From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Oliver Neukum <oneukum@suse.de>,
Greg Kroah-Hartman <greg@kroah.com>,
Alan Stern <stern@rowland.harvard.edu>,
Christian Lamparter <chunkeey@googlemail.com>
Subject: [55/67] USB: fix thread-unsafe anchor utiliy routines
Date: Wed, 11 Aug 2010 17:06:10 -0700 [thread overview]
Message-ID: <20100812000617.736350512@clark.site> (raw)
In-Reply-To: <20100812000641.GA6348@kroah.com>
2.6.35-stable review patch. If anyone has any objections, please let us know.
------------------
From: Christian Lamparter <chunkeey@googlemail.com>
commit b3e670443b7fb8a2d29831b62b44a039c283e351 upstream.
This patch fixes a race condition in two utility routines
related to the removal/unlinking of urbs from an anchor.
If two threads are concurrently accessing the same anchor,
both could end up with the same urb - thinking they are
the exclusive owner.
Alan Stern pointed out a related issue in
usb_unlink_anchored_urbs:
"The URB isn't removed from the anchor until it completes
(as a by-product of completion, in fact), which might not
be for quite some time after the unlink call returns.
In the meantime, the subroutine will keep trying to unlink
it, over and over again."
Cc: Oliver Neukum <oneukum@suse.de>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/core/urb.c | 50 ++++++++++++++++++++-----------------------------
1 file changed, 21 insertions(+), 29 deletions(-)
--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -137,6 +137,16 @@ void usb_anchor_urb(struct urb *urb, str
}
EXPORT_SYMBOL_GPL(usb_anchor_urb);
+/* Callers must hold anchor->lock */
+static void __usb_unanchor_urb(struct urb *urb, struct usb_anchor *anchor)
+{
+ urb->anchor = NULL;
+ list_del(&urb->anchor_list);
+ usb_put_urb(urb);
+ if (list_empty(&anchor->urb_list))
+ wake_up(&anchor->wait);
+}
+
/**
* usb_unanchor_urb - unanchors an URB
* @urb: pointer to the urb to anchor
@@ -156,17 +166,14 @@ void usb_unanchor_urb(struct urb *urb)
return;
spin_lock_irqsave(&anchor->lock, flags);
- if (unlikely(anchor != urb->anchor)) {
- /* we've lost the race to another thread */
- spin_unlock_irqrestore(&anchor->lock, flags);
- return;
- }
- urb->anchor = NULL;
- list_del(&urb->anchor_list);
+ /*
+ * At this point, we could be competing with another thread which
+ * has the same intention. To protect the urb from being unanchored
+ * twice, only the winner of the race gets the job.
+ */
+ if (likely(anchor == urb->anchor))
+ __usb_unanchor_urb(urb, anchor);
spin_unlock_irqrestore(&anchor->lock, flags);
- usb_put_urb(urb);
- if (list_empty(&anchor->urb_list))
- wake_up(&anchor->wait);
}
EXPORT_SYMBOL_GPL(usb_unanchor_urb);
@@ -749,20 +756,11 @@ EXPORT_SYMBOL_GPL(usb_unpoison_anchored_
void usb_unlink_anchored_urbs(struct usb_anchor *anchor)
{
struct urb *victim;
- unsigned long flags;
- spin_lock_irqsave(&anchor->lock, flags);
- while (!list_empty(&anchor->urb_list)) {
- victim = list_entry(anchor->urb_list.prev, struct urb,
- anchor_list);
- usb_get_urb(victim);
- spin_unlock_irqrestore(&anchor->lock, flags);
- /* this will unanchor the URB */
+ while ((victim = usb_get_from_anchor(anchor)) != NULL) {
usb_unlink_urb(victim);
usb_put_urb(victim);
- spin_lock_irqsave(&anchor->lock, flags);
}
- spin_unlock_irqrestore(&anchor->lock, flags);
}
EXPORT_SYMBOL_GPL(usb_unlink_anchored_urbs);
@@ -799,12 +797,11 @@ struct urb *usb_get_from_anchor(struct u
victim = list_entry(anchor->urb_list.next, struct urb,
anchor_list);
usb_get_urb(victim);
- spin_unlock_irqrestore(&anchor->lock, flags);
- usb_unanchor_urb(victim);
+ __usb_unanchor_urb(victim, anchor);
} else {
- spin_unlock_irqrestore(&anchor->lock, flags);
victim = NULL;
}
+ spin_unlock_irqrestore(&anchor->lock, flags);
return victim;
}
@@ -826,12 +823,7 @@ void usb_scuttle_anchored_urbs(struct us
while (!list_empty(&anchor->urb_list)) {
victim = list_entry(anchor->urb_list.prev, struct urb,
anchor_list);
- usb_get_urb(victim);
- spin_unlock_irqrestore(&anchor->lock, flags);
- /* this may free the URB */
- usb_unanchor_urb(victim);
- usb_put_urb(victim);
- spin_lock_irqsave(&anchor->lock, flags);
+ __usb_unanchor_urb(victim, anchor);
}
spin_unlock_irqrestore(&anchor->lock, flags);
}
next prev parent reply other threads:[~2010-08-12 0:12 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-12 0:06 [00/67] 2.6.35.2 stable review Greg KH
2010-08-12 0:05 ` [01/67] x86, vmware: Preset lpj values when on VMware Greg KH
2010-08-12 0:05 ` [02/67] ata_piix: fix locking around SIDPR access Greg KH
2010-08-12 0:05 ` [03/67] perf, powerpc: fsl_emb: Restore setting perf_sample_data.period Greg KH
2010-08-12 0:05 ` [04/67] powerpc: fix build with make 3.82 Greg KH
[not found] ` <20100812000641.GA6348-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2010-08-12 0:05 ` [05/67] x86, kmmio/mmiotrace: Fix double free of kmmio_fault_pages Greg KH
2010-08-12 0:05 ` Greg KH
2010-08-12 0:05 ` [06/67] x86/PCI: use host bridge _CRS info on ASRock ALiveSATA2-GLAN Greg KH
2010-08-12 0:05 ` [07/67] pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq Greg KH
2010-08-12 0:05 ` [08/67] x86: Add memory modify constraints to xchg() and cmpxchg() Greg KH
2010-08-12 0:05 ` [09/67] staging: rt2870: Add USB ID for Belkin F6D4050 v2 Greg KH
2010-08-12 0:05 ` [10/67] Staging: line6: needs to select SND_PCM Greg KH
2010-08-12 0:05 ` [11/67] Staging: panel: Prevent double-calling of parport_release - fix oops Greg KH
2010-08-12 0:05 ` [12/67] staging: hv: Fix Kconfig dependency of hv_blkvsc Greg KH
2010-08-12 0:05 ` [13/67] serial: add support for OX16PCI958 card Greg KH
2010-08-12 0:05 ` [14/67] PCI: Do not run NVidia quirks related to MSI with MSI disabled Greg KH
2010-08-12 0:05 ` [15/67] PCI: disable MSI on VIA K8M800 Greg KH
2010-08-12 0:05 ` [16/67] solos-pci: Fix race condition in tasklet RX handling Greg KH
2010-08-12 0:05 ` [17/67] x86, mtrr: Use stop machine context to rendezvous all the cpus Greg KH
2010-08-12 0:05 ` [18/67] ALSA: hda - Add PC-beep whitelist for an Intel board Greg KH
2010-08-12 0:05 ` [19/67] Char: nozomi, fix tty->count counting Greg KH
2010-08-12 0:05 ` [20/67] Char: nozomi, set tty->driver_data appropriately Greg KH
2010-08-12 0:05 ` [21/67] mm: fix corruption of hibernation caused by reusing swap during image saving Greg KH
2010-08-12 0:05 ` [22/67] drivers/video/w100fb.c: ignore void return value / fix build failure Greg KH
2010-08-12 0:05 ` [23/67] iwlwifi: fix TX tracer Greg KH
2010-08-12 0:05 ` [24/67] rtl8180: avoid potential NULL deref in rtl8180_beacon_work Greg KH
2010-08-12 0:05 ` [25/67] ipmi: fix ACPI detection with regspacing Greg KH
2010-08-12 0:05 ` [26/67] ide-cd: Do not access completed requests in the irq handler Greg KH
2010-08-12 0:05 ` [27/67] md: move revalidate_disk() back outside open_mutex Greg KH
2010-08-12 0:05 ` [28/67] md: fix another deadlock with removing sysfs attributes Greg KH
2010-08-12 0:05 ` [29/67] md/raid10: fix deadlock with unaligned read during resync Greg KH
2010-08-12 0:05 ` [30/67] e100/e1000*/igb*/ixgb*: Add missing read memory barrier Greg KH
2010-08-12 0:05 ` [31/67] ioat2: catch and recover from broken vtd configurations v6 Greg KH
2010-08-12 0:05 ` [32/67] Fix sget() race with failing mount Greg KH
2010-08-12 0:05 ` [33/67] blkdev: cgroup whitelist permission fix Greg KH
2010-08-12 0:05 ` [34/67] eCryptfs: Handle ioctl calls with unlocked and compat functions Greg KH
2010-08-12 0:05 ` [35/67] ecryptfs: release reference to lower mount if interpose fails Greg KH
2010-08-12 0:05 ` [36/67] fs/ecryptfs/file.c: introduce missing free Greg KH
2010-08-12 0:05 ` [37/67] drbd: Initialize all members of sync_conf to their defaults [Bugz 315] Greg KH
2010-08-12 0:05 ` [38/67] drbd: Disable delay probes for the upcomming release Greg KH
2010-08-12 3:15 ` [Stable-review] " Ben Hutchings
2010-08-12 10:24 ` Lars Ellenberg
2010-08-12 0:05 ` [39/67] bio, fs: update RWA_MASK, READA and SWRITE to match the corresponding BIO_RW_* bits Greg KH
2010-08-12 0:05 ` [40/67] signalfd: fill in ssi_int for posix timers and message queues Greg KH
2010-08-12 0:05 ` [41/67] [ARM] pxa/cm-x300: fix ffuart registration Greg KH
2010-08-12 0:05 ` [42/67] smsc911x: Add spinlocks around registers access Greg KH
2010-08-12 0:05 ` [43/67] ARM: 6299/1: errata: TLBIASIDIS and TLBIMVAIS operations can broadcast a faulty ASID Greg KH
2010-08-12 0:05 ` [44/67] ARM: 6280/1: imx: Fix build failure when including <mach/gpio.h> without <linux/spinlock.h> Greg KH
2010-08-12 0:06 ` [45/67] USB: musb: use correct register widths in register dumps Greg KH
2010-08-12 0:06 ` [46/67] USB: EHCI: remove PCI assumption Greg KH
2010-08-12 0:06 ` [47/67] USB: resizing usbmon binary interface buffer causes protection faults Greg KH
2010-08-12 0:06 ` [48/67] USB delay init quirk for logitech Harmony 700-series devices Greg KH
2010-08-12 0:06 ` [49/67] USB: serial: enabling support for Segway RMP in ftdi_sio Greg KH
2010-08-12 0:06 ` [50/67] USB: option: Huawei ETS 1220 support added Greg KH
2010-08-12 0:06 ` [51/67] USB: option: add huawei k3765 k4505 devices to work properly Greg KH
2010-08-12 0:06 ` [52/67] USB: ftdi_sio: device id for Navitator Greg KH
2010-08-12 0:06 ` [53/67] USB: cp210x: Add four new device IDs Greg KH
2010-08-12 0:06 ` [54/67] USB: usbtest: avoid to free coherent buffer in atomic context Greg KH
2010-08-12 0:06 ` Greg KH [this message]
2010-08-12 0:06 ` [56/67] USB: serial: fix stalled writes Greg KH
2010-08-12 0:06 ` [57/67] Bluetooth: Added support for controller shipped with iMac i5 Greg KH
2010-08-12 0:06 ` [58/67] sched: Revert nohz_ratelimit() for now Greg KH
2010-08-12 0:06 ` [59/67] mtd: mxc_nand: fix unbalanced enable for IRQ Greg KH
2010-08-12 0:06 ` [60/67] mtd: gen_nand: fix support for multiple chips Greg KH
2010-08-12 1:07 ` Marek Vasut
2010-08-12 0:06 ` [61/67] l2tp: fix export of header file for userspace Greg KH
2010-08-12 0:06 ` [62/67] jfs: dont allow os2 xattr namespace overlap with others Greg KH
2010-08-12 0:06 ` [63/67] net: Fix NETDEV_NOTIFY_PEERS to not conflict with NETDEV_BONDING_DESLAVE Greg KH
2010-08-12 0:06 ` [64/67] irq: Add new IRQ flag IRQF_NO_SUSPEND Greg KH
2010-08-12 0:06 ` Greg KH
2010-08-12 0:06 ` [65/67] xen: Do not suspend IPI IRQs Greg KH
2010-08-12 0:06 ` Greg KH
2010-08-12 0:06 ` [66/67] crypto: testmgr - add an option to disable cryptoalgos self-tests Greg KH
2010-08-12 0:06 ` [67/67] ext4: fix freeze deadlock under IO Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100812000617.736350512@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chunkeey@googlemail.com \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oneukum@suse.de \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.