On Sat, 31 Jul 2010, Christian Lamparter wrote:
> This patch fixes a race condition in two utility routines
> related removal of urbs from an anchor.
>
> If two threads are concurrently accessing the same anchor,
> both could end up with the same urb - thinking they are
> the exclusive owner.
>
> Cc: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <greg@xxxxxxxxx>
> Signed-off-by: Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>
> ---
> v0 -> v1
> - Alan Stern's comments.
>
> BTW, what about usb_{unlink,kill,poison)_anchored_urbs?
> At first glance, these functions seem to be immune to this
> bug (delisting is done elsewhere), or is there something
> I've missed?
You're right about that. However there is an issue in
usb_unlink_anchored_urbs. The URB isn't removed from the anchor until
it completes (as a by-product of completion, in fact), which might not
be for quite some time after the unlink call returns. In the meantime,
the subroutine will keep trying to unlink it, over and over again. I
think it would be best to unanchor the URB before calling
usb_unlink_urb.
Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
