Re: [linux-usb-devel] USB: FIx locks and urb->status in adutux

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <linux-usb-devel@...>

Cc: Pete Zaitcev <zaitcev@...>, <greg@...>, <linux-kernel@...>, <vitalivanov@...>, <netwiz@...>

Subject: Re: [linux-usb-devel] USB: FIx locks and urb->status in adutux

Date: Tuesday, October 23, 2007 - 5:38 am

Am Dienstag 23 Oktober 2007 schrieb Pete Zaitcev:
quoted text> Two main issues fixed here are:
>  - An improper use of in-struct lock to protect an open count
>  - Use of urb status for -EINPROGRESS

quoted text> +	/* XXX Anchor these instead */
> +	spin_lock_irqsave(&dev->buflock, flags);
> +	if (!dev->read_urb_finished) {
> +		spin_unlock_irqrestore(&dev->buflock, flags);
> +		usb_kill_urb(dev->interrupt_in_urb);
> +	} else
> +		spin_unlock_irqrestore(&dev->buflock, flags);
> +
> +	spin_lock_irqsave(&dev->buflock, flags);
> +	if (!dev->out_urb_finished) {
> +		spin_unlock_irqrestore(&dev->buflock, flags);
> +		usb_kill_urb(dev->interrupt_out_urb);
> +	} else
> +		spin_unlock_irqrestore(&dev->buflock, flags);

Why bother? Simply call usb_kill_urb() unconditionally.
  
quoted text>  exit:
> +	mutex_unlock(&dev->mtx);
>  	dbg(2," %s : leave", __FUNCTION__);
>  }
>  
> @@ -162,8 +182,6 @@ static void adu_delete(struct adu_device *dev)
>  {
>  	dbg(2, "%s enter", __FUNCTION__);
>  
> -	adu_abort_transfers(dev);
> -
>  	/* free data structures */
>  	usb_free_urb(dev->interrupt_in_urb);
>  	usb_free_urb(dev->interrupt_out_urb);
> @@ -239,7 +257,10 @@ static void adu_interrupt_out_callback(struct urb *urb)
>  		goto exit;
>  	}
>  
> +	spin_lock(&dev->buflock);
> +	dev->out_urb_finished = 1;
>  	wake_up_interruptible(&dev->write_wait);
> +	spin_unlock(&dev->buflock);

This leaves a race here:

	while (count > 0) {
		spin_lock_irqsave(&dev->buflock, flags);
		if (!dev->out_urb_finished) {
			spin_unlock_irqrestore(&dev->buflock, flags);

			timeout = COMMAND_TIMEOUT;
			while (timeout > 0) {
				if (signal_pending(current)) {
					dbg(1," %s : interrupted", __FUNCTION__);
					retval = -EINTR;
					goto exit;
				}
				mutex_unlock(&dev->mtx);
				timeout = interruptible_sleep_on_timeout(&dev->write_wait, timeout);

You can detect that the urb has not finished but the notification happens before
you go to sleep.

quoted text>  exit:
>  
>  	adu_debug_data(5, __FUNCTION__, urb->actual_length,
> @@ -272,13 +293,11 @@ static int adu_open(struct inode *inode, struct file *file)
>  		goto exit_no_device;
>  	}
>  
> -	/* lock this device */
> -	if ((retval = mutex_lock_interruptible(&dev->mtx))) {
> +	if ((retval = mutex_lock_interruptible(&adutux_mutex))) {
>  		dbg(2, "%s : mutex lock failed", __FUNCTION__);
>  		goto exit_no_device;
>  	}

This is racy:
	dev = usb_get_intfdata(interface);
	if (!dev) {
		retval = -ENODEV;
		goto exit_no_device;
	}

	if ((retval = mutex_lock_interruptible(&adutux_mutex))) {
		dbg(2, "%s : mutex lock failed", __FUNCTION__);
		goto exit_no_device;
	}

You need to manipulate intfdata under lock, or disconnect will
happily free the datastructures.

quoted text>  
> -	/* increment our usage count for the device */
>  	++dev->open_count;
>  	dbg(2,"%s : open count %d", __FUNCTION__, dev->open_count);
>  
> @@ -297,13 +316,14 @@ static int adu_open(struct inode *inode, struct file *file)
>  				 le16_to_cpu(dev->interrupt_in_endpoint->wMaxPacketSize),
>  				 adu_interrupt_in_callback, dev,
>  				 dev->interrupt_in_endpoint->bInterval);
> -		/* dev->interrupt_in_urb->transfer_flags |= URB_ASYNC_UNLINK; */
>  		dev->read_urb_finished = 0;
>  		retval = usb_submit_urb(dev->interrupt_in_urb, GFP_KERNEL);
> -		if (retval)
> +		if (retval) {
> +			dev->read_urb_finished = 1;
>  			--dev->open_count;
> +		}

You should set file->private_data to NULL in the error case.

[..]
quoted text> @@ -486,10 +495,14 @@ static ssize_t adu_read(struct file *file, __user char *buffer, size_t count,
>  				/* we wait for I/O to complete */
>  				set_current_state(TASK_INTERRUPTIBLE);
>  				add_wait_queue(&dev->read_wait, &wait);
> -				if (!dev->read_urb_finished)
> +				spin_lock_irqsave(&dev->buflock, flags);
> +				if (!dev->read_urb_finished) {
> +					spin_unlock_irqrestore(&dev->buflock, flags);
>  					timeout = schedule_timeout(COMMAND_TIMEOUT);

I find it a bit silly to bother with _irqsave if you call schedule_timeout() in the
next line.

	Regards
		Oliver
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Mon Oct 22, 11:34 pm)

Re: [linux-usb-devel] USB: FIx locks and urb->status in adutux, Oliver Neukum, (Tue Oct 23, 5:38 am)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Tue Oct 23, 9:53 pm)

Re: USB: FIx locks and urb->status in adutux, Oliver Neukum, (Wed Oct 24, 10:49 am)

Re: USB: FIx locks and urb->status in adutux, Greg KH, (Wed Oct 24, 5:25 pm)

Re: USB: FIx locks and urb->status in adutux, Vitaliy Ivanov, (Fri Oct 26, 5:57 am)

Re: USB: FIx locks and urb->status in adutux, Vitaliy Ivanov, (Wed Oct 24, 10:09 am)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Wed Oct 24, 11:25 pm)

Re: USB: FIx locks and urb->status in adutux, Vitaliy Ivanov, (Mon Oct 29, 2:04 pm)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Tue Oct 30, 12:24 am)

Re: USB: FIx locks and urb->status in adutux, Vitaliy Ivanov, (Tue Oct 30, 9:09 am)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Tue Oct 30, 5:54 pm)

Re: USB: FIx locks and urb->status in adutux, Vitaliy Ivanov, (Wed Oct 31, 7:54 am)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Wed Oct 31, 6:01 pm)

Re: USB: FIx locks and urb->status in adutux, Vitaliy Ivanov, (Thu Nov 1, 5:06 am)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Thu Nov 1, 1:28 pm)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Wed Oct 24, 11:20 pm)

Re: USB: FIx locks and urb->status in adutux, Pete Zaitcev, (Tue Oct 23, 5:38 pm)

Re: USB: FIx locks and urb->status in adutux, Oliver Neukum, (Wed Oct 24, 10:04 am)


linux-kernel:
Greg KH	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Heiko Carstens	Re: -mm merge plans for 2.6.23 -- sys_fallocate
Tony Lindgren	[PATCH 37/90] ARM: OMAP: MPUIO wake updates
Greg Kroah-Hartman	[PATCH 001/196] Chinese: Add the known_regression URI to the HOWTO
git:

linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Benjamin Herrenschmidt	Re: powerpc allmodconfig
openbsd-misc: