From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.cvg.de (mail.cvg.de [62.153.82.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mail.cvg.de", Issuer "SIGMA Chemnitz Server CA" (not verified)) by ozlabs.org (Postfix) with ESMTPS id 57D8C2C0099 for ; Fri, 7 Sep 2012 00:27:24 +1000 (EST) From: Enrico Scholz To: balbi@ti.com Subject: Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime STATUS for IN xfer References: <1346777932-3362-1-git-send-email-enrico.scholz@sigma-chemnitz.de> <20120906131708.GJ29202@arwen.pp.htv.fi> Date: Thu, 06 Sep 2012 16:27:12 +0200 In-Reply-To: <20120906131708.GJ29202@arwen.pp.htv.fi> (Felipe Balbi's message of "Thu, 6 Sep 2012 16:17:10 +0300") Message-ID: MIME-Version: 1.0 Content-Type: text/plain Sender: Enrico Scholz Cc: Chen Peter-B29397 , "linux-usb@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" , Li Yang-R58472 , "gregkh@linuxfoundation.org" List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Felipe Balbi writes: >> > Because the fsl_udc_core driver shares one 'status_req' object for the >> > complete ep0 control transfer, it is not possible to prime the final >> > STATUS phase immediately after the IN transaction. E.g. ch9getstatus() >> > executed: >> > >> > | req = udc->status_req; >> > | ... >> > | list_add_tail(&req->queue, &ep->queue); >> > | if (ep0_prime_status(udc, EP_DIR_OUT)) >> > | .... >> > | struct fsl_req *req = udc->status_req; >> > | list_add_tail(&req->queue, &ep->queue); >> > >> > which corrupts the ep->queue list by inserting 'status_req' twice. This >> > causes a kernel oops e.g. when 'lsusb -v' is executed on the host. >> > >> > Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by moving it >> > into the ep0 completion handler. >> > >> Enrico, thanks for pointing this problem. >> >> As "prime STATUS phase immediately after the IN transaction" is followed >> USB 2.0 spec, to fix this problem, it is better to add data_req for ep0. >> In fact, it is already at FSL i.mx internal code, just still not mainlined. > > so, do I get an Acked-by to this patch ? Does it need to go on v3.6-rc > or can it wait until v3.7 merge window ? Without this (or the mentioned data_req patch), I can crash a g_multi gadget by executing 'lsusb -v' as root on the host. Should not be exploitable (only a BUG_ON() is triggered) but issue should be fixed asap. Enrico