[src/trunk]: src/sys/dev/usb usb(4): Fix racy endpoint reference counting.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/dev/usb usb(4): Fix racy endpoint reference counting.
From: riastradh <riastradh%NetBSD.org@localhost>
Date: Sun, 30 Jul 2023 20:57:52 +0000

details:   https://anonhg.NetBSD.org/src/rev/9fb555f8b65e
branches:  trunk
changeset: 379621:9fb555f8b65e
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sat Jun 12 13:58:05 2021 +0000

description:
usb(4): Fix racy endpoint reference counting.

Rules:

1. After usbd_setup_pipe*, must usbd_kill_pipe.
2. After usbd_open_pipe*, must usbd_close_pipe.

Still haven't merged the logic in usbd_kill_pipe and usbd_close_pipe,
but getting closer.

diffstat:

 sys/dev/usb/usb_subr.c |  42 ++++++++++++++++++++++++++++++++++++++----
 sys/dev/usb/usbdi.c    |   8 +++-----
 sys/dev/usb/usbdivar.h |   7 ++++++-
 sys/dev/usb/xhci.c     |   6 ++++--
 4 files changed, 51 insertions(+), 12 deletions(-)

diffs (180 lines):

diff -r 106b9302f6c2 -r 9fb555f8b65e sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c    Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/usb_subr.c    Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usb_subr.c,v 1.254 2021/06/12 12:13:23 riastradh Exp $ */
+/*     $NetBSD: usb_subr.c,v 1.255 2021/06/12 13:58:05 riastradh Exp $ */
 /*     $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $   */
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.254 2021/06/12 12:13:23 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.255 2021/06/12 13:58:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -775,12 +775,15 @@ usbd_setup_pipe_flags(struct usbd_device
        struct usbd_pipe *p;
        usbd_status err;
 
+       err = usbd_endpoint_acquire(dev, ep, flags & USBD_EXCLUSIVE_USE);
+       if (err)
+               return err;
+
        p = kmem_alloc(dev->ud_bus->ub_pipesize, KM_SLEEP);
        DPRINTFN(1, "pipe=%#jx", (uintptr_t)p, 0, 0, 0);
        p->up_dev = dev;
        p->up_iface = iface;
        p->up_endpoint = ep;
-       ep->ue_refcnt++;
        p->up_intrxfer = NULL;
        p->up_running = 0;
        p->up_aborting = 0;
@@ -794,6 +797,7 @@ usbd_setup_pipe_flags(struct usbd_device
                DPRINTF("endpoint=%#jx failed, error=%jd",
                    (uintptr_t)ep->ue_edesc->bEndpointAddress, err, 0, 0);
                kmem_free(p, dev->ud_bus->ub_pipesize);
+               usbd_endpoint_release(dev, ep);
                return err;
        }
 
@@ -806,6 +810,36 @@ usbd_setup_pipe_flags(struct usbd_device
        return USBD_NORMAL_COMPLETION;
 }
 
+usbd_status
+usbd_endpoint_acquire(struct usbd_device *dev, struct usbd_endpoint *ep,
+    int flags)
+{
+       usbd_status err;
+
+       mutex_enter(dev->ud_bus->ub_lock);
+       if (ep->ue_refcnt == INT_MAX) {
+               err = USBD_IN_USE; /* XXX rule out or switch to 64-bit */
+       } else if ((flags & USBD_EXCLUSIVE_USE) && ep->ue_refcnt) {
+               err = USBD_IN_USE;
+       } else {
+               ep->ue_refcnt++;
+               err = 0;
+       }
+       mutex_exit(dev->ud_bus->ub_lock);
+
+       return err;
+}
+
+void
+usbd_endpoint_release(struct usbd_device *dev, struct usbd_endpoint *ep)
+{
+
+       mutex_enter(dev->ud_bus->ub_lock);
+       KASSERT(ep->ue_refcnt);
+       ep->ue_refcnt--;
+       mutex_exit(dev->ud_bus->ub_lock);
+}
+
 /* Abort the device control pipe. */
 void
 usbd_kill_pipe(struct usbd_pipe *pipe)
@@ -816,7 +850,7 @@ usbd_kill_pipe(struct usbd_pipe *pipe)
        usbd_unlock_pipe(pipe);
        usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
            NULL);
-       pipe->up_endpoint->ue_refcnt--;
+       usbd_endpoint_release(pipe->up_dev, pipe->up_endpoint);
        kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
 }
 
diff -r 106b9302f6c2 -r 9fb555f8b65e sys/dev/usb/usbdi.c
--- a/sys/dev/usb/usbdi.c       Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/usbdi.c       Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usbdi.c,v 1.206 2021/06/12 13:57:51 riastradh Exp $    */
+/*     $NetBSD: usbdi.c,v 1.207 2021/06/12 13:58:05 riastradh Exp $    */
 
 /*
  * Copyright (c) 1998, 2012, 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.206 2021/06/12 13:57:51 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.207 2021/06/12 13:58:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -241,8 +241,6 @@ usbd_open_pipe_ival(struct usbd_interfac
        }
        return USBD_BAD_ADDRESS;
  found:
-       if ((flags & USBD_EXCLUSIVE_USE) && ep->ue_refcnt != 0)
-               return USBD_IN_USE;
        err = usbd_setup_pipe_flags(iface->ui_dev, iface, ep, ival, &p, flags);
        if (err)
                return err;
@@ -316,7 +314,6 @@ usbd_close_pipe(struct usbd_pipe *pipe)
        KASSERT(SIMPLEQ_EMPTY(&pipe->up_queue));
 
        LIST_REMOVE(pipe, up_next);
-       pipe->up_endpoint->ue_refcnt--;
 
        pipe->up_methods->upm_close(pipe);
 
@@ -325,6 +322,7 @@ usbd_close_pipe(struct usbd_pipe *pipe)
                usbd_destroy_xfer(pipe->up_intrxfer);
        usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
            NULL);
+       usbd_endpoint_release(pipe->up_dev, pipe->up_endpoint);
        kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
 
        return USBD_NORMAL_COMPLETION;
diff -r 106b9302f6c2 -r 9fb555f8b65e sys/dev/usb/usbdivar.h
--- a/sys/dev/usb/usbdivar.h    Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/usbdivar.h    Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usbdivar.h,v 1.124 2020/06/05 17:20:56 maxv Exp $      */
+/*     $NetBSD: usbdivar.h,v 1.125 2021/06/12 13:58:05 riastradh Exp $ */
 
 /*
  * Copyright (c) 1998, 2012 The NetBSD Foundation, Inc.
@@ -354,6 +354,11 @@ usbd_status        usb_insert_transfer(struct u
 void           usb_transfer_complete(struct usbd_xfer *);
 int            usb_disconnect_port(struct usbd_port *, device_t, int);
 
+usbd_status    usbd_endpoint_acquire(struct usbd_device *,
+                   struct usbd_endpoint *, int);
+void           usbd_endpoint_release(struct usbd_device *,
+                   struct usbd_endpoint *);
+
 void           usbd_kill_pipe(struct usbd_pipe *);
 usbd_status    usbd_attach_roothub(device_t, struct usbd_device *);
 usbd_status    usbd_probe_and_attach(device_t, struct usbd_device *, int, int);
diff -r 106b9302f6c2 -r 9fb555f8b65e sys/dev/usb/xhci.c
--- a/sys/dev/usb/xhci.c        Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/xhci.c        Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xhci.c,v 1.145 2021/06/12 12:13:10 riastradh Exp $     */
+/*     $NetBSD: xhci.c,v 1.146 2021/06/12 13:58:05 riastradh Exp $     */
 
 /*
  * Copyright (c) 2013 Jonathan A. Kollasch
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.145 2021/06/12 12:13:10 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.146 2021/06/12 13:58:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -2968,6 +2968,8 @@ xhci_new_device(device_t parent, struct 
        err = usbd_probe_and_attach(parent, dev, port, dev->ud_addr);
  bad:
        if (err != USBD_NORMAL_COMPLETION) {
+               if (depth == 0 && port == 0 && dev->ud_pipe0)
+                       usbd_kill_pipe(dev->ud_pipe0);
                usbd_remove_device(dev, up);
        }

Prev by Date: [src/trunk]: src/sys/dev/usb usb(4): Omit needless lock/unlock cycle in usbd_...
Next by Date: [src/trunk]: src/sys/dev/usb usb(4): Fix races between usbd_open_pipe* and us...
Previous by Thread: [src/trunk]: src/sys/dev/usb usb(4): Omit needless lock/unlock cycle in usbd_...
Next by Thread: [src/trunk]: src/sys/dev/usb usb(4): Fix races between usbd_open_pipe* and us...
Indexes:

Home | Main Index | Thread Index | Old Index