[PATCH] usbip: avoid deadlock in vhci_device_unlink_cleanup()

Bernard Blackham <b-linuxgit@xxxxxxxxxxxxxxxx> · Thu, 6 Sep 2012 20:25:04 +1000

Almost all of usbip assumes that the_controller->lock is acquired
before vdev->priv_lock. The exception is in
vhci_device_unlink_cleanup(), where locks are acquired in the
reverse order. This leads to occasional deadlocks.

Fixing this is a bit fiddly, as the_controller->lock can't be held
when calling usb_hcd_unlink_urb_from_ep() in the middle of the list
traversal. As I can't rule out concurrent callers to this function
(perhaps it is safe?), the code here becomes slightly uglier - when
locks are dropped in the middle so the list may have emptied itself
(not even list_for_each_entry_safe is safe here).

Signed-off-by: Bernard Blackham <b-linuxgit@xxxxxxxxxxxxxxxx>

diff --git a/drivers/staging/usbip/vhci_hcd.c b/drivers/staging/usbip/vhci_hcd.c
index 12a9a5f..dfeb492 100644
--- a/drivers/staging/usbip/vhci_hcd.c
+++ b/drivers/staging/usbip/vhci_hcd.c
@@ -749,6 +749,7 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 {
 	struct vhci_unlink *unlink, *tmp;
 
+	spin_lock(&the_controller->lock);
 	spin_lock(&vdev->priv_lock);
 
 	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
@@ -757,9 +758,12 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 		kfree(unlink);
 	}
 
-	list_for_each_entry_safe(unlink, tmp, &vdev->unlink_rx, list) {
+	while (!list_empty(&vdev->unlink_rx)) {
 		struct urb *urb;
 
+		unlink = list_first_entry(&vdev->unlink_rx, struct vhci_unlink,
+			list);
+
 		/* give back URB of unanswered unlink request */
 		pr_info("unlink cleanup rx %lu\n", unlink->unlink_seqnum);
 
@@ -774,18 +778,24 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
 
 		urb->status = -ENODEV;
 
-		spin_lock(&the_controller->lock);
 		usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb);
+
+		list_del(&unlink->list);
+
+		spin_unlock(&vdev->priv_lock);
 		spin_unlock(&the_controller->lock);
 
 		usb_hcd_giveback_urb(vhci_to_hcd(the_controller), urb,
 				     urb->status);
 
-		list_del(&unlink->list);
+		spin_lock(&the_controller->lock);
+		spin_lock(&vdev->priv_lock);
+
 		kfree(unlink);
 	}
 
 	spin_unlock(&vdev->priv_lock);
+	spin_unlock(&the_controller->lock);
 }
 
 /*
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html





