From 2a6da97ff530650d26570a6a1ec0ac1deac927bd Mon Sep 17 00:00:00 2001 From: Thomas Pugliese Date: Tue, 4 Mar 2014 11:24:55 -0600 Subject: usb: wusbcore: fix potential double list_del on urb dequeue This patch locks rpipe->seg_lock around the entire transfer segment cleanup loop in wa_urb_dequeue instead of just one case of the switch statement. This fixes a race between __wa_xfer_delayed_run and wa_urb_dequeue where a transfer segment in the WA_SEG_DELAYED state could be removed from the rpipe seg_list twice leading to memory corruption. It also switches the spin_lock call to use the non-irqsave version since the xfer->lock is already held and irqs already disabled. Signed-off-by: Thomas Pugliese Signed-off-by: Greg Kroah-Hartman diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c index 404ce81..6e0d377 100644 --- a/drivers/usb/wusbcore/wa-xfer.c +++ b/drivers/usb/wusbcore/wa-xfer.c @@ -1974,6 +1974,11 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) goto out_unlock; /* setup(), enqueue_b() completes */ /* Ok, the xfer is in flight already, it's been setup and submitted.*/ xfer_abort_pending = __wa_xfer_abort(xfer) >= 0; + /* + * grab the rpipe->seg_lock here to prevent racing with + * __wa_xfer_delayed_run. + */ + spin_lock(&rpipe->seg_lock); for (cnt = 0; cnt < xfer->segs; cnt++) { seg = xfer->seg[cnt]; pr_debug("%s: xfer id 0x%08X#%d status = %d\n", @@ -1994,10 +1999,8 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) */ seg->status = WA_SEG_ABORTED; seg->result = -ENOENT; - spin_lock_irqsave(&rpipe->seg_lock, flags2); list_del(&seg->list_node); xfer->segs_done++; - spin_unlock_irqrestore(&rpipe->seg_lock, flags2); break; case WA_SEG_DONE: case WA_SEG_ERROR: @@ -2026,6 +2029,7 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb, int status) break; } } + spin_unlock(&rpipe->seg_lock); xfer->result = urb->status; /* -ENOENT or -ECONNRESET */ done = __wa_xfer_is_done(xfer); spin_unlock_irqrestore(&xfer->lock, flags); -- cgit v0.10.2