[PATCH] USB: usbmon: fix bug in mon_buff_area_shrink

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch (as1299) fixes a bug in an error-handling path of usbmon's
binary interface.  The storage area for URB data is divided into
fixed-size blocks.  If an URB's data can't be copied, the area
reserved for it should be decreased to the size of the truncated
information (rounded up to a block boundary).  Rounding up the amount
to be removed and subtracting it from the reserved size is definitely
the wrong thing to do.

Also, when the data for an isochronous URB can't be copied, we can
still copy the isoc packet descriptors.  In fact the current code does
copy the descriptors, but then sets the capture length to 0 so they
become inaccessible.  The capture length should be reduced to the
length of the descriptors, not set to 0.

Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
CC: Pete Zaitcev <zaitcev@xxxxxxxxxx>

---

With Pete's approval, this patch probably should go into 2.6.32 and the
earlier stable trees.  I don't know if the bug has affected anyone yet,
but it certainly could.



Index: usb-2.6/drivers/usb/mon/mon_bin.c
===================================================================
--- usb-2.6.orig/drivers/usb/mon/mon_bin.c
+++ usb-2.6/drivers/usb/mon/mon_bin.c
@@ -350,10 +350,13 @@ static unsigned int mon_buff_area_alloc_
  * Return a few (kilo-)bytes to the head of the buffer.
  * This is used if a DMA fetch fails.
  */
-static void mon_buff_area_shrink(struct mon_reader_bin *rp, unsigned int size)
+static void mon_buff_area_shrink(struct mon_reader_bin *rp, unsigned int num,
+		unsigned int oldsize)
 {
+	unsigned int size;
 
-	size = (size + PKT_ALIGN-1) & ~(PKT_ALIGN-1);
+	size = ((oldsize + PKT_ALIGN-1) & ~(PKT_ALIGN-1)) -
+			((oldsize - num + PKT_ALIGN-1) & ~(PKT_ALIGN-1));
 	rp->b_cnt -= size;
 	if (rp->b_in < size)
 		rp->b_in += rp->b_size;
@@ -537,8 +540,9 @@ static void mon_bin_event(struct mon_rea
 	if (length != 0) {
 		ep->flag_data = mon_bin_get_data(rp, offset, urb, length);
 		if (ep->flag_data != 0) {	/* Yes, it's 0x00, not '0' */
-			ep->len_cap = 0;
-			mon_buff_area_shrink(rp, length);
+			ep->len_cap = lendesc;
+			mon_buff_area_shrink(rp, length,
+					length + PKT_SIZE + lendesc);
 		}
 	} else {
 		ep->flag_data = data_tag;

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux