git.hungrycats.org Git - linux/commit

author	Johan Hovold <johan@kernel.org>
	Thu, 25 Apr 2019 16:05:36 +0000 (18:05 +0200)
committer	Ben Hutchings <ben@decadent.org.uk>
	Mon, 23 Sep 2019 20:11:57 +0000 (21:11 +0100)
commit	df48f1bc39827e750a9490b3c4abd6fdbfed8bb6
tree	2f57486bcd73cce0a42d88566dbf8b49533c51e6	tree \| snapshot
parent	650ef8048e3fdedab690e771ec456b417bb7cf3b	commit \| diff

USB: serial: fix unthrottle races

commit 3f5edd58d040bfa4b74fb89bc02f0bc6b9cd06ab upstream.

Fix two long-standing bugs which could potentially lead to memory
corruption or leave the port throttled until it is reopened (on weakly
ordered systems), respectively, when read-URB completion races with
unthrottle().

First, the URB must not be marked as free before processing is complete
to prevent it from being submitted by unthrottle() on another CPU.

CPU 1 CPU 2
================ ================
complete() unthrottle()
  process_urb();
  smp_mb__before_atomic();
  set_bit(i, free);   if (test_and_clear_bit(i, free))
     submit_urb();

Second, the URB must be marked as free before checking the throttled
flag to prevent unthrottle() on another CPU from failing to observe that
the URB needs to be submitted if complete() sees that the throttled flag
is set.

CPU 1 CPU 2
================ ================
complete() unthrottle()
  set_bit(i, free);   throttled = 0;
  smp_mb__after_atomic();   smp_mb();
  if (throttled)   if (test_and_clear_bit(i, free))
     return;   submit_urb();

Note that test_and_clear_bit() only implies barriers when the test is
successful. To handle the case where the URB is still in use an explicit
barrier needs to be added to unthrottle() for the second race condition.

Fixes: d83b405383c9 ("USB: serial: add support for multiple read urbs")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>