target/linux/generic-2.6/patches-2.6.30/981-backport_usb_thread_unsafe.patch

   1 commit b3e670443b7fb8a2d29831b62b44a039c283e351
   2 Author: Christian Lamparter <chunkeey@googlemail.com>
   3 Date:   Tue Aug 3 02:32:28 2010 +0200
   4
   5     USB: fix thread-unsafe anchor utiliy routines
   6
   7     This patch fixes a race condition in two utility routines
   8     related to the removal/unlinking of urbs from an anchor.
   9
  10     If two threads are concurrently accessing the same anchor,
  11     both could end up with the same urb - thinking they are
  12     the exclusive owner.
  13
  14     Alan Stern pointed out a related issue in
  15     usb_unlink_anchored_urbs:
  16
  17     "The URB isn't removed from the anchor until it completes
  18      (as a by-product of completion, in fact), which might not
  19      be for quite some time after the unlink call returns.
  20      In the meantime, the subroutine will keep trying to unlink
  21      it, over and over again."
  22
  23     Cc: stable <stable@kernel.org>
  24     Cc: Oliver Neukum <oneukum@suse.de>
  25     Cc: Greg Kroah-Hartman <greg@kroah.com>
  26     Acked-by: Alan Stern <stern@rowland.harvard.edu>
  27     Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  28     Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  29
  30 --- a/drivers/usb/core/urb.c
  31 +++ b/drivers/usb/core/urb.c
  32 @@ -137,6 +137,16 @@ void usb_anchor_urb(struct urb *urb, str
  33  }
  34  EXPORT_SYMBOL_GPL(usb_anchor_urb);
  35
  36 +/* Callers must hold anchor->lock */
  37 +static void __usb_unanchor_urb(struct urb *urb, struct usb_anchor *anchor)
  38 +{
  39 +       urb->anchor = NULL;
  40 +       list_del(&urb->anchor_list);
  41 +       usb_put_urb(urb);
  42 +       if (list_empty(&anchor->urb_list))
  43 +               wake_up(&anchor->wait);
  44 +}
  45 +
  46  /**
  47   * usb_unanchor_urb - unanchors an URB
  48   * @urb: pointer to the urb to anchor
  49 @@ -156,17 +166,14 @@ void usb_unanchor_urb(struct urb *urb)
  50                 return;
  51
  52         spin_lock_irqsave(&anchor->lock, flags);
  53 -       if (unlikely(anchor != urb->anchor)) {
  54 -               /* we've lost the race to another thread */
  55 -               spin_unlock_irqrestore(&anchor->lock, flags);
  56 -               return;
  57 -       }
  58 -       urb->anchor = NULL;
  59 -       list_del(&urb->anchor_list);
  60 +       /*
  61 +        * At this point, we could be competing with another thread which
  62 +        * has the same intention. To protect the urb from being unanchored
  63 +        * twice, only the winner of the race gets the job.
  64 +        */
  65 +       if (likely(anchor == urb->anchor))
  66 +               __usb_unanchor_urb(urb, anchor);
  67         spin_unlock_irqrestore(&anchor->lock, flags);
  68 -       usb_put_urb(urb);
  69 -       if (list_empty(&anchor->urb_list))
  70 -               wake_up(&anchor->wait);
  71  }
  72  EXPORT_SYMBOL_GPL(usb_unanchor_urb);
  73
  74 @@ -713,20 +720,11 @@ EXPORT_SYMBOL_GPL(usb_unpoison_anchored_
  75  void usb_unlink_anchored_urbs(struct usb_anchor *anchor)
  76  {
  77         struct urb *victim;
  78 -       unsigned long flags;
  79
  80 -       spin_lock_irqsave(&anchor->lock, flags);
  81 -       while (!list_empty(&anchor->urb_list)) {
  82 -               victim = list_entry(anchor->urb_list.prev, struct urb,
  83 -                                   anchor_list);
  84 -               usb_get_urb(victim);
  85 -               spin_unlock_irqrestore(&anchor->lock, flags);
  86 -               /* this will unanchor the URB */
  87 +       while ((victim = usb_get_from_anchor(anchor)) != NULL) {
  88                 usb_unlink_urb(victim);
  89                 usb_put_urb(victim);
  90 -               spin_lock_irqsave(&anchor->lock, flags);
  91         }
  92 -       spin_unlock_irqrestore(&anchor->lock, flags);
  93  }
  94  EXPORT_SYMBOL_GPL(usb_unlink_anchored_urbs);
  95
  96 @@ -763,12 +761,11 @@ struct urb *usb_get_from_anchor(struct u
  97                 victim = list_entry(anchor->urb_list.next, struct urb,
  98                                     anchor_list);
  99                 usb_get_urb(victim);
 100 -               spin_unlock_irqrestore(&anchor->lock, flags);
 101 -               usb_unanchor_urb(victim);
 102 +               __usb_unanchor_urb(victim, anchor);
 103         } else {
 104 -               spin_unlock_irqrestore(&anchor->lock, flags);
 105                 victim = NULL;
 106         }
 107 +       spin_unlock_irqrestore(&anchor->lock, flags);
 108
 109         return victim;
 110  }
 111 @@ -790,12 +787,7 @@ void usb_scuttle_anchored_urbs(struct us
 112         while (!list_empty(&anchor->urb_list)) {
 113                 victim = list_entry(anchor->urb_list.prev, struct urb,
 114                                     anchor_list);
 115 -               usb_get_urb(victim);
 116 -               spin_unlock_irqrestore(&anchor->lock, flags);
 117 -               /* this may free the URB */
 118 -               usb_unanchor_urb(victim);
 119 -               usb_put_urb(victim);
 120 -               spin_lock_irqsave(&anchor->lock, flags);
 121 +               __usb_unanchor_urb(victim, anchor);
 122         }
 123         spin_unlock_irqrestore(&anchor->lock, flags);
 124  }