aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/usb
diff options
context:
space:
mode:
authorMichal Nazarewicz <m.nazarewicz@samsung.com>2010-06-25 10:29:28 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2010-06-30 11:16:07 -0400
commitb894f60a232d552fc18b018271c2893f0b0c1c15 (patch)
treebfe023045f34f7af982bbde73a90f7b562976a2a /drivers/usb
parente5fd39d9b80aaa0b8a16dd570fa55009905d6af4 (diff)
USB: gadget: f_mass_storage: stale common->fsg value bug fix
On fsg_unbind the common->fsg pointer was not NULLed if the unbound fsg_dev instance was the current one. As an effect, the incorrect pointer was preserved in all further operations which caused do_set_interface to reference an invalid region. This commit fixes this by raising an exception in fsg_bind which will change the common->fsg pointer. This also requires an wait queue so that the thread in fsg_bind can wait till the worker thread handles the exception. This commit removes also a config and new_config fields of fsg_common as they are no longer needed since fsg can be used to determine whether function is active or not. Moreover, this commit removes possible race condition where the fsg field was modified in both the worker thread and form various other contexts. This is fixed by replacing prev_fsg with new_fsg. At this point, fsg is assigned only in worker thread. Signed-off-by: Michal Nazarewicz <m.nazarewicz@samsung.com> Cc: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb')
-rw-r--r--drivers/usb/gadget/f_mass_storage.c160
1 files changed, 61 insertions, 99 deletions
diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
index f866b7e72a28..4ce899c9b165 100644
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -321,8 +321,8 @@ struct fsg_dev;
321/* Data shared by all the FSG instances. */ 321/* Data shared by all the FSG instances. */
322struct fsg_common { 322struct fsg_common {
323 struct usb_gadget *gadget; 323 struct usb_gadget *gadget;
324 struct fsg_dev *fsg; 324 struct fsg_dev *fsg, *new_fsg;
325 struct fsg_dev *prev_fsg; 325 wait_queue_head_t fsg_wait;
326 326
327 /* filesem protects: backing files in use */ 327 /* filesem protects: backing files in use */
328 struct rw_semaphore filesem; 328 struct rw_semaphore filesem;
@@ -351,7 +351,6 @@ struct fsg_common {
351 enum fsg_state state; /* For exception handling */ 351 enum fsg_state state; /* For exception handling */
352 unsigned int exception_req_tag; 352 unsigned int exception_req_tag;
353 353
354 u8 config, new_config;
355 enum data_direction data_dir; 354 enum data_direction data_dir;
356 u32 data_size; 355 u32 data_size;
357 u32 data_size_from_cmnd; 356 u32 data_size_from_cmnd;
@@ -595,7 +594,7 @@ static int fsg_setup(struct usb_function *f,
595 u16 w_value = le16_to_cpu(ctrl->wValue); 594 u16 w_value = le16_to_cpu(ctrl->wValue);
596 u16 w_length = le16_to_cpu(ctrl->wLength); 595 u16 w_length = le16_to_cpu(ctrl->wLength);
597 596
598 if (!fsg->common->config) 597 if (!fsg_is_set(fsg->common))
599 return -EOPNOTSUPP; 598 return -EOPNOTSUPP;
600 599
601 switch (ctrl->bRequest) { 600 switch (ctrl->bRequest) {
@@ -2303,24 +2302,20 @@ static int alloc_request(struct fsg_common *common, struct usb_ep *ep,
2303 return -ENOMEM; 2302 return -ENOMEM;
2304} 2303}
2305 2304
2306/* 2305/* Reset interface setting and re-init endpoint state (toggle etc). */
2307 * Reset interface setting and re-init endpoint state (toggle etc). 2306static int do_set_interface(struct fsg_common *common, struct fsg_dev *new_fsg)
2308 * Call with altsetting < 0 to disable the interface. The only other
2309 * available altsetting is 0, which enables the interface.
2310 */
2311static int do_set_interface(struct fsg_common *common, int altsetting)
2312{ 2307{
2313 int rc = 0; 2308 const struct usb_endpoint_descriptor *d;
2314 int i; 2309 struct fsg_dev *fsg;
2315 const struct usb_endpoint_descriptor *d; 2310 int i, rc = 0;
2316 2311
2317 if (common->running) 2312 if (common->running)
2318 DBG(common, "reset interface\n"); 2313 DBG(common, "reset interface\n");
2319 2314
2320reset: 2315reset:
2321 /* Deallocate the requests */ 2316 /* Deallocate the requests */
2322 if (common->prev_fsg) { 2317 if (common->fsg) {
2323 struct fsg_dev *fsg = common->prev_fsg; 2318 fsg = common->fsg;
2324 2319
2325 for (i = 0; i < FSG_NUM_BUFFERS; ++i) { 2320 for (i = 0; i < FSG_NUM_BUFFERS; ++i) {
2326 struct fsg_buffhd *bh = &common->buffhds[i]; 2321 struct fsg_buffhd *bh = &common->buffhds[i];
@@ -2345,88 +2340,53 @@ reset:
2345 fsg->bulk_out_enabled = 0; 2340 fsg->bulk_out_enabled = 0;
2346 } 2341 }
2347 2342
2348 common->prev_fsg = 0; 2343 common->fsg = NULL;
2344 wake_up(&common->fsg_wait);
2349 } 2345 }
2350 2346
2351 common->running = 0; 2347 common->running = 0;
2352 if (altsetting < 0 || rc != 0) 2348 if (!new_fsg || rc)
2353 return rc; 2349 return rc;
2354 2350
2355 DBG(common, "set interface %d\n", altsetting); 2351 common->fsg = new_fsg;
2352 fsg = common->fsg;
2356 2353
2357 if (fsg_is_set(common)) { 2354 /* Enable the endpoints */
2358 struct fsg_dev *fsg = common->fsg; 2355 d = fsg_ep_desc(common->gadget,
2359 common->prev_fsg = common->fsg; 2356 &fsg_fs_bulk_in_desc, &fsg_hs_bulk_in_desc);
2357 rc = enable_endpoint(common, fsg->bulk_in, d);
2358 if (rc)
2359 goto reset;
2360 fsg->bulk_in_enabled = 1;
2361
2362 d = fsg_ep_desc(common->gadget,
2363 &fsg_fs_bulk_out_desc, &fsg_hs_bulk_out_desc);
2364 rc = enable_endpoint(common, fsg->bulk_out, d);
2365 if (rc)
2366 goto reset;
2367 fsg->bulk_out_enabled = 1;
2368 common->bulk_out_maxpacket = le16_to_cpu(d->wMaxPacketSize);
2369 clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags);
2370
2371 /* Allocate the requests */
2372 for (i = 0; i < FSG_NUM_BUFFERS; ++i) {
2373 struct fsg_buffhd *bh = &common->buffhds[i];
2360 2374
2361 /* Enable the endpoints */ 2375 rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2362 d = fsg_ep_desc(common->gadget,
2363 &fsg_fs_bulk_in_desc, &fsg_hs_bulk_in_desc);
2364 rc = enable_endpoint(common, fsg->bulk_in, d);
2365 if (rc) 2376 if (rc)
2366 goto reset; 2377 goto reset;
2367 fsg->bulk_in_enabled = 1; 2378 rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2368
2369 d = fsg_ep_desc(common->gadget,
2370 &fsg_fs_bulk_out_desc, &fsg_hs_bulk_out_desc);
2371 rc = enable_endpoint(common, fsg->bulk_out, d);
2372 if (rc) 2379 if (rc)
2373 goto reset; 2380 goto reset;
2374 fsg->bulk_out_enabled = 1; 2381 bh->inreq->buf = bh->outreq->buf = bh->buf;
2375 common->bulk_out_maxpacket = le16_to_cpu(d->wMaxPacketSize); 2382 bh->inreq->context = bh->outreq->context = bh;
2376 clear_bit(IGNORE_BULK_OUT, &fsg->atomic_bitflags); 2383 bh->inreq->complete = bulk_in_complete;
2377 2384 bh->outreq->complete = bulk_out_complete;
2378 /* Allocate the requests */
2379 for (i = 0; i < FSG_NUM_BUFFERS; ++i) {
2380 struct fsg_buffhd *bh = &common->buffhds[i];
2381
2382 rc = alloc_request(common, fsg->bulk_in, &bh->inreq);
2383 if (rc)
2384 goto reset;
2385 rc = alloc_request(common, fsg->bulk_out, &bh->outreq);
2386 if (rc)
2387 goto reset;
2388 bh->inreq->buf = bh->outreq->buf = bh->buf;
2389 bh->inreq->context = bh->outreq->context = bh;
2390 bh->inreq->complete = bulk_in_complete;
2391 bh->outreq->complete = bulk_out_complete;
2392 }
2393
2394 common->running = 1;
2395 for (i = 0; i < common->nluns; ++i)
2396 common->luns[i].unit_attention_data = SS_RESET_OCCURRED;
2397 return rc;
2398 } else {
2399 return -EIO;
2400 } 2385 }
2401}
2402 2386
2403 2387 common->running = 1;
2404/* 2388 for (i = 0; i < common->nluns; ++i)
2405 * Change our operational configuration. This code must agree with the code 2389 common->luns[i].unit_attention_data = SS_RESET_OCCURRED;
2406 * that returns config descriptors, and with interface altsetting code.
2407 *
2408 * It's also responsible for power management interactions. Some
2409 * configurations might not work with our current power sources.
2410 * For now we just assume the gadget is always self-powered.
2411 */
2412static int do_set_config(struct fsg_common *common, u8 new_config)
2413{
2414 int rc = 0;
2415
2416 /* Disable the single interface */
2417 if (common->config != 0) {
2418 DBG(common, "reset config\n");
2419 common->config = 0;
2420 rc = do_set_interface(common, -1);
2421 }
2422
2423 /* Enable the interface */
2424 if (new_config != 0) {
2425 common->config = new_config;
2426 rc = do_set_interface(common, 0);
2427 if (rc != 0)
2428 common->config = 0; /* Reset on errors */
2429 }
2430 return rc; 2390 return rc;
2431} 2391}
2432 2392
@@ -2437,9 +2397,7 @@ static int do_set_config(struct fsg_common *common, u8 new_config)
2437static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt) 2397static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2438{ 2398{
2439 struct fsg_dev *fsg = fsg_from_func(f); 2399 struct fsg_dev *fsg = fsg_from_func(f);
2440 fsg->common->prev_fsg = fsg->common->fsg; 2400 fsg->common->new_fsg = fsg;
2441 fsg->common->fsg = fsg;
2442 fsg->common->new_config = 1;
2443 raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE); 2401 raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2444 return 0; 2402 return 0;
2445} 2403}
@@ -2447,9 +2405,7 @@ static int fsg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
2447static void fsg_disable(struct usb_function *f) 2405static void fsg_disable(struct usb_function *f)
2448{ 2406{
2449 struct fsg_dev *fsg = fsg_from_func(f); 2407 struct fsg_dev *fsg = fsg_from_func(f);
2450 fsg->common->prev_fsg = fsg->common->fsg; 2408 fsg->common->new_fsg = NULL;
2451 fsg->common->fsg = fsg;
2452 fsg->common->new_config = 0;
2453 raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE); 2409 raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2454} 2410}
2455 2411
@@ -2459,19 +2415,17 @@ static void fsg_disable(struct usb_function *f)
2459static void handle_exception(struct fsg_common *common) 2415static void handle_exception(struct fsg_common *common)
2460{ 2416{
2461 siginfo_t info; 2417 siginfo_t info;
2462 int sig;
2463 int i; 2418 int i;
2464 struct fsg_buffhd *bh; 2419 struct fsg_buffhd *bh;
2465 enum fsg_state old_state; 2420 enum fsg_state old_state;
2466 u8 new_config;
2467 struct fsg_lun *curlun; 2421 struct fsg_lun *curlun;
2468 unsigned int exception_req_tag; 2422 unsigned int exception_req_tag;
2469 int rc;
2470 2423
2471 /* Clear the existing signals. Anything but SIGUSR1 is converted 2424 /* Clear the existing signals. Anything but SIGUSR1 is converted
2472 * into a high-priority EXIT exception. */ 2425 * into a high-priority EXIT exception. */
2473 for (;;) { 2426 for (;;) {
2474 sig = dequeue_signal_lock(current, &current->blocked, &info); 2427 int sig =
2428 dequeue_signal_lock(current, &current->blocked, &info);
2475 if (!sig) 2429 if (!sig)
2476 break; 2430 break;
2477 if (sig != SIGUSR1) { 2431 if (sig != SIGUSR1) {
@@ -2482,7 +2436,7 @@ static void handle_exception(struct fsg_common *common)
2482 } 2436 }
2483 2437
2484 /* Cancel all the pending transfers */ 2438 /* Cancel all the pending transfers */
2485 if (fsg_is_set(common)) { 2439 if (likely(common->fsg)) {
2486 for (i = 0; i < FSG_NUM_BUFFERS; ++i) { 2440 for (i = 0; i < FSG_NUM_BUFFERS; ++i) {
2487 bh = &common->buffhds[i]; 2441 bh = &common->buffhds[i];
2488 if (bh->inreq_busy) 2442 if (bh->inreq_busy)
@@ -2523,7 +2477,6 @@ static void handle_exception(struct fsg_common *common)
2523 common->next_buffhd_to_fill = &common->buffhds[0]; 2477 common->next_buffhd_to_fill = &common->buffhds[0];
2524 common->next_buffhd_to_drain = &common->buffhds[0]; 2478 common->next_buffhd_to_drain = &common->buffhds[0];
2525 exception_req_tag = common->exception_req_tag; 2479 exception_req_tag = common->exception_req_tag;
2526 new_config = common->new_config;
2527 old_state = common->state; 2480 old_state = common->state;
2528 2481
2529 if (old_state == FSG_STATE_ABORT_BULK_OUT) 2482 if (old_state == FSG_STATE_ABORT_BULK_OUT)
@@ -2573,12 +2526,12 @@ static void handle_exception(struct fsg_common *common)
2573 break; 2526 break;
2574 2527
2575 case FSG_STATE_CONFIG_CHANGE: 2528 case FSG_STATE_CONFIG_CHANGE:
2576 rc = do_set_config(common, new_config); 2529 do_set_interface(common, common->new_fsg);
2577 break; 2530 break;
2578 2531
2579 case FSG_STATE_EXIT: 2532 case FSG_STATE_EXIT:
2580 case FSG_STATE_TERMINATED: 2533 case FSG_STATE_TERMINATED:
2581 do_set_config(common, 0); /* Free resources */ 2534 do_set_interface(common, NULL); /* Free resources */
2582 spin_lock_irq(&common->lock); 2535 spin_lock_irq(&common->lock);
2583 common->state = FSG_STATE_TERMINATED; /* Stop the thread */ 2536 common->state = FSG_STATE_TERMINATED; /* Stop the thread */
2584 spin_unlock_irq(&common->lock); 2537 spin_unlock_irq(&common->lock);
@@ -2863,6 +2816,7 @@ buffhds_first_it:
2863 goto error_release; 2816 goto error_release;
2864 } 2817 }
2865 init_completion(&common->thread_notifier); 2818 init_completion(&common->thread_notifier);
2819 init_waitqueue_head(&common->fsg_wait);
2866#undef OR 2820#undef OR
2867 2821
2868 2822
@@ -2957,9 +2911,17 @@ static void fsg_common_release(struct kref *ref)
2957static void fsg_unbind(struct usb_configuration *c, struct usb_function *f) 2911static void fsg_unbind(struct usb_configuration *c, struct usb_function *f)
2958{ 2912{
2959 struct fsg_dev *fsg = fsg_from_func(f); 2913 struct fsg_dev *fsg = fsg_from_func(f);
2914 struct fsg_common *common = fsg->common;
2960 2915
2961 DBG(fsg, "unbind\n"); 2916 DBG(fsg, "unbind\n");
2962 fsg_common_put(fsg->common); 2917 if (fsg->common->fsg == fsg) {
2918 fsg->common->new_fsg = NULL;
2919 raise_exception(fsg->common, FSG_STATE_CONFIG_CHANGE);
2920 /* FIXME: make interruptible or killable somehow? */
2921 wait_event(common->fsg_wait, common->fsg != fsg);
2922 }
2923
2924 fsg_common_put(common);
2963 usb_free_descriptors(fsg->function.descriptors); 2925 usb_free_descriptors(fsg->function.descriptors);
2964 usb_free_descriptors(fsg->function.hs_descriptors); 2926 usb_free_descriptors(fsg->function.hs_descriptors);
2965 kfree(fsg); 2927 kfree(fsg);