linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3 0/2] Fix syzkaller bug: hung task in hub_port_init
@ 2021-08-13 18:25 Anirudh Rayabharam
  2021-08-13 18:25 ` [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup Anirudh Rayabharam
  2021-08-13 18:25 ` [PATCH v3 2/2] usbip: eliminate duplicate code in vhci_device_unlink_cleanup Anirudh Rayabharam
  0 siblings, 2 replies; 8+ messages in thread
From: Anirudh Rayabharam @ 2021-08-13 18:25 UTC (permalink / raw)
  To: valentina.manea.m, shuah, gregkh
  Cc: Anirudh Rayabharam, linux-usb, linux-kernel, linux-kernel-mentees

This series fixes the hung task bug in hub_port_init reported by
syzkaller at:

https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76

The first patch in the series fixes the issue and the second patch does
some refactoring to avoid duplicate code.

Changes in v3:
- Split the patch into two patches
- Remove the convenience wrappers as suggested by Shuah
- Remove the WARN as suggested by Greg

Changes in v2:
Use WARN_ON() instead of BUG() when unlink_list is neither unlink_tx nor
unlink_rx.
v2: https://lore.kernel.org/lkml/20210806181335.2078-1-mail@anirudhrb.com/

v1: https://lore.kernel.org/lkml/20210806164015.25263-1-mail@anirudhrb.com/

Anirudh Rayabharam (2):
  usbip: give back URBs for unsent unlink requests during cleanup
  usbip: eliminate duplicate code in vhci_device_unlink_cleanup

 drivers/usb/usbip/vhci_hcd.c | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

-- 
2.26.2


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup
  2021-08-13 18:25 [PATCH v3 0/2] Fix syzkaller bug: hung task in hub_port_init Anirudh Rayabharam
@ 2021-08-13 18:25 ` Anirudh Rayabharam
  2021-08-17 23:16   ` Shuah Khan
  2021-08-13 18:25 ` [PATCH v3 2/2] usbip: eliminate duplicate code in vhci_device_unlink_cleanup Anirudh Rayabharam
  1 sibling, 1 reply; 8+ messages in thread
From: Anirudh Rayabharam @ 2021-08-13 18:25 UTC (permalink / raw)
  To: valentina.manea.m, shuah, gregkh
  Cc: Anirudh Rayabharam, linux-usb, linux-kernel,
	linux-kernel-mentees, syzbot+74d6ef051d3d2eacf428

In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
not given back. This sometimes causes usb_kill_urb to wait indefinitely
for that urb to be given back. syzbot has reported a hung task issue [1]
for this.

To fix this, give back the urbs corresponding to unsent unlink requests
(unlink_tx list) similar to how urbs corresponding to unanswered unlink
requests (unlink_rx list) are given back.

[1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76

Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
---
 drivers/usb/usbip/vhci_hcd.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 4ba6bcdaa8e9..6f3f374d4bbc 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -957,8 +957,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 	spin_lock(&vdev->priv_lock);
 
 	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
+		struct urb *urb;
+
+		/* give back URB of unsent unlink request */
 		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
+
+		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
+		if (!urb) {
+			pr_info("the urb (seqnum %lu) was already given back\n",
+				unlink->unlink_seqnum);
+			list_del(&unlink->list);
+			kfree(unlink);
+			continue;
+		}
+
+		urb->status = -ENODEV;
+
+		usb_hcd_unlink_urb_from_ep(hcd, urb);
+
 		list_del(&unlink->list);
+
+		spin_unlock(&vdev->priv_lock);
+		spin_unlock_irqrestore(&vhci->lock, flags);
+
+		usb_hcd_giveback_urb(hcd, urb, urb->status);
+
+		spin_lock_irqsave(&vhci->lock, flags);
+		spin_lock(&vdev->priv_lock);
+
 		kfree(unlink);
 	}
 
-- 
2.26.2


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v3 2/2] usbip: eliminate duplicate code in vhci_device_unlink_cleanup
  2021-08-13 18:25 [PATCH v3 0/2] Fix syzkaller bug: hung task in hub_port_init Anirudh Rayabharam
  2021-08-13 18:25 ` [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup Anirudh Rayabharam
@ 2021-08-13 18:25 ` Anirudh Rayabharam
  1 sibling, 0 replies; 8+ messages in thread
From: Anirudh Rayabharam @ 2021-08-13 18:25 UTC (permalink / raw)
  To: valentina.manea.m, shuah, gregkh
  Cc: Anirudh Rayabharam, linux-usb, linux-kernel, linux-kernel-mentees

The cleanup code for unlink_tx and unlink_rx lists is almost the same.
So, extract it into a new function and call it for both unlink_rx and
unlink_tx.

Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
---
 drivers/usb/usbip/vhci_hcd.c | 57 ++++++++++++------------------------
 1 file changed, 18 insertions(+), 39 deletions(-)

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index 6f3f374d4bbc..b142508b46ce 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -945,7 +945,8 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 	return 0;
 }
 
-static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
+static void vhci_cleanup_unlink_list(struct vhci_device *vdev,
+		struct list_head *unlink_list)
 {
 	struct vhci_hcd *vhci_hcd = vdev_to_vhci_hcd(vdev);
 	struct usb_hcd *hcd = vhci_hcd_to_hcd(vhci_hcd);
@@ -956,46 +957,15 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 	spin_lock_irqsave(&vhci->lock, flags);
 	spin_lock(&vdev->priv_lock);
 
-	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
+	list_for_each_entry_safe(unlink, tmp, unlink_list, list) {
 		struct urb *urb;
 
-		/* give back urb of unsent unlink request */
-		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
-
-		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
-		if (!urb) {
-			pr_info("the urb (seqnum %lu) was already given back\n",
-				unlink->unlink_seqnum);
-			list_del(&unlink->list);
-			kfree(unlink);
-			continue;
-		}
-
-		urb->status = -ENODEV;
-
-		usb_hcd_unlink_urb_from_ep(hcd, urb);
-
-		list_del(&unlink->list);
-
-		spin_unlock(&vdev->priv_lock);
-		spin_unlock_irqrestore(&vhci->lock, flags);
-
-		usb_hcd_giveback_urb(hcd, urb, urb->status);
-
-		spin_lock_irqsave(&vhci->lock, flags);
-		spin_lock(&vdev->priv_lock);
-
-		kfree(unlink);
-	}
-
-	while (!list_empty(&vdev->unlink_rx)) {
-		struct urb *urb;
-
-		unlink = list_first_entry(&vdev->unlink_rx, struct vhci_unlink,
-			list);
-
-		/* give back URB of unanswered unlink request */
-		pr_info("unlink cleanup rx %lu\n", unlink->unlink_seqnum);
+		if (unlink_list == &vdev->unlink_tx)
+			pr_info("unlink cleanup tx %lu\n",
+					unlink->unlink_seqnum);
+		else
+			pr_info("unlink_cleanup rx %lu\n",
+					unlink->unlink_seqnum);
 
 		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
 		if (!urb) {
@@ -1027,6 +997,15 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 	spin_unlock_irqrestore(&vhci->lock, flags);
 }
 
+static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
+{
+	/* give back URB of unsent unlink request */
+	vhci_cleanup_unlink_list(vdev, &vdev->unlink_tx);
+
+	/* give back URB of unanswered unlink request */
+	vhci_cleanup_unlink_list(vdev, &vdev->unlink_rx);
+}
+
 /*
  * The important thing is that only one context begins cleanup.
  * This is why error handling and cleanup become simple.
-- 
2.26.2


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup
  2021-08-13 18:25 ` [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup Anirudh Rayabharam
@ 2021-08-17 23:16   ` Shuah Khan
  2021-08-18  5:39     ` Greg KH
  0 siblings, 1 reply; 8+ messages in thread
From: Shuah Khan @ 2021-08-17 23:16 UTC (permalink / raw)
  To: Anirudh Rayabharam, valentina.manea.m, shuah, gregkh
  Cc: syzbot+74d6ef051d3d2eacf428, linux-kernel-mentees, linux-usb,
	linux-kernel, Shuah Khan

On 8/13/21 12:25 PM, Anirudh Rayabharam wrote:
> In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
> not given back. This sometimes causes usb_kill_urb to wait indefinitely
> for that urb to be given back. syzbot has reported a hung task issue [1]
> for this.
> 
> To fix this, give back the urbs corresponding to unsent unlink requests
> (unlink_tx list) similar to how urbs corresponding to unanswered unlink
> requests (unlink_rx list) are given back.
> 
> [1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
> 
> Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
> Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
> Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
> ---
>   drivers/usb/usbip/vhci_hcd.c | 26 ++++++++++++++++++++++++++
>   1 file changed, 26 insertions(+)
> 
> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> index 4ba6bcdaa8e9..6f3f374d4bbc 100644
> --- a/drivers/usb/usbip/vhci_hcd.c
> +++ b/drivers/usb/usbip/vhci_hcd.c
> @@ -957,8 +957,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
>   	spin_lock(&vdev->priv_lock);
>   
>   	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
> +		struct urb *urb;
> +
> +		/* give back URB of unsent unlink request */
>   		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);

I know this is an exiting one.
Let's make this pr_debug or remove it all together.

> +
> +		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
> +		if (!urb) {
> +			pr_info("the urb (seqnum %lu) was already given back\n",
> +				unlink->unlink_seqnum);

Let's make this pr_debug or remove it all together.

> +			list_del(&unlink->list);
> +			kfree(unlink);
> +			continue;
> +		}
> +
> +		urb->status = -ENODEV;
> +
> +		usb_hcd_unlink_urb_from_ep(hcd, urb);
> +
>   		list_del(&unlink->list);
> +
> +		spin_unlock(&vdev->priv_lock);
> +		spin_unlock_irqrestore(&vhci->lock, flags);
> +
> +		usb_hcd_giveback_urb(hcd, urb, urb->status);
> +
> +		spin_lock_irqsave(&vhci->lock, flags);
> +		spin_lock(&vdev->priv_lock);
> +
>   		kfree(unlink);
>   	}
>   
> 

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup
  2021-08-17 23:16   ` Shuah Khan
@ 2021-08-18  5:39     ` Greg KH
  2021-08-18 18:36       ` Shuah Khan
  0 siblings, 1 reply; 8+ messages in thread
From: Greg KH @ 2021-08-18  5:39 UTC (permalink / raw)
  To: Shuah Khan
  Cc: Anirudh Rayabharam, valentina.manea.m, shuah,
	syzbot+74d6ef051d3d2eacf428, linux-kernel-mentees, linux-usb,
	linux-kernel

On Tue, Aug 17, 2021 at 05:16:51PM -0600, Shuah Khan wrote:
> On 8/13/21 12:25 PM, Anirudh Rayabharam wrote:
> > In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
> > not given back. This sometimes causes usb_kill_urb to wait indefinitely
> > for that urb to be given back. syzbot has reported a hung task issue [1]
> > for this.
> > 
> > To fix this, give back the urbs corresponding to unsent unlink requests
> > (unlink_tx list) similar to how urbs corresponding to unanswered unlink
> > requests (unlink_rx list) are given back.
> > 
> > [1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
> > 
> > Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
> > Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
> > Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
> > ---
> >   drivers/usb/usbip/vhci_hcd.c | 26 ++++++++++++++++++++++++++
> >   1 file changed, 26 insertions(+)
> > 
> > diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> > index 4ba6bcdaa8e9..6f3f374d4bbc 100644
> > --- a/drivers/usb/usbip/vhci_hcd.c
> > +++ b/drivers/usb/usbip/vhci_hcd.c
> > @@ -957,8 +957,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
> >   	spin_lock(&vdev->priv_lock);
> >   	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
> > +		struct urb *urb;
> > +
> > +		/* give back URB of unsent unlink request */
> >   		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
> 
> I know this is an exiting one.
> Let's make this pr_debug or remove it all together.
> 
> > +
> > +		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
> > +		if (!urb) {
> > +			pr_info("the urb (seqnum %lu) was already given back\n",
> > +				unlink->unlink_seqnum);
> 
> Let's make this pr_debug or remove it all together.

As you have a struct device for all of these, please use dev_dbg() and
friends, not pr_*(), for all of these.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup
  2021-08-18  5:39     ` Greg KH
@ 2021-08-18 18:36       ` Shuah Khan
  2021-08-19 18:09         ` Anirudh Rayabharam
  0 siblings, 1 reply; 8+ messages in thread
From: Shuah Khan @ 2021-08-18 18:36 UTC (permalink / raw)
  To: Greg KH
  Cc: Anirudh Rayabharam, valentina.manea.m, shuah,
	syzbot+74d6ef051d3d2eacf428, linux-kernel-mentees, linux-usb,
	linux-kernel, Shuah Khan

On 8/17/21 11:39 PM, Greg KH wrote:
> On Tue, Aug 17, 2021 at 05:16:51PM -0600, Shuah Khan wrote:
>> On 8/13/21 12:25 PM, Anirudh Rayabharam wrote:
>>> In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
>>> not given back. This sometimes causes usb_kill_urb to wait indefinitely
>>> for that urb to be given back. syzbot has reported a hung task issue [1]
>>> for this.
>>>
>>> To fix this, give back the urbs corresponding to unsent unlink requests
>>> (unlink_tx list) similar to how urbs corresponding to unanswered unlink
>>> requests (unlink_rx list) are given back.
>>>
>>> [1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
>>>
>>> Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
>>> Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
>>> Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
>>> ---
>>>    drivers/usb/usbip/vhci_hcd.c | 26 ++++++++++++++++++++++++++
>>>    1 file changed, 26 insertions(+)
>>>
>>> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
>>> index 4ba6bcdaa8e9..6f3f374d4bbc 100644
>>> --- a/drivers/usb/usbip/vhci_hcd.c
>>> +++ b/drivers/usb/usbip/vhci_hcd.c
>>> @@ -957,8 +957,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
>>>    	spin_lock(&vdev->priv_lock);
>>>    	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
>>> +		struct urb *urb;
>>> +
>>> +		/* give back URB of unsent unlink request */
>>>    		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
>>
>> I know this is an exiting one.
>> Let's make this pr_debug or remove it all together.
>>
>>> +
>>> +		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
>>> +		if (!urb) {
>>> +			pr_info("the urb (seqnum %lu) was already given back\n",
>>> +				unlink->unlink_seqnum);
>>
>> Let's make this pr_debug or remove it all together.
> 
> As you have a struct device for all of these, please use dev_dbg() and
> friends, not pr_*(), for all of these.
> 

Yes. Makes perfect sense.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup
  2021-08-18 18:36       ` Shuah Khan
@ 2021-08-19 18:09         ` Anirudh Rayabharam
  2021-08-19 18:49           ` Shuah Khan
  0 siblings, 1 reply; 8+ messages in thread
From: Anirudh Rayabharam @ 2021-08-19 18:09 UTC (permalink / raw)
  To: Shuah Khan
  Cc: Greg KH, valentina.manea.m, shuah, syzbot+74d6ef051d3d2eacf428,
	linux-kernel-mentees, linux-usb, linux-kernel

On Wed, Aug 18, 2021 at 12:36:11PM -0600, Shuah Khan wrote:
> On 8/17/21 11:39 PM, Greg KH wrote:
> > On Tue, Aug 17, 2021 at 05:16:51PM -0600, Shuah Khan wrote:
> > > On 8/13/21 12:25 PM, Anirudh Rayabharam wrote:
> > > > In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
> > > > not given back. This sometimes causes usb_kill_urb to wait indefinitely
> > > > for that urb to be given back. syzbot has reported a hung task issue [1]
> > > > for this.
> > > > 
> > > > To fix this, give back the urbs corresponding to unsent unlink requests
> > > > (unlink_tx list) similar to how urbs corresponding to unanswered unlink
> > > > requests (unlink_rx list) are given back.
> > > > 
> > > > [1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
> > > > 
> > > > Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
> > > > Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
> > > > Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
> > > > ---
> > > >    drivers/usb/usbip/vhci_hcd.c | 26 ++++++++++++++++++++++++++
> > > >    1 file changed, 26 insertions(+)
> > > > 
> > > > diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> > > > index 4ba6bcdaa8e9..6f3f374d4bbc 100644
> > > > --- a/drivers/usb/usbip/vhci_hcd.c
> > > > +++ b/drivers/usb/usbip/vhci_hcd.c
> > > > @@ -957,8 +957,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
> > > >    	spin_lock(&vdev->priv_lock);
> > > >    	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
> > > > +		struct urb *urb;
> > > > +
> > > > +		/* give back URB of unsent unlink request */
> > > >    		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
> > > 
> > > I know this is an exiting one.
> > > Let's make this pr_debug or remove it all together.
> > > 
> > > > +
> > > > +		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
> > > > +		if (!urb) {
> > > > +			pr_info("the urb (seqnum %lu) was already given back\n",
> > > > +				unlink->unlink_seqnum);
> > > 
> > > Let's make this pr_debug or remove it all together.
> > 
> > As you have a struct device for all of these, please use dev_dbg() and
> > friends, not pr_*(), for all of these.
> > 
> 
> Yes. Makes perfect sense.

Perhaps we should use usbip_dbg_vhci_hc() instead of dev_dbg()? It is
one of the custom macros defined by the usbip driver for printing debug
logs.

Thanks,

	Anirudh

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup
  2021-08-19 18:09         ` Anirudh Rayabharam
@ 2021-08-19 18:49           ` Shuah Khan
  0 siblings, 0 replies; 8+ messages in thread
From: Shuah Khan @ 2021-08-19 18:49 UTC (permalink / raw)
  To: Anirudh Rayabharam
  Cc: Greg KH, valentina.manea.m, shuah, syzbot+74d6ef051d3d2eacf428,
	linux-kernel-mentees, linux-usb, linux-kernel, Shuah Khan

On 8/19/21 12:09 PM, Anirudh Rayabharam wrote:
> On Wed, Aug 18, 2021 at 12:36:11PM -0600, Shuah Khan wrote:
>> On 8/17/21 11:39 PM, Greg KH wrote:
>>> On Tue, Aug 17, 2021 at 05:16:51PM -0600, Shuah Khan wrote:
>>>> On 8/13/21 12:25 PM, Anirudh Rayabharam wrote:
>>>>> In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are
>>>>> not given back. This sometimes causes usb_kill_urb to wait indefinitely
>>>>> for that urb to be given back. syzbot has reported a hung task issue [1]
>>>>> for this.
>>>>>
>>>>> To fix this, give back the urbs corresponding to unsent unlink requests
>>>>> (unlink_tx list) similar to how urbs corresponding to unanswered unlink
>>>>> requests (unlink_rx list) are given back.
>>>>>
>>>>> [1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76
>>>>>
>>>>> Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
>>>>> Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
>>>>> Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
>>>>> ---
>>>>>     drivers/usb/usbip/vhci_hcd.c | 26 ++++++++++++++++++++++++++
>>>>>     1 file changed, 26 insertions(+)
>>>>>
>>>>> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
>>>>> index 4ba6bcdaa8e9..6f3f374d4bbc 100644
>>>>> --- a/drivers/usb/usbip/vhci_hcd.c
>>>>> +++ b/drivers/usb/usbip/vhci_hcd.c
>>>>> @@ -957,8 +957,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
>>>>>     	spin_lock(&vdev->priv_lock);
>>>>>     	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
>>>>> +		struct urb *urb;
>>>>> +
>>>>> +		/* give back URB of unsent unlink request */
>>>>>     		pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
>>>>
>>>> I know this is an exiting one.
>>>> Let's make this pr_debug or remove it all together.
>>>>
>>>>> +
>>>>> +		urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
>>>>> +		if (!urb) {
>>>>> +			pr_info("the urb (seqnum %lu) was already given back\n",
>>>>> +				unlink->unlink_seqnum);
>>>>
>>>> Let's make this pr_debug or remove it all together.
>>>
>>> As you have a struct device for all of these, please use dev_dbg() and
>>> friends, not pr_*(), for all of these.
>>>
>>
>> Yes. Makes perfect sense.
> 
> Perhaps we should use usbip_dbg_vhci_hc() instead of dev_dbg()? It is
> one of the custom macros defined by the usbip driver for printing debug
> logs.
> 

Yes that macro could be used. However, let's just get rid of the messages.
I don't see much use for them.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2021-08-19 18:49 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-13 18:25 [PATCH v3 0/2] Fix syzkaller bug: hung task in hub_port_init Anirudh Rayabharam
2021-08-13 18:25 ` [PATCH v3 1/2] usbip: give back URBs for unsent unlink requests during cleanup Anirudh Rayabharam
2021-08-17 23:16   ` Shuah Khan
2021-08-18  5:39     ` Greg KH
2021-08-18 18:36       ` Shuah Khan
2021-08-19 18:09         ` Anirudh Rayabharam
2021-08-19 18:49           ` Shuah Khan
2021-08-13 18:25 ` [PATCH v3 2/2] usbip: eliminate duplicate code in vhci_device_unlink_cleanup Anirudh Rayabharam

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).