the first transfer will do what's expected: it will
read 4 bytes to a temporary buffer, allocated inside the driver,
copying just two bytes to buf. So, after the first read, the
buffer content will be:
buf = { 0x00, x00, 0x56, 0x78 }
But, on the second read, it won't be using any temporary
buffer. So, instead of reading a 16-bits word (0x5678),
it will actually read 32 bits, with 16-bits with some random value,
causing a buffer overflow. E. g. buffer content will now be:
buf = { 0x12, x34, 0xde, 0xad }
In other words, the second transfer corrupted the data from the
first transfer.
Thanks,
Mauro
next prev parent reply other threads:[~2017-03-30 15:45 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-29 18:54 [PATCH 01/22] driver-api/basics.rst: add device table header Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 02/22] docs-rst: convert usb docbooks to ReST Mauro Carvalho Chehab
2017-03-30 7:48 ` Markus Heiser
2017-03-30 8:21 ` Jani Nikula
2017-03-30 9:20 ` Markus Heiser
2017-03-30 10:12 ` Mauro Carvalho Chehab
2017-03-30 11:17 ` Markus Heiser
2017-03-30 11:35 ` Markus Heiser
2017-03-30 12:10 ` Mauro Carvalho Chehab
2017-03-31 14:46 ` Jonathan Corbet
2017-03-29 18:54 ` [PATCH 03/22] usb.rst: Enrich its ReST representation Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 04/22] gadget.rst: Enrich its ReST representation and add kernel-doc tag Mauro Carvalho Chehab
2017-03-30 7:01 ` Jani Nikula
2017-03-30 7:04 ` Jani Nikula
2017-03-30 9:29 ` Mauro Carvalho Chehab
2017-03-30 8:45 ` Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 05/22] writing_usb_driver.rst: Enrich its ReST representation Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 06/22] writing_musb_glue_layer.rst: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 07/22] usb/anchors.txt: convert to ReST and add to driver-api book Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 08/22] usb/bulk-streams.txt: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 09/22] usb/callbacks.txt: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 10/22] usb/power-management.txt: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 11/22] usb/dma.txt: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 12/22] error-codes.rst: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 13/22] usb/hotplug.txt: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 14/22] usb/persist.txt: " Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 15/22] usb/URB.txt: convert to ReST and update it Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 16/22] usb/gadget.rst: remove unused kernel-doc tags Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 17/22] usb.rst: get rid of some Sphinx errors Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 18/22] usb: get rid of some ReST doc build errors Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 19/22] usb: composite.h: fix two warnings when building docs Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 20/22] usb: gadget.h: be consistent at kernel doc macros Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 21/22] docs-rst: fix usb cross-references Mauro Carvalho Chehab
2017-03-29 18:54 ` [PATCH 22/22] usb: document that URB transfer_buffer should be aligned Mauro Carvalho Chehab
2017-03-29 22:15 ` Laurent Pinchart
2017-03-30 1:06 ` Mauro Carvalho Chehab
2017-03-30 9:38 ` Laurent Pinchart
2017-03-30 10:51 ` Mauro Carvalho Chehab
2017-03-30 8:11 ` Oliver Neukum
2017-03-30 9:34 ` Laurent Pinchart
2017-03-30 10:28 ` Mauro Carvalho Chehab
2017-03-30 11:07 ` David Laight
2017-03-30 12:05 ` Laurent Pinchart
2017-03-30 12:37 ` Mauro Carvalho Chehab
2017-03-30 12:56 ` Oliver Neukum
2017-03-30 14:26 ` Alan Stern
2017-03-30 15:45 ` Mauro Carvalho Chehab [this message]
2017-03-30 15:55 ` Alan Stern
2017-03-30 20:16 ` Laurent Pinchart
2017-03-30 20:57 ` Oliver Neukum
2017-03-31 14:07 ` Alan Stern
2017-03-31 1:26 ` [PATCH 01/22] driver-api/basics.rst: add device table header kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170330124501.6ba20ded@vento.lan \
--to=mchehab@s-opensource.com \
--cc=climbbb.kim@gmail.com \
--cc=corbet@lwn.net \
--cc=davidm@egauge.net \
--cc=gregkh@linuxfoundation.org \
--cc=johnyoun@synopsys.com \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@infradead.org \
--cc=mchehab@kernel.org \
--cc=oneukum@suse.com \
--cc=rogerq@ti.com \
--cc=stern@rowland.harvard.edu \
--cc=wsa-dev@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox