From: Greg KH <gregkh@linuxfoundation.org>
To: Xin Dai <daixin_tkzc@163.com>
Cc: stern@rowland.harvard.edu, linux-usb@vger.kernel.org,
usb-storage@lists.one-eyed-alien.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: storage: Fix `us->iobuf` size for BOT transmission to prevent memory overflow
Date: Tue, 11 Mar 2025 10:48:11 +0100
Message-ID: <2025031142-squealer-shaded-7ef7@gregkh>
In-Reply-To: <20250311084111.322351-1-daixin_tkzc@163.com>
On Tue, Mar 11, 2025 at 04:41:11PM +0800, Xin Dai wrote:
> When the DWC2 controller detects a packet Babble Error, where a device
> transmits more data over USB than the host controller anticipates for a
> transaction, it follows this process:
>
> 1. The interrupt handler marks the transfer result of the URB as
> `OVERFLOW` and returns it to the USB storage driver.
> 2. The USB storage driver interprets the data phase transfer result of
> the BOT (Bulk-Only Transport) as `USB_STOR_XFER_LONG`.
> 3. The USB storage driver initiates the CSW (Command Status Wrapper)
> phase of the BOT, requests an IN transaction, and retrieves the
> execution status of the corresponding CBW (Command Block Wrapper)
> command.
> 4. The USB storage driver evaluates the CSW and finds it does not meet
> expectations. It marks the entire BOT transfer result as
> `USB_STOR_XFER_ERROR` and notifies the SCSI layer that a `DID_ERROR`
> has occurred during the transfer.
> 5. The USB storage driver requests the DWC2 controller to initiate a
> port reset, notifying the device of an issue with the previous
> transmission.
> 6. The SCSI layer implements a retransmission mechanism.
>
> In step 3, the device remains unaware of the Babble Error until the
> connected port is reset. We observed that the device continues to send
> 512 bytes of data to the host (according to the BBB Transport protocol,
> it should send only 13 bytes). However, the USB storage driver
> pre-allocates a default buffer size of 64 bytes for CBW/CSW, posing a
> risk of memory overflow. To mitigate this risk, we have adjusted the
> buffer size to 512 bytes to prevent potential errors.

Where is this memory being overflowed? I see it being used in the
usb_stor_CB_transport() call, should we just be checking the buffer size
there?

Your change just bumps the buffer up, it does not actually check any
tests for when the buffer is written to, which feels like it is not the
correct fix. What's to prevent a device from sending a bigger message
to overflow it?

But again, where exactly is the overflow happening?

thanks,

greg k-h
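As an added illustration of the kind of check Greg asks about (not code from the patch or from the kernel's usb-storage driver), this C model receives the CSW into a 64-byte buffer with a bounded copy and then validates its length and contents. The 512-byte reply is a constructed stand-in for the babbling device described in the thread; the enum, function and canary names are this example's own.

```c
#include <stdint.h>
#include <string.h>
#define US_IOBUF_SIZE       64  /* usb-storage's default CBW/CSW buffer, per the thread */
#define US_BULK_CS_WRAP_LEN 13  /* a BOT Command Status Wrapper is exactly 13 bytes */
enum xfer_result { XFER_GOOD, XFER_SHORT, XFER_LONG };

/* Model of the CSW IN transfer: copy what the device returned into the host buffer,
 * never past its end; a longer reply is truncated and reported as XFER_LONG. */
static enum xfer_result recv_csw(const uint8_t *dev, size_t dev_len,
                                 uint8_t *iobuf, size_t iobuf_len, size_t *actual)
{
    *actual = dev_len < iobuf_len ? dev_len : iobuf_len;
    memcpy(iobuf, dev, *actual);
    if (dev_len > iobuf_len)
        return XFER_LONG;            /* the babble/overflow case from the thread */
    return dev_len == US_BULK_CS_WRAP_LEN ? XFER_GOOD : XFER_SHORT;
}

/* Accept only a full 13-byte CSW with the "USBS" signature, the little-endian tag
 * of the CBW we issued, and a status value the spec defines (0, 1 or 2). */
static int csw_is_valid(const uint8_t *iobuf, size_t actual, const uint8_t tag[4])
{
    return actual == US_BULK_CS_WRAP_LEN && memcmp(iobuf, "USBS", 4) == 0 &&
           memcmp(iobuf + 4, tag, 4) == 0 && iobuf[12] <= 2;
}

/* One CSW phase against a device reply: 1 = accepted, 0 = rejected, -1 = the
 * canary after iobuf was overwritten (the bounded copy must never do this). */
static int csw_phase(const uint8_t *dev, size_t dev_len, const uint8_t tag[4])
{
    struct { uint8_t iobuf[US_IOBUF_SIZE]; uint8_t canary[4]; } us = { {0}, {0xAA, 0xBB, 0xCC, 0xDD} };
    size_t actual;
    enum xfer_result r = recv_csw(dev, dev_len, us.iobuf, sizeof us.iobuf, &actual);
    if (memcmp(us.canary, (const uint8_t[4]){ 0xAA, 0xBB, 0xCC, 0xDD }, 4) != 0)
        return -1;
    return r == XFER_GOOD && csw_is_valid(us.iobuf, actual, tag);
}

/* Constructed scenario 1: a well-formed CSW for tag 0x42 with status 0 (passed). */
int demo_good_csw(void)
{
    const uint8_t csw[13] = { 'U','S','B','S', 0x42,0,0,0, 0,0,0,0, 0 };
    return csw_phase(csw, sizeof csw, csw + 4);
}

/* Constructed scenario 2: a babbling device answers with 512 bytes whose first 13 bytes
 * look like a valid CSW; the bounded receive must still flag and reject it. */
int demo_babble_csw(void)
{
    uint8_t reply[512] = { 'U','S','B','S', 0x42,0,0,0, 0,0,0,0, 0 };
    return csw_phase(reply, sizeof reply, reply + 4);
}
```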