Dave,
Sorry, I did not look carefully enough! usbtmc_probe() seems to be correct.
@Lv Yunglong: If you think you can provoke an error then you can send us instructions or a kernel dump with a private mail.
-Guido
Hi Dave,
I just found this patch, which does not seem to be a correct solution to solve a race.
Maybe there is really an issue with the refcounting of data->kref, but currently I do not have time to check this in home office.
At least I see a problem in usbtmc_probe()
After calling:
/* Protect interrupt in endpoint data until iin_urb is freed */
kref_get(&data->kref);
the refcounter is incremented again and if usbtmc_probe() fails, the counter is only decremented with a single kref_put(..).
I don't know if this is the reason of Lv Yunglong's problem, but let me know if you have time to track down this issue, and we will work on a correct and tested patch.
Regards,
Guido
> -----Original Message-----
> From: Greg KH
> Sent: Tuesday, March 23, 2021 10:44 AM
> To: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> Cc: linux-usb@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH v2] usb: Add a lock when freeing data in
> usbtmc_disconnect
>
> On Tue, Mar 23, 2021 at 02:28:54AM -0700, Lv Yunlong wrote:
>> In usbtmc_disconnect, data is got from intf with the initial reference.
>> There is no refcount inc operation before usbmc_free_int(data). In
>> usbmc_free_int(data), the data may be freed.
>>
>> But later in usbtmc_disconnect, there is another put function of data.
>> It could cause errors in race.
>>
>> My patch adds a lock to protect kref from changing in race.
>>
>> Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
>> ---
>> drivers/usb/class/usbtmc.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
>> index 74d5a9c5238a..44f1fcabbb1e 100644
>> --- a/drivers/usb/class/usbtmc.c
>> +++ b/drivers/usb/class/usbtmc.c
>> @@ -2493,8 +2493,13 @@ static void usbtmc_disconnect(struct
>> usb_interface *intf)
>> usb_scuttle_anchored_urbs(&file_data->in_anchor);
>> }
>> mutex_unlock(&data->io_mutex);
>> +
>> + spinlock_t *dev_lock = &data->dev_lock;
>> +
>> + spin_lock_irq(dev_lock);
>> usbtmc_free_int(data);
>> kref_put(&data->kref, usbtmc_delete);
>> + spin_unlock_irq(dev_lock);
>> }
>>
>> static void usbtmc_draw_down(struct usbtmc_file_data *file_data)
>> --
>> 2.25.1
>
> You obviously did not even build this patch, let alone test it :(
>
> Please do not waste maintainer's time by not doing the proper steps
> when submitting patches.
>
> thanks,
>
> greg k-h
