From: Oliver Neukum <oneukum@suse.de>
To: Ming Lei <ming.lei@canonical.com>
Cc: Alan Stern <stern@rowland.harvard.edu>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Kosina <jkosina@suse.cz>,
linux-usb@vger.kernel.org, linux-input@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] hid: usbhid: fix possible deadlock in __usbhid_submit_report
Date: Fri, 20 Apr 2012 09:57:34 +0200 [thread overview]
Message-ID: <201204200957.34154.oneukum@suse.de> (raw)
In-Reply-To: <CACVXFVPZQNNvGk0cn4XWDTKd_s71V0Yd9nZJ3nkEg1Qh7W+B5g@mail.gmail.com>
Am Freitag, 20. April 2012, 04:10:09 schrieb Ming Lei:
> On Fri, Apr 20, 2012 at 12:11 AM, Oliver Neukum <oneukum@suse.de> wrote:
> > Am Donnerstag, 19. April 2012, 15:51:04 schrieb Ming Lei:
> >> The URB complete handler may be called by usb_unlink_urb directly,
> >> so deadlock will be triggered in __usbhid_submit_report since
> >> usbhid->lock is to be acquired in ctrl/out URB complete handler
> >> but it is hold before calling usb_unlink_urb.
> >>
> >> This patch avoids the deadlock by releasing the lock before
> >> calling usb_unlink_urb.
> >>
> >> CC: <stable@vger.kernel.org>
> >> Signed-off-by: Ming Lei <ming.lei@canonical.com>
> >> ---
> >> drivers/hid/usbhid/hid-core.c | 16 ++++++++++------
> >> 1 file changed, 10 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> >> index aa1c503..b5d07da 100644
> >> --- a/drivers/hid/usbhid/hid-core.c
> >> +++ b/drivers/hid/usbhid/hid-core.c
> >> @@ -543,11 +543,13 @@ static void __usbhid_submit_report(struct hid_device *hid, struct hid_report *re
> >> * the queue is known to run
> >> * but an earlier request may be stuck
> >> * we may need to time out
> >> - * no race because this is called under
> >> - * spinlock
> >> + * release spinlock to avoid deadlock.
> >> */
> >> - if (time_after(jiffies, usbhid->last_out + HZ * 5))
> >> + if (time_after(jiffies, usbhid->last_out + HZ * 5)) {
> >> + spin_unlock(&usbhid->lock);
> >> usb_unlink_urb(usbhid->urbout);
> >> + spin_lock(&usbhid->lock);
> >
> > The problem indeed exists on some HCDs.
> > I am afraid if you drop the lock there you introduce a race whereby
> > you might unlink the wrong request.
>
> The complete handler is called just one time per one submit in either
Indeed.
> irq path or unlink path. Secondly, usb_unlink_urb itself is race free.
> Finally, usb_unlink_urb was always the last function called inside
> __usbhid_submit_report.
But under spinlock.
> So I don't see any races can be introduced by the patch.
You are racing with hid_irq_out(). It calls hid_submit_out()
under lock. So if hid_irq_out() is running between dropping
the lock and usb_unlink_urb() you may kill the newly submitted
urb, not the old urb that has timed out.
You must make sure that between the times you check usbhid->last_out
and calling unlink hid_submit_out() cannot be called.
You can't just drop the lock (at least on SMP)
Regards
Oliver
next prev parent reply other threads:[~2012-04-20 8:01 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-19 13:51 [PATCH] hid: usbhid: fix possible deadlock in __usbhid_submit_report Ming Lei
[not found] ` <1334843464-1585-1-git-send-email-ming.lei-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2012-04-19 16:11 ` Oliver Neukum
2012-04-20 2:10 ` Ming Lei
2012-04-20 7:57 ` Oliver Neukum [this message]
[not found] ` <201204200957.34154.oneukum-l3A5Bk7waGM@public.gmane.org>
2012-04-20 10:17 ` Ming Lei
2012-04-20 10:45 ` Oliver Neukum
2012-04-20 12:53 ` Ming Lei
2012-04-20 14:07 ` Oliver Neukum
[not found] ` <201204201245.44981.oneukum-l3A5Bk7waGM@public.gmane.org>
2012-04-20 13:30 ` Ming Lei
2012-04-21 0:37 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.1204202032530.19313-100000-pYrvlCTfrz9XsRXLowluHWD2FQJk+8+b@public.gmane.org>
2012-04-21 10:25 ` Oliver Neukum
2012-04-21 13:40 ` Ming Lei
2012-04-21 17:31 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.1204211327090.475-100000-pYrvlCTfrz9XsRXLowluHWD2FQJk+8+b@public.gmane.org>
2012-04-21 19:28 ` Oliver Neukum
2012-04-21 21:49 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.1204211717310.3981-100000-pYrvlCTfrz9XsRXLowluHWD2FQJk+8+b@public.gmane.org>
2012-04-22 10:51 ` Ming Lei
2012-04-22 12:50 ` Alan Stern
2012-04-22 13:52 ` Ming Lei
2012-04-23 15:42 ` Alan Stern
2012-04-24 4:19 ` Ming Lei
2012-04-24 14:22 ` Oliver Neukum
2012-04-24 15:46 ` Ming Lei
2012-04-24 18:57 ` Oliver Neukum
2012-04-25 1:27 ` Ming Lei
2012-04-25 6:19 ` Oliver Neukum
2012-04-25 6:32 ` Oliver Neukum
2012-04-25 7:02 ` Ming Lei
[not found] ` <CACVXFVMEttnWo34ZxBsm4vdW1y5f5mBjY1s6BVbbsjck-4cSbA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-04-25 8:08 ` Oliver Neukum
[not found] ` <CACVXFVNhPKbFZN5AjT3BNdNP+3bZP7miJZrBEER97scMR5nNAQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-04-24 15:20 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.1204241110160.1511-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2012-04-25 0:27 ` Ming Lei
[not found] ` <Pine.LNX.4.44L0.1204231121200.1612-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2012-04-24 14:35 ` Oliver Neukum
2012-04-24 15:10 ` Alan Stern
2012-04-25 8:06 ` Oliver Neukum
2012-04-25 9:14 ` Ming Lei
[not found] ` <CACVXFVM6KMeMcXy549x9XqhqvCzq73pXvhLki363=KjQu2Nfsg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-04-25 10:52 ` Oliver Neukum
2012-04-25 11:24 ` Huajun Li
[not found] ` <CA+v9cxYi-LC-gXMbP7J81ArCjwQJZQ=9ceu66W0QQe+6UD_LvQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-04-25 11:33 ` Oliver Neukum
2012-04-25 13:18 ` Ming Lei
[not found] ` <201204251252.55901.oneukum-l3A5Bk7waGM@public.gmane.org>
2012-04-25 15:19 ` Alan Stern
2012-04-26 22:44 ` Jiri Kosina
2012-04-26 23:40 ` Greg Kroah-Hartman
2012-04-23 8:21 ` Oliver Neukum
2012-04-22 11:53 ` Ming Lei
2012-04-22 12:54 ` Alan Stern
[not found] ` <CACVXFVOQpYcHUj3XApyCVWDuvUEKi+RSWC8Ly4Dnj7vrun68cg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-04-23 8:24 ` Oliver Neukum
[not found] ` <CACVXFVP42WL2aVDGSn0BF0NJbg824VsU=Fs30XKEif6siOrQvw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-04-20 21:59 ` Dmitry Torokhov
2012-04-21 1:06 ` Ming Lei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201204200957.34154.oneukum@suse.de \
--to=oneukum@suse.de \
--cc=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=linux-input@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=ming.lei@canonical.com \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.