Re: [PATCH] usb: gadget: dummy_hcd: fix data corruption with queued requests

Next message: Shengwen Cheng: "[PATCH] virtio_ring: reject NULL recycle callback in reset/resize helpers"
Previous message: Daniel Golle: "[PATCH net-next v2] net: phy: mxl-gpy: add PHY-level statistics via ethtool"
In reply to: Sebastian Urban: "Re: [PATCH] usb: gadget: dummy_hcd: fix data corruption with queued requests"
Next in thread: Alan Stern: "Re: [PATCH] usb: gadget: dummy_hcd: fix data corruption with queued requests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alan Stern

Date: Sun Mar 15 2026 - 11:21:40 EST

On Sun, Mar 15, 2026 at 03:06:21PM +0000, Sebastian Urban wrote:
> On 3/15/26 15:44, Alan Stern wrote:
> > if (unlikely(len == 0))
> > is_short = 1;
> > else {
> > /* not enough bandwidth left? */
> > if (limit < ep->ep.maxpacket && limit < len)
> > break;
> >
> > It does break out of the loop when there is not enough space remaining
> > in the bandwidth budget for another transaction. But it does so at the
> > start of the iteration following the last allowed transfer, rather than
> > at the end of last transfer's iteration (as your patch does).
> >
> You're right that the existing bandwidth check at line 1444 handles the
> general case of a non-zero request following a partial transfer.
>
> However, if a ZLP follows a partially-transferred request, the check is
> skipped because of the unlikely(len == 0) branch, leading to a false
> complete of the transfer with a shortened length.

How can a ZLP follow a partially transferred request? What follows a
partially transferred request is always the remainder of that request,
which by definition must have length > 0.

Alan Stern

> Thus the bug can only be triggered by a ZLP. I will resubmit the patch
> with an updated commit message.
>