Re: [PATCH] usb: storage: Fix `us->iobuf` size for BOT transmission to prevent memory overflow

From: Alan Stern
Date: Tue Mar 11 2025 - 10:12:58 EST


On Tue, Mar 11, 2025 at 04:41:11PM +0800, Xin Dai wrote:
> When the DWC2 controller detects a packet Babble Error (where a device
> transmits more data over USB than the host controller anticipates for a
> transaction), it follows this process:
>
> 1. The interrupt handler marks the transfer result of the URB as
> `OVERFLOW` and returns it to the USB storage driver.
> 2. The USB storage driver interprets the data phase transfer result of
> the BOT (Bulk-Only Transport) as `USB_STOR_XFER_LONG`.
> 3. The USB storage driver initiates the CSW (Command Status Wrapper)
> phase of the BOT, requests an IN transaction, and retrieves the
> execution status of the corresponding CBW (Command Block Wrapper)
> command.
> 4. The USB storage driver evaluates the CSW and finds it does not meet
> expectations. It marks the entire BOT transfer result as
> `USB_STOR_XFER_ERROR` and notifies the SCSI layer that a `DID_ERROR`
> has occurred during the transfer.
> 5. The USB storage driver requests the DWC2 controller to initiate a
> port reset, notifying the device of an issue with the previous
> transmission.
> 6. The SCSI layer implements a retransmission mechanism.
>
> In step 3, the device remains unaware of the Babble Error until the
> connected port is reset. We observed that the device continues to send
> 512 bytes of data to the host (according to the BBB Transport protocol,
> it should send only 13 bytes). However, the USB storage driver
> pre-allocates a default buffer size of 64 bytes for CBW/CSW, posing a
> risk of memory overflow. To mitigate this risk, we have adjusted the
> buffer size to 512 bytes to prevent potential errors.

There is no risk of memory overflow. The length of the transfer for the
CSW is limited to US_BULK_CS_WRAP_LEN, which is 13. And the length of a
CBW transfer is limited to US_BULK_CB_WRAP_LEN, which is 31 (or to 32
if the US_FL_BULK32 quirk flag is set). Therefore a 64-byte buffer is
more than enough.

Alan Stern
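The point Alan makes, that the length the driver requests for the CSW (US_BULK_CS_WRAP_LEN) bounds what can land in the 64-byte iobuf regardless of how much the device babbles, is shown below as an added example. It is not kernel code: `bulk_in` is a constructed stand-in for a host bulk-IN transfer, `receive_csw`, `csw_parse` and `make_csw_payload` are hypothetical helpers, and the constants reproduce the values quoted in the thread (13-byte CSW, 64-byte buffer, the "USBS" CSW signature).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bulk-Only Transport lengths and CSW signature as quoted in the thread;
 * US_IOBUF_SIZE is the 64-byte buffer the reply refers to. */
#define US_BULK_CS_WRAP_LEN 13
#define US_BULK_CB_WRAP_LEN 31
#define US_BULK_CS_SIGN     0x53425355u   /* "USBS" */
#define US_IOBUF_SIZE       64

enum xfer_result { XFER_GOOD = 0, XFER_SHORT, XFER_LONG, XFER_ERROR };

struct csw {
    uint32_t signature;
    uint32_t tag;
    uint32_t residue;
    uint8_t  status;
};

/* Constructed model of a host bulk-IN transfer (hypothetical helper, not a
 * kernel API): the host requests `requested` bytes into a buffer of
 * `buf_size`; the controller stops writing at `requested`, so anything the
 * device sends beyond that (a babble) is reported as XFER_LONG and never
 * reaches memory. */
static enum xfer_result bulk_in(uint8_t *buf, size_t buf_size, size_t requested,
                                const uint8_t *dev_data, size_t dev_len,
                                size_t *actual)
{
    if (requested > buf_size)
        return XFER_ERROR;              /* caller error: request exceeds buffer */
    size_t n = dev_len < requested ? dev_len : requested;
    memcpy(buf, dev_data, n);
    *actual = n;
    if (dev_len > requested) return XFER_LONG;
    if (dev_len < requested) return XFER_SHORT;
    return XFER_GOOD;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a 13-byte CSW and check signature and tag; 0 on success, -1 otherwise. */
static int csw_parse(const uint8_t *buf, size_t len, uint32_t expected_tag,
                     struct csw *out)
{
    if (len != US_BULK_CS_WRAP_LEN) return -1;
    out->signature = le32(buf);
    out->tag       = le32(buf + 4);
    out->residue   = le32(buf + 8);
    out->status    = buf[12];
    if (out->signature != US_BULK_CS_SIGN || out->tag != expected_tag) return -1;
    return 0;
}

/* CSW phase as the driver sequences it: request exactly US_BULK_CS_WRAP_LEN
 * bytes into the iobuf. Returns the CSW status (0 = passed, 1 = failed) for a
 * valid CSW, or -1 when the transfer is long/short or the wrapper is invalid,
 * which corresponds to the USB_STOR_XFER_ERROR path described in step 4. */
static int receive_csw(uint8_t iobuf[US_IOBUF_SIZE], const uint8_t *dev_data,
                       size_t dev_len, uint32_t expected_tag)
{
    size_t actual = 0;
    struct csw csw;
    enum xfer_result r = bulk_in(iobuf, US_IOBUF_SIZE, US_BULK_CS_WRAP_LEN,
                                 dev_data, dev_len, &actual);
    if (r != XFER_GOOD) return -1;
    if (csw_parse(iobuf, actual, expected_tag, &csw) != 0) return -1;
    return csw.status;
}

/* Build a constructed device response of `total` bytes: a well-formed 13-byte
 * CSW followed by filler, so total == 512 mimics the babbling device. */
static size_t make_csw_payload(uint8_t *out, size_t total, uint32_t tag,
                               uint8_t status)
{
    uint32_t sig = US_BULK_CS_SIGN, residue = 0;
    memset(out, 0xAA, total);
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(sig >> (8 * i));
        out[4 + i] = (uint8_t)(tag >> (8 * i));
        out[8 + i] = (uint8_t)(residue >> (8 * i));
    }
    out[12] = status;
    return total;
}

/* Returns 1 if every iobuf byte past the requested length still holds `sentinel`. */
static int iobuf_tail_intact(const uint8_t iobuf[US_IOBUF_SIZE], uint8_t sentinel)
{
    for (size_t i = US_BULK_CS_WRAP_LEN; i < US_IOBUF_SIZE; i++)
        if (iobuf[i] != sentinel) return 0;
    return 1;
}

int main(void)
{
    uint8_t iobuf[US_IOBUF_SIZE];
    uint8_t dev[512];

    memset(iobuf, 0x5A, sizeof iobuf);
    make_csw_payload(dev, 512, 0x1234, 0);
    printf("babble CSW: result %d, tail intact %d\n",
           receive_csw(iobuf, dev, 512, 0x1234), iobuf_tail_intact(iobuf, 0x5A));

    make_csw_payload(dev, US_BULK_CS_WRAP_LEN, 0x1234, 1);
    printf("normal CSW: status %d\n",
           receive_csw(iobuf, dev, US_BULK_CS_WRAP_LEN, 0x1234));
    return 0;
}
```

The 512-byte response is rejected as a long transfer and only the first 13 bytes are ever copied; the remaining 51 bytes of the 64-byte buffer keep their sentinel, which is the behaviour the reply relies on when it says a 64-byte buffer is more than enough.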