> -----Original Message----- > From: Felipe Balbi [mailto:balbi@xxxxxx] > Sent: Thursday, September 06, 2012 10:28 PM > To: Enrico Scholz > Cc: balbi@xxxxxx; Chen Peter-B29397; linux-usb@xxxxxxxxxxxxxxx; linuxppc- > dev@xxxxxxxxxxxxxxxx; Li Yang-R58472; gregkh@xxxxxxxxxxxxxxxxxxx > Subject: Re: [PATCH] usb: gadget: fsl_udc_core: do not immediatly prime > STATUS for IN xfer > > Hi, > > On Thu, Sep 06, 2012 at 04:27:12PM +0200, Enrico Scholz wrote: > > Felipe Balbi <balbi@xxxxxx> writes: > > > > >> > Because the fsl_udc_core driver shares one 'status_req' object > > >> > for the complete ep0 control transfer, it is not possible to > > >> > prime the final STATUS phase immediately after the IN > > >> > transaction. E.g. ch9getstatus() > > >> > executed: > > >> > > > >> > | req = udc->status_req; > > >> > | ... > > >> > | list_add_tail(&req->queue, &ep->queue); if > > >> > | (ep0_prime_status(udc, EP_DIR_OUT)) > > >> > | .... > > >> > | struct fsl_req *req = udc->status_req; > > >> > | list_add_tail(&req->queue, &ep->queue); > > >> > > > >> > which corrupts the ep->queue list by inserting 'status_req' > > >> > twice. This causes a kernel oops e.g. when 'lsusb -v' is executed > on the host. > > >> > > > >> > Patch delays the final 'ep0_prime_status(udc, EP_DIR_OUT))' by > > >> > moving it into the ep0 completion handler. > > >> > > > >> Enrico, thanks for pointing this problem. > > >> > > >> As "prime STATUS phase immediately after the IN transaction" is > > >> followed USB 2.0 spec, to fix this problem, it is better to add > data_req for ep0. > > >> In fact, it is already at FSL i.mx internal code, just still not > mainlined. > > > > > > so, do I get an Acked-by to this patch ? Does it need to go on > > > v3.6-rc or can it wait until v3.7 merge window ? > > > > Without this (or the mentioned data_req patch), I can crash a g_multi > > gadget by executing 'lsusb -v' as root on the host. Should not be > > exploitable (only a BUG_ON() is triggered) but issue should be fixed > > asap. > > cool, so I'll apply to my fixes branch as soon as I get Acked-by or > Tested-by from someone. This seems to revert the error handling for USB2.0 spec 8.5.3.3. But the problem is a serious one to be fixed right away. So Acked-by: Li Yang <leoli@xxxxxxxxxxxxx> We need to revisit the error handling issue later and find a proper way to address it. Regards, Leo -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
