From: Oliver Neukum Date: Mon, 31 Mar 2008 14:27:30 +0000 (+0200) Subject: HID: fix race between open() and disconnect() in usbhid X-Git-Tag: firefly_0821_release~21584^2~6 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=69626f23bce6521367ac1e6a2a6e8fba8f0a848a;p=firefly-linux-kernel-4.4.55.git HID: fix race between open() and disconnect() in usbhid There is a window: task A task B spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ usb_set_intfdata(intf, NULL); spin_unlock_irq(&usbhid->inlock); usb_kill_urb(usbhid->urbin); usb_kill_urb(usbhid->urbout); usb_kill_urb(usbhid->urbctrl); del_timer_sync(&usbhid->io_retry); cancel_work_sync(&usbhid->reset_work); if (!hid->open++) { res = usb_autopm_get_interface(usbhid->intf); if (res < 0) { hid->open--; return -EIO; } } if (hid_start_in(hid)) if (hid->claimed & HID_CLAIMED_INPUT) hidinput_disconnect(hid); in which an open() to an already disconnected device will submit an URB to an undead device. In case disconnect() was called by an ioctl, this'll oops. Fix by introducing a new flag and checking it in hid_start_in(). Signed-off-by: Oliver Neukum Signed-off-by: Jiri Kosina --- diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index f6a5d8930348..e0d805f1b2bf 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -82,6 +82,7 @@ static int hid_start_in(struct hid_device *hid) spin_lock_irqsave(&usbhid->inlock, flags); if (hid->open > 0 && !test_bit(HID_SUSPENDED, &usbhid->iofl) && + !test_bit(HID_DISCONNECTED, &usbhid->iofl) && !test_and_set_bit(HID_IN_RUNNING, &usbhid->iofl)) { rc = usb_submit_urb(usbhid->urbin, GFP_ATOMIC); if (rc != 0) @@ -155,7 +156,7 @@ static void hid_io_error(struct hid_device *hid) spin_lock_irqsave(&usbhid->inlock, flags); /* Stop when disconnected */ - if (usb_get_intfdata(usbhid->intf) == NULL) + if (test_bit(HID_DISCONNECTED, &usbhid->iofl)) goto done; /* If it has been a while since the last error, we'll assume @@ -941,6 +942,7 @@ static void hid_disconnect(struct usb_interface *intf) spin_lock_irq(&usbhid->inlock); /* Sync with error handler */ usb_set_intfdata(intf, NULL); + set_bit(HID_DISCONNECTED, &usbhid->iofl); spin_unlock_irq(&usbhid->inlock); usb_kill_urb(usbhid->urbin); usb_kill_urb(usbhid->urbout); diff --git a/include/linux/hid.h b/include/linux/hid.h index fe4ac31eced2..d951ec411241 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -424,6 +424,7 @@ struct hid_control_fifo { #define HID_RESET_PENDING 4 #define HID_SUSPENDED 5 #define HID_CLEAR_HALT 6 +#define HID_DISCONNECTED 7 struct hid_input { struct list_head list;