From: Michal Nazarewicz
To: "Felipe F. Tonello", linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Felipe Balbi, Baolin Wang, Andrzej Pietrasiewicz
Subject: Re: [PATCH 2/9] usb: gadget: align buffer size when allocating for OUT endpoint
Date: Wed, 27 Jul 2016 21:59:21 +0200

On Tue, Jul 26 2016, Felipe F. Tonello wrote:
> Using usb_ep_align() makes sure that the buffer size for OUT endpoints is
> always aligned with wMaxPacketSize (512 usually). This makes sure
> that no buffer has the wrong size, which can cause nasty bugs.
> > Signed-off-by: Felipe F. Tonello > --- > drivers/usb/gadget/u_f.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/usb/gadget/u_f.c b/drivers/usb/gadget/u_f.c > index 4bc7eea8bfc8..d1933b0b76c3 100644 > --- a/drivers/usb/gadget/u_f.c > +++ b/drivers/usb/gadget/u_f.c > @@ -12,6 +12,7 @@ > */ > > #include "u_f.h" > +#include > > struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len) > { > @@ -20,6 +21,8 @@ struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len) > req = usb_ep_alloc_request(ep, GFP_ATOMIC); > if (req) { > req->length = len ?: default_len; > + if (usb_endpoint_dir_out(ep->desc)) > + req->length = usb_ep_align(ep, req->length); > req->buf = kmalloc(req->length, GFP_ATOMIC); > if (!req->buf) { > usb_ep_free_request(ep, req);

I’m a bit scared of this change. Drivers which call alloc_ep_req and
then ignore req->length using the same length they passed to the
function will silently drop data. Drivers which do not ignore
req->length may end up overwriting some other buffer, e.g.:

	some_buffer = kmalloc(length, GFP_KERNEL);
	req = alloc_ep_req(ep, length, 0);
	… later …
	memcpy(some_buffer, req->buf, req->length);

-- 
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»
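
Review bot: in the second hunk, usb_endpoint_dir_out(ep->desc) is called with no check that ep->desc is set, so a caller that allocates a request before the endpoint has a descriptor assigned would dereference NULL here; guard it with something like `if (ep->desc && usb_endpoint_dir_out(ep->desc))`, or state in a comment that alloc_ep_req() is only valid on an endpoint whose descriptor is already set. The same two added lines make req->length differ from the len the caller passed for OUT endpoints, and nothing visible in the function tells the caller; a kernel-doc comment on alloc_ep_req() saying that req->length may be rounded up, and that callers must size destination buffers and bound copies accordingly, would make that contract explicit.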
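
The hazard described in the reply above, as an added userspace C model (not code from the patch, the kernel, or either author). The names `model_req`, `model_align`, `model_alloc_req` and `model_copy_out` are hypothetical; the copy is bounded by the destination size and the received byte count rather than by the rounded-up `length`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_req {          /* constructed stand-in for struct usb_request */
    void  *buf;
    size_t length;          /* buffer size, possibly rounded up */
    size_t actual;          /* bytes actually received from the host */
};

/* Round len up to a whole number of packets. */
size_t model_align(size_t len, size_t maxpacket)
{
    return (len + maxpacket - 1) / maxpacket * maxpacket;
}

/* Allocate a request; OUT requests get a packet-aligned buffer. */
struct model_req *model_alloc_req(size_t len, size_t maxpacket, int is_out)
{
    struct model_req *req = calloc(1, sizeof(*req));
    if (!req) return NULL;
    req->length = is_out ? model_align(len, maxpacket) : len;
    req->buf = calloc(1, req->length);
    if (!req->buf) { free(req); return NULL; }
    return req;
}

/* Copy received data into dst without treating req->length as dst's size. */
size_t model_copy_out(void *dst, size_t dst_len,
                      const struct model_req *req, int *truncated)
{
    size_t n = req->actual < dst_len ? req->actual : dst_len;
    memcpy(dst, req->buf, n);
    *truncated = req->actual > dst_len;   /* data arrived that did not fit */
    return n;
}

int main(void)
{
    char dst[100];
    int truncated;
    struct model_req *req = model_alloc_req(sizeof(dst), 512, 1);
    if (!req) return 1;
    req->actual = 300;      /* constructed: host sent more than dst holds */
    size_t n = model_copy_out(dst, sizeof(dst), req, &truncated);
    printf("length=%zu copied=%zu truncated=%d\n", req->length, n, truncated);
    free(req->buf); free(req);
    return 0;
}
```

Copying `req->length` bytes into `dst` here would write 512 bytes into a 100-byte buffer, which is the overwrite the reply warns about; the `truncated` flag surfaces the other case, where data would otherwise be dropped silently.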