Message ID | 20240228115441.2105585-1-quic_kriskura@quicinc.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel+bounces-84982-ouuuleilei=gmail.com@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7300:a81b:b0:108:e6aa:91d0 with SMTP id bq27csp3294944dyb; Wed, 28 Feb 2024 04:00:06 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUdgp7notIZPqIFUGUgJs0Yzny/93Q/CB8kRoPIRh41CKcllranFqwj2zH2DruIUXuMsgfTV7iNW6TBiSIwAqMqNaO1Ag== X-Google-Smtp-Source: AGHT+IFpNJtL2wyxVhbEuC2l3OZAFTu2Msbp/l1OsYkdagckRPHAvsPKAt/zAgod43GzQC6YXBkW X-Received: by 2002:a17:906:118c:b0:a44:1b36:22c3 with SMTP id n12-20020a170906118c00b00a441b3622c3mr281838eja.42.1709121606256; Wed, 28 Feb 2024 04:00:06 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709121606; cv=pass; d=google.com; s=arc-20160816; b=i3eWhijHkj4AR/IIY87RFzyG0dFff6pUBpx6OQdHrPJdZfevqbqVKMstp//GnLHiTz rFtjr7xDgSKIPTqPEKctL42Sw/1LBVncv4R0poKsntsEUhpyN7KsGvu+pIVrniOf6Nlg hK2l/onABYJchr76GNyFOJH8bNepSeBglg33uwJVa6OpsOHKV9kYhR/UoTt03Br/zkh9 0e8I1q7eUcmxeJ4iBWv+0hU1Aa/ykIms/cWDwiMBLMKn1imCbSjanM8yQVpjydEZZ5fg UM3+KiNMdiakqsoai9W6In8SahIwo18SKb8Ofj+9rVV4qL5kDMGVvppZTziBr6oBKpJ9 /DoA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=lPKI7ijCRTDGsDbPL2swmcpW7vZDAd8x9irmrXuFoQc=; fh=9wUwERTIPV6Pq/kGZbROlqDw7mqDQqKlfQaJ7sOIt70=; b=gc8wBzMUclmEwyHHRSU9tnZOp57B7/gzfNjQqnEvLaXQAdiYi+URQTGqKGXaJRDdGS kqjf0wxZn1EQZaheEV63H4d9wJK4HotvCj0j+ja1SOYRdDnq55nqsYxgIuzqJt/a/GbW XHGtSBjxIFQy9DxAltrpHjFQ+JJA0sihmIGMofidgnSExesjgYwovAPeRfI4w9l7gnf4 f0weqntvtal/YPcd1n76yaxddprI6UAeHWnJB7FJD0mXqsMyJcGJXfHrZGmaFmpmvv45 0QWbA4JFJuR+KaAuUnc+vNrYt1bKCqflQNC1cefpU/zpWFgXP+ogPPzNqd7BFMKKv4Wt GINg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=lx9cvsd0; arc=pass (i=1 spf=pass spfdomain=quicinc.com dkim=pass dkdomain=quicinc.com dmarc=pass fromdomain=quicinc.com); spf=pass (google.com: domain of linux-kernel+bounces-84982-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-84982-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id qu15-20020a170907110f00b00a4389f1525fsi1713445ejb.356.2024.02.28.04.00.06 for <ouuuleilei@gmail.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Feb 2024 04:00:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-84982-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=lx9cvsd0; arc=pass (i=1 spf=pass spfdomain=quicinc.com dkim=pass dkdomain=quicinc.com dmarc=pass fromdomain=quicinc.com); spf=pass (google.com: domain of linux-kernel+bounces-84982-ouuuleilei=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-84982-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id DBF141F2523A for <ouuuleilei@gmail.com>; Wed, 28 Feb 2024 12:00:05 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 53E756CDD5; Wed, 28 Feb 2024 11:55:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="lx9cvsd0" Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 687373BBFE; Wed, 28 Feb 2024 11:54:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709121301; cv=none; b=Ecp+gXTdtA9SysRDFG3qxCSGSyGJrqXDQTOaYSLBm791YmQ0x0rNNjhxrLjf/EXW24d5vIlduKwlz2f92/XBTXe4rPztZ8KWZrTz3uNWcYL47zFuWiC/q+31ChkE8oEEB202pBlpr7PP5j9RREzTF8BTnZCCUrR+vvkZ56TZRio= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709121301; c=relaxed/simple; bh=xMUdnGoq6QicZhMufyqPYAP3/Ngm6o1tDFpEwqzwkVQ=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=sSOTEhErlriNhRSfh7k/wf0cuit55E6l1KElPi720ZRbU7ZiE7uToHza20ifLtWpQqruxnIf2jnK0KNbEp1kglA/hYyqC7/fS6TBXwg/Fob3LAvNtdXFFLMTN2N1+zGIrrhzlgCcrHaXZQ3/Ja+ccbZy2RrF37k98Xj5X/OqvnY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=lx9cvsd0; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Received: from pps.filterd (m0279871.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 41S9EScE015466; Wed, 28 Feb 2024 11:54:56 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= from:to:cc:subject:date:message-id:mime-version:content-type :content-transfer-encoding; s=qcppdkim1; bh=lPKI7ijCRTDGsDbPL2sw mcpW7vZDAd8x9irmrXuFoQc=; b=lx9cvsd0WselbOFtpFVVdKSUmGLrN73AHpLH xs/JJK2XgAWSP4Qzl5Mxl4cDW4XpGJKGb17bQqLfuQJHeRVuf2fFyGpgLk9+/9dP 0BgEbtSIgaUOF5XVHMlZ2EVOws9wpMEseZTWT5VYfi5UyiKxZKB9eRri5MHAaPKi /DadNnbziqx3cmPSFYZDhsFxj04ub9KNvuci4t/5OYNUTstq5isoswVZ5K+Zkh4X plYa9pdEcDlp1FGmPnwAKjXVpazGZjfg2PNWrOnDCDVNZFPLxXI5+8qtlzrCJzKe tIWkt0rwzlv9tDLJyewmR6dZzislXM8/5NBdhORCE0CzU2NYEg== Received: from nalasppmta02.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3wj2148bcf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 28 Feb 2024 11:54:56 +0000 (GMT) Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA02.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 41SBst9o019977 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 28 Feb 2024 11:54:55 GMT Received: from hu-kriskura-hyd.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Wed, 28 Feb 2024 03:54:51 -0800 From: Krishna Kurapati <quic_kriskura@quicinc.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, =?utf-8?q?Maciej_=C5=BB?= =?utf-8?q?enczykowski?= <maze@google.com> CC: <linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <quic_ppratap@quicinc.com>, <quic_wcheng@quicinc.com>, <quic_jackp@quicinc.com>, Krishna Kurapati <quic_kriskura@quicinc.com>, <stable@vger.kernel.org> Subject: [PATCH v2] usb: gadget: ncm: Fix handling of zero block length packets Date: Wed, 28 Feb 2024 17:24:41 +0530 Message-ID: <20240228115441.2105585-1-quic_kriskura@quicinc.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: <linux-kernel.vger.kernel.org> List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org> List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: f2AS7FZha-3XF9GRzWVZ9FWsyCu41o0B X-Proofpoint-GUID: f2AS7FZha-3XF9GRzWVZ9FWsyCu41o0B X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-02-28_04,2024-02-27_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 malwarescore=0 lowpriorityscore=0 suspectscore=0 bulkscore=0 spamscore=0 adultscore=0 priorityscore=1501 mlxscore=0 mlxlogscore=496 clxscore=1015 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2402120000 definitions=main-2402280094 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1792143897441122744 X-GMAIL-MSGID: 1792143897441122744 |
Series |
[v2] usb: gadget: ncm: Fix handling of zero block length packets
|
|
Commit Message
Krishna Kurapati
Feb. 28, 2024, 11:54 a.m. UTC
While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX
set to 65536, it has been observed that we receive short packets,
which come at interval of 5-10 seconds sometimes and have block
length zero but still contain 1-2 valid datagrams present.
According to the NCM spec:
"If wBlockLength = 0x0000, the block is terminated by a
short packet. In this case, the USB transfer must still
be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If
exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,
and the size is a multiple of wMaxPacketSize for the
given pipe, then no ZLP shall be sent.
wBlockLength= 0x0000 must be used with extreme care, because
of the possibility that the host and device may get out of
sync, and because of test issues.
wBlockLength = 0x0000 allows the sender to reduce latency by
starting to send a very large NTB, and then shortening it when
the sender discovers that there’s not sufficient data to justify
sending a large NTB"
However, there is a potential issue with the current implementation,
as it checks for the occurrence of multiple NTBs in a single
giveback by verifying if the leftover bytes to be processed is zero
or not. If the block length reads zero, we would process the same
NTB infintely because the leftover bytes is never zero and it leads
to a crash. Fix this by bailing out if block length reads zero.
Cc: <stable@vger.kernel.org>
Fixes: 427694cfaafa ("usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call")
Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
---
Changes in v2:
Removed goto label
Link to v1:
https://lore.kernel.org/all/20240226112815.2616719-1-quic_kriskura@quicinc.com/
drivers/usb/gadget/function/f_ncm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Wed, Feb 28, 2024 at 3:54 AM Krishna Kurapati <quic_kriskura@quicinc.com> wrote: > > While connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX > set to 65536, it has been observed that we receive short packets, > which come at interval of 5-10 seconds sometimes and have block > length zero but still contain 1-2 valid datagrams present. > > According to the NCM spec: > > "If wBlockLength = 0x0000, the block is terminated by a > short packet. In this case, the USB transfer must still > be shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If > exactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent, > and the size is a multiple of wMaxPacketSize for the > given pipe, then no ZLP shall be sent. > > wBlockLength= 0x0000 must be used with extreme care, because > of the possibility that the host and device may get out of > sync, and because of test issues. > > wBlockLength = 0x0000 allows the sender to reduce latency by > starting to send a very large NTB, and then shortening it when > the sender discovers that there’s not sufficient data to justify > sending a large NTB" > > However, there is a potential issue with the current implementation, > as it checks for the occurrence of multiple NTBs in a single > giveback by verifying if the leftover bytes to be processed is zero > or not. If the block length reads zero, we would process the same > NTB infintely because the leftover bytes is never zero and it leads > to a crash. Fix this by bailing out if block length reads zero. > > Cc: <stable@vger.kernel.org> > Fixes: 427694cfaafa ("usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call") > Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com> > --- > Changes in v2: > Removed goto label > > Link to v1: > https://lore.kernel.org/all/20240226112815.2616719-1-quic_kriskura@quicinc.com/ > > drivers/usb/gadget/function/f_ncm.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c > index e2a059cfda2c..28f4e6552e84 100644 > --- a/drivers/usb/gadget/function/f_ncm.c > +++ b/drivers/usb/gadget/function/f_ncm.c > @@ -1346,7 +1346,7 @@ static int ncm_unwrap_ntb(struct gether *port, > if (to_process == 1 && > (*(unsigned char *)(ntb_ptr + block_len) == 0x00)) { > to_process--; > - } else if (to_process > 0) { > + } else if ((to_process > 0) && (block_len != 0)) { > ntb_ptr = (unsigned char *)(ntb_ptr + block_len); > goto parse_ntb; > } > -- > 2.34.1 Reviewed-by: Maciej Żenczykowski <maze@google.com>
diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index e2a059cfda2c..28f4e6552e84 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -1346,7 +1346,7 @@ static int ncm_unwrap_ntb(struct gether *port, if (to_process == 1 && (*(unsigned char *)(ntb_ptr + block_len) == 0x00)) { to_process--; - } else if (to_process > 0) { + } else if ((to_process > 0) && (block_len != 0)) { ntb_ptr = (unsigned char *)(ntb_ptr + block_len); goto parse_ntb; }