From: Anirudh Rayabharam
To: Valentina Manea, Shuah Khan, Greg Kroah-Hartman
Cc: linux-kernel-mentees@lists.linuxfoundation.org, Anirudh Rayabharam, syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] usbip: give back URBs for unsent unlink requests during cleanup
Date: Fri, 6 Aug 2021 23:43:35 +0530
Message-Id: <20210806181335.2078-1-mail@anirudhrb.com>

In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are not given back. This sometimes causes usb_kill_urb to wait indefinitely for that urb to be given back. syzbot has reported a hung task issue [1] for this.

To fix this, give back the urbs corresponding to unsent unlink requests (unlink_tx list) similar to how urbs corresponding to unanswered unlink requests (unlink_rx list) are given back. Since the code is almost the same, extract it into a new function and call it for both unlink_rx and unlink_tx lists.

[1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76

Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam --- Changes in v2: Use WARN_ON() instead of BUG() when unlink_list is neither unlink_tx nor unlink_rx. v1: https://lore.kernel.org/lkml/20210806164015.25263-1-mail@anirudhrb.com/ --- drivers/usb/usbip/vhci_hcd.c | 45 +++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 13 deletions(-) diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 4ba6bcdaa8e9..67e638f4c455 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -945,7 +945,8 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) return 0; } -static void vhci_device_unlink_cleanup(struct vhci_device *vdev) +static void __vhci_cleanup_unlink_list(struct vhci_device *vdev, + struct list_head *unlink_list) { struct vhci_hcd *vhci_hcd = vdev_to_vhci_hcd(vdev); struct usb_hcd *hcd = vhci_hcd_to_hcd(vhci_hcd); @@ -953,23 +954,23 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev) struct vhci_unlink *unlink, *tmp; unsigned long flags; + if (WARN(unlink_list != &vdev->unlink_tx + && unlink_list != &vdev->unlink_rx, + "Invalid list passed to __vhci_cleanup_unlink_list\n")) + return; + spin_lock_irqsave(&vhci->lock, flags); spin_lock(&vdev->priv_lock); - list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) { - pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum); - list_del(&unlink->list); - kfree(unlink); - } - - while (!list_empty(&vdev->unlink_rx)) { + list_for_each_entry_safe(unlink, tmp, unlink_list, list) { struct urb *urb; - unlink = list_first_entry(&vdev->unlink_rx, struct vhci_unlink, - list); - - /* give back URB of unanswered unlink request */ - pr_info("unlink cleanup rx %lu\n", unlink->unlink_seqnum); + if (unlink_list == &vdev->unlink_tx) + pr_info("unlink cleanup tx %lu\n", + unlink->unlink_seqnum); + else + pr_info("unlink cleanup rx %lu\n", + unlink->unlink_seqnum); urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum); if (!urb) { 
@@ -1001,6 +1002,24 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev) spin_unlock_irqrestore(&vhci->lock, flags); } +static inline void vhci_cleanup_unlink_tx(struct vhci_device *vdev) +{ + __vhci_cleanup_unlink_list(vdev, &vdev->unlink_tx); +} + +static inline void vhci_cleanup_unlink_rx(struct vhci_device *vdev) +{ + __vhci_cleanup_unlink_list(vdev, &vdev->unlink_rx); +} + +static void vhci_device_unlink_cleanup(struct vhci_device *vdev) +{ + /* give back URBs of unsent unlink requests */ + vhci_cleanup_unlink_tx(vdev); + /* give back URBs of unanswered unlink requests */ + vhci_cleanup_unlink_rx(vdev); +} + /* * The important thing is that only one context begins cleanup. * This is why error handling and cleanup become simple. -- 2.26.2
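Review bot: The new unlink_list parameter in the first hunk (@@ -945) accepts any struct list_head pointer, which is why the helper then needs a run-time WARN() to reject anything other than &vdev->unlink_tx and &vdev->unlink_rx. With only two valid values, a bool or small enum selecting the list would make the invalid case unrepresentable and let the check go. A short comment above __vhci_cleanup_unlink_list() saying that it gives back the URB for every entry on the list, and which locks it takes, would also help.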
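Review bot: Replacing the "while (!list_empty(&vdev->unlink_rx))" plus list_first_entry() loop with list_for_each_entry_safe() in the second hunk (@@ -953) is only safe if vhci->lock and vdev->priv_lock stay held for the whole loop body. The rest of the body is outside the visible context; if it releases the locks around the giveback, the saved tmp entry can be removed and freed by another context in that window, and the next iteration would walk into freed memory. Please confirm the locks are never dropped inside the loop, or keep the list_empty()/list_first_entry() form for both lists. Smaller points in the same hunk: the v2 changelog says WARN_ON() while the code uses WARN() with a message, and kernel style puts the "&&" at the end of the first line of the condition rather than at the start of the continuation line.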
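Review bot: In the third hunk (@@ -1001), vhci_device_unlink_cleanup() now takes and releases vhci->lock and vdev->priv_lock once per list, where the old function acquired them once before walking unlink_tx and then unlink_rx. A comment stating that the tx-then-rx order is intentional, and that the unlocked gap between the two calls is harmless, would make that explicit. The two "static inline" one-line wrappers each have a single caller; calling __vhci_cleanup_unlink_list() directly with the list, and dropping "inline" in a .c file, would be shorter.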