From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Huajun Li <huajun.li.lee@gmail.com>,
Alan Stern <stern@rowland.harvard.edu>,
Oncaphillis <oncaphillis@snafu.de>
Subject: [ 35/55] USB: Remove races in devio.c
Date: Sun, 27 May 2012 09:26:48 +0900
Message-ID: <20120527002619.163601834@linuxfoundation.org>
In-Reply-To: <20120527005203.GA2146@kroah.com>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huajun Li <huajun.li.lee@gmail.com>
commit 4e09dcf20f7b5358615514c2ec8584b248ab8874 upstream.
There exist races in devio.c, below is one case,
and there are similar races in destroy_async()
and proc_unlinkurb(). Remove these races.
 cancel_bulk_urbs()                async_completed()
 -------------------               -----------------------
 spin_unlock(&ps->lock);

                                   list_move_tail(&as->asynclist,
                                           &ps->async_completed);

                                   wake_up(&ps->wait);

                                   Lead to free_async() be triggered,
                                   then urb and 'as' will be freed.

 usb_unlink_urb(as->urb);
 ===> refer to the freed 'as'
Signed-off-by: Huajun Li <huajun.li.lee@gmail.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oncaphillis <oncaphillis@snafu.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/devio.c | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -292,17 +292,14 @@ static struct async *async_getcompleted(
static struct async *async_getpending(struct dev_state *ps,
void __user *userurb)
{
- unsigned long flags;
struct async *as;
- spin_lock_irqsave(&ps->lock, flags);
list_for_each_entry(as, &ps->async_pending, asynclist)
if (as->userurb == userurb) {
list_del_init(&as->asynclist);
- spin_unlock_irqrestore(&ps->lock, flags);
return as;
}
- spin_unlock_irqrestore(&ps->lock, flags);
+
return NULL;
}
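Review bot: async_getpending() no longer takes ps->lock itself, so it is only safe when the caller already holds the lock, and nothing at the function says so. A one-line comment above it ("caller must hold ps->lock") or a lockdep_assert_held(&ps->lock) at the top would keep a future caller from walking async_pending unlocked. The added blank line before return NULL is also unnecessary.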
@@ -357,6 +354,7 @@ static void cancel_bulk_urbs(struct dev_
__releases(ps->lock)
__acquires(ps->lock)
{
+ struct urb *urb;
struct async *as;
/* Mark all the pending URBs that match bulk_addr, up to but not
@@ -379,8 +377,11 @@ __acquires(ps->lock)
list_for_each_entry(as, &ps->async_pending, asynclist) {
if (as->bulk_status == AS_UNLINK) {
as->bulk_status = 0; /* Only once */
+ urb = as->urb;
+ usb_get_urb(urb);
spin_unlock(&ps->lock); /* Allow completions */
- usb_unlink_urb(as->urb);
+ usb_unlink_urb(urb);
+ usb_put_urb(urb);
spin_lock(&ps->lock);
goto rescan;
}
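Review bot: the new usb_get_urb(urb) ahead of spin_unlock(&ps->lock) has no comment explaining why the reference is needed. Per the changelog, once the lock is dropped the completion path can lead to free_async() releasing both 'as' and its URB, so only the local urb may be touched until spin_lock() is retaken. Please say that next to the "Allow completions" comment so nobody later folds this back into usb_unlink_urb(as->urb).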
@@ -433,6 +434,7 @@ static void async_completed(struct urb *
static void destroy_async(struct dev_state *ps, struct list_head *list)
{
+ struct urb *urb;
struct async *as;
unsigned long flags;
@@ -440,10 +442,13 @@ static void destroy_async(struct dev_sta
while (!list_empty(list)) {
as = list_entry(list->next, struct async, asynclist);
list_del_init(&as->asynclist);
+ urb = as->urb;
+ usb_get_urb(urb);
/* drop the spinlock so the completion handler can run */
spin_unlock_irqrestore(&ps->lock, flags);
- usb_kill_urb(as->urb);
+ usb_kill_urb(urb);
+ usb_put_urb(urb);
spin_lock_irqsave(&ps->lock, flags);
}
spin_unlock_irqrestore(&ps->lock, flags);
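Review bot: the urb = as->urb; usb_get_urb(urb); ... usb_kill_urb(urb); usb_put_urb(urb); sequence in this loop is open-coded here and again in cancel_bulk_urbs() and proc_unlinkurb(), with only the lock variant and kill/unlink call differing. Three hand-written copies of a lifetime rule are easy to let drift apart; consider a small helper for the kill case, or at least extend the existing "drop the spinlock" comment to state that 'as' must not be dereferenced after the unlock.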
@@ -1352,12 +1357,24 @@ static int proc_submiturb(struct dev_sta
static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
{
+ struct urb *urb;
struct async *as;
+ unsigned long flags;
+ spin_lock_irqsave(&ps->lock, flags);
as = async_getpending(ps, arg);
- if (!as)
+ if (!as) {
+ spin_unlock_irqrestore(&ps->lock, flags);
return -EINVAL;
- usb_kill_urb(as->urb);
+ }
+
+ urb = as->urb;
+ usb_get_urb(urb);
+ spin_unlock_irqrestore(&ps->lock, flags);
+
+ usb_kill_urb(urb);
+ usb_put_urb(urb);
+
return 0;
}
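Review bot: style point in proc_unlinkurb(): the critical section now has two exits, one spin_unlock_irqrestore() in the !as branch and one after usb_get_urb(urb). Initialising urb to NULL, taking the reference only when as is non-NULL, and unlocking once would leave a single unlock to keep correct, with the -EINVAL return decided after the lock is released.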