From cde217a556ec552d28ac9e136c5a94684a69ae94 Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Tue, 21 Oct 2008 15:28:46 -0400 Subject: USB: fix crash when URBs are unlinked after the device is gone This patch (as1151) protects usbcore against drivers that try to unlink an URB after the URB's device or bus have been removed. The core does not currently check for this, and certain drivers can cause a crash if they are running while an HCD is unloaded. Certainly it would be best to fix the guilty drivers. But a little defensive programming doesn't hurt, especially since it appears that quite a few drivers need to be fixed. The patch prevents the problem by grabbing a reference to the device while an unlink is in progress and using a new spinlock to synchronize unlinks with device removal. (There's no need to acquire a reference to the bus as well, since the device structure itself keeps a reference to the bus.) In addition, the kerneldoc is updated to indicate that URBs should not be unlinked after the disconnect method returns. Signed-off-by: Alan Stern Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/hcd.c | 35 ++++++++++++++++++++++++++++++++--- drivers/usb/core/hcd.h | 1 + drivers/usb/core/hub.c | 1 + drivers/usb/core/urb.c | 22 ++++++++++++++++++++++ 4 files changed, 56 insertions(+), 3 deletions(-) (limited to 'drivers/usb') diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c index fc9018e72a0..e1b42626d04 100644 --- a/drivers/usb/core/hcd.c +++ b/drivers/usb/core/hcd.c @@ -106,6 +106,9 @@ static DEFINE_SPINLOCK(hcd_root_hub_lock); /* used when updating an endpoint's URB list */ static DEFINE_SPINLOCK(hcd_urb_list_lock); +/* used to protect against unlinking URBs after the device is gone */ +static DEFINE_SPINLOCK(hcd_urb_unlink_lock); + /* wait queue for synchronous unlinks */ DECLARE_WAIT_QUEUE_HEAD(usb_kill_urb_queue); @@ -1376,10 +1379,25 @@ static int unlink1(struct usb_hcd *hcd, struct urb *urb, int status) int usb_hcd_unlink_urb (struct urb *urb, int status) { struct usb_hcd *hcd; - int retval; + int retval = -EIDRM; + unsigned long flags; - hcd = bus_to_hcd(urb->dev->bus); - retval = unlink1(hcd, urb, status); + /* Prevent the device and bus from going away while + * the unlink is carried out. If they are already gone + * then urb->use_count must be 0, since disconnected + * devices can't have any active URBs. + */ + spin_lock_irqsave(&hcd_urb_unlink_lock, flags); + if (atomic_read(&urb->use_count) > 0) { + retval = 0; + usb_get_dev(urb->dev); + } + spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags); + if (retval == 0) { + hcd = bus_to_hcd(urb->dev->bus); + retval = unlink1(hcd, urb, status); + usb_put_dev(urb->dev); + } if (retval == 0) retval = -EINPROGRESS; @@ -1528,6 +1546,17 @@ void usb_hcd_disable_endpoint(struct usb_device *udev, hcd->driver->endpoint_disable(hcd, ep); } +/* Protect against drivers that try to unlink URBs after the device + * is gone, by waiting until all unlinks for @udev are finished. + * Since we don't currently track URBs by device, simply wait until + * nothing is running in the locked region of usb_hcd_unlink_urb(). + */ +void usb_hcd_synchronize_unlinks(struct usb_device *udev) +{ + spin_lock_irq(&hcd_urb_unlink_lock); + spin_unlock_irq(&hcd_urb_unlink_lock); +} + /*-------------------------------------------------------------------------*/ /* called in any context */ diff --git a/drivers/usb/core/hcd.h b/drivers/usb/core/hcd.h index 2dcde61c465..9465e70f4dd 100644 --- a/drivers/usb/core/hcd.h +++ b/drivers/usb/core/hcd.h @@ -232,6 +232,7 @@ extern void usb_hcd_flush_endpoint(struct usb_device *udev, struct usb_host_endpoint *ep); extern void usb_hcd_disable_endpoint(struct usb_device *udev, struct usb_host_endpoint *ep); +extern void usb_hcd_synchronize_unlinks(struct usb_device *udev); extern int usb_hcd_get_frame_number(struct usb_device *udev); extern struct usb_hcd *usb_create_hcd(const struct hc_driver *driver, diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 9b3f16bd12c..37ff8aed256 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -1429,6 +1429,7 @@ void usb_disconnect(struct usb_device **pdev) */ dev_dbg (&udev->dev, "unregistering device\n"); usb_disable_device(udev, 0); + usb_hcd_synchronize_unlinks(udev); usb_unlock_device(udev); diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c index f2638009a46..4342bd9c3bb 100644 --- a/drivers/usb/core/urb.c +++ b/drivers/usb/core/urb.c @@ -474,6 +474,12 @@ EXPORT_SYMBOL_GPL(usb_submit_urb); * indicating that the request has been canceled (rather than any other * code). * + * Drivers should not call this routine or related routines, such as + * usb_kill_urb() or usb_unlink_anchored_urbs(), after their disconnect + * method has returned. The disconnect function should synchronize with + * a driver's I/O routines to insure that all URB-related activity has + * completed before it returns. + * * This request is always asynchronous. Success is indicated by * returning -EINPROGRESS, at which time the URB will probably not yet * have been given back to the device driver. When it is eventually @@ -550,6 +556,9 @@ EXPORT_SYMBOL_GPL(usb_unlink_urb); * This routine may not be used in an interrupt context (such as a bottom * half or a completion handler), or when holding a spinlock, or in other * situations where the caller can't schedule(). + * + * This routine should not be called by a driver after its disconnect + * method has returned. */ void usb_kill_urb(struct urb *urb) { @@ -588,6 +597,9 @@ EXPORT_SYMBOL_GPL(usb_kill_urb); * This routine may not be used in an interrupt context (such as a bottom * half or a completion handler), or when holding a spinlock, or in other * situations where the caller can't schedule(). + * + * This routine should not be called by a driver after its disconnect + * method has returned. */ void usb_poison_urb(struct urb *urb) { @@ -622,6 +634,9 @@ EXPORT_SYMBOL_GPL(usb_unpoison_urb); * * this allows all outstanding URBs to be killed starting * from the back of the queue + * + * This routine should not be called by a driver after its disconnect + * method has returned. */ void usb_kill_anchored_urbs(struct usb_anchor *anchor) { @@ -651,6 +666,9 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); * this allows all outstanding URBs to be poisoned starting * from the back of the queue. Newly added URBs will also be * poisoned + * + * This routine should not be called by a driver after its disconnect + * method has returned. */ void usb_poison_anchored_urbs(struct usb_anchor *anchor) { @@ -672,6 +690,7 @@ void usb_poison_anchored_urbs(struct usb_anchor *anchor) spin_unlock_irq(&anchor->lock); } EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs); + /** * usb_unlink_anchored_urbs - asynchronously cancel transfer requests en masse * @anchor: anchor the requests are bound to @@ -680,6 +699,9 @@ EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs); * from the back of the queue. This function is asynchronous. * The unlinking is just tiggered. It may happen after this * function has returned. + * + * This routine should not be called by a driver after its disconnect + * method has returned. */ void usb_unlink_anchored_urbs(struct usb_anchor *anchor) { -- cgit v1.2.3 From b361a6e348a5de9e18eb17542663d34a57740e87 Mon Sep 17 00:00:00 2001 From: Chris Malley Date: Sat, 25 Oct 2008 22:07:32 +0100 Subject: USB: usbtmc: Use explicit unsigned type for input buffer instead of char* MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Silences compiler warning about comparison with 0x80, and type now matches the corresponding _bulk_out function. drivers/usb/class/usbtmc.c: In function ‘usbtmc_ioctl_abort_bulk_in’: drivers/usb/class/usbtmc.c:163: warning: comparison is always false due to limited range of data type Signed-off-by: Chris Malley Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/usbtmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 543811f6e6e..8e74657f106 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -133,7 +133,7 @@ static int usbtmc_release(struct inode *inode, struct file *file) static int usbtmc_ioctl_abort_bulk_in(struct usbtmc_device_data *data) { - char *buffer; + u8 *buffer; struct device *dev; int rv; int n; -- cgit v1.2.3 From 74511bb340059be5a3fceb032213c7f325344694 Mon Sep 17 00:00:00 2001 From: Jens Taprogge Date: Sun, 26 Oct 2008 18:16:09 +0100 Subject: USB: Unusual dev for the "Kyocera / Contax SL300R T*" digital camera. The camera reports an incorrect size and fails to handle PREVENT-ALLOW MEDIUM REMOVAL commands. The patch marks the camera as an unusual dev and adds the flags to enable the workarounds for both shortcomings. Signed-off-by: Jens Taprogge Cc: Alan Stern Cc: Phil Dibowitz Signed-off-by: Greg Kroah-Hartman --- drivers/usb/storage/unusual_devs.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'drivers/usb') diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h index a2b9ebbef38..fb9e20e624c 100644 --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -333,6 +333,13 @@ UNUSUAL_DEV( 0x0482, 0x0103, 0x0100, 0x0100, "Finecam S5", US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_FIX_INQUIRY), +/* Patch submitted by Jens Taprogge */ +UNUSUAL_DEV( 0x0482, 0x0107, 0x0100, 0x0100, + "Kyocera", + "CONTAX SL300R T*", + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_FIX_CAPACITY | US_FL_NOT_LOCKABLE), + /* Reported by Paul Stewart * This entry is needed because the device reports Sub=ff */ UNUSUAL_DEV( 0x04a4, 0x0004, 0x0001, 0x0001, -- cgit v1.2.3 From 61fbeba11c553c489ba5284c0ed67067dc7b7c0f Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Mon, 27 Oct 2008 12:07:44 -0400 Subject: USB: prevent autosuspend during hub initialization This patch (as1153) fixes a potential problem in hub initialization. Starting in 2.6.28, initialization was split into several tasks to help speed up booting. This opens the possibility that the hub may be autosuspended before all the initialization tasks can complete. Normally that wouldn't matter, but with incomplete initialization there is a risk that the hub would never autoresume -- especially if devices were plugged into the hub beforehand. The solution is a simple one-line change to suppress autosuspend until the initialization is finished. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/hub.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers/usb') diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 37ff8aed256..b19cbfcd51d 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -659,6 +659,9 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) PREPARE_DELAYED_WORK(&hub->init_work, hub_init_func2); schedule_delayed_work(&hub->init_work, msecs_to_jiffies(delay)); + + /* Suppress autosuspend until init is done */ + to_usb_interface(hub->intfdev)->pm_usage_cnt = 1; return; /* Continues at init2: below */ } else { hub_power_on(hub, true); -- cgit v1.2.3 From fce4877a6792ad72b88f6fd7556d19da5f20364d Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Thu, 30 Oct 2008 15:54:12 +0000 Subject: tty: Fix USB kref leak When we close we must clear the extra reference we got when we read port->tty. Setting the port tty NULL will clear the kref held by the driver but not the one we obtained ourselves while doing the lookup. Signed-off-by: Alan Cox Tested-by: Helge Hafting Signed-off-by: Linus Torvalds --- drivers/usb/serial/usb-serial.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/usb') diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c index 8be3f39891c..794b5ffe439 100644 --- a/drivers/usb/serial/usb-serial.c +++ b/drivers/usb/serial/usb-serial.c @@ -281,6 +281,7 @@ static void serial_close(struct tty_struct *tty, struct file *filp) if (tty->driver_data) tty->driver_data = NULL; tty_port_tty_set(&port->port, NULL); + tty_kref_put(tty); } } -- cgit v1.2.3 From 233e70f4228e78eb2f80dc6650f65d3ae3dbf17c Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 31 Oct 2008 23:28:30 +0000 Subject: saner FASYNC handling on file close As it is, all instances of ->release() for files that have ->fasync() need to remember to evict file from fasync lists; forgetting that creates a hole and we actually have a bunch that *does* forget. So let's keep our lives simple - let __fput() check FASYNC in file->f_flags and call ->fasync() there if it's been set. And lose that crap in ->release() instances - leaving it there is still valid, but we don't have to bother anymore. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds --- drivers/usb/gadget/inode.c | 1 - 1 file changed, 1 deletion(-) (limited to 'drivers/usb') diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c index f4585d3e90d..eeb26c0f88e 100644 --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -1251,7 +1251,6 @@ dev_release (struct inode *inode, struct file *fd) * alternatively, all host requests will time out. */ - fasync_helper (-1, fd, 0, &dev->fasync); kfree (dev->buf); dev->buf = NULL; put_dev (dev); -- cgit v1.2.3