linux/drivers/usb/gadget/udc
Raz Manor ef5e2fa9f6 usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
In the function scan_dma_completions() there is a reusage of tmp
variable. That coused a wrong value being used in some case when
reading a short packet terminated transaction from an endpoint,
in 2 concecutive reads.

This was my logic for the patch:

The req->td->dmadesc equals to 0 iff:
-- There was a transaction ending with a short packet, and
-- The read() to read it was shorter than the transaction length, and
-- The read() to complete it is longer than the residue.
I believe this is true from the printouts of various cases,
but I can't be positive it is correct.

Entering this if, there should be no more data in the endpoint
(a short packet terminated the transaction).
If there is, the transaction wasn't really done and we should exit and
wait for it to finish entirely. That is the inner if.
That inner if should never happen, but it is there to be on the safe
side. That is why it is marked with the comment /* paranoia */.
The size of the data available in the endpoint is ep->dma->dmacount
and it is read to tmp.
This entire clause is based on my own educated guesses.

If we passed that inner if without breaking in the original code,
than tmp & DMA_BYTE_MASK_COUNT== 0.
That means we will always pass dma bytes count of 0 to dma_done(),
meaning all the requested bytes were read.

dma_done() reports back to the upper layer that the request (read())
was done and how many bytes were read.
In the original code that would always be the request size,
regardless of the actual size of the data.
That did not make sense to me at all.

However, the original value of tmp is req->td->dmacount,
which is the dmacount value when the request's dma transaction was
finished. And that is a much more reasonable value to report back to
the caller.

To recreate the problem:
Read from a bulk out endpoint in a loop, 1024 * n bytes in each
iteration.
Connect the PLX to a host you can control.
Send to that endpoint 1024 * n + x bytes,
such that 0 < x < 1024 * n and (x % 1024) != 0
You would expect the first read() to return 1024 * n
and the second read() to return x.
But you will get the first read to return 1024 * n
and the second one to return 1024 * n.
That is true for every positive integer n.

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Signed-off-by: Raz Manor <Raz.Manor@valens.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2017-03-06 17:14:26 +02:00
..
bdc usb: gadget: udc: bdc: remove unnecessary & operation 2016-11-03 10:38:25 +02:00
amd5536udc.c usb: gadget: fix unused-but-set-variale warnings 2016-06-21 11:04:09 +03:00
amd5536udc.h usb: gadget: amd5536udc: remove unnecessary conditions 2015-10-01 12:40:20 -05:00
at91_udc.c usb: gadget: udc: at91: use PTR_ERR_OR_ZERO() 2016-04-14 09:24:38 +03:00
at91_udc.h usb: Convert pr_warning to pr_warn 2016-11-03 10:38:36 +02:00
atmel_usba_udc.c usb: gadget: udc: atmel: fix debug output 2017-03-06 16:54:29 +02:00
atmel_usba_udc.h USB: changes for v4.11 2017-01-26 15:36:28 +01:00
bcm63xx_udc.c treewide: remove redundant #include <linux/kconfig.h> 2016-10-11 15:06:33 -07:00
core.c usb: gadget: udc-core: Rescan pending list on driver unbind 2017-01-24 11:04:07 +02:00
dummy_hcd.c usb: gadget: dummy_hcd: clear usb_gadget region before registration 2017-03-06 16:33:20 +02:00
fotg210-udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
fotg210.h
fsl_mxc_udc.c
fsl_qe_udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
fsl_qe_udc.h
fsl_udc_core.c scripts/spelling.txt: add "intialization" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
fsl_usb2_udc.h usb: Convert pr_warning to pr_warn 2016-11-03 10:38:36 +02:00
fusb300_udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
fusb300_udc.h usb: gadget: fusb300_udc.h: Fix typo in include guard 2014-09-03 09:15:57 -05:00
goku_udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
goku_udc.h
gr_udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
gr_udc.h usb: gadget: gr_udc: Add bounce buffer to handle odd sized OUT requests 2014-09-16 10:01:45 -05:00
Kconfig usb: gadget: udc: atmel: Update endpoint allocation scheme 2017-01-24 11:04:24 +02:00
lpc32xx_udc.c usb: udc: lpc32xx: remove USB PLL and USB OTG clock management 2016-03-04 15:14:49 +02:00
m66592-udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
m66592-udc.h
Makefile usb: gadget: add tracepoints to the gadget API 2016-06-21 10:38:41 +03:00
mv_u3d_core.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
mv_u3d.h
mv_udc_core.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
mv_udc.h
net2272.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
net2272.h usb: gadget: net2272: use common is_selfpowered 2015-01-29 10:35:27 -06:00
net2280.c usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver 2017-03-06 17:14:26 +02:00
net2280.h usb: gadget: net2280: add USB2380 support 2016-06-20 12:30:03 +03:00
omap_udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
omap_udc.h usb: Convert pr_warning to pr_warn 2016-11-03 10:38:36 +02:00
pch_udc.c usb: gadget: pch_udc: reorder spin_[un]lock to avoid deadlock 2016-06-21 13:18:23 +03:00
pxa25x_udc.c usb: gadget: pxa25x_udc: document endianess better 2016-03-04 15:14:31 +02:00
pxa25x_udc.h usb: Convert pr_warning to pr_warn 2016-11-03 10:38:36 +02:00
pxa27x_udc.c usb: gadget: pxa27x: Test for a valid argument pointer 2017-03-06 17:00:24 +02:00
pxa27x_udc.h usb: gadget: pxa27x_udc: add ep capabilities support 2015-08-04 12:26:52 -05:00
r8a66597-udc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
r8a66597-udc.h
renesas_usb3.c scripts/spelling.txt: add "followings" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
s3c2410_udc.c usb: gadget: udc: s3c2410: remove unnecessary & operation 2016-11-03 10:38:27 +02:00
s3c2410_udc.h
s3c-hsudc.c usb: gadget: udc: constify usb_ep_ops structures 2017-01-24 11:04:24 +02:00
trace.c usb: gadget: add tracepoints to the gadget API 2016-06-21 10:38:41 +03:00
trace.h usb: gadget: add tracepoints to the gadget API 2016-06-21 10:38:41 +03:00
udc-xilinx.c usb: gadget: udc: udc-xilinx: don't print on ENOMEM 2016-08-30 19:17:37 +02:00