diff options
author | Oliver Neukum <oliver@neukum.org> | 2008-03-31 10:27:30 -0400 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2008-04-22 05:34:58 -0400 |
commit | 69626f23bce6521367ac1e6a2a6e8fba8f0a848a (patch) | |
tree | 46342a02c79e0e69a1c1eed1239944c4f952b13c | |
parent | abdff0f7749a6696ba2a4238b675cbc55abcdb7a (diff) |
HID: fix race between open() and disconnect() in usbhid
There is a window:
task A task B
spin_lock_irq(&usbhid->inlock); /* Sync with error handler */
usb_set_intfdata(intf, NULL);
spin_unlock_irq(&usbhid->inlock);
usb_kill_urb(usbhid->urbin);
usb_kill_urb(usbhid->urbout);
usb_kill_urb(usbhid->urbctrl);
del_timer_sync(&usbhid->io_retry);
cancel_work_sync(&usbhid->reset_work);
if (!hid->open++) {
res = usb_autopm_get_interface(usbhid->intf);
if (res < 0) {
hid->open--;
return -EIO;
}
}
if (hid_start_in(hid))
if (hid->claimed & HID_CLAIMED_INPUT)
hidinput_disconnect(hid);
in which an open() to an already disconnected device will submit an URB
to an undead device. In case disconnect() was called by an ioctl, this'll
oops. Fix by introducing a new flag and checking it in hid_start_in().
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-rw-r--r-- | drivers/hid/usbhid/hid-core.c | 4 | ||||
-rw-r--r-- | include/linux/hid.h | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index f6a5d8930348..e0d805f1b2bf 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c | |||
@@ -82,6 +82,7 @@ static int hid_start_in(struct hid_device *hid) | |||
82 | 82 | ||
83 | spin_lock_irqsave(&usbhid->inlock, flags); | 83 | spin_lock_irqsave(&usbhid->inlock, flags); |
84 | if (hid->open > 0 && !test_bit(HID_SUSPENDED, &usbhid->iofl) && | 84 | if (hid->open > 0 && !test_bit(HID_SUSPENDED, &usbhid->iofl) && |
85 | !test_bit(HID_DISCONNECTED, &usbhid->iofl) && | ||
85 | !test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) { | 86 | !test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) { |
86 | rc = usb_submit_urb(usbhid->urbin, GFP_ATOMIC); | 87 | rc = usb_submit_urb(usbhid->urbin, GFP_ATOMIC); |
87 | if (rc != 0) | 88 | if (rc != 0) |
@@ -155,7 +156,7 @@ static void hid_io_error(struct hid_device *hid) | |||
155 | spin_lock_irqsave(&usbhid->inlock, flags); | 156 | spin_lock_irqsave(&usbhid->inlock, flags); |
156 | 157 | ||
157 | /* Stop when disconnected */ | 158 | /* Stop when disconnected */ |
158 | if (usb_get_intfdata(usbhid->intf) == NULL) | 159 | if (test_bit(HID_DISCONNECTED, &usbhid->iofl)) |
159 | goto done; | 160 | goto done; |
160 | 161 | ||
161 | /* If it has been a while since the last error, we'll assume | 162 | /* If it has been a while since the last error, we'll assume |
@@ -941,6 +942,7 @@ static void hid_disconnect(struct usb_interface *intf) | |||
941 | 942 | ||
942 | spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ | 943 | spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ |
943 | usb_set_intfdata(intf, NULL); | 944 | usb_set_intfdata(intf, NULL); |
945 | set_bit(HID_DISCONNECTED, &usbhid->iofl); | ||
944 | spin_unlock_irq(&usbhid->inlock); | 946 | spin_unlock_irq(&usbhid->inlock); |
945 | usb_kill_urb(usbhid->urbin); | 947 | usb_kill_urb(usbhid->urbin); |
946 | usb_kill_urb(usbhid->urbout); | 948 | usb_kill_urb(usbhid->urbout); |
diff --git a/include/linux/hid.h b/include/linux/hid.h index fe4ac31eced2..d951ec411241 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h | |||
@@ -424,6 +424,7 @@ struct hid_control_fifo { | |||
424 | #define HID_RESET_PENDING 4 | 424 | #define HID_RESET_PENDING 4 |
425 | #define HID_SUSPENDED 5 | 425 | #define HID_SUSPENDED 5 |
426 | #define HID_CLEAR_HALT 6 | 426 | #define HID_CLEAR_HALT 6 |
427 | #define HID_DISCONNECTED 7 | ||
427 | 428 | ||
428 | struct hid_input { | 429 | struct hid_input { |
429 | struct list_head list; | 430 | struct list_head list; |