Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1287458lqa; Mon, 29 Apr 2024 04:24:46 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWKrSSaeH06qySXwMZJiBfivvM6RHWj0V7qj3n8gLIIas77C6zXBxjnJAzCq8Qv6qJBbXvynqIDHfnpNScyg6iMyIjQ4/sXn0hxSsXr3w== X-Google-Smtp-Source: AGHT+IFbC94mvLGRvGQI/h4FL87kj4tZMDocwQkpvQeNuGQnjEw6cmQhOO8aXJGJFX2dvcQR0FzD X-Received: by 2002:a17:906:480f:b0:a58:8a33:1a39 with SMTP id w15-20020a170906480f00b00a588a331a39mr9288774ejq.3.1714389886326; Mon, 29 Apr 2024 04:24:46 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714389886; cv=pass; d=google.com; s=arc-20160816; b=NP9YdVcD8clhwYp22Zm96TOxtslyrFIcXbcll5ePIlhngmS+N2H3bUwgJX/aV0DmIc VO+TZiG3g9A2aGha+9458qU8cWJxy4L3aZB+ll+8J+J6KLbbuJzaBCp9OCm2n6vlldoF 1/oWdm5hG14mQImcXZMxnzFEwlLY9mGu+ZpfG5rkIG9o0mTO3R8SF5+gLwCB3iklZj1b Sn3jXxZ2RYe35PeOOgnUod4qi8DXZUs4KnUUvdVTtfh/5nkNWtzMsPKC5FnhS1qLucN9 li4wMLqLrGL7Qeja5wp4UQMen+dwCxH7H2INOK+vMMcJBN9ldNAqTJfIAJ5a8JoGbpPK M0dw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id; bh=sb5Pkg6W+OOPt1JBfskSYYm3OwsIcbVN7zEWgtB36e4=; fh=470tNh+W5jGnAUw7fbOw0GC6lnP4Qkmn3meIK2G6PNk=; b=BbfTjrMKSEdAGAXzInzhS6qbbwR0/whN1UjdGqC590+Hh8feze4zW2toYu9YUwEl5C /eo2yLc8JXDWy2nlXRyP9ogXOkwN+7LYLDEf+AyDGFl+OMZFKwo4nkQxBKDc9pl4fesK WAMCUbcEIl0o3Eh/9WxWcrQ5EzS8Z0erWiWp27TMAyW4yg9pscQxhlrRLM3qxtm4ogFg 8CYNXOcNtdVVEdDNU1TnK+CG5p5wYnUoDFE1atYF9S+hO+vDUDOnGpIXj3wXAVbhYtn9 0rYiiaVYWI5c+HZy/JNC3evxWK6j8UMwQX3fnqlRl6GQx12mSv0le0NZ4sHbi5HsMfRf hl+g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-162135-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-162135-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id bi23-20020a170906a25700b00a46dedc140esi13182009ejb.658.2024.04.29.04.24.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Apr 2024 04:24:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-162135-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-162135-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-162135-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 14D981F22F9C for ; Mon, 29 Apr 2024 11:24:46 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 794B740C09; Mon, 29 Apr 2024 11:24:36 +0000 (UTC) Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 483E73FB84; Mon, 29 Apr 2024 11:24:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.255 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714389876; cv=none; b=TnCpeBaQHq8Njj330vov8Q93pqNuh7bFowZ1D//vXT6wuOex7C5ou2QvzLkiR7uwVVwURlOCfrF7kSIefJ57gEDsvuznV+LH9lwdFCgWZOK5kqVMfPSTU8alRx1NBrntejzMUcjSJlHHtHc/pgvu8xzXpwGg74h5oYQylKDuW3I= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714389876; c=relaxed/simple; bh=GGk8NpWnVKyXH0ro+J0lf0GfBw6k69PSAkEgfc9+Me4=; h=Message-ID:Date:MIME-Version:Subject:To:CC:References:From: In-Reply-To:Content-Type; b=L9YShDgKAR53AJagJc6jzxmHUtivSb9LhxTzHiNYkAEf3WEWBUnJa3BSfrgU6e6I23HvESsYd9lTQL7Qgj058SPNfxmvIlA/vcwVgltof0wzdsxFvYMapR0+RoknivlnwspX828d9f2MDm6ctEHIy0aTlerAtp/m5dH3tnBvilo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=45.249.212.255 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.19.162.254]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4VSgr96mvFz1R9wY; Mon, 29 Apr 2024 19:21:13 +0800 (CST) Received: from dggpeml500012.china.huawei.com (unknown [7.185.36.15]) by mail.maildlp.com (Postfix) with ESMTPS id 0D5E018007C; Mon, 29 Apr 2024 19:24:22 +0800 (CST) Received: from [10.67.111.172] (10.67.111.172) by dggpeml500012.china.huawei.com (7.185.36.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Mon, 29 Apr 2024 19:24:21 +0800 Message-ID: <5c0359c7-502f-fe8b-c1ee-3470b36b586c@huawei.com> Date: Mon, 29 Apr 2024 19:24:21 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Subject: Re: [PATCH] media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() To: CC: , , Zheng Yejian References: <20240412135256.1546051-1-zhengyejian1@huawei.com> Content-Language: en-US From: Zheng Yejian In-Reply-To: <20240412135256.1546051-1-zhengyejian1@huawei.com> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To dggpeml500012.china.huawei.com (7.185.36.15) On 2024/4/12 21:52, Zheng Yejian wrote: > Infinite log printing occurs during fuzz test: > > rc rc1: DViCO FusionHDTV DVB-T USB (LGZ201) as ... > ... > dvb-usb: schedule remote query interval to 100 msecs. > dvb-usb: DViCO FusionHDTV DVB-T USB (LGZ201) successfully initialized ... > dvb-usb: bulk message failed: -22 (1/0) > dvb-usb: bulk message failed: -22 (1/0) > dvb-usb: bulk message failed: -22 (1/0) > ... > dvb-usb: bulk message failed: -22 (1/0) > > Looking into the codes, there is a loop in dvb_usb_read_remote_control(), > that is in rc_core_dvb_usb_remote_init() create a work that will call > dvb_usb_read_remote_control(), and this work will reschedule itself at > 'rc_interval' intervals to recursively call dvb_usb_read_remote_control(), > see following code snippet: > > rc_core_dvb_usb_remote_init() { > ... > INIT_DELAYED_WORK(&d->rc_query_work, dvb_usb_read_remote_control); > schedule_delayed_work(&d->rc_query_work, > msecs_to_jiffies(rc_interval)); > ... > } > > dvb_usb_read_remote_control() { > ... > err = d->props.rc.core.rc_query(d); > if (err) > err(...) // Did not return even if query failed > schedule_delayed_work(&d->rc_query_work, > msecs_to_jiffies(rc_interval)); > } > > When the infinite log printing occurs, the query callback > 'd->props.rc.core.rc_query' is cxusb_rc_query(). And the log is due to > the failure of finding a valid 'generic_bulk_ctrl_endpoint' > in usb_bulk_msg(), see following code snippet: > > cxusb_rc_query() { > cxusb_ctrl_msg() { > dvb_usb_generic_rw() { > ret = usb_bulk_msg(d->udev, usb_sndbulkpipe(d->udev, > d->props.generic_bulk_ctrl_endpoint),...); > if (ret) > err("bulk message failed: %d (%d/%d)",ret,wlen,actlen); > ... > } > ... > } > > By analyzing the corresponding USB descriptor, it shows that the > bNumEndpoints is 0 in its interface descriptor, but > the 'generic_bulk_ctrl_endpoint' is 1, that means user don't configure > a valid endpoint for 'generic_bulk_ctrl_endpoint', therefore this > 'invalid' USB device should be rejected before it calls into > dvb_usb_read_remote_control(). > > To fix it, iiuc, we can add endpoint check in dvb_usb_adapter_init(). > > Signed-off-by: Zheng Yejian > --- > drivers/media/usb/dvb-usb/dvb-usb-init.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > Hi, I'm not very familiar with USB driver, and I'm not sure the > type check is appropriate or not here. Would be any device properties > that allow 'generic_bulk_ctrl_endpoint' not being configured, or would > it be configured late after init ? :) > Kindly ping :) Hi, Mauro, would you mind taking a look at this code ? -- Thanks, Zheng Yejian > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c > index fbf58012becd..48e7b9fb93dd 100644 > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c > @@ -104,6 +104,14 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) > * sometimes a timeout occurs, this helps > */ > if (d->props.generic_bulk_ctrl_endpoint != 0) { > + ret = usb_pipe_type_check(d->udev, usb_sndbulkpipe(d->udev, > + d->props.generic_bulk_ctrl_endpoint)); > + if (ret) > + goto frontend_init_err; > + ret = usb_pipe_type_check(d->udev, usb_rcvbulkpipe(d->udev, > + d->props.generic_bulk_ctrl_endpoint)); > + if (ret) > + goto frontend_init_err; > usb_clear_halt(d->udev, usb_sndbulkpipe(d->udev, d->props.generic_bulk_ctrl_endpoint)); > usb_clear_halt(d->udev, usb_rcvbulkpipe(d->udev, d->props.generic_bulk_ctrl_endpoint)); > }