From: Suwan Kim
To: shuah@kernel.org, valentina.manea.m@gmail.com, gregkh@linuxfoundation.org, marmarek@invisiblethingslab.com
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, stern@rowland.harvard.edu, Suwan Kim
Subject: [PATCH v2 2/2] usbip: Fix error path of vhci_recv_ret_submit()
Date: Fri, 13 Dec 2019 11:30:55 +0900
Message-Id: <20191213023055.19933-3-suwan.kim027@gmail.com>

If a transaction error happens in vhci_recv_ret_submit(), event handler closes connection and changes port status to kick hub_event. Then hub tries to flush the endpoint URBs, but that causes infinite loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because "vhci_priv" in vhci_urb_dequeue() was already released by vhci_recv_ret_submit() before a transmission error occurred. Thus, vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint() continuously calls vhci_urb_dequeue().

The root cause of this issue is that vhci_recv_ret_submit() terminates early without giving back URB when transaction error occurs in vhci_recv_ret_submit(). That causes the error URB to still be linked at endpoint list without "vhci_priv".

So, in the case of transaction error in vhci_recv_ret_submit(), unlink URB from the endpoint, insert proper error code in urb->status and give back URB.

Reported-by: Marek Marczykowski-Górecki
Tested-by: Marek Marczykowski-Górecki
Signed-off-by: Suwan Kim
--- drivers/usb/usbip/vhci_rx.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c index 33f8972ba842..00fc98741c5d 100644 
--- a/drivers/usb/usbip/vhci_rx.c +++ b/drivers/usb/usbip/vhci_rx.c @@ -77,16 +77,21 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0); /* recv transfer buffer */ - if (usbip_recv_xbuff(ud, urb) < 0) - return; + if (usbip_recv_xbuff(ud, urb) < 0) { + urb->status = -EPROTO; + goto error; + } /* recv iso_packet_descriptor */ - if (usbip_recv_iso(ud, urb) < 0) - return; + if (usbip_recv_iso(ud, urb) < 0) { + urb->status = -EPROTO; + goto error; + } /* restore the padding in iso packets */ usbip_pad_iso(ud, urb); +error: if (usbip_dbg_flag_vhci_rx) usbip_dump_urb(urb); -- 2.20.1
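
Review bot: the `error:` label added after usbip_pad_iso() is not an error-only exit, because the success path falls through into it as well; a neutral name such as `out:`, or a one-line comment above the label saying that both paths share the tail, would keep a later reader from adding error-only cleanup there. The unlink and giveback that the commit message describes are not among the changed lines, so the fix depends entirely on the code following the label running for an URB whose transfer buffer or iso descriptors were only partly received; it would help to state in the commit message that the existing tail of vhci_recv_ret_submit() does both, and that skipping usbip_pad_iso() on the failure branches is intentional.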