USB: Remove races in devio.c

author Huajun Li <huajun.li.lee@gmail.com>

Fri, 18 May 2012 12:12:51 +0000 (20:12 +0800)

committer Ben Hutchings <ben@decadent.org.uk>

Wed, 30 May 2012 23:43:45 +0000 (00:43 +0100)
author Huajun Li <huajun.li.lee@gmail.com>
Fri, 18 May 2012 12:12:51 +0000 (20:12 +0800)
committer Ben Hutchings <ben@decadent.org.uk>
Wed, 30 May 2012 23:43:45 +0000 (00:43 +0100)
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c

index 7abf060..f6ff837 100644 (file)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -295,17 +295,14 @@ static struct async *async_getcompleted(struct dev_state *ps)
  static struct async *async_getpending(struct dev_state *ps,
                                              void __user *userurb)
  {
-       unsigned long flags;
         struct async *as;
  
-       spin_lock_irqsave(&ps->lock, flags);
         list_for_each_entry(as, &ps->async_pending, asynclist)
                 if (as->userurb == userurb) {
                         list_del_init(&as->asynclist);
-                       spin_unlock_irqrestore(&ps->lock, flags);
                         return as;
                 }
-       spin_unlock_irqrestore(&ps->lock, flags);
+
         return NULL;
  }
  
@@ -360,6 +357,7 @@ static void cancel_bulk_urbs(struct dev_state *ps, unsigned bulk_addr)
  __releases(ps->lock)
  __acquires(ps->lock)
  {
+       struct urb *urb;
         struct async *as;
  
         /* Mark all the pending URBs that match bulk_addr, up to but not
@@ -382,8 +380,11 @@ __acquires(ps->lock)
         list_for_each_entry(as, &ps->async_pending, asynclist) {
                 if (as->bulk_status == AS_UNLINK) {
                         as->bulk_status = 0;            /* Only once */
+                       urb = as->urb;
+                       usb_get_urb(urb);
                         spin_unlock(&ps->lock);         /* Allow completions */
-                       usb_unlink_urb(as->urb);
+                       usb_unlink_urb(urb);
+                       usb_put_urb(urb);
                         spin_lock(&ps->lock);
                         goto rescan;
                 }
@@ -434,6 +435,7 @@ static void async_completed(struct urb *urb)
  
  static void destroy_async(struct dev_state *ps, struct list_head *list)
  {
+       struct urb *urb;
         struct async *as;
         unsigned long flags;
  
@@ -441,10 +443,13 @@ static void destroy_async(struct dev_state *ps, struct list_head *list)
         while (!list_empty(list)) {
                 as = list_entry(list->next, struct async, asynclist);
                 list_del_init(&as->asynclist);
+               urb = as->urb;
+               usb_get_urb(urb);
  
                 /* drop the spinlock so the completion handler can run */
                 spin_unlock_irqrestore(&ps->lock, flags);
-               usb_kill_urb(as->urb);
+               usb_kill_urb(urb);
+               usb_put_urb(urb);
                 spin_lock_irqsave(&ps->lock, flags);
         }
         spin_unlock_irqrestore(&ps->lock, flags);
@@ -1350,12 +1355,24 @@ static int proc_submiturb(struct dev_state *ps, void __user *arg)
  
  static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
  {
+       struct urb *urb;
         struct async *as;
+       unsigned long flags;
  
+       spin_lock_irqsave(&ps->lock, flags);
         as = async_getpending(ps, arg);
-       if (!as)
+       if (!as) {
+               spin_unlock_irqrestore(&ps->lock, flags);
                 return -EINVAL;
-       usb_kill_urb(as->urb);
+       }
+
+       urb = as->urb;
+       usb_get_urb(urb);
+       spin_unlock_irqrestore(&ps->lock, flags);
+
+       usb_kill_urb(urb);
+       usb_put_urb(urb);
+
         return 0;
  }
author	Huajun Li <huajun.li.lee@gmail.com>
	Fri, 18 May 2012 12:12:51 +0000 (20:12 +0800)
committer	Ben Hutchings <ben@decadent.org.uk>
	Wed, 30 May 2012 23:43:45 +0000 (00:43 +0100)