public inbox for linux-kernel@vger.kernel.org
From: Oliver Neukum <oneukum@suse.com>
To: Anton Volkov <avolkov@ispras.ru>,
	koyama@firstlight.net, dignome@gmail.com, johan@kernel.org
Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>,
	gregkh@linuxfoundation.org, ldv-project@linuxtesting.org,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: Possible bug in cypress_m8.ko
Date: Tue, 22 Aug 2017 16:18:43 +0200	[thread overview]
Message-ID: <1503411523.6831.6.camel@suse.com> (raw)
In-Reply-To: <fcbc78fa-7b76-cad1-9a66-041f793df4a7@ispras.ru>

On Tuesday, 22.08.2017, 15:11 +0300, Anton Volkov wrote:
> Hello.
> 
> Judging by the code of cypress_m8.c some functions are considered to be 
> capable of working concurrently with other functions, e.g. cypress_open.
> There are, however, entities that are protected by the locks at one 
> place and not protected in another. Lines are given using the info from 
> Linux kernel v4.12. Example:
> 
> cypress_send
>    spin_lock_irqsave
>    priv->write_urb_in_use = 1;
>    spin_unlock_irqrestore
>    (cypress_m8.c: lines 761-763)
>    ...
>    if (result) {
>       priv->write_urb_in_use = 0; //without lock protection
>       (cypress_m8.c: line 783)
>    }
> 
> Is it a bug?

Yes, but not of the kind you describe.
The transition from "not in use" to "in use" must be guarded by
a lock, because it may be contended.
But if that transition is properly guarded, you already know
that there can be only one user. He can theoretically give up
the resource without locking.

Yet there is a bug:

^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  702)       spin_lock_irqsave(&priv->lock, flags);
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  703)       if (priv->write_urb_in_use) {
441b62c1edb98 (Harvey Harrison    2008-03-03 16:08:34 -0800  704)               dbg("%s - can't write, urb in use", __func__);
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  705)               spin_unlock_irqrestore(&priv->lock, flags);
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  706)               return;
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  707)       }
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  708)       spin_unlock_irqrestore(&priv->lock, flags);

The flag is checked under a lock. But then the lock is dropped.
And here:

^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  759)       spin_lock_irqsave(&priv->lock, flags);
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  760)       priv->write_urb_in_use = 1;
^1da177e4c3f4 (Linus Torvalds     2005-04-16 15:20:36 -0700  761)       spin_unlock_irqrestore(&priv->lock, flags);

The flag is set under lock, but unconditionally.
The code just makes no sense.


In addition, when you drop the flag without a lock you need to worry
about memory ordering.

	HTH
		Oliver
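To make the interleaving described above concrete, here is an added example; it is not the driver's code and not part of this thread. It is a user-space C model of the two shapes: a C11 atomic_flag spinlock stands in for priv->lock and spin_lock_irqsave(), and the names priv_model, buggy_check, buggy_set, claim_fixed and release_urb_model are invented for the demo. The buggy shape checks the flag in one critical section and sets it unconditionally in a later one, so two callers that interleave check-check-set-set both believe they own the write URB. The fixed shape does the test and the set in one critical section, and the owner's release is a release-ordered store so its earlier writes are visible before the next claimant sees the flag clear.

```c
/*
 * Added example modelling the cypress_m8 write_urb_in_use discussion.
 * Not kernel code: a spinlock built from atomic_flag stands in for
 * priv->lock, and all names here are invented for the demonstration.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { atomic_flag held; } spinlock_model;

static void spin_lock_model(spinlock_model *l)
{
    /* acquire: everything after this sees the previous owner's writes */
    while (atomic_flag_test_and_set_explicit(&l->held, memory_order_acquire))
        ; /* spin */
}

static void spin_unlock_model(spinlock_model *l)
{
    atomic_flag_clear_explicit(&l->held, memory_order_release);
}

struct priv_model {
    spinlock_model lock;         /* stands in for priv->lock */
    atomic_int write_urb_in_use; /* the flag under discussion */
};

static void priv_model_init(struct priv_model *p)
{
    atomic_flag_clear(&p->lock.held);
    atomic_init(&p->write_urb_in_use, 0);
}

/* Buggy shape, first critical section: check the flag, then drop the lock. */
static bool buggy_check(struct priv_model *p)
{
    spin_lock_model(&p->lock);
    bool busy = atomic_load_explicit(&p->write_urb_in_use, memory_order_relaxed);
    spin_unlock_model(&p->lock);
    return !busy; /* true: the caller believes it may proceed */
}

/* Buggy shape, second critical section: set the flag unconditionally. */
static void buggy_set(struct priv_model *p)
{
    spin_lock_model(&p->lock);
    atomic_store_explicit(&p->write_urb_in_use, 1, memory_order_relaxed);
    spin_unlock_model(&p->lock);
}

/* Two callers interleaved check, check, set, set: returns how many "won". */
int buggy_interleaving(void)
{
    struct priv_model p;
    int winners = 0;
    priv_model_init(&p);
    bool a_ok = buggy_check(&p); /* caller A sees 0 and proceeds */
    bool b_ok = buggy_check(&p); /* lock was dropped, B also sees 0 */
    if (a_ok) { buggy_set(&p); winners++; }
    if (b_ok) { buggy_set(&p); winners++; } /* second owner of the same URB */
    return winners; /* 2: the check protected nothing */
}

/* Fixed shape: test and set in one critical section, the contended transition. */
static bool claim_fixed(struct priv_model *p)
{
    spin_lock_model(&p->lock);
    if (atomic_load_explicit(&p->write_urb_in_use, memory_order_relaxed)) {
        spin_unlock_model(&p->lock);
        return false; /* "can't write, urb in use" */
    }
    atomic_store_explicit(&p->write_urb_in_use, 1, memory_order_relaxed);
    spin_unlock_model(&p->lock);
    return true;
}

/*
 * Release by the single owner: no lock needed for the 1 -> 0 transition,
 * but the store is a release so the owner's earlier writes are ordered
 * before the flag is observed clear (the memory-ordering caveat).
 */
static void release_urb_model(struct priv_model *p)
{
    atomic_store_explicit(&p->write_urb_in_use, 0, memory_order_release);
}

/* Same two callers against the fixed shape: exactly one wins. */
int fixed_interleaving(void)
{
    struct priv_model p;
    int winners = 0;
    priv_model_init(&p);
    if (claim_fixed(&p)) winners++; /* A wins */
    if (claim_fixed(&p)) winners++; /* B is refused */
    return winners; /* 1 */
}

/* After the owner releases, a fresh claim succeeds again. */
bool reclaim_after_release(void)
{
    struct priv_model p;
    priv_model_init(&p);
    if (!claim_fixed(&p)) return false;
    release_urb_model(&p);
    return claim_fixed(&p); /* true */
}

int main(void)
{
    printf("buggy shape: %d owners\n", buggy_interleaving());
    printf("fixed shape: %d owner(s)\n", fixed_interleaving());
    printf("reclaim after release: %s\n", reclaim_after_release() ? "ok" : "failed");
    return 0;
}
```

The two-caller interleaving is written out by hand rather than raced with threads so the result is deterministic; in the driver the same interleaving needs two contexts to enter cypress_send between the check and the set. If the lock were dropped deliberately for the work in between, the kernel idiom that keeps the transition atomic without it is test_and_set_bit() on the flag, which the model's claim_fixed reproduces with a load and store inside one critical section.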

Thread overview: 2+ messages
2017-08-22 12:11 Possible bug in cypress_m8.ko Anton Volkov
2017-08-22 14:18 ` Oliver Neukum [this message]
