Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device()

[PATCH 00/11] hso: fix some problems with reset/disconnect path · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 01/11] hso: remove useless header file timer.h · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 02/11] hso: fix crash when device disappears while serial port is open · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 03/11] hso: fix memory leak when device disconnects · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 04/11] hso: fix memory leak in hso_create_rfkill() · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 05/11] hso: fix small indentation error · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 06/11] hso: rename hso_dev into serial in hso_free_interface() · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 07/11] hso: replace reset_device work by usb_queue_reset_device() · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 08/11] hso: move tty_unregister outside hso_serial_common_free() · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 09/11] hso: update serial_table in usb disconnect method · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 10/11] hso: add missing cancel_work_sync in disconnect() · Olivier Sobrie <hidden> · 2015-01-20
[PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Olivier Sobrie <hidden> · 2015-01-20
Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Oliver Neukum <hidden> · 2015-01-20
Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Olivier Sobrie <hidden> · 2015-01-20
Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Alan Stern <stern@rowland.harvard.edu> · 2015-01-20
Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Olivier Sobrie <hidden> · 2015-01-20
Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Olivier Sobrie <hidden> · 2015-01-21
Re: [PATCH 11/11] usb: core: fix a race with usb_queue_reset_device() · Alan Stern <stern@rowland.harvard.edu> · 2015-01-21
Re: [PATCH 04/11] hso: fix memory leak in hso_create_rfkill() · Oliver Neukum <hidden> · 2015-01-20
Re: [PATCH 04/11] hso: fix memory leak in hso_create_rfkill() · Olivier Sobrie <hidden> · 2015-01-20
Re: [PATCH 04/11] hso: fix memory leak in hso_create_rfkill() · Dan Williams <hidden> · 2015-01-20
[PATCH v2 00/11] hso: fix some problems in the disconnect path · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 01/11] hso: remove useless header file timer.h · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 02/11] hso: fix crash when device disappears while serial port is open · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 03/11] hso: fix memory leak when device disconnects · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 04/11] hso: fix memory leak in hso_create_rfkill() · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 05/11] hso: fix small indentation error · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 06/11] hso: rename hso_dev into serial in hso_free_interface() · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 07/11] hso: replace reset_device work by usb_queue_reset_device() · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 08/11] hso: move tty_unregister outside hso_serial_common_free() · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 09/11] hso: update serial_table in usb disconnect method · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 10/11] hso: add missing cancel_work_sync in disconnect() · Olivier Sobrie <hidden> · 2015-01-30
[PATCH v2 11/11] hso: fix rfkill name conflicts · Olivier Sobrie <hidden> · 2015-01-30
Re: [PATCH v2 11/11] hso: fix rfkill name conflicts · Dan Williams <hidden> · 2015-01-30
Re: [PATCH v2 11/11] hso: fix rfkill name conflicts · Olivier Sobrie <hidden> · 2015-01-30
Re: [PATCH v2 11/11] hso: fix rfkill name conflicts · Dan Williams <hidden> · 2015-01-30
Re: [PATCH v2 00/11] hso: fix some problems in the disconnect path · David Miller <davem@davemloft.net> · 2015-02-01

From: Oliver Neukum <hidden>
Date: 2015-01-20 13:48:52
Also in: lkml

On Tue, 2015-01-20 at 13:29 +0100, Olivier Sobrie wrote:

When usb_queue_reset() is called it schedules a work in view of
resetting the usb interface. When the reset work is running, it
can be scheduled again (e.g. by the usb disconnect method of
the driver).

Consider that the reset work is queued again while the reset work
is running and that this work leads to a forced unbinding of the
usb interface (e.g. because a driver is bound to the interface
and has no pre/post_reset methods - see usb_reset_device()).
In such condition, usb_unbind_interface() gets called and this
function calls usb_cancel_queued_reset() which does nothing
because the flag "reset_running" is set to 1. The second reset
work that has been scheduled is therefore not cancelled.
Later, the usb_reset_device() tries to rebind the interface.
If it fails, then the usb interface context which contain the
reset work struct is freed and it most likely crash when the
second reset work tries to be run.

The following flow shows the problem:
* usb_queue_reset_device()
* __usb_queue_reset_device() <- If the reset work is queued after here, then
    reset_running = 1           it will never be cancelled.
    usb_reset_device()
      usb_forced_unbind_intf()
        usb_driver_release_interface()
          usb_unbind_interface()
            driver->disconnect()
              usb_queue_reset_device() <- second reset

That is the sledgehammer approach. Wouldn't it be better to guarantee
that usb_queue_reset_device() be a nop when reset_running==1 ?

            usb_cancel_queued_reset() <- does nothing because
                                         the flag reset_running
                                         is set
      usb_unbind_and_rebind_marked_interfaces()
        usb_rebind_intf()
          device_attach()
            driver->probe() <- fails (no more drivers hold a reference to
				      the usb interface)
    reset_running = 0
* hub_event()
    usb_disconnect()
      usb_disable_device()
        kobject_release()
          device_release()
            usb_release_interface()
              kfree(intf) <- usb interface context is released
                             while we still have a pending reset
                             work that should be run

To avoid this problem, we use a delayed work so that if the reset
work is currently run, we can avoid further call to
__usb_queue_reset_device() work by using cancel_delayed_work().
Unfortunately it increases the size of the usb_interface structure...

	Regards
		Oliver

-- 
Oliver Neukum [off-list ref]

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help