greybus: operation/esx: fix message-cancellation lifetime bugs
The current host-controller message-cancellation implementation suffer from a lifetime bug as dynamically allocated URBs would complete and be deallocated while being unlinked as part of cancellation. The current locking is also insufficient to prevent the related race where the URB is deallocated before being unlinked. Fix this by pushing the cancellation implementation from greybus core down to the host-controller drivers, and replace the "cookie" pointer with a hcpriv field that those drivers can use to maintain their state with the required locking and reference counting in place. Specifically the drivers need to acquire a reference to the URB under a lock before calling usb_kill_urb as part of cancellation. Note that this also removes the insufficient gb_message_mutex, which also effectively prevented us from implementing support for submissions from atomic context. Instead the host-controller drivers must now explicitly make sure that the pre-allocated URBs are not reused while cancellation is in progress. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Showing
Please register or sign in to comment