aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2012-04-17 15:22:39 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-04-17 18:54:57 -0400
commit8963c487a80b4688c9e68dcc504a90074aacc145 (patch)
tree5eb23254847d38fe3a20f48ab26f1b6f0b301153
parentedffaa031e50f913f0272516b39dd1cad7aa4aea (diff)
USB: fix deadlock in bConfigurationValue attribute method
This patch (as154) fixes a self-deadlock that occurs when userspace writes to the bConfigurationValue sysfs attribute for a hub with children. The task tries to lock the bandwidth_mutex at a time when it already owns the lock: The attribute's method calls usb_set_configuration(), which calls usb_disable_device() with the bandwidth_mutex held. usb_disable_device() unregisters the existing interfaces, which causes the hub driver to be unbound. The hub_disconnect() routine calls hub_quiesce(), which calls usb_disconnect() for each of the hub's children. usb_disconnect() attempts to acquire the bandwidth_mutex around a call to usb_disable_device(). The solution is to make usb_disable_device() acquire the mutex for itself instead of requiring the caller to hold it. Then the mutex can cover only the bandwidth deallocation operation and not the region where the interfaces are unregistered. This has the potential to change system behavior slightly when a config change races with another config or altsetting change. Some of the bandwidth released from the old config might get claimed by the other config or altsetting, make it impossible to restore the old config in case of a failure. But since we don't try to recover from config-change failures anyway, this doesn't matter. [This should be marked for stable kernels that contain the commit fccf4e86200b8f5edd9a65da26f150e32ba79808 "USB: Free bandwidth when usb_disable_device is called." That commit was marked for stable kernels as old as 2.6.32.] Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/core/hub.c3
-rw-r--r--drivers/usb/core/message.c6
2 files changed, 3 insertions, 6 deletions
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index a2aa9d652c67..ec6c97dadbe4 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1667,7 +1667,6 @@ void usb_disconnect(struct usb_device **pdev)
1667{ 1667{
1668 struct usb_device *udev = *pdev; 1668 struct usb_device *udev = *pdev;
1669 int i; 1669 int i;
1670 struct usb_hcd *hcd = bus_to_hcd(udev->bus);
1671 1670
1672 /* mark the device as inactive, so any further urb submissions for 1671 /* mark the device as inactive, so any further urb submissions for
1673 * this device (and any of its children) will fail immediately. 1672 * this device (and any of its children) will fail immediately.
@@ -1690,9 +1689,7 @@ void usb_disconnect(struct usb_device **pdev)
1690 * so that the hardware is now fully quiesced. 1689 * so that the hardware is now fully quiesced.
1691 */ 1690 */
1692 dev_dbg (&udev->dev, "unregistering device\n"); 1691 dev_dbg (&udev->dev, "unregistering device\n");
1693 mutex_lock(hcd->bandwidth_mutex);
1694 usb_disable_device(udev, 0); 1692 usb_disable_device(udev, 0);
1695 mutex_unlock(hcd->bandwidth_mutex);
1696 usb_hcd_synchronize_unlinks(udev); 1693 usb_hcd_synchronize_unlinks(udev);
1697 1694
1698 usb_remove_ep_devs(&udev->ep0); 1695 usb_remove_ep_devs(&udev->ep0);
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index aed3e07942d4..ca717da3be95 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1136,8 +1136,6 @@ void usb_disable_interface(struct usb_device *dev, struct usb_interface *intf,
1136 * Deallocates hcd/hardware state for the endpoints (nuking all or most 1136 * Deallocates hcd/hardware state for the endpoints (nuking all or most
1137 * pending urbs) and usbcore state for the interfaces, so that usbcore 1137 * pending urbs) and usbcore state for the interfaces, so that usbcore
1138 * must usb_set_configuration() before any interfaces could be used. 1138 * must usb_set_configuration() before any interfaces could be used.
1139 *
1140 * Must be called with hcd->bandwidth_mutex held.
1141 */ 1139 */
1142void usb_disable_device(struct usb_device *dev, int skip_ep0) 1140void usb_disable_device(struct usb_device *dev, int skip_ep0)
1143{ 1141{
@@ -1190,7 +1188,9 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0)
1190 usb_disable_endpoint(dev, i + USB_DIR_IN, false); 1188 usb_disable_endpoint(dev, i + USB_DIR_IN, false);
1191 } 1189 }
1192 /* Remove endpoints from the host controller internal state */ 1190 /* Remove endpoints from the host controller internal state */
1191 mutex_lock(hcd->bandwidth_mutex);
1193 usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL); 1192 usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
1193 mutex_unlock(hcd->bandwidth_mutex);
1194 /* Second pass: remove endpoint pointers */ 1194 /* Second pass: remove endpoint pointers */
1195 } 1195 }
1196 for (i = skip_ep0; i < 16; ++i) { 1196 for (i = skip_ep0; i < 16; ++i) {
@@ -1750,7 +1750,6 @@ free_interfaces:
1750 /* if it's already configured, clear out old state first. 1750 /* if it's already configured, clear out old state first.
1751 * getting rid of old interfaces means unbinding their drivers. 1751 * getting rid of old interfaces means unbinding their drivers.
1752 */ 1752 */
1753 mutex_lock(hcd->bandwidth_mutex);
1754 if (dev->state != USB_STATE_ADDRESS) 1753 if (dev->state != USB_STATE_ADDRESS)
1755 usb_disable_device(dev, 1); /* Skip ep0 */ 1754 usb_disable_device(dev, 1); /* Skip ep0 */
1756 1755
@@ -1763,6 +1762,7 @@ free_interfaces:
1763 * host controller will not allow submissions to dropped endpoints. If 1762 * host controller will not allow submissions to dropped endpoints. If
1764 * this call fails, the device state is unchanged. 1763 * this call fails, the device state is unchanged.
1765 */ 1764 */
1765 mutex_lock(hcd->bandwidth_mutex);
1766 ret = usb_hcd_alloc_bandwidth(dev, cp, NULL, NULL); 1766 ret = usb_hcd_alloc_bandwidth(dev, cp, NULL, NULL);
1767 if (ret < 0) { 1767 if (ret < 0) {
1768 mutex_unlock(hcd->bandwidth_mutex); 1768 mutex_unlock(hcd->bandwidth_mutex);