aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPavel Machek <pavel@suse.cz>2008-05-02 19:45:10 -0400
committerDavid S. Miller <davem@davemloft.net>2008-05-02 19:45:10 -0400
commit026672d0997c911c9bef9aabe862884fc0add106 (patch)
tree6867e7e256f23102e5f73e267aa8a8b790717467
parent84994e16f25dabe234be4fc2d323ec9db95b87cb (diff)
hci_usb.h: fix hard-to-trigger race
If someone tries to _urb_unlink while _urb_queue_head is running, he'll see _urb->queue == NULL and fail to do any locking. Prevent that from happening by strategically placed barriers. Signed-off-by: Pavel Machek <pavel@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/bluetooth/hci_usb.h21
1 files changed, 13 insertions, 8 deletions
diff --git a/drivers/bluetooth/hci_usb.h b/drivers/bluetooth/hci_usb.h
index 414080a4e8ff..1790cc8e431e 100644
--- a/drivers/bluetooth/hci_usb.h
+++ b/drivers/bluetooth/hci_usb.h
@@ -70,7 +70,8 @@ static inline void _urb_queue_head(struct _urb_queue *q, struct _urb *_urb)
70{ 70{
71 unsigned long flags; 71 unsigned long flags;
72 spin_lock_irqsave(&q->lock, flags); 72 spin_lock_irqsave(&q->lock, flags);
73 list_add(&_urb->list, &q->head); _urb->queue = q; 73 /* _urb_unlink needs to know which spinlock to use, thus mb(). */
74 _urb->queue = q; mb(); list_add(&_urb->list, &q->head);
74 spin_unlock_irqrestore(&q->lock, flags); 75 spin_unlock_irqrestore(&q->lock, flags);
75} 76}
76 77
@@ -78,19 +79,23 @@ static inline void _urb_queue_tail(struct _urb_queue *q, struct _urb *_urb)
78{ 79{
79 unsigned long flags; 80 unsigned long flags;
80 spin_lock_irqsave(&q->lock, flags); 81 spin_lock_irqsave(&q->lock, flags);
81 list_add_tail(&_urb->list, &q->head); _urb->queue = q; 82 /* _urb_unlink needs to know which spinlock to use, thus mb(). */
83 _urb->queue = q; mb(); list_add_tail(&_urb->list, &q->head);
82 spin_unlock_irqrestore(&q->lock, flags); 84 spin_unlock_irqrestore(&q->lock, flags);
83} 85}
84 86
85static inline void _urb_unlink(struct _urb *_urb) 87static inline void _urb_unlink(struct _urb *_urb)
86{ 88{
87 struct _urb_queue *q = _urb->queue; 89 struct _urb_queue *q;
88 unsigned long flags; 90 unsigned long flags;
89 if (q) { 91
90 spin_lock_irqsave(&q->lock, flags); 92 mb();
91 list_del(&_urb->list); _urb->queue = NULL; 93 q = _urb->queue;
92 spin_unlock_irqrestore(&q->lock, flags); 94 /* If q is NULL, it will die at easy-to-debug NULL pointer dereference.
93 } 95 No need to BUG(). */
96 spin_lock_irqsave(&q->lock, flags);
97 list_del(&_urb->list); _urb->queue = NULL;
98 spin_unlock_irqrestore(&q->lock, flags);
94} 99}
95 100
96struct hci_usb { 101struct hci_usb {