From: Christian Gromm <christian.gromm@microchip.com>
To: gregkh@linuxfoundation.org
Cc: Christian Gromm <christian.gromm@microchip.com>,
	driverdev-devel@linuxdriverproject.org
Subject: [PATCH 23/28] staging: most: fix race conditions
Date: Tue, 22 Dec 2015 10:53:04 +0100	[thread overview]
Message-ID: <1450777989-5551-24-git-send-email-christian.gromm@microchip.com> (raw)
In-Reply-To: <1450777989-5551-1-git-send-email-christian.gromm@microchip.com>

This patch fixes race conditions that might emerge from functions
aim_open, aim_close, aim_read, aim_write and aim_disconnect_channel
within module cdev.

Signed-off-by: Christian Gromm <christian.gromm@microchip.com>
---
This patch has been resent on behalf of Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/staging/most/aim-cdev/cdev.c |   89 +++++++++++++++++++++-------------
 1 file changed, 54 insertions(+), 35 deletions(-)

diff --git a/drivers/staging/most/aim-cdev/cdev.c b/drivers/staging/most/aim-cdev/cdev.c
index 5065139..ade7808 100644
--- a/drivers/staging/most/aim-cdev/cdev.c
+++ b/drivers/staging/most/aim-cdev/cdev.c
@@ -32,6 +32,7 @@ static struct most_aim cdev_aim;
 
 struct aim_channel {
 	wait_queue_head_t wq;
+	spinlock_t unlink;	/* synchronization lock to unlink channels */
 	struct cdev cdev;
 	struct device *dev;
 	struct mutex io_mutex;
@@ -55,6 +56,12 @@ static inline bool ch_has_mbo(struct aim_channel *c)
 	return channel_has_mbo(c->iface, c->channel_id, &cdev_aim) > 0;
 }
 
+static inline bool ch_get_mbo(struct aim_channel *c, struct mbo **mbo)
+{
+	*mbo = most_get_mbo(c->iface, c->channel_id, &cdev_aim);
+	return *mbo;
+}
+
 static struct aim_channel *get_channel(struct most_interface *iface, int id)
 {
 	struct aim_channel *c, *tmp;
@@ -82,6 +89,7 @@ static void stop_channel(struct aim_channel *c)
 		most_put_mbo(mbo);
 	if (c->stacked_mbo)
 		most_put_mbo(c->stacked_mbo);
+	c->stacked_mbo = NULL;
 	most_stop_channel(c->iface, c->channel_id, &cdev_aim);
 }
 
@@ -121,16 +129,25 @@ static int aim_open(struct inode *inode, struct file *filp)
 		pr_info("WARN: Access flags mismatch\n");
 		return -EACCES;
 	}
+
+	mutex_lock(&c->io_mutex);
+	if (!c->dev) {
+		pr_info("WARN: Device is destroyed\n");
+		mutex_unlock(&c->io_mutex);
+		return -EBUSY;
+	}
+
 	if (!atomic_inc_and_test(&c->access_ref)) {
 		pr_info("WARN: Device is busy\n");
 		atomic_dec(&c->access_ref);
+		mutex_unlock(&c->io_mutex);
 		return -EBUSY;
 	}
 
-	ret = most_start_channel(c->iface, c->channel_id,
-				 &cdev_aim);
+	ret = most_start_channel(c->iface, c->channel_id, &cdev_aim);
 	if (ret)
 		atomic_dec(&c->access_ref);
+	mutex_unlock(&c->io_mutex);
 	return ret;
 }
 
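Review bot: The new `!c->dev` branch returns `-EBUSY`, the same code as the "Device is busy" branch just below it, so user space cannot tell a disconnected channel from one that is merely open elsewhere. `return -ENODEV;` would match the condition the log message reports. aim_open starts above this hunk, so its earlier checks are not visible here.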
@@ -146,17 +163,17 @@ static int aim_close(struct inode *inode, struct file *filp)
 	struct aim_channel *c = to_channel(inode->i_cdev);
 
 	mutex_lock(&c->io_mutex);
-	if (!c->dev) {
+	spin_lock(&c->unlink);
+	atomic_dec(&c->access_ref);
+	spin_unlock(&c->unlink);
+	if (c->dev) {
+		stop_channel(c);
 		mutex_unlock(&c->io_mutex);
-		atomic_dec(&c->access_ref);
+	} else {
 		destroy_cdev(c);
+		mutex_unlock(&c->io_mutex);
 		kfree(c);
-		return 0;
 	}
-	mutex_unlock(&c->io_mutex);
-
-	stop_channel(c);
-	atomic_dec(&c->access_ref);
 	return 0;
 }
 
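Review bot: In the `else` branch, `mutex_unlock(&c->io_mutex);` is immediately followed by `kfree(c);`, which frees the mutex itself while another task may still be blocked on it. The aim_open hunk in this patch now takes `c->io_mutex` before checking `c->dev`, so an open that has already resolved `c` and is waiting for the lock would, as far as these hunks show, acquire a mutex in freed memory and then read `c->dev` from it. The `else` branch of aim_disconnect_channel has the same unlock-then-free sequence. Whether destroy_cdev() excludes such a late opener is not visible here; if it does not, the channel's lifetime needs a reference count (for example a `struct kref` released from both paths) rather than a free that directly follows the unlock.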
@@ -171,40 +188,27 @@ static ssize_t aim_write(struct file *filp, const char __user *buf,
 			 size_t count, loff_t *offset)
 {
 	int ret, err;
-	size_t actual_len = 0;
-	size_t max_len = 0;
+	size_t actual_len;
+	size_t max_len;
 	ssize_t retval;
-	struct mbo *mbo;
+	struct mbo *mbo = NULL;
 	struct aim_channel *c = filp->private_data;
 
 	mutex_lock(&c->io_mutex);
-	if (unlikely(!c->dev)) {
+	while (c->dev && !ch_get_mbo(c, &mbo)) {
 		mutex_unlock(&c->io_mutex);
-		return -EPIPE;
-	}
-	mutex_unlock(&c->io_mutex);
-
-	mbo = most_get_mbo(c->iface, c->channel_id, &cdev_aim);
 
-	if (!mbo) {
 		if ((filp->f_flags & O_NONBLOCK))
 			return -EAGAIN;
-		if (wait_event_interruptible(
-			    c->wq,
-			    (mbo = most_get_mbo(c->iface,
-						c->channel_id,
-						&cdev_aim)) ||
-			    (!c->dev)))
+		if (wait_event_interruptible(c->wq, ch_has_mbo(c) || !c->dev))
 			return -ERESTARTSYS;
+		mutex_lock(&c->io_mutex);
 	}
 
-	mutex_lock(&c->io_mutex);
 	if (unlikely(!c->dev)) {
-		mutex_unlock(&c->io_mutex);
 		err = -EPIPE;
 		goto error;
 	}
-	mutex_unlock(&c->io_mutex);
 
 	max_len = c->cfg->buffer_size;
 	actual_len = min(count, max_len);
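Review bot: The lock state inside the wait loop is easy to misread and deserves a comment: io_mutex is released at the top of each iteration, so the `-EAGAIN` and `-ERESTARTSYS` returns leave without it, while every exit through the loop condition holds it. Something like `/* io_mutex is dropped while we sleep; the early returns below run unlocked */` above `mutex_unlock(&c->io_mutex);` would state that. The body of aim_write continues past this hunk; the next hunk shows the `error:` path releasing the lock.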
@@ -222,9 +226,12 @@ static ssize_t aim_write(struct file *filp, const char __user *buf,
 		err = ret;
 		goto error;
 	}
+	mutex_unlock(&c->io_mutex);
 	return actual_len - retval;
 error:
-	most_put_mbo(mbo);
+	if (mbo)
+		most_put_mbo(mbo);
+	mutex_unlock(&c->io_mutex);
 	return err;
 }
 
@@ -242,23 +249,25 @@ aim_read(struct file *filp, char __user *buf, size_t count, loff_t *offset)
 	struct mbo *mbo;
 	struct aim_channel *c = filp->private_data;
 
+	mutex_lock(&c->io_mutex);
 	if (c->stacked_mbo) {
 		mbo = c->stacked_mbo;
 		goto start_copy;
 	}
 	while ((!kfifo_out(&c->fifo, &mbo, 1)) && (c->dev)) {
+		mutex_unlock(&c->io_mutex);
 		if (filp->f_flags & O_NONBLOCK)
 			return -EAGAIN;
 		if (wait_event_interruptible(c->wq,
 					     (!kfifo_is_empty(&c->fifo) ||
 					      (!c->dev))))
 			return -ERESTARTSYS;
+		mutex_lock(&c->io_mutex);
 	}
 	c->stacked_mbo = mbo;
 
 start_copy:
 	/* make sure we don't submit to gone devices */
-	mutex_lock(&c->io_mutex);
 	if (unlikely(!c->dev)) {
 		mutex_unlock(&c->io_mutex);
 		return -EIO;
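Review bot: `c->stacked_mbo = mbo;` after the loop can store an indeterminate pointer: `mbo` is declared without an initializer, and when the loop ends because `c->dev` became NULL while `kfifo_out()` kept returning 0, nothing has written to it. The `!c->dev` check under `start_copy:` then returns `-EIO`, but the stale value stays in `c->stacked_mbo` for whatever reads it next. Declaring `struct mbo *mbo = NULL;`, as aim_write now does in this patch, keeps the stored value well defined. The rest of aim_read lies outside this hunk.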
@@ -335,14 +344,17 @@ static int aim_disconnect_channel(struct most_interface *iface, int channel_id)
 		return -ENXIO;
 
 	mutex_lock(&c->io_mutex);
+	spin_lock(&c->unlink);
 	c->dev = NULL;
-	mutex_unlock(&c->io_mutex);
-
-	if (atomic_read(&c->access_ref)) {
+	spin_unlock(&c->unlink);
+	if (!atomic_read(&c->access_ref)) {
+		stop_channel(c);
+		wake_up_interruptible(&c->wq);
+		mutex_unlock(&c->io_mutex);
+	} else {
 		destroy_cdev(c);
+		mutex_unlock(&c->io_mutex);
 		kfree(c);
-	} else {
-		wake_up_interruptible(&c->wq);
 	}
 	return 0;
 }
@@ -365,7 +377,13 @@ static int aim_rx_completion(struct mbo *mbo)
 	if (!c)
 		return -ENXIO;
 
+	spin_lock(&c->unlink);
+	if (atomic_read(&c->access_ref) || !c->dev) {
+		spin_unlock(&c->unlink);
+		return -EFAULT;
+	}
 	kfifo_in(&c->fifo, &mbo, 1);
+	spin_unlock(&c->unlink);
 #ifdef DEBUG_MESG
 	if (kfifo_is_full(&c->fifo))
 		pr_info("WARN: Fifo is full\n");
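Review bot: `spin_lock(&c->unlink)` here is the plain variant, and the same lock is taken with plain `spin_lock()` from process context in aim_close and aim_disconnect_channel. If this completion callback can run in interrupt or softirq context (its callers are not visible in this patch), an invocation that interrupts one of those holders on the same CPU would spin forever. In that case the process-context sites should use `spin_lock_irqsave(&c->unlink, flags);` and `spin_unlock_irqrestore(&c->unlink, flags);`, or the `_bh` variants, depending on the caller. aim_rx_completion begins above this hunk and continues below it.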
@@ -451,6 +469,7 @@ static int aim_probe(struct most_interface *iface, int channel_id,
 	c->channel_id = channel_id;
 	c->mbo_offs = 0;
 	atomic_set(&c->access_ref, -1);
+	spin_lock_init(&c->unlink);
 	INIT_KFIFO(c->fifo);
 	retval = kfifo_alloc(&c->fifo, cfg->num_buffers, GFP_KERNEL);
 	if (retval) {
-- 
1.7.9.5
