CVS commit: src/sys/dev/usb

Taylor R Campbell Sat, 12 Jun 2021 06:58:12 -0700

Module Name:    src
Committed By:   riastradh
Date:           Sat Jun 12 13:58:06 UTC 2021


Modified Files:
        src/sys/dev/usb: usb_subr.c usbdi.c usbdivar.h xhci.c

Log Message:
usb(4): Fix racy endpoint reference counting.

Rules:

1. After usbd_setup_pipe*, must usbd_kill_pipe.
2. After usbd_open_pipe*, must usbd_close_pipe.

Still haven't merged the logic in usbd_kill_pipe and usbd_close_pipe,
but getting closer.


To generate a diff of this commit:
cvs rdiff -u -r1.254 -r1.255 src/sys/dev/usb/usb_subr.c
cvs rdiff -u -r1.206 -r1.207 src/sys/dev/usb/usbdi.c
cvs rdiff -u -r1.124 -r1.125 src/sys/dev/usb/usbdivar.h
cvs rdiff -u -r1.145 -r1.146 src/sys/dev/usb/xhci.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/usb/usb_subr.c
diff -u src/sys/dev/usb/usb_subr.c:1.254 src/sys/dev/usb/usb_subr.c:1.255
--- src/sys/dev/usb/usb_subr.c:1.254	Sat Jun 12 12:13:23 2021
+++ src/sys/dev/usb/usb_subr.c	Sat Jun 12 13:58:05 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: usb_subr.c,v 1.254 2021/06/12 12:13:23 riastradh Exp $	*/
+/*	$NetBSD: usb_subr.c,v 1.255 2021/06/12 13:58:05 riastradh Exp $	*/
 /*	$FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.254 2021/06/12 12:13:23 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.255 2021/06/12 13:58:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -775,12 +775,15 @@ usbd_setup_pipe_flags(struct usbd_device
 	struct usbd_pipe *p;
 	usbd_status err;
 
+	err = usbd_endpoint_acquire(dev, ep, flags & USBD_EXCLUSIVE_USE);
+	if (err)
+		return err;
+
 	p = kmem_alloc(dev->ud_bus->ub_pipesize, KM_SLEEP);
 	DPRINTFN(1, "pipe=%#jx", (uintptr_t)p, 0, 0, 0);
 	p->up_dev = dev;
 	p->up_iface = iface;
 	p->up_endpoint = ep;
-	ep->ue_refcnt++;
 	p->up_intrxfer = NULL;
 	p->up_running = 0;
 	p->up_aborting = 0;
@@ -794,6 +797,7 @@ usbd_setup_pipe_flags(struct usbd_device
 		DPRINTF("endpoint=%#jx failed, error=%jd",
 		    (uintptr_t)ep->ue_edesc->bEndpointAddress, err, 0, 0);
 		kmem_free(p, dev->ud_bus->ub_pipesize);
+		usbd_endpoint_release(dev, ep);
 		return err;
 	}
 
@@ -806,6 +810,36 @@ usbd_setup_pipe_flags(struct usbd_device
 	return USBD_NORMAL_COMPLETION;
 }
 
+usbd_status
+usbd_endpoint_acquire(struct usbd_device *dev, struct usbd_endpoint *ep,
+    int flags)
+{
+	usbd_status err;
+
+	mutex_enter(dev->ud_bus->ub_lock);
+	if (ep->ue_refcnt == INT_MAX) {
+		err = USBD_IN_USE; /* XXX rule out or switch to 64-bit */
+	} else if ((flags & USBD_EXCLUSIVE_USE) && ep->ue_refcnt) {
+		err = USBD_IN_USE;
+	} else {
+		ep->ue_refcnt++;
+		err = 0;
+	}
+	mutex_exit(dev->ud_bus->ub_lock);
+
+	return err;
+}
+
+void
+usbd_endpoint_release(struct usbd_device *dev, struct usbd_endpoint *ep)
+{
+
+	mutex_enter(dev->ud_bus->ub_lock);
+	KASSERT(ep->ue_refcnt);
+	ep->ue_refcnt--;
+	mutex_exit(dev->ud_bus->ub_lock);
+}
+
 /* Abort the device control pipe. */
 void
 usbd_kill_pipe(struct usbd_pipe *pipe)
@@ -816,7 +850,7 @@ usbd_kill_pipe(struct usbd_pipe *pipe)
 	usbd_unlock_pipe(pipe);
 	usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
 	    NULL);
-	pipe->up_endpoint->ue_refcnt--;
+	usbd_endpoint_release(pipe->up_dev, pipe->up_endpoint);
 	kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
 }
 

Index: src/sys/dev/usb/usbdi.c
diff -u src/sys/dev/usb/usbdi.c:1.206 src/sys/dev/usb/usbdi.c:1.207
--- src/sys/dev/usb/usbdi.c:1.206	Sat Jun 12 13:57:51 2021
+++ src/sys/dev/usb/usbdi.c	Sat Jun 12 13:58:05 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: usbdi.c,v 1.206 2021/06/12 13:57:51 riastradh Exp $	*/
+/*	$NetBSD: usbdi.c,v 1.207 2021/06/12 13:58:05 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1998, 2012, 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.206 2021/06/12 13:57:51 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usbdi.c,v 1.207 2021/06/12 13:58:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -241,8 +241,6 @@ usbd_open_pipe_ival(struct usbd_interfac
 	}
 	return USBD_BAD_ADDRESS;
  found:
-	if ((flags & USBD_EXCLUSIVE_USE) && ep->ue_refcnt != 0)
-		return USBD_IN_USE;
 	err = usbd_setup_pipe_flags(iface->ui_dev, iface, ep, ival, &p, flags);
 	if (err)
 		return err;
@@ -316,7 +314,6 @@ usbd_close_pipe(struct usbd_pipe *pipe)
 	KASSERT(SIMPLEQ_EMPTY(&pipe->up_queue));
 
 	LIST_REMOVE(pipe, up_next);
-	pipe->up_endpoint->ue_refcnt--;
 
 	pipe->up_methods->upm_close(pipe);
 
@@ -325,6 +322,7 @@ usbd_close_pipe(struct usbd_pipe *pipe)
 		usbd_destroy_xfer(pipe->up_intrxfer);
 	usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
 	    NULL);
+	usbd_endpoint_release(pipe->up_dev, pipe->up_endpoint);
 	kmem_free(pipe, pipe->up_dev->ud_bus->ub_pipesize);
 
 	return USBD_NORMAL_COMPLETION;

Index: src/sys/dev/usb/usbdivar.h
diff -u src/sys/dev/usb/usbdivar.h:1.124 src/sys/dev/usb/usbdivar.h:1.125
--- src/sys/dev/usb/usbdivar.h:1.124	Fri Jun  5 17:20:56 2020
+++ src/sys/dev/usb/usbdivar.h	Sat Jun 12 13:58:05 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: usbdivar.h,v 1.124 2020/06/05 17:20:56 maxv Exp $	*/
+/*	$NetBSD: usbdivar.h,v 1.125 2021/06/12 13:58:05 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1998, 2012 The NetBSD Foundation, Inc.
@@ -354,6 +354,11 @@ usbd_status	usb_insert_transfer(struct u
 void		usb_transfer_complete(struct usbd_xfer *);
 int		usb_disconnect_port(struct usbd_port *, device_t, int);
 
+usbd_status	usbd_endpoint_acquire(struct usbd_device *,
+		    struct usbd_endpoint *, int);
+void		usbd_endpoint_release(struct usbd_device *,
+		    struct usbd_endpoint *);
+
 void		usbd_kill_pipe(struct usbd_pipe *);
 usbd_status	usbd_attach_roothub(device_t, struct usbd_device *);
 usbd_status	usbd_probe_and_attach(device_t, struct usbd_device *, int, int);

Index: src/sys/dev/usb/xhci.c
diff -u src/sys/dev/usb/xhci.c:1.145 src/sys/dev/usb/xhci.c:1.146
--- src/sys/dev/usb/xhci.c:1.145	Sat Jun 12 12:13:10 2021
+++ src/sys/dev/usb/xhci.c	Sat Jun 12 13:58:05 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: xhci.c,v 1.145 2021/06/12 12:13:10 riastradh Exp $	*/
+/*	$NetBSD: xhci.c,v 1.146 2021/06/12 13:58:05 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2013 Jonathan A. Kollasch
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.145 2021/06/12 12:13:10 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xhci.c,v 1.146 2021/06/12 13:58:05 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -2968,6 +2968,8 @@ xhci_new_device(device_t parent, struct 
 	err = usbd_probe_and_attach(parent, dev, port, dev->ud_addr);
  bad:
 	if (err != USBD_NORMAL_COMPLETION) {
+		if (depth == 0 && port == 0 && dev->ud_pipe0)
+			usbd_kill_pipe(dev->ud_pipe0);
 		usbd_remove_device(dev, up);
 	}

CVS commit: src/sys/dev/usb

Reply via email to