USBFS Bugfix

Chase Douglas wrote:
> On Wed, Mar 24, 2010 at 12:39 PM, Stefan Bader
> <stefan.bader@canonical.com> wrote:
>> Chase Douglas wrote:
>>> Hi Markus,
>>>
>>> On Wed, Mar 24, 2010 at 12:21 PM, Markus Rechberger
>>> <mrechberger@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> on IRC I was recommended to submit this information to the mailinglist
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/544527
>>> The bug itself doesn't list much information. It basically says "usbfs
>>> is broken." We need some proof of what is going wrong, preferably
>>> something that can be tested when a fix is available.
>>>
>>>> Here's a better solution.  In theory we could copy just the individual
>>>> packets from within the transfer buffer, but that would probably take
>>>> longer than simply copying the whole buffer.
>>>>
>>>> (This was a little hasty; I haven't even compile-tested the patch.
>>>> Some small fixes may be needed.)
>>> The general procedure for fixes to reach Ubuntu is to have them sent
>>> upstream and be included in the mainline linux, and then to have the
>>> fix read the -stable tree. We then pull patches from the -stable tree
>>> for inclusion in Ubuntu.
>>>
>>> If you can show that a specific patch has been found to fix an issue
>>> in Ubuntu and it has been accepted upstream by the maintainers of the
>>> kernel subsystem this impacts, we may be able to accept the patch as a
>>> pre-stable fix, in anticipation that it will be accepted into the
>>> -stable tree in the future.
>>>
>>> What is the origin of this patch? Is it from upstream somewhere? A
>>> commit hash from linux-2.6 or some other tree would be very helpful.
>>>
>>>> Alan Stern
>>>>
>>>>
>>>> -----------------------------------------------------------------------
>>>> This patch fixes a bug in the way isochronous input data is returned
>>>> to userspace for usbfs transfers.  The entire buffer must be copied,
>>>> not just the first actual_length bytes, because the individual packets
>>>> will be discontiguous if any of them are short.
>>>>
>>>> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
>>>> CC: stable <stable@kernel.org>
>>>>
>>>> ---
>>>> Index: usb-2.6/drivers/usb/core/devio.c
>>>> ===================================================================
>>>> --- usb-2.6.orig/drivers/usb/core/devio.c
>>>> +++ usb-2.6/drivers/usb/core/devio.c
>>>> @@ -1176,6 +1176,13 @@ static int proc_do_submiturb(struct dev_
>>>>                        free_async(as);
>>>>                        return -ENOMEM;
>>>>                }
>>>> +               /* Isochronous input data may end up being discontiguous
>>>> +                * if some of the packets are short.  Clear the buffer so
>>>> +                * that the gaps don't leak kernel data to userspace.
>>>> +                */
>>>> +               if (is_in && uurb->type == USBDEVFS_URB_TYPE_ISO)
>>>> +                       memset(as->urb->transfer_buffer, 0,
>>>> +                                       uurb->buffer_length);
>>>>        }
>>>>        as->urb->dev = ps->dev;
>>>>        as->urb->pipe = (uurb->type << 30) |
>>>> @@ -1312,10 +1319,14 @@ static int processcompl(struct async *as
>>>>        void __user *addr = as->userurb;
>>>>        unsigned int i;
>>>>
>>>> -       if (as->userbuffer && urb->actual_length)
>>>> -               if (copy_to_user(as->userbuffer, urb->transfer_buffer,
>>>> -                                urb->actual_length))
>>>> +       if (as->userbuffer && urb->actual_length) {
>>>> +               if (urb->number_of_packets > 0)         /* Isochronous */
>>>> +                       i = urb->transfer_buffer_length;
>>>> +               else                                    /* Non-Isoc */
>>>> +                       i = urb->actual_length;
>>>> +               if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
>>>>                        goto err_out;
>>>> +       }
>>>>        if (put_user(as->status, &userurb->status))
>>>>                goto err_out;
>>>>        if (put_user(urb->actual_length, &userurb->actual_length))
>>>>
>>>> It would be nice if this patch could go into the ubuntu lucid kernel
>>>> as soon as possible.
>>>>
>>>> Thanks,
>>>> Markus
>>> -- Chase
>>>
>> Well it seems to come from Alan Stern and be cc'ed to stable. So it should/would
>> come from there. But I have not seen it in the queue, yet. But it is in upstream:
>>
>> commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec
>> Author: Alan Stern <stern@rowland.harvard.edu>
>> Date:   Sat Mar 6 15:04:03 2010 -0500
>>
>>    USB: fix usbfs regression
> 
> Ahh, I didn't realize Alan is the maintainer of the code. I'll leave
> it up to you, Stefan, to determine how to handle this.
> 
> -- Chase

As this patch is upstream and has been cc'ed to stable too, I would ACK to
cherry-pick the upstream patch (attached for simplicity)

Stefan

On Mon, Mar 29, 2010 at 03:41:18PM +0200, Stefan Bader wrote:

> As this patch is upstream and has been cc'ed to stable too, I would ACK to
> cherry-pick the upstream patch (attached for simplicity)
> 
> Stefan

I concur:

Acked-by: Andy Whitcroft <apw@canonical.com>

> From 7152b592593b9d48b33f8997b1dfd6df9143f7ec Mon Sep 17 00:00:00 2001
> From: Alan Stern <stern@rowland.harvard.edu>
> Date: Sat, 6 Mar 2010 15:04:03 -0500
> Subject: [PATCH] USB: fix usbfs regression
> 
> This patch (as1352) fixes a bug in the way isochronous input data is
> returned to userspace for usbfs transfers.  The entire buffer must be
> copied, not just the first actual_length bytes, because the individual
> packets will be discontiguous if any of them are short.
> 
> Reported-by: Markus Rechberger <mrechberger@gmail.com>
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: stable <stable@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> ---
>  drivers/usb/core/devio.c |   17 ++++++++++++++---
>  1 files changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index e909ff7..3466fdc 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -1207,6 +1207,13 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
>  			free_async(as);
>  			return -ENOMEM;
>  		}
> +		/* Isochronous input data may end up being discontiguous
> +		 * if some of the packets are short.  Clear the buffer so
> +		 * that the gaps don't leak kernel data to userspace.
> +		 */
> +		if (is_in && uurb->type == USBDEVFS_URB_TYPE_ISO)
> +			memset(as->urb->transfer_buffer, 0,
> +					uurb->buffer_length);
>  	}
>  	as->urb->dev = ps->dev;
>  	as->urb->pipe = (uurb->type << 30) |
> @@ -1345,10 +1352,14 @@ static int processcompl(struct async *as, void __user * __user *arg)
>  	void __user *addr = as->userurb;
>  	unsigned int i;
>  
> -	if (as->userbuffer && urb->actual_length)
> -		if (copy_to_user(as->userbuffer, urb->transfer_buffer,
> -				 urb->actual_length))
> +	if (as->userbuffer && urb->actual_length) {
> +		if (urb->number_of_packets > 0)		/* Isochronous */
> +			i = urb->transfer_buffer_length;
> +		else					/* Non-Isoc */
> +			i = urb->actual_length;
> +		if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
>  			goto err_out;
> +	}
>  	if (put_user(as->status, &userurb->status))
>  		goto err_out;
>  	if (put_user(urb->actual_length, &userurb->actual_length))

-apw

Applied to Lucid.

-apw

On Tue, Mar 30, 2010 at 6:55 PM, Andy Whitcroft <apw@canonical.com> wrote:
> Applied to Lucid.
>

great thanks

Markus