From: Alan Stern <stern@rowland.harvard.edu>
To: Suwan Kim <suwan.kim027@gmail.com>
Cc: shuah@kernel.org, <valentina.manea.m@gmail.com>,
<gregkh@linuxfoundation.org>, <marmarek@invisiblethingslab.com>,
<linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<stable@vger.kernel.org>
Subject: Re: [PATCH 2/2] usbip: Fix error path of vhci_recv_ret_submit()
Date: Thu, 12 Dec 2019 10:54:08 -0500 (EST) [thread overview]
Message-ID: <Pine.LNX.4.44L0.1912121050130.14053-100000@netrider.rowland.org> (raw)
In-Reply-To: <20191212052841.6734-3-suwan.kim027@gmail.com>
On Thu, 12 Dec 2019, Suwan Kim wrote:
> If a transaction error happens in vhci_recv_ret_submit(), event
> handler closes connection and changes port status to kick hub_event.
> Then hub tries to flush the endpoint URBs, but that causes infinite
> loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because
> "vhci_priv" in vhci_urb_dequeue() was already released by
> vhci_recv_ret_submit() before a transmission error occurred. Thus,
> vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint()
> continuously calls vhci_urb_dequeue().
>
> The root cause of this issue is that vhci_recv_ret_submit()
> terminates early without giving back URB when transaction error
> occurs in vhci_recv_ret_submit(). That causes the error URB to still
> be linked at endpoint list without “vhci_priv".
>
> So, in the case of trasnaction error in vhci_recv_ret_submit(),
> unlink URB from the endpoint, insert proper error code in
> urb->status and give back URB.
>
> Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
> ---
> drivers/usb/usbip/vhci_rx.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
> index 33f8972ba842..dc26acad6baf 100644
> --- a/drivers/usb/usbip/vhci_rx.c
> +++ b/drivers/usb/usbip/vhci_rx.c
> @@ -77,16 +77,21 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
> usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0);
>
> /* recv transfer buffer */
> - if (usbip_recv_xbuff(ud, urb) < 0)
> - return;
> + if (usbip_recv_xbuff(ud, urb) < 0) {
> + urb->status = -EPIPE;
> + goto error;
> + }
>
> /* recv iso_packet_descriptor */
> - if (usbip_recv_iso(ud, urb) < 0)
> - return;
> + if (usbip_recv_iso(ud, urb) < 0) {
> + urb->status = -EPIPE;
> + goto error;
> + }
-EPIPE is used for STALL. The appropriate error code for transaction
error would be -EPROTO (or -EILSEQ or -ETIME, but people seem to be
settling on -EPROTO).
Alan Stern
next prev parent reply other threads:[~2019-12-12 15:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-12 5:28 [PATCH 0/2] usbip: Fix infinite loop in vhci rx Suwan Kim
2019-12-12 5:28 ` [PATCH 1/2] usbip: Fix receive error in vhci-hcd when using scatter-gather Suwan Kim
2019-12-12 11:45 ` Marek Marczykowski-Górecki
2019-12-12 5:28 ` [PATCH 2/2] usbip: Fix error path of vhci_recv_ret_submit() Suwan Kim
2019-12-12 11:45 ` Marek Marczykowski-Górecki
2019-12-12 15:54 ` Alan Stern [this message]
2019-12-13 2:03 ` Suwan Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.44L0.1912121050130.14053-100000@netrider.rowland.org \
--to=stern@rowland.harvard.edu \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=marmarek@invisiblethingslab.com \
--cc=shuah@kernel.org \
--cc=stable@vger.kernel.org \
--cc=suwan.kim027@gmail.com \
--cc=valentina.manea.m@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).