On 25.03.23 16:47, Ye Xiang wrote: Hi,
+static int ljca_parse(struct ljca_dev *dev, struct ljca_msg *header) +{ + struct ljca_stub *stub; + + stub = ljca_stub_find(dev, header->type); + if (IS_ERR(stub)) + return PTR_ERR(stub); + + if (!(header->flags & LJCA_ACK_FLAG)) { + ljca_stub_notify(stub, header->cmd, header->data, header->len); + return 0; + } + + if (stub->cur_cmd != header->cmd) { + dev_err(&dev->intf->dev, "header and stub current command mismatch (%x vs %x)\n", + header->cmd, stub->cur_cmd); + return -EINVAL; + } + + if (stub->ipacket.ibuf && stub->ipacket.ibuf_len) {
Here you read those values from ipacket.
+ unsigned int newlen; + + newlen = min_t(unsigned int, header->len, *stub->ipacket.ibuf_len);
Here you read them again.
+ + *stub->ipacket.ibuf_len = newlen; + memcpy(stub->ipacket.ibuf, header->data, newlen);
And here you read them again. The compiler is free to generate a memory access for ipacket.ibuf, which may read a new value from RAM. That means here you have a window in which you can no longer guarantee stub->ipacket.ibuf != NULL, if you set it to NULL elsewhere.
+ } + + stub->acked = true; + wake_up(&dev->ack_wq); + + return 0; +} + +static int ljca_stub_write(struct ljca_stub *stub, u8 cmd, const void *obuf, unsigned int obuf_len, + void *ibuf, unsigned int *ibuf_len, bool wait_ack, unsigned long timeout) +{ + struct ljca_dev *dev = usb_get_intfdata(stub->intf); + u8 flags = LJCA_CMPL_FLAG; + struct ljca_msg *header; + unsigned int msg_len = sizeof(*header) + obuf_len; + int actual; + int ret; + + if (msg_len > LJCA_MAX_PACKET_SIZE) + return -EINVAL; + + if (wait_ack) + flags |= LJCA_ACK_FLAG; + + header = kmalloc(msg_len, GFP_KERNEL); + if (!header) + return -ENOMEM; + + header->type = stub->type; + header->cmd = cmd; + header->flags = flags; + header->len = obuf_len; + + if (obuf) + memcpy(header->data, obuf, obuf_len); + + dev_dbg(&dev->intf->dev, "send: type:%d cmd:%d flags:%d len:%d\n", header->type, + header->cmd, header->flags, header->len); + + usb_autopm_get_interface(dev->intf); + if (!dev->started) { + kfree(header); + ret = -ENODEV; + goto error_put; + } + + mutex_lock(&dev->mutex); + stub->cur_cmd = cmd; + stub->ipacket.ibuf = ibuf; + stub->ipacket.ibuf_len = ibuf_len; + stub->acked = false; + ret = usb_bulk_msg(interface_to_usbdev(dev->intf), + usb_sndbulkpipe(interface_to_usbdev(dev->intf), dev->out_ep), header, + msg_len, &actual, LJCA_USB_WRITE_TIMEOUT_MS); + kfree(header); + if (ret) { + dev_err(&dev->intf->dev, "bridge write failed ret:%d\n", ret); + goto error_unlock; + } + + if (actual != msg_len) { + dev_err(&dev->intf->dev, "bridge write length mismatch (%d vs %d)\n", msg_len, + actual); + ret = -EINVAL; + goto error_unlock; + } + + if (wait_ack) { + ret = wait_event_timeout(dev->ack_wq, stub->acked, msecs_to_jiffies(timeout)); + if (!ret) { + dev_err(&dev->intf->dev, "acked wait timeout\n"); + ret = -ETIMEDOUT; + goto error_unlock; + } + } + + ret = 0; +error_unlock: + stub->ipacket.ibuf = NULL; + stub->ipacket.ibuf_len = NULL;
And here you set stub->ipacket.ibuf to NULL. If you do that and want consistency, you'll need to use READ_ONCE and a local variable if you read this in interrupt.
+ mutex_unlock(&dev->mutex); +error_put: + usb_autopm_put_interface(dev->intf); + + return ret; +} +
HTH, Oliver