aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/hid/usbhid
diff options
context:
space:
mode:
authorOliver Neukum <oliver@neukum.org>2008-03-31 10:27:30 -0400
committerJiri Kosina <jkosina@suse.cz>2008-04-22 05:34:58 -0400
commit69626f23bce6521367ac1e6a2a6e8fba8f0a848a (patch)
tree46342a02c79e0e69a1c1eed1239944c4f952b13c /drivers/hid/usbhid
parentabdff0f7749a6696ba2a4238b675cbc55abcdb7a (diff)
HID: fix race between open() and disconnect() in usbhid
There is a window: task A task B spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ usb_set_intfdata(intf, NULL); spin_unlock_irq(&usbhid->inlock); usb_kill_urb(usbhid->urbin); usb_kill_urb(usbhid->urbout); usb_kill_urb(usbhid->urbctrl); del_timer_sync(&usbhid->io_retry); cancel_work_sync(&usbhid->reset_work); if (!hid->open++) { res = usb_autopm_get_interface(usbhid->intf); if (res < 0) { hid->open--; return -EIO; } } if (hid_start_in(hid)) if (hid->claimed & HID_CLAIMED_INPUT) hidinput_disconnect(hid); in which an open() to an already disconnected device will submit an URB to an undead device. In case disconnect() was called by an ioctl, this'll oops. Fix by introducing a new flag and checking it in hid_start_in(). Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid/usbhid')
-rw-r--r--drivers/hid/usbhid/hid-core.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index f6a5d8930348..e0d805f1b2bf 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -82,6 +82,7 @@ static int hid_start_in(struct hid_device *hid)
82 82
83 spin_lock_irqsave(&usbhid->inlock, flags); 83 spin_lock_irqsave(&usbhid->inlock, flags);
84 if (hid->open > 0 && !test_bit(HID_SUSPENDED, &usbhid->iofl) && 84 if (hid->open > 0 && !test_bit(HID_SUSPENDED, &usbhid->iofl) &&
85 !test_bit(HID_DISCONNECTED, &usbhid->iofl) &&
85 !test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) { 86 !test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) {
86 rc = usb_submit_urb(usbhid->urbin, GFP_ATOMIC); 87 rc = usb_submit_urb(usbhid->urbin, GFP_ATOMIC);
87 if (rc != 0) 88 if (rc != 0)
@@ -155,7 +156,7 @@ static void hid_io_error(struct hid_device *hid)
155 spin_lock_irqsave(&usbhid->inlock, flags); 156 spin_lock_irqsave(&usbhid->inlock, flags);
156 157
157 /* Stop when disconnected */ 158 /* Stop when disconnected */
158 if (usb_get_intfdata(usbhid->intf) == NULL) 159 if (test_bit(HID_DISCONNECTED, &usbhid->iofl))
159 goto done; 160 goto done;
160 161
161 /* If it has been a while since the last error, we'll assume 162 /* If it has been a while since the last error, we'll assume
@@ -941,6 +942,7 @@ static void hid_disconnect(struct usb_interface *intf)
941 942
942 spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ 943 spin_lock_irq(&usbhid->inlock); /* Sync with error handler */
943 usb_set_intfdata(intf, NULL); 944 usb_set_intfdata(intf, NULL);
945 set_bit(HID_DISCONNECTED, &usbhid->iofl);
944 spin_unlock_irq(&usbhid->inlock); 946 spin_unlock_irq(&usbhid->inlock);
945 usb_kill_urb(usbhid->urbin); 947 usb_kill_urb(usbhid->urbin);
946 usb_kill_urb(usbhid->urbout); 948 usb_kill_urb(usbhid->urbout);