Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp7376616yba; Thu, 2 May 2019 08:50:35 -0700 (PDT) X-Google-Smtp-Source: APXvYqwybf8uXVpuOjQBqpWiI9gRqkJZt19II2hWAuwdE8B4G/4D4HCmMBM1QYD2Ilp+NTjMAbbt X-Received: by 2002:a17:902:b68d:: with SMTP id c13mr4603946pls.10.1556812235418; Thu, 02 May 2019 08:50:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556812235; cv=none; d=google.com; s=arc-20160816; b=YDBfBJkp3KO7w6YnVlttdjTTvzT8/B/syrH/Cb2Xak3oME1wlS9sGtbyc10wysDhsc hZgI2HTfB0azAcZDQk4HfEDBOoj7hff+u8HDX/RPcz4+AChlXGP+UYyaSxXCV16iMdq5 E2xIKP5inCi8LOBA5iJu2ABJay5mBFQRvNDxyMpjKw1/qbiT0wc7MrJclHYbha91725T fseGwKEyTesXrX6cqhdmFZjhdeHjuOwguqGwszvgem+RY0klmwfhJ+RdLoa0g8x3jw8j sqjShB5WfTt3VgjrezAlI4/R8/N4fmMcTJ+4INHRDQ+5T7PDizYuvh8jOE/EvULyoL9p 2rgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=CWpwt89Y8+QDA4LPFyFaAwq2k2rlxoggNsTEYvuMTy8=; b=0PxDa/OBzvhLPLqO9YpJw+2Uo9yYJWlzSA2KZFxDKzQkmT4VT9loX0lY1Svt9t66jx 98FTPtH970rknvTkl4gE9QLijSpr2ySeluCIha839+wqVU1WE1UP0dKHxxJW8rb2y8IL /hpwyGyneFLes+RYi0ju2qI+puiKvQhcQPMpQBLTP6NHcN3MM9aip1Lx8FTXVTRB1Oqk a9YCZiLGcFPdQxz8WZqCnTqTZgRxO0VgXhOtNDR0gApdDTwOkVkiX2m/mWKqIWIYS2g7 Zai0/sqqvf0i7fOrMw/MT5yJxdIa3skYr9j+djoVfDlzBlu55JS6WDaYqqpGfFl/hApD i9fA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xB80QtNX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p13si47536831pll.324.2019.05.02.08.50.20; Thu, 02 May 2019 08:50:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xB80QtNX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727120AbfEBPXr (ORCPT + 99 others); Thu, 2 May 2019 11:23:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:39438 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727100AbfEBPXn (ORCPT ); Thu, 2 May 2019 11:23:43 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 57EE120B7C; Thu, 2 May 2019 15:23:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556810622; bh=ws82KC501gVjUTNJBv5cgYxkLmImrqdirK6yBkcTvhs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xB80QtNXt4aOik0O1RR82NBaNS3Edc4F7mjZ5ddpUBIPKKq2ANUhMl+EvzqTwWq9t Ura9UugosE+LTchI2DqABvMtoPpzN9PiRmdT5CbkSiTcO+tDH36eAZqZ4uH7RrXmpZ 4SHcetcmz8cMmr3MU9vJmC6uO5dpYhvX9kYB4EU8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alan Stern , Guido Kiener , Felipe Balbi , "Sasha Levin (Microsoft)" Subject: [PATCH 4.14 17/49] usb: gadget: net2280: Fix overrun of OUT messages Date: Thu, 2 May 2019 17:20:54 +0200 Message-Id: <20190502143326.250537180@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190502143323.397051088@linuxfoundation.org> References: <20190502143323.397051088@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ] The OUT endpoint normally blocks (NAK) subsequent packets when a short packet was received and returns an incomplete queue entry to the gadget driver. Thereby the gadget driver can detect a short packet when reading queue entries with a length that is not equal to a multiple of packet size. The start_queue() function enables receiving OUT packets regardless of the content of the OUT FIFO. This results in a race: With the current code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat) & BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short packet will be received, and then start_queue() will call stop_out_naking(). That's what we don't want (OUT naking gets turned off while there is data in the FIFO) because then the next driver request might receive a mixture of old and new packets. With the patch, this race can't occur because the FIFO's state is tested after we know that OUT naking is already turned on, and OUT naking is stopped only when both of the conditions are met. This ensures that all received data is delivered to the gadget driver, which can detect a short packet now before new packets are appended to the last short packet. Acked-by: Alan Stern Signed-off-by: Guido Kiener Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin (Microsoft) --- drivers/usb/gadget/udc/net2280.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c index 9cbb061582a7..a071ab0c163b 100644 --- a/drivers/usb/gadget/udc/net2280.c +++ b/drivers/usb/gadget/udc/net2280.c @@ -870,9 +870,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma) (void) readl(&ep->dev->pci->pcimstctl); writel(BIT(DMA_START), &dma->dmastat); - - if (!ep->is_in) - stop_out_naking(ep); } static void start_dma(struct net2280_ep *ep, struct net2280_request *req) @@ -911,6 +908,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req) writel(BIT(DMA_START), &dma->dmastat); return; } + stop_out_naking(ep); } tmp = dmactl_default; -- 2.19.1