Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1861916lqa; Tue, 30 Apr 2024 01:04:25 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVJzmP5yHLClbTYwA02Wp3HDfhjZAbgM3byhi9JRChAkRnvK2bVMPoV6r41rIzVzLPTqk/zBkaeBwXCSIjS2MmR+VP6Qa+u2XINeu5ncg== X-Google-Smtp-Source: AGHT+IFo05WC0WHHb22/uh3h5T1FHQNWxBvCHWaAEzX5sLLASCjnGO1OAENkkZ8A7QmAGnAPQvUc X-Received: by 2002:a05:620a:45a1:b0:78e:fcf0:40a5 with SMTP id bp33-20020a05620a45a100b0078efcf040a5mr2194768qkb.76.1714464265234; Tue, 30 Apr 2024 01:04:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714464265; cv=pass; d=google.com; s=arc-20160816; b=M4Lcv7/vTR+YsI/19id9Dfkoc5w6tMioIziuwY/gyY0xE/6611/GEmJn944Sqzkn2p poB1v61ysEITaOBaIy9awN4IvXalYFwDSYaBH5jt7M9Ev3MZOAn8j47JqltzunBIXl81 NyfFdYViFDJxOzmIx6soCaGazcab8aA2xyKdnTTlkoDTTFzoPLVlWi6nCXwxX636D/ks buJZp1FtnJgpGqJOYxv+yuxftfd4bFuuFVVAj7RQEnwBhXXIksPhISlPULISU5smb4Hs DUTKJdjaCx/Vs7yk9bH/SeUgy+vRVbATnNxFKq/LKDuzNRC4/692GC+xe/GbbcIApe4P bWjg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=ZLDHTwqQKTpNcdbMQgE14RtSjmJQ9IbjIvaDUXvp7oA=; fh=y1pyUhSVyYHjRmoBJ2lgvRfhJddSnepQTs4phW+mh64=; b=oj6Ezs8wX+q8sMIXM0LKDt4a0X7cUbXxPRPbBCRr91wLKcHTZt+otGdU0eOhSvSR0f e7t7wI3tLUMS9KL6syJx6YByGHlram1qkVt7cHJZiK1LXFcmUZT6uou0Soszu/6vgk8x 57/azjyyPhQTWxFazyVbzk7G22L7JHEz0asyTvVI69rG5QR2F1dH1qSWocBLMeLcKa2V qjf2GRKBd6UBq5QqMRdqaBV2DQJ7IpE6muE4NUiv/QJ12+1i/yQ+sXyNgDTNBFVapYIU 58amIk2KwtliYTXrH/uekZMsfk20ERSZ0SlGBCu/RUktNIib5LQ6kedsUEpIAdytOq+9 WfWg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@mess.org header.s=2020 header.b=eP2MHSQe; arc=pass (i=1 spf=pass spfdomain=mess.org dkim=pass dkdomain=mess.org dmarc=pass fromdomain=mess.org); spf=pass (google.com: domain of linux-kernel+bounces-163517-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-163517-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mess.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id wh13-20020a05620a56cd00b00790f6c6a1b7si3694237qkn.772.2024.04.30.01.04.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Apr 2024 01:04:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-163517-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@mess.org header.s=2020 header.b=eP2MHSQe; arc=pass (i=1 spf=pass spfdomain=mess.org dkim=pass dkdomain=mess.org dmarc=pass fromdomain=mess.org); spf=pass (google.com: domain of linux-kernel+bounces-163517-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-163517-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mess.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id D015E1C22314 for ; Tue, 30 Apr 2024 08:04:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2EAA74594D; Tue, 30 Apr 2024 08:04:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mess.org header.i=@mess.org header.b="eP2MHSQe" Received: from gofer.mess.org (gofer.mess.org [88.97.38.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 79E9A41232; Tue, 30 Apr 2024 08:04:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=88.97.38.141 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714464257; cv=none; b=CfsjXm8qeLkmENIV6JzMti8c9ql/ZqmqLTvIiU9XP6Pd6cFJKqX5MQdAZ0n2CtAg5+R1marLNo1ETrj6aqZ85sdyHXPZ0EL/XlowS4TxxCMRb1wxf2BLPb4aHA+f5v7Ip2tXKlJNx+9d7ifGH2yEmoQsy6mGJZnmq3K8GyeRzU8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714464257; c=relaxed/simple; bh=Z1D2LTONy2JcTIil02F/WJtl0DUhIpE4YgdNGJBPS08=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=mk2pUJ7//7s8FB6wYcuaiQTEnt/TCENRAPNkpkLhqxALaE3vjeTALMoE6LTjAIkW8o72/7ee/LL/d9oybMRTBvH3FIPSht+2auebWHKXSn55p15e/u7sP0z+qBM2PqQ3y2B/BumTuPb8ypqp8fntgzuQMZD29uQ8MfT/IXExGFg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mess.org; spf=pass smtp.mailfrom=mess.org; dkim=pass (2048-bit key) header.d=mess.org header.i=@mess.org header.b=eP2MHSQe; arc=none smtp.client-ip=88.97.38.141 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mess.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mess.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mess.org; s=2020; t=1714464247; bh=Z1D2LTONy2JcTIil02F/WJtl0DUhIpE4YgdNGJBPS08=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=eP2MHSQekscdLBQR9ayy1ukTur6fu0LwVRGn2jcmA9mD2g7V6pgbVvu0f60x1s0dc Y3wpZQOuYCuVqUQUT8vzpsiqReRbPya9cO/H9Yw/HORuptiOX3WQPiTTfZbGaWV2kG mhHSuUKupHdKTwT9e7k6r28PUi+H2fLIIya80m3G8TzMloWrm9orXdHPXym8IzV+Oo 6E4VnQfmlhr8i0aIV9fNXWm1SgDH6a7Tfpp5yPv6Wx+js8yVQlikHn2V7Nr0rITNuT /Jrt/x4pNhwtoH1rb86cW3ZWaopy2/OMpuGthJ3Vx7a2PH3RdCqBykevJOjLIIQmcB Q+1ijHFLxeJKw== Received: by gofer.mess.org (Postfix, from userid 1000) id 499A110005E; Tue, 30 Apr 2024 09:04:07 +0100 (BST) Date: Tue, 30 Apr 2024 09:04:07 +0100 From: Sean Young To: Zheng Yejian Cc: mchehab@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() Message-ID: References: <20240412135256.1546051-1-zhengyejian1@huawei.com> <5c0359c7-502f-fe8b-c1ee-3470b36b586c@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5c0359c7-502f-fe8b-c1ee-3470b36b586c@huawei.com> On Mon, Apr 29, 2024 at 07:24:21PM +0800, Zheng Yejian wrote: > On 2024/4/12 21:52, Zheng Yejian wrote: > > Infinite log printing occurs during fuzz test: > > > > rc rc1: DViCO FusionHDTV DVB-T USB (LGZ201) as ... > > ... > > dvb-usb: schedule remote query interval to 100 msecs. > > dvb-usb: DViCO FusionHDTV DVB-T USB (LGZ201) successfully initialized ... > > dvb-usb: bulk message failed: -22 (1/0) > > dvb-usb: bulk message failed: -22 (1/0) > > dvb-usb: bulk message failed: -22 (1/0) > > ... > > dvb-usb: bulk message failed: -22 (1/0) > > > > Looking into the codes, there is a loop in dvb_usb_read_remote_control(), > > that is in rc_core_dvb_usb_remote_init() create a work that will call > > dvb_usb_read_remote_control(), and this work will reschedule itself at > > 'rc_interval' intervals to recursively call dvb_usb_read_remote_control(), > > see following code snippet: > > > > rc_core_dvb_usb_remote_init() { > > ... > > INIT_DELAYED_WORK(&d->rc_query_work, dvb_usb_read_remote_control); > > schedule_delayed_work(&d->rc_query_work, > > msecs_to_jiffies(rc_interval)); > > ... > > } > > > > dvb_usb_read_remote_control() { > > ... > > err = d->props.rc.core.rc_query(d); > > if (err) > > err(...) // Did not return even if query failed > > schedule_delayed_work(&d->rc_query_work, > > msecs_to_jiffies(rc_interval)); > > } > > > > When the infinite log printing occurs, the query callback > > 'd->props.rc.core.rc_query' is cxusb_rc_query(). And the log is due to > > the failure of finding a valid 'generic_bulk_ctrl_endpoint' > > in usb_bulk_msg(), see following code snippet: > > > > cxusb_rc_query() { > > cxusb_ctrl_msg() { > > dvb_usb_generic_rw() { > > ret = usb_bulk_msg(d->udev, usb_sndbulkpipe(d->udev, > > d->props.generic_bulk_ctrl_endpoint),...); > > if (ret) > > err("bulk message failed: %d (%d/%d)",ret,wlen,actlen); > > ... > > } > > ... > > } > > > > By analyzing the corresponding USB descriptor, it shows that the > > bNumEndpoints is 0 in its interface descriptor, but > > the 'generic_bulk_ctrl_endpoint' is 1, that means user don't configure > > a valid endpoint for 'generic_bulk_ctrl_endpoint', therefore this > > 'invalid' USB device should be rejected before it calls into > > dvb_usb_read_remote_control(). > > > > To fix it, iiuc, we can add endpoint check in dvb_usb_adapter_init(). > > > > Signed-off-by: Zheng Yejian > > --- > > drivers/media/usb/dvb-usb/dvb-usb-init.c | 8 ++++++++ > > 1 file changed, 8 insertions(+) > > > > Hi, I'm not very familiar with USB driver, and I'm not sure the > > type check is appropriate or not here. Would be any device properties > > that allow 'generic_bulk_ctrl_endpoint' not being configured, or would > > it be configured late after init ? :) > > > > Kindly ping :) > Hi, Mauro, would you mind taking a look at this code ? > > -- > Thanks, > Zheng Yejian > > > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c > > index fbf58012becd..48e7b9fb93dd 100644 > > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c > > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c > > @@ -104,6 +104,14 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) > > * sometimes a timeout occurs, this helps > > */ > > if (d->props.generic_bulk_ctrl_endpoint != 0) { > > + ret = usb_pipe_type_check(d->udev, usb_sndbulkpipe(d->udev, > > + d->props.generic_bulk_ctrl_endpoint)); > > + if (ret) > > + goto frontend_init_err; > > + ret = usb_pipe_type_check(d->udev, usb_rcvbulkpipe(d->udev, > > + d->props.generic_bulk_ctrl_endpoint)); > > + if (ret) > > + goto frontend_init_err; > > usb_clear_halt(d->udev, usb_sndbulkpipe(d->udev, d->props.generic_bulk_ctrl_endpoint)); > > usb_clear_halt(d->udev, usb_rcvbulkpipe(d->udev, d->props.generic_bulk_ctrl_endpoint)); > > } > Thank you for your patch. I think your change looks good. The only comment I have is that the same check should be done for generic_bulk_ctrl_endpoint_response as well; the usb_clear_halt() should be done as well, I think. Thanks Sean