Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/usb usb(4): Fix racy endpoint reference counting.
details: https://anonhg.NetBSD.org/src/rev/d33f7be7b9fa
branches: trunk
changeset: 1021652:d33f7be7b9fa
user: riastradh <riastradh%NetBSD.org@localhost>
date: Sat Jun 12 13:58:05 2021 +0000
description:
usb(4): Fix racy endpoint reference counting.
Rules:
1. After usbd_setup_pipe*, must usbd_kill_pipe.
2. After usbd_open_pipe*, must usbd_close_pipe.
Still haven't merged the logic in usbd_kill_pipe and usbd_close_pipe,
but getting closer.
diffstat:
sys/dev/usb/usb_subr.c | 42 ++++++++++++++++++++++++++++++++++++++----
sys/dev/usb/usbdi.c | 8 +++-----
sys/dev/usb/usbdivar.h | 7 ++++++-
sys/dev/usb/xhci.c | 6 ++++--
4 files changed, 51 insertions(+), 12 deletions(-)
diffs (180 lines):
diff -r 1e667eb7aac1 -r d33f7be7b9fa sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/usb_subr.c Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.254 2021/06/12 12:13:23 riastradh Exp $ */
+/* $NetBSD: usb_subr.c,v 1.255 2021/06/12 13:58:05 riastradh Exp $ */
/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
/*
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.254 2021/06/12 12:13:23 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.255 2021/06/12 13:58:05 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -775,12 +775,15 @@
struct usbd_pipe *p;
usbd_status err;
+ err = usbd_endpoint_acquire(dev, ep, flags & USBD_EXCLUSIVE_USE);
+ if (err)
+ return err;
+
p = kmem_alloc(dev->ud_bus->ub_pipesize, KM_SLEEP);
DPRINTFN(1, "pipe=%#jx", (uintptr_t)p, 0, 0, 0);
p->up_dev = dev;
p->up_iface = iface;
p->up_endpoint = ep;
- ep->ue_refcnt++;
p->up_intrxfer = NULL;
p->up_running = 0;
p->up_aborting = 0;
@@ -794,6 +797,7 @@
DPRINTF("endpoint=%#jx failed, error=%jd",
(uintptr_t)ep->ue_edesc->bEndpointAddress, err, 0, 0);
kmem_free(p, dev->ud_bus->ub_pipesize);
+ usbd_endpoint_release(dev, ep);
return err;
}
@@ -806,6 +810,36 @@
return USBD_NORMAL_COMPLETION;
}
+usbd_status
+usbd_endpoint_acquire(struct usbd_device *dev, struct usbd_endpoint *ep,
+ int flags)
+{
+ usbd_status err;
+
+ mutex_enter(dev->ud_bus->ub_lock);
+ if (ep->ue_refcnt == INT_MAX) {
+ err = USBD_IN_USE; /* XXX rule out or switch to 64-bit */
+ } else if ((flags & USBD_EXCLUSIVE_USE) && ep->ue_refcnt) {
+ err = USBD_IN_USE;
+ } else {
+ ep->ue_refcnt++;
+ err = 0;
+ }
+ mutex_exit(dev->ud_bus->ub_lock);
+
+ return err;
+}
+
+void
+usbd_endpoint_release(struct usbd_device *dev, struct usbd_endpoint *ep)
+{
+
+ mutex_enter(dev->ud_bus->ub_lock);
+ KASSERT(ep->ue_refcnt);
+ ep->ue_refcnt--;
+ mutex_exit(dev->ud_bus->ub_lock);
+}
+
/* Abort the device control pipe. */
void
usbd_kill_pipe(struct usbd_pipe *pipe)
@@ -816,7 +850,7 @@
usbd_unlock_pipe(pipe);
usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
NULL);
- pipe->up_endpoint->ue_refcnt--;
+ usbd_endpoint_release(pipe->up_dev, pipe->up_endpoint);
kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
}
diff -r 1e667eb7aac1 -r d33f7be7b9fa sys/dev/usb/usbdi.c
--- a/sys/dev/usb/usbdi.c Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/usbdi.c Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: usbdi.c,v 1.206 2021/06/12 13:57:51 riastradh Exp $ */
+/* $NetBSD: usbdi.c,v 1.207 2021/06/12 13:58:05 riastradh Exp $ */
/*
* Copyright (c) 1998, 2012, 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.206 2021/06/12 13:57:51 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.207 2021/06/12 13:58:05 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_usb.h"
@@ -241,8 +241,6 @@
}
return USBD_BAD_ADDRESS;
found:
- if ((flags & USBD_EXCLUSIVE_USE) && ep->ue_refcnt != 0)
- return USBD_IN_USE;
err = usbd_setup_pipe_flags(iface->ui_dev, iface, ep, ival, &p, flags);
if (err)
return err;
@@ -316,7 +314,6 @@
KASSERT(SIMPLEQ_EMPTY(&pipe->up_queue));
LIST_REMOVE(pipe, up_next);
- pipe->up_endpoint->ue_refcnt--;
pipe->up_methods->upm_close(pipe);
@@ -325,6 +322,7 @@
usbd_destroy_xfer(pipe->up_intrxfer);
usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
NULL);
+ usbd_endpoint_release(pipe->up_dev, pipe->up_endpoint);
kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
return USBD_NORMAL_COMPLETION;
diff -r 1e667eb7aac1 -r d33f7be7b9fa sys/dev/usb/usbdivar.h
--- a/sys/dev/usb/usbdivar.h Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/usbdivar.h Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: usbdivar.h,v 1.124 2020/06/05 17:20:56 maxv Exp $ */
+/* $NetBSD: usbdivar.h,v 1.125 2021/06/12 13:58:05 riastradh Exp $ */
/*
* Copyright (c) 1998, 2012 The NetBSD Foundation, Inc.
@@ -354,6 +354,11 @@
void usb_transfer_complete(struct usbd_xfer *);
int usb_disconnect_port(struct usbd_port *, device_t, int);
+usbd_status usbd_endpoint_acquire(struct usbd_device *,
+ struct usbd_endpoint *, int);
+void usbd_endpoint_release(struct usbd_device *,
+ struct usbd_endpoint *);
+
void usbd_kill_pipe(struct usbd_pipe *);
usbd_status usbd_attach_roothub(device_t, struct usbd_device *);
usbd_status usbd_probe_and_attach(device_t, struct usbd_device *, int, int);
diff -r 1e667eb7aac1 -r d33f7be7b9fa sys/dev/usb/xhci.c
--- a/sys/dev/usb/xhci.c Sat Jun 12 13:57:51 2021 +0000
+++ b/sys/dev/usb/xhci.c Sat Jun 12 13:58:05 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xhci.c,v 1.145 2021/06/12 12:13:10 riastradh Exp $ */
+/* $NetBSD: xhci.c,v 1.146 2021/06/12 13:58:05 riastradh Exp $ */
/*
* Copyright (c) 2013 Jonathan A. Kollasch
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.145 2021/06/12 12:13:10 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.146 2021/06/12 13:58:05 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_usb.h"
@@ -2968,6 +2968,8 @@
err = usbd_probe_and_attach(parent, dev, port, dev->ud_addr);
bad:
if (err != USBD_NORMAL_COMPLETION) {
+ if (depth == 0 && port == 0 && dev->ud_pipe0)
+ usbd_kill_pipe(dev->ud_pipe0);
usbd_remove_device(dev, up);
}
Home |
Main Index |
Thread Index |
Old Index