linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alan Stern <stern@rowland.harvard.edu>
To: Suwan Kim <suwan.kim027@gmail.com>
Cc: shuah@kernel.org, <valentina.manea.m@gmail.com>,
	<gregkh@linuxfoundation.org>, <marmarek@invisiblethingslab.com>,
	<linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<stable@vger.kernel.org>
Subject: Re: [PATCH 2/2] usbip: Fix error path of vhci_recv_ret_submit()
Date: Thu, 12 Dec 2019 10:54:08 -0500 (EST)	[thread overview]
Message-ID: <Pine.LNX.4.44L0.1912121050130.14053-100000@netrider.rowland.org> (raw)
In-Reply-To: <20191212052841.6734-3-suwan.kim027@gmail.com>

On Thu, 12 Dec 2019, Suwan Kim wrote:

> If a transaction error happens in vhci_recv_ret_submit(), event
> handler closes connection and changes port status to kick hub_event.
> Then hub tries to flush the endpoint URBs, but that causes infinite
> loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because
> "vhci_priv" in vhci_urb_dequeue() was already released by
> vhci_recv_ret_submit() before a transmission error occurred. Thus,
> vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint()
> continuously calls vhci_urb_dequeue().
> 
> The root cause of this issue is that vhci_recv_ret_submit()
> terminates early without giving back URB when transaction error
> occurs in vhci_recv_ret_submit(). That causes the error URB to still
> be linked at endpoint list without “vhci_priv".
> 
> So, in the case of trasnaction error in vhci_recv_ret_submit(),
> unlink URB from the endpoint, insert proper error code in
> urb->status and give back URB.
> 
> Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
> ---
>  drivers/usb/usbip/vhci_rx.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
> index 33f8972ba842..dc26acad6baf 100644
> --- a/drivers/usb/usbip/vhci_rx.c
> +++ b/drivers/usb/usbip/vhci_rx.c
> @@ -77,16 +77,21 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
>  	usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0);
>  
>  	/* recv transfer buffer */
> -	if (usbip_recv_xbuff(ud, urb) < 0)
> -		return;
> +	if (usbip_recv_xbuff(ud, urb) < 0) {
> +		urb->status = -EPIPE;
> +		goto error;
> +	}
>  
>  	/* recv iso_packet_descriptor */
> -	if (usbip_recv_iso(ud, urb) < 0)
> -		return;
> +	if (usbip_recv_iso(ud, urb) < 0) {
> +		urb->status = -EPIPE;
> +		goto error;
> +	}

-EPIPE is used for STALL.  The appropriate error code for transaction 
error would be -EPROTO (or -EILSEQ or -ETIME, but people seem to be 
settling on -EPROTO).

Alan Stern


  parent reply	other threads:[~2019-12-12 15:54 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-12  5:28 [PATCH 0/2] usbip: Fix infinite loop in vhci rx Suwan Kim
2019-12-12  5:28 ` [PATCH 1/2] usbip: Fix receive error in vhci-hcd when using scatter-gather Suwan Kim
2019-12-12 11:45   ` Marek Marczykowski-Górecki
2019-12-12  5:28 ` [PATCH 2/2] usbip: Fix error path of vhci_recv_ret_submit() Suwan Kim
2019-12-12 11:45   ` Marek Marczykowski-Górecki
2019-12-12 15:54   ` Alan Stern [this message]
2019-12-13  2:03     ` Suwan Kim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.44L0.1912121050130.14053-100000@netrider.rowland.org \
    --to=stern@rowland.harvard.edu \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=marmarek@invisiblethingslab.com \
    --cc=shuah@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=suwan.kim027@gmail.com \
    --cc=valentina.manea.m@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).