On Thu, Aug 15, 2019 at 3:52 PM Oliver Neukum <oneukum@xxxxxxxx> wrote:
> > The UVC driver passes in offsets into a struct uvc_control as the
> > "buffer" that usb_control_msg() fills.
>
> Not quite that bad. It passes a pointer into the middle of a buffer
> used at different offsets for the transfer. This is technically allowed
> as long as you never touch the buffer while a transfer is ongoing.
>
> That is an accident waiting to happen. Please make a patch using
> a bounce buffer allocated with kmalloc() in
> drivers/media/usb/uvc/uvc_ctrl.c:uvc_ctrl_populate_cache() and friends.

A patch to uvcvideo will not fix the underlying bug with the host controller hardware. There are hundreds of device drivers of varying vintages that potentially react badly to having a rogue host controller DMA engine writing more bytes than were reported by the controller's interrupt status register.

So my original two questions still need answering:

1) Does the symptom seen with v4l2-ctl exist on other platforms using dwc2 (which implies that this is not a bug specific to Raspberry Pi)?
2) How do we harden upstream dwc2 against a broken controller DMA?
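As an added illustration that is not part of the thread, a userspace C model of the two buffer strategies discussed above: DMA straight into the interior of a driver struct versus a separately allocated bounce buffer, fed by a constructed controller that writes more bytes than it reports. The struct, field names and magic values are invented for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FLAGS_MAGIC 0xA5A5A5A5u
#define NEXT_MAGIC  0x5A5A5A5Au

/* Constructed stand-in for a per-control cache entry: the transfer is
 * meant to land in `data`; `flags` and `next` sit right behind it. */
struct ctrl_cache {
    uint8_t  data[4];
    uint32_t flags;
    uint32_t next;
};

/* Constructed misbehaving host controller: it reports one length to the
 * driver but actually writes `actual` bytes to `dst`. */
static void rogue_dma_write(uint8_t *dst, const uint8_t *src, size_t actual)
{
    memcpy(dst, src, actual);
}

/* Unsafe pattern: the DMA destination is a pointer into the struct itself
 * (data is at offset 0), so an over-length write spills into neighbours. */
static void fill_direct(struct ctrl_cache *c, const uint8_t *dev, size_t actual)
{
    rogue_dma_write((uint8_t *)c, dev, actual < sizeof *c ? actual : sizeof *c);
}

/* Hardened pattern: DMA lands in a separately allocated bounce buffer and
 * only the length the driver expects is copied back into the struct. */
static int fill_bounced(struct ctrl_cache *c, const uint8_t *dev, size_t actual)
{
    size_t cap = 64;                   /* constructed: size to the max transfer */
    uint8_t *bounce = calloc(cap, 1);
    if (!bounce) return -1;
    rogue_dma_write(bounce, dev, actual < cap ? actual : cap);
    memcpy(c->data, bounce, sizeof c->data);   /* copy back only what fits */
    free(bounce);
    return 0;
}

/* Run one scenario; return 1 if the fields next to `data` survived. */
int neighbours_intact(int use_bounce, size_t actual)
{
    uint8_t dev[64];
    struct ctrl_cache c = { {0}, FLAGS_MAGIC, NEXT_MAGIC };
    memset(dev, 0xFF, sizeof dev);
    if (use_bounce) fill_bounced(&c, dev, actual);
    else            fill_direct(&c, dev, actual);
    return c.flags == FLAGS_MAGIC && c.next == NEXT_MAGIC && c.data[0] == 0xFF;
}
```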