Commit fa96b8ed authored by Christian Gromm's avatar Christian Gromm Committed by Greg Kroah-Hartman

staging: most: fix race conditions

This patch fixes race conditions that might emerge from functions
aim_open, aim_close, aim_read, aim_write and aim_disconnect_channel
within module cdev.
Signed-off-by: default avatarChristian Gromm <christian.gromm@microchip.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent d8b082e6
...@@ -32,6 +32,7 @@ static struct most_aim cdev_aim; ...@@ -32,6 +32,7 @@ static struct most_aim cdev_aim;
struct aim_channel { struct aim_channel {
wait_queue_head_t wq; wait_queue_head_t wq;
spinlock_t unlink; /* synchronization lock to unlink channels */
struct cdev cdev; struct cdev cdev;
struct device *dev; struct device *dev;
struct mutex io_mutex; struct mutex io_mutex;
...@@ -55,6 +56,12 @@ static inline bool ch_has_mbo(struct aim_channel *c) ...@@ -55,6 +56,12 @@ static inline bool ch_has_mbo(struct aim_channel *c)
return channel_has_mbo(c->iface, c->channel_id, &cdev_aim) > 0; return channel_has_mbo(c->iface, c->channel_id, &cdev_aim) > 0;
} }
static inline bool ch_get_mbo(struct aim_channel *c, struct mbo **mbo)
{
*mbo = most_get_mbo(c->iface, c->channel_id, &cdev_aim);
return *mbo;
}
static struct aim_channel *get_channel(struct most_interface *iface, int id) static struct aim_channel *get_channel(struct most_interface *iface, int id)
{ {
struct aim_channel *c, *tmp; struct aim_channel *c, *tmp;
...@@ -82,6 +89,7 @@ static void stop_channel(struct aim_channel *c) ...@@ -82,6 +89,7 @@ static void stop_channel(struct aim_channel *c)
most_put_mbo(mbo); most_put_mbo(mbo);
if (c->stacked_mbo) if (c->stacked_mbo)
most_put_mbo(c->stacked_mbo); most_put_mbo(c->stacked_mbo);
c->stacked_mbo = NULL;
most_stop_channel(c->iface, c->channel_id, &cdev_aim); most_stop_channel(c->iface, c->channel_id, &cdev_aim);
} }
...@@ -121,16 +129,25 @@ static int aim_open(struct inode *inode, struct file *filp) ...@@ -121,16 +129,25 @@ static int aim_open(struct inode *inode, struct file *filp)
pr_info("WARN: Access flags mismatch\n"); pr_info("WARN: Access flags mismatch\n");
return -EACCES; return -EACCES;
} }
mutex_lock(&c->io_mutex);
if (!c->dev) {
pr_info("WARN: Device is destroyed\n");
mutex_unlock(&c->io_mutex);
return -EBUSY;
}
if (!atomic_inc_and_test(&c->access_ref)) { if (!atomic_inc_and_test(&c->access_ref)) {
pr_info("WARN: Device is busy\n"); pr_info("WARN: Device is busy\n");
atomic_dec(&c->access_ref); atomic_dec(&c->access_ref);
mutex_unlock(&c->io_mutex);
return -EBUSY; return -EBUSY;
} }
ret = most_start_channel(c->iface, c->channel_id, ret = most_start_channel(c->iface, c->channel_id, &cdev_aim);
&cdev_aim);
if (ret) if (ret)
atomic_dec(&c->access_ref); atomic_dec(&c->access_ref);
mutex_unlock(&c->io_mutex);
return ret; return ret;
} }
...@@ -146,17 +163,17 @@ static int aim_close(struct inode *inode, struct file *filp) ...@@ -146,17 +163,17 @@ static int aim_close(struct inode *inode, struct file *filp)
struct aim_channel *c = to_channel(inode->i_cdev); struct aim_channel *c = to_channel(inode->i_cdev);
mutex_lock(&c->io_mutex); mutex_lock(&c->io_mutex);
if (!c->dev) { spin_lock(&c->unlink);
mutex_unlock(&c->io_mutex);
atomic_dec(&c->access_ref); atomic_dec(&c->access_ref);
spin_unlock(&c->unlink);
if (c->dev) {
stop_channel(c);
mutex_unlock(&c->io_mutex);
} else {
destroy_cdev(c); destroy_cdev(c);
mutex_unlock(&c->io_mutex);
kfree(c); kfree(c);
return 0;
} }
mutex_unlock(&c->io_mutex);
stop_channel(c);
atomic_dec(&c->access_ref);
return 0; return 0;
} }
...@@ -171,40 +188,27 @@ static ssize_t aim_write(struct file *filp, const char __user *buf, ...@@ -171,40 +188,27 @@ static ssize_t aim_write(struct file *filp, const char __user *buf,
size_t count, loff_t *offset) size_t count, loff_t *offset)
{ {
int ret, err; int ret, err;
size_t actual_len = 0; size_t actual_len;
size_t max_len = 0; size_t max_len;
ssize_t retval; ssize_t retval;
struct mbo *mbo; struct mbo *mbo = NULL;
struct aim_channel *c = filp->private_data; struct aim_channel *c = filp->private_data;
mutex_lock(&c->io_mutex); mutex_lock(&c->io_mutex);
if (unlikely(!c->dev)) { while (c->dev && !ch_get_mbo(c, &mbo)) {
mutex_unlock(&c->io_mutex);
return -EPIPE;
}
mutex_unlock(&c->io_mutex); mutex_unlock(&c->io_mutex);
mbo = most_get_mbo(c->iface, c->channel_id, &cdev_aim);
if (!mbo) {
if ((filp->f_flags & O_NONBLOCK)) if ((filp->f_flags & O_NONBLOCK))
return -EAGAIN; return -EAGAIN;
if (wait_event_interruptible( if (wait_event_interruptible(c->wq, ch_has_mbo(c) || !c->dev))
c->wq,
(mbo = most_get_mbo(c->iface,
c->channel_id,
&cdev_aim)) ||
(!c->dev)))
return -ERESTARTSYS; return -ERESTARTSYS;
mutex_lock(&c->io_mutex);
} }
mutex_lock(&c->io_mutex);
if (unlikely(!c->dev)) { if (unlikely(!c->dev)) {
mutex_unlock(&c->io_mutex);
err = -EPIPE; err = -EPIPE;
goto error; goto error;
} }
mutex_unlock(&c->io_mutex);
max_len = c->cfg->buffer_size; max_len = c->cfg->buffer_size;
actual_len = min(count, max_len); actual_len = min(count, max_len);
...@@ -222,9 +226,12 @@ static ssize_t aim_write(struct file *filp, const char __user *buf, ...@@ -222,9 +226,12 @@ static ssize_t aim_write(struct file *filp, const char __user *buf,
err = ret; err = ret;
goto error; goto error;
} }
mutex_unlock(&c->io_mutex);
return actual_len - retval; return actual_len - retval;
error: error:
if (mbo)
most_put_mbo(mbo); most_put_mbo(mbo);
mutex_unlock(&c->io_mutex);
return err; return err;
} }
...@@ -242,23 +249,25 @@ aim_read(struct file *filp, char __user *buf, size_t count, loff_t *offset) ...@@ -242,23 +249,25 @@ aim_read(struct file *filp, char __user *buf, size_t count, loff_t *offset)
struct mbo *mbo; struct mbo *mbo;
struct aim_channel *c = filp->private_data; struct aim_channel *c = filp->private_data;
mutex_lock(&c->io_mutex);
if (c->stacked_mbo) { if (c->stacked_mbo) {
mbo = c->stacked_mbo; mbo = c->stacked_mbo;
goto start_copy; goto start_copy;
} }
while ((!kfifo_out(&c->fifo, &mbo, 1)) && (c->dev)) { while ((!kfifo_out(&c->fifo, &mbo, 1)) && (c->dev)) {
mutex_unlock(&c->io_mutex);
if (filp->f_flags & O_NONBLOCK) if (filp->f_flags & O_NONBLOCK)
return -EAGAIN; return -EAGAIN;
if (wait_event_interruptible(c->wq, if (wait_event_interruptible(c->wq,
(!kfifo_is_empty(&c->fifo) || (!kfifo_is_empty(&c->fifo) ||
(!c->dev)))) (!c->dev))))
return -ERESTARTSYS; return -ERESTARTSYS;
mutex_lock(&c->io_mutex);
} }
c->stacked_mbo = mbo; c->stacked_mbo = mbo;
start_copy: start_copy:
/* make sure we don't submit to gone devices */ /* make sure we don't submit to gone devices */
mutex_lock(&c->io_mutex);
if (unlikely(!c->dev)) { if (unlikely(!c->dev)) {
mutex_unlock(&c->io_mutex); mutex_unlock(&c->io_mutex);
return -EIO; return -EIO;
...@@ -335,14 +344,17 @@ static int aim_disconnect_channel(struct most_interface *iface, int channel_id) ...@@ -335,14 +344,17 @@ static int aim_disconnect_channel(struct most_interface *iface, int channel_id)
return -ENXIO; return -ENXIO;
mutex_lock(&c->io_mutex); mutex_lock(&c->io_mutex);
spin_lock(&c->unlink);
c->dev = NULL; c->dev = NULL;
spin_unlock(&c->unlink);
if (!atomic_read(&c->access_ref)) {
stop_channel(c);
wake_up_interruptible(&c->wq);
mutex_unlock(&c->io_mutex); mutex_unlock(&c->io_mutex);
} else {
if (atomic_read(&c->access_ref)) {
destroy_cdev(c); destroy_cdev(c);
mutex_unlock(&c->io_mutex);
kfree(c); kfree(c);
} else {
wake_up_interruptible(&c->wq);
} }
return 0; return 0;
} }
...@@ -365,7 +377,13 @@ static int aim_rx_completion(struct mbo *mbo) ...@@ -365,7 +377,13 @@ static int aim_rx_completion(struct mbo *mbo)
if (!c) if (!c)
return -ENXIO; return -ENXIO;
spin_lock(&c->unlink);
if (atomic_read(&c->access_ref) || !c->dev) {
spin_unlock(&c->unlink);
return -EFAULT;
}
kfifo_in(&c->fifo, &mbo, 1); kfifo_in(&c->fifo, &mbo, 1);
spin_unlock(&c->unlink);
#ifdef DEBUG_MESG #ifdef DEBUG_MESG
if (kfifo_is_full(&c->fifo)) if (kfifo_is_full(&c->fifo))
pr_info("WARN: Fifo is full\n"); pr_info("WARN: Fifo is full\n");
...@@ -451,6 +469,7 @@ static int aim_probe(struct most_interface *iface, int channel_id, ...@@ -451,6 +469,7 @@ static int aim_probe(struct most_interface *iface, int channel_id,
c->channel_id = channel_id; c->channel_id = channel_id;
c->mbo_offs = 0; c->mbo_offs = 0;
atomic_set(&c->access_ref, -1); atomic_set(&c->access_ref, -1);
spin_lock_init(&c->unlink);
INIT_KFIFO(c->fifo); INIT_KFIFO(c->fifo);
retval = kfifo_alloc(&c->fifo, cfg->num_buffers, GFP_KERNEL); retval = kfifo_alloc(&c->fifo, cfg->num_buffers, GFP_KERNEL);
if (retval) { if (retval) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment