Fund: Kernel: Potential infinite loop in USB transfer polling

An infinite loop was observed when attaching a (physical) custom device with an FTDI USB UART IC. The following snippet is the offending code:

size_t UHCIController::poll_transfer_queue(QueueHead& transfer_queue)
{
    Transfer* transfer = transfer_queue.transfer();
    TransferDescriptor* descriptor = transfer_queue.get_first_td();
    bool transfer_still_in_progress = false;
    size_t transfer_size = 0;

    while (descriptor) {
        u32 status = descriptor->status();

        if (status & TransferDescriptor::StatusBits::Active) {
            transfer_still_in_progress = true;
            break;
        }

        if (status & TransferDescriptor::StatusBits::ErrorMask) {
            transfer->set_complete();
            transfer->set_error_occurred();
            dbgln_if(UHCI_DEBUG, "UHCIController: Transfer failed! Reason: {:08x}", status);
            return 0;
        }

        transfer_size += descriptor->actual_packet_length();
        descriptor = descriptor->next_td();
    }

    if (!transfer_still_in_progress)
        transfer->set_complete();

    return transfer_size;
}

If the transfer is for whatever reason always Active, then the caller of this function which waits on transfer.complete() to be true never exits. This results in the UHCI Hotplug kernel daemon chewing up 100% of the CPU until the device is removed, in which case an assertion is thrown (transfer_size > 0) as the transfer obviously fails. I haven't gone over the datasheet for the IC yet to see what spec it is compliant too, but it should be USB 2.0 from memory (probably Full-speed). The best way to debug this would be to turn on QEMU tracing, which will show the data inside of the descriptors currently being executed by the UHCI controller.

Offending Device information

ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC

SerenityOS/serenity

Kernel: Potential infinite loop in USB transfer polling

How does funding with Polar work?

Backer

Contributor

Maintainer

SerenityOS/serenity

Kernel: Potential infinite loop in USB transfer polling

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?