usbfs: fix deadlock on 'usbfs_mutex', clean up poll

The caller of usbfs_conn_disc_event() in some cases (but not always)
already holds usbfs_mutex, so trying to protect the event counter with
that lock causes nasty deadlocks.

The problem was introduced by commit 554f76962d ("USB: Remove BKL from
poll()") when the BKL protection was turned into using the mutex instead.

So fix this by using an atomic variable instead. And while we're at it,
get rid of the atrocious naming of said variable and the waitqueue it is
associated with.

This also cleans up the unnecessary locking in the poll routine, since
the whole point of how the pollwait table works is that you can just add
yourself to the waiting list, and then check the condition you're
waiting for afterwards - avoiding all races.

It also gets rid of the unnecessary dynamic allocation of the device
status that just contained a single word. We should use f_version for
this, as Dmitry Torokhov points out. That simplifies everything
further.

Reported-and-tested-by: Jeff Chua <jeff.chua.linux@gmail.com>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+23 -41
+23 -41
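--- a/drivers/usb/core/devices.c
+++ b/drivers/usb/core/devices.c
@@ -117,9 +117,21 @@
 * However, these will come from functions that return ptrs to each of them.
 */
 
-static DECLARE_WAIT_QUEUE_HEAD(deviceconndiscwq);
-/* guarded by usbfs_mutex */
-static unsigned int conndiscevcnt;
+/*
+* Wait for an connect/disconnect event to happen. We initialize
+* the event counter with an odd number, and each event will increment
+* the event counter by two, so it will always _stay_ odd. That means
+* that it will never be zero, so "event 0" will never match a current
+* event, and thus 'poll' will always trigger as readable for the first
+* time it gets called.
+*/
+static struct device_connect_event {
+atomic_t count;
+wait_queue_head_t wait;
+} device_event = {
+.count = ATOMIC_INIT(1),
+.wait = __WAIT_QUEUE_HEAD_INITIALIZER(device_event.wait)
+};
 
 /* this struct stores the poll state for <mountpoint>/devices pollers */
 struct usb_device_status {
@@ -169,10 +157,8 @@
 
 void usbfs_conn_disc_event(void)
 {
-mutex_lock(&usbfs_mutex);
-conndiscevcnt++;
-mutex_unlock(&usbfs_mutex);
-wake_up(&deviceconndiscwq);
+atomic_add(2, &device_event.count);
+wake_up(&device_event.wait);
 }
 
 static const char *class_decode(const int class)
@@ -642,42 +632,16 @@
 static unsigned int usb_device_poll(struct file *file,
 struct poll_table_struct *wait)
 {
-struct usb_device_status *st;
-unsigned int mask = 0;
+unsigned int event_count;
 
-mutex_lock(&usbfs_mutex);
-st = file->private_data;
-if (!st) {
-st = kmalloc(sizeof(struct usb_device_status), GFP_KERNEL);
-if (!st) {
-mutex_unlock(&usbfs_mutex);
-return POLLIN;
-}
+poll_wait(file, &device_event.wait, wait);
 
-st->lastev = conndiscevcnt;
-file->private_data = st;
-mask = POLLIN;
+event_count = atomic_read(&device_event.count);
+if (file->f_version != event_count) {
+file->f_version = event_count;
+return POLLIN | POLLRDNORM;
 }
 
-if (file->f_mode & FMODE_READ)
-poll_wait(file, &deviceconndiscwq, wait);
-if (st->lastev != conndiscevcnt)
-mask |= POLLIN;
-st->lastev = conndiscevcnt;
-mutex_unlock(&usbfs_mutex);
-return mask;
-}
-
-static int usb_device_open(struct inode *inode, struct file *file)
-{
-file->private_data = NULL;
-return 0;
-}
-
-static int usb_device_release(struct inode *inode, struct file *file)
-{
-kfree(file->private_data);
-file->private_data = NULL;
 return 0;
 }
 
@@ -683,6 +699,4 @@
 .llseek = usb_device_lseek,
 .read = usb_device_read,
 .poll = usb_device_poll,
-.open = usb_device_open,
-.release = usb_device_release,
 };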
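Review bot: In `usb_device_poll()` the per-open "last event seen" value now lives in `file->f_version`, a generic VFS field, and nothing in the new code records that contract. If `usb_device_lseek` or the read path (both outside the visible hunks) ever reset or reuse `f_version`, the next poll would report `POLLIN | POLLRDNORM` without a real connect/disconnect; that is only a spurious wakeup, but it is worth a comment above the comparison, e.g. `/* f_version holds the last event count reported to this open file; 0 never matches because the counter stays odd */`. The store to `f_version` is also unlocked, so pollers sharing one open file (dup/fork) share that state, which the comment should mention as intended. The first hunk keeps `struct usb_device_status` and its "stores the poll state" comment as context; after this change it looks unused, so unless something else in the file still references it, the struct should be removed or the comment corrected.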