On Thu, Dec 12, 2019 at 4:38 PM Peter Chen <peter.chen@xxxxxxx> wrote: > > The UDC core uses req->num_sgs to judge if scatter buffer list is used. > Eg: usb_gadget_map_request_by_dev. For f_fs sync io mode, the request > is re-used for each request, so if the 1st request->length > PAGE_SIZE, > and the 2nd request->length is <= PAGE_SIZE, the f_fs uses the 1st > req->num_sgs for the 2nd request, it causes the UDC core to get the wrong > req->num_sgs value (The 2nd request doesn't use sg). For f_fs async > io mode, it is not harmful to initialize req->num_sgs as 0 either, in case > the UDC driver doesn't zero the request structure. > > Cc: Jun Li <jun.li@xxxxxxx> > Cc: stable <stable@xxxxxxxxxxxxxxx> > Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers") > Signed-off-by: Peter Chen <peter.chen@xxxxxxx> > --- > Changes for v2: > - Using the correct patch, and initialize req->num_sgs as 0 for aio too. > > drivers/usb/gadget/function/f_fs.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 59d9d512dcda..ced2581cf99f 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -1062,6 +1062,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) > req->num_sgs = io_data->sgt.nents; > } else { > req->buf = data; > + req->num_sgs = 0; > } > req->length = data_len; > > @@ -1105,6 +1106,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) > req->num_sgs = io_data->sgt.nents; > } else { > req->buf = data; > + req->num_sgs = 0; > } > req->length = data_len; > > -- > 2.17.1 > A gentle ping... Thanks, Peter
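Review bot: In the first hunk (@@ -1062), the new `req->num_sgs = 0;` in the else branch has no comment saying why it is needed, and the reason is not obvious from the code alone. The commit message explains that the request is re-used in sync io mode, so a count left over from a previous scatter-gather request would otherwise be read by the UDC core for a request that only sets `req->buf`. A one-line comment above the assignment stating that the request is re-used would keep a later cleanup from dropping the line as redundant. It is also worth checking whether the scatter-gather branch sets other fields that the else branch leaves stale; the visible context shows only `num_sgs` being reset.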
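Review bot: The second hunk (@@ -1105) repeats the else branch of the first hunk line for line, so the buffer/scatter-gather setup now has to be kept in sync in two places inside ffs_epfile_io(), which is how one path can be fixed and the other missed (the v2 changelog notes this second site was added later). Consider factoring the if/else that fills `req->buf` and `req->num_sgs` into a small helper called from both places. Since the commit message describes the reset here as a precaution for UDC drivers that do not zero the request structure, say so in a comment so the intent is recorded next to the code.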