From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Johan Hovold <jhovold@gmail.com>
Subject: [ 028/102] USB: mos7840: fix race in led handling
Date: Thu,  8 Aug 2013 18:57:04 -0700	[thread overview]
Message-ID: <20130809015016.461001337@linuxfoundation.org> (raw)
In-Reply-To: <20130809015010.208118575@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jhovold@gmail.com>

commit 05cf0dec5ccc696a7636c84b265b477173498156 upstream.

Fix race in LED handling introduced by commit 0eafe4de ("USB: serial:
mos7840: add support for MCS7810 devices") which reused the port control
urb for manipulating the LED without making sure that the urb is not
already in use. This could lead to the control urb being manipulated
while in flight.

Fix by adding a dedicated LED urb and ctrlrequest along with a LED-busy
flag to handle concurrency.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mos7840.c |   59 ++++++++++++++++++++++++++-----------------
 1 file changed, 37 insertions(+), 22 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -185,6 +185,7 @@
 
 enum mos7840_flag {
 	MOS7840_FLAG_CTRL_BUSY,
+	MOS7840_FLAG_LED_BUSY,
 };
 
 static const struct usb_device_id id_table[] = {
@@ -240,9 +241,10 @@ struct moschip_port {
 
 	/* For device(s) with LED indicator */
 	bool has_led;
-	bool led_flag;
 	struct timer_list led_timer1;	/* Timer for LED on */
 	struct timer_list led_timer2;	/* Timer for LED off */
+	struct urb *led_urb;
+	struct usb_ctrlrequest *led_dr;
 
 	unsigned long flags;
 };
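Review bot: The two new members `led_urb` and `led_dr` in struct moschip_port carry no comment, while the neighbouring LED timers do. It would help to record that they exist so the LED path never touches the port's control urb, for example `struct urb *led_urb;	/* dedicated urb for LED requests, guarded by MOS7840_FLAG_LED_BUSY */` and `struct usb_ctrlrequest *led_dr;	/* setup packet for led_urb */`. The struct definition starts above this hunk.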
@@ -542,7 +544,7 @@ static void mos7840_set_led_async(struct
 				__u16 reg)
 {
 	struct usb_device *dev = mcs->port->serial->dev;
-	struct usb_ctrlrequest *dr = mcs->dr;
+	struct usb_ctrlrequest *dr = mcs->led_dr;
 
 	dr->bRequestType = MCS_WR_RTYPE;
 	dr->bRequest = MCS_WRREQ;
@@ -550,10 +552,10 @@ static void mos7840_set_led_async(struct
 	dr->wIndex = cpu_to_le16(reg);
 	dr->wLength = cpu_to_le16(0);
 
-	usb_fill_control_urb(mcs->control_urb, dev, usb_sndctrlpipe(dev, 0),
+	usb_fill_control_urb(mcs->led_urb, dev, usb_sndctrlpipe(dev, 0),
 		(unsigned char *)dr, NULL, 0, mos7840_set_led_callback, NULL);
 
-	usb_submit_urb(mcs->control_urb, GFP_ATOMIC);
+	usb_submit_urb(mcs->led_urb, GFP_ATOMIC);
 }
 
 static void mos7840_set_led_sync(struct usb_serial_port *port, __u16 reg,
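Review bot: The result of `usb_submit_urb(mcs->led_urb, GFP_ATOMIC)` at the end of mos7840_set_led_async() is discarded, so a failed LED request is silent while the caller still holds the LED-busy flag and arms the timer. A failure here would also be the only runtime hint that led_urb was resubmitted while still in flight, which is the class of bug this patch addresses. Consider `if (usb_submit_urb(mcs->led_urb, GFP_ATOMIC)) dev_dbg(&mcs->port->dev, "LED urb submit failed\n");`. The function begins in the previous hunk and its full signature is not visible here.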
@@ -579,7 +581,19 @@ static void mos7840_led_flag_off(unsigne
 {
 	struct moschip_port *mcs = (struct moschip_port *) arg;
 
-	mcs->led_flag = false;
+	clear_bit_unlock(MOS7840_FLAG_LED_BUSY, &mcs->flags);
+}
+
+static void mos7840_led_activity(struct usb_serial_port *port)
+{
+	struct moschip_port *mos7840_port = usb_get_serial_port_data(port);
+
+	if (test_and_set_bit_lock(MOS7840_FLAG_LED_BUSY, &mos7840_port->flags))
+		return;
+
+	mos7840_set_led_async(mos7840_port, 0x0301, MODEM_CONTROL_REGISTER);
+	mod_timer(&mos7840_port->led_timer1,
+				jiffies + msecs_to_jiffies(LED_ON_MS));
 }
 
 /*****************************************************************************
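Review bot: MOS7840_FLAG_LED_BUSY, taken in mos7840_led_activity(), is released by mos7840_led_flag_off(), which appears to be a timer callback, and not by completion of led_urb. Exclusive use of led_urb and led_dr therefore seems to rest on each LED control transfer completing before the next timer in the on/off cycle fires; mos7840_led_off() is outside this hunk, so this is inferred. That assumption deserves a comment above the helper, such as `/* LED_BUSY is held for the whole on/off timer cycle; led_urb is assumed to complete within LED_ON_MS */`. Both callers already hold the port data, so the helper could take `struct moschip_port *` directly instead of calling usb_get_serial_port_data() again.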
@@ -779,14 +793,8 @@ static void mos7840_bulk_in_callback(str
 		return;
 	}
 
-	/* Turn on LED */
-	if (mos7840_port->has_led && !mos7840_port->led_flag) {
-		mos7840_port->led_flag = true;
-		mos7840_set_led_async(mos7840_port, 0x0301,
-					MODEM_CONTROL_REGISTER);
-		mod_timer(&mos7840_port->led_timer1,
-				jiffies + msecs_to_jiffies(LED_ON_MS));
-	}
+	if (mos7840_port->has_led)
+		mos7840_led_activity(port);
 
 	mos7840_port->read_urb_busy = true;
 	retval = usb_submit_urb(mos7840_port->read_urb, GFP_ATOMIC);
@@ -1467,13 +1475,8 @@ static int mos7840_write(struct tty_stru
 	data1 = urb->transfer_buffer;
 	dev_dbg(&port->dev, "bulkout endpoint is %d\n", port->bulk_out_endpointAddress);
 
-	/* Turn on LED */
-	if (mos7840_port->has_led && !mos7840_port->led_flag) {
-		mos7840_port->led_flag = true;
-		mos7840_set_led_sync(port, MODEM_CONTROL_REGISTER, 0x0301);
-		mod_timer(&mos7840_port->led_timer1,
-				jiffies + msecs_to_jiffies(LED_ON_MS));
-	}
+	if (mos7840_port->has_led)
+		mos7840_led_activity(port);
 
 	/* send it down the pipe */
 	status = usb_submit_urb(urb, GFP_ATOMIC);
@@ -2429,6 +2432,14 @@ static int mos7840_port_probe(struct usb
 	if (device_type == MOSCHIP_DEVICE_ID_7810) {
 		mos7840_port->has_led = true;
 
+		mos7840_port->led_urb = usb_alloc_urb(0, GFP_KERNEL);
+		mos7840_port->led_dr = kmalloc(sizeof(*mos7840_port->led_dr),
+								GFP_KERNEL);
+		if (!mos7840_port->led_urb || !mos7840_port->led_dr) {
+			status = -ENOMEM;
+			goto error;
+		}
+
 		init_timer(&mos7840_port->led_timer1);
 		mos7840_port->led_timer1.function = mos7840_led_off;
 		mos7840_port->led_timer1.expires =
@@ -2441,8 +2452,6 @@ static int mos7840_port_probe(struct usb
 			jiffies + msecs_to_jiffies(LED_OFF_MS);
 		mos7840_port->led_timer2.data = (unsigned long)mos7840_port;
 
-		mos7840_port->led_flag = false;
-
 		/* Turn off LED */
 		mos7840_set_led_sync(port, MODEM_CONTROL_REGISTER, 0x0300);
 	}
@@ -2464,6 +2473,8 @@ out:
 	}
 	return 0;
 error:
+	kfree(mos7840_port->led_dr);
+	usb_free_urb(mos7840_port->led_urb);
 	kfree(mos7840_port->dr);
 	kfree(mos7840_port->ctrl_buf);
 	usb_free_urb(mos7840_port->control_urb);
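Review bot: The new `kfree(mos7840_port->led_dr)` and `usb_free_urb(mos7840_port->led_urb)` under `error:` run for every failure in mos7840_port_probe(), including devices without an LED and any `goto error` taken before the allocations added in the probe hunk above. That is safe only if the moschip_port structure is zero-initialised when it is allocated, which happens outside the visible lines and should be confirmed. If it is, a short comment such as `/* led_dr and led_urb are NULL unless has_led; both frees accept NULL */` would make the dependency explicit.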
@@ -2484,6 +2495,10 @@ static int mos7840_port_remove(struct us
 
 		del_timer_sync(&mos7840_port->led_timer1);
 		del_timer_sync(&mos7840_port->led_timer2);
+
+		usb_kill_urb(mos7840_port->led_urb);
+		usb_free_urb(mos7840_port->led_urb);
+		kfree(mos7840_port->led_dr);
 	}
 	usb_kill_urb(mos7840_port->control_urb);
 	usb_free_urb(mos7840_port->control_urb);
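Review bot: After `del_timer_sync()` on both LED timers and `usb_free_urb(mos7840_port->led_urb)`, nothing in this hunk stops mos7840_led_activity() from running again. If a bulk-in completion or a write can still occur at this point in mos7840_port_remove(), it would re-arm led_timer1 and submit the freed urb, which would be a use-after-free. The rest of the function is outside the hunk, so please confirm that the read and write urbs are already stopped before this block. If they are, a comment would record the ordering requirement, for example `/* port I/O is stopped here, so led_activity() cannot re-arm the timers or resubmit led_urb */`.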


