| Message ID | 20190824083619.69139-1-pmalani@chromium.org |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | r8152: Set memory to all 0xFFs on failed reg reads | expand |
From: Prashant Malani <pmalani@chromium.org> Date: Sat, 24 Aug 2019 01:36:19 -0700 > get_registers() blindly copies the memory written to by the > usb_control_msg() call even if the underlying urb failed. > > This could lead to junk register values being read by the driver, since > some indirect callers of get_registers() ignore the return values. One > example is: > ocp_read_dword() ignores the return value of generic_ocp_read(), which > calls get_registers(). > > So, emulate PCI "Master Abort" behavior by setting the buffer to all > 0xFFs when usb_control_msg() fails. > > This patch is copied from the r8152 driver (v2.12.0) published by > Realtek (www.realtek.com). > > Signed-off-by: Prashant Malani <pmalani@chromium.org> Hayes, please review.
Prashant Malani [mailto:pmalani@chromium.org] > Sent: Saturday, August 24, 2019 4:36 PM [...] > get_registers() blindly copies the memory written to by the > usb_control_msg() call even if the underlying urb failed. > > This could lead to junk register values being read by the driver, since > some indirect callers of get_registers() ignore the return values. One > example is: > ocp_read_dword() ignores the return value of generic_ocp_read(), which > calls get_registers(). > > So, emulate PCI "Master Abort" behavior by setting the buffer to all > 0xFFs when usb_control_msg() fails. > > This patch is copied from the r8152 driver (v2.12.0) published by > Realtek (www.realtek.com). > > Signed-off-by: Prashant Malani <pmalani@chromium.org> > --- Acked-by: Hayes Wang <hayeswang@realtek.com> Best Regards, Hayes
From: Prashant Malani <pmalani@chromium.org> Date: Sat, 24 Aug 2019 01:36:19 -0700 > get_registers() blindly copies the memory written to by the > usb_control_msg() call even if the underlying urb failed. > > This could lead to junk register values being read by the driver, since > some indirect callers of get_registers() ignore the return values. One > example is: > ocp_read_dword() ignores the return value of generic_ocp_read(), which > calls get_registers(). > > So, emulate PCI "Master Abort" behavior by setting the buffer to all > 0xFFs when usb_control_msg() fails. > > This patch is copied from the r8152 driver (v2.12.0) published by > Realtek (www.realtek.com). > > Signed-off-by: Prashant Malani <pmalani@chromium.org> Applied.
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c index 0cc03a9ff545..eee0f5007ee3 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -799,8 +799,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0), RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, value, index, tmp, size, 500); + if (ret < 0) + memset(data, 0xff, size); + else + memcpy(data, tmp, size); - memcpy(data, tmp, size); kfree(tmp); return ret;
get_registers() blindly copies the memory written to by the usb_control_msg() call even if the underlying urb failed. This could lead to junk register values being read by the driver, since some indirect callers of get_registers() ignore the return values. One example is: ocp_read_dword() ignores the return value of generic_ocp_read(), which calls get_registers(). So, emulate PCI "Master Abort" behavior by setting the buffer to all 0xFFs when usb_control_msg() fails. This patch is copied from the r8152 driver (v2.12.0) published by Realtek (www.realtek.com). Signed-off-by: Prashant Malani <pmalani@chromium.org> --- drivers/net/usb/r8152.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)