From 135ff0532b1eee5a6edac4198dc40034c21fcf81 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 3 Sep 2021 15:05:00 +0000 Subject: [PATCH 1/6] ugen(4): Sprinkle KERNEL_LOCKED_P assertions around sc_is_open. --- sys/dev/usb/ugen.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index bb84b23cc7d1..a0699768b8c4 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -441,6 +441,8 @@ ugen_set_config(struct ugen_softc *sc, int configno, int chkopen) DPRINTFN(1,("ugen_set_config: %s to configno %d, sc=%p\n", device_xname(sc->sc_dev), configno, sc)); + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + if (chkopen) { /* * We start at 1, not 0, because we don't care whether the @@ -509,6 +511,8 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) int i, j; int error; + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + if ((sc = ugenif_acquire(unit)) == NULL) return ENXIO; @@ -675,6 +679,8 @@ ugenclose(dev_t dev, int flag, int mode, struct lwp *l) int i; int error; + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + if ((sc = ugenif_acquire(UGENUNIT(dev))) == NULL) return ENXIO; @@ -1530,6 +1536,8 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, int error; int dir; + KASSERT(KERNEL_LOCKED_P()); /* ugen_set_config */ + DPRINTFN(5, ("ugenioctl: cmd=%08lx\n", cmd)); switch (cmd) { From 98d4ca8da1819d87dc0200ddf166ec84985ac122 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 3 Sep 2021 15:06:27 +0000 Subject: [PATCH 2/6] ugen(4): Fix race of ugenopen against itself. Even though we have the kernel lock held, a sleep during kmem_alloc or usbd_open_pipe could allow another ugenopen to run concurrently before we have marked the endpoint opened. To avoid this, mark the endpoint open immediately (while we still have the kernel lock held and before any sleeps, so there is no TOCTOU error here), and then revert on unwind in the event of failure. --- sys/dev/usb/ugen.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index a0699768b8c4..92e9503a1954 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -530,6 +530,7 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) error = EBUSY; goto out; } + sc->sc_is_open[endpt] = 1; /* Make sure there are pipes for all directions. */ for (dir = OUT; dir <= IN; dir++) { @@ -663,9 +664,10 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) goto out; } } - sc->sc_is_open[endpt] = 1; error = 0; -out: ugenif_release(sc); +out: if (error) + sc->sc_is_open[endpt] = 0; + ugenif_release(sc); return error; } From 20560ab51de3beda2a1f67b9b335b5232fe60c46 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 3 Sep 2021 15:08:25 +0000 Subject: [PATCH 3/6] ugen(4): Refuse non-forced detach with EBUSY if endpoints are open. Sprinkle some comments. --- sys/dev/usb/ugen.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index 92e9503a1954..44b535e33a45 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -1148,9 +1148,27 @@ ugen_detach(device_t self, int flags) DPRINTF(("ugen_detach: sc=%p flags=%d\n", sc, flags)); + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + + /* + * Fail if we're not forced to detach and userland has any + * endpoints open. + */ + if ((flags & DETACH_FORCE) == 0) { + for (i = 0; i < USB_MAX_ENDPOINTS; i++) { + if (sc->sc_is_open[i]) + return EBUSY; + } + } + + /* Prevent new users. Prevent suspend/resume. */ sc->sc_dying = 1; pmf_device_deregister(self); + /* + * If we never finished attaching, skip nixing endpoints and + * users because there aren't any. + */ if (!sc->sc_attached) goto out; From 918521507b4df2b8ba380f67b953c902ac1b1dfc Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sat, 4 Sep 2021 09:57:49 +0000 Subject: [PATCH 4/6] ugen(4): Ensure we close pipes on detach. Calling vdevgone has the effect of VOP_REVOKE -> spec_node_revoke -> VOP_CLOSE -> spec_close -> cdev_close -> ugenclose, but: (a) the flags passed to VOP_CLOSE don't have FREAD or FWRITE, and (b) ugenclose has no effect when sc_dying is set anyway. So create another path into the close logic, ugen_do_close. We have to do this in detach _after_ the references have drained because we may free buffers that other users are still using while the reference count is nonzero. --- sys/dev/usb/ugen.c | 53 +++++++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 19 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index 44b535e33a45..7ff17e1d0830 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -671,30 +671,18 @@ out: if (error) return error; } -static int -ugenclose(dev_t dev, int flag, int mode, struct lwp *l) +static void +ugen_do_close(struct ugen_softc *sc, int flag, int endpt) { - int endpt = UGENENDPOINT(dev); - struct ugen_softc *sc; struct ugen_endpoint *sce; int dir; int i; - int error; KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ - - if ((sc = ugenif_acquire(UGENUNIT(dev))) == NULL) - return ENXIO; - - DPRINTFN(5, ("ugenclose: flag=%d, mode=%d, unit=%d, endpt=%d\n", - flag, mode, UGENUNIT(dev), endpt)); - KASSERT(sc->sc_is_open[endpt]); if (endpt == USB_CONTROL_ENDPOINT) { DPRINTFN(5, ("ugenclose: close control\n")); - sc->sc_is_open[endpt] = 0; - error = 0; goto out; } @@ -739,11 +727,31 @@ ugenclose(dev_t dev, int flag, int mode, struct lwp *l) sce->ibuf = NULL; } } - sc->sc_is_open[endpt] = 0; - error = 0; -out: ugenif_release(sc); - return error; +out: sc->sc_is_open[endpt] = 0; +} + +static int +ugenclose(dev_t dev, int flag, int mode, struct lwp *l) +{ + int endpt = UGENENDPOINT(dev); + struct ugen_softc *sc; + + DPRINTFN(5, ("ugenclose: flag=%d, mode=%d, unit=%d, endpt=%d\n", + flag, mode, UGENUNIT(dev), endpt)); + + KASSERT(KERNEL_LOCKED_P()); /* ugen_do_close */ + + if ((sc = ugenif_acquire(UGENUNIT(dev))) == NULL) + return ENXIO; + + KASSERT(sc->sc_is_open[endpt]); + ugen_do_close(sc, flag, endpt); + KASSERT(!sc->sc_is_open[endpt]); + + ugenif_release(sc); + + return 0; } Static int @@ -1195,10 +1203,17 @@ ugen_detach(device_t self, int flags) /* locate the major number */ maj = cdevsw_lookup_major(&ugen_cdevsw); - /* Nuke the vnodes for any open instances (calls close). */ + /* + * Nuke the vnodes for any open instances (calls ugenclose, but + * with no effect because we already set sc_dying). + */ mn = sc->sc_unit * USB_MAX_ENDPOINTS; vdevgone(maj, mn, mn + USB_MAX_ENDPOINTS - 1, VCHR); + /* Actually close any lingering pipes. */ + for (i = 0; i < USB_MAX_ENDPOINTS; i++) + ugen_do_close(sc, FREAD|FWRITE, i); + usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev, sc->sc_dev); ugenif_put_unit(sc); From c2015b6b07f98322236efb100c8193955fd179e8 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sat, 4 Sep 2021 10:08:16 +0000 Subject: [PATCH 5/6] ugen(4): Issue explicit wakeup on detach for OUT endpoints too. Writers can be blocked in cv_timedwait_sig too. While here, fix comment: aborting the pipes does not cause all waiters to wake, because the xfer completion callbacks sometimes skip the notification. We should maybe change that, but this is a simpler fix to ensure everyone waiting on I/O is woken to notice sc_dying. --- sys/dev/usb/ugen.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index 7ff17e1d0830..a06ed73f4778 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -1180,7 +1180,7 @@ ugen_detach(device_t self, int flags) if (!sc->sc_attached) goto out; - /* Abort all pipes. Causes processes waiting for transfer to wake. */ + /* Abort all pipes. */ for (i = 0; i < USB_MAX_ENDPOINTS; i++) { for (dir = OUT; dir <= IN; dir++) { sce = &sc->sc_endpoints[i][dir]; @@ -1192,8 +1192,10 @@ ugen_detach(device_t self, int flags) mutex_enter(&sc->sc_lock); if (--sc->sc_refcnt >= 0) { /* Wake everyone */ - for (i = 0; i < USB_MAX_ENDPOINTS; i++) - cv_signal(&sc->sc_endpoints[i][IN].cv); + for (i = 0; i < USB_MAX_ENDPOINTS; i++) { + for (dir = IN; dir <= OUT; dir++) + cv_signal(&sc->sc_endpoints[i][dir].cv); + } /* Wait for processes to go away. */ if (cv_timedwait(&sc->sc_detach_cv, &sc->sc_lock, hz * 60)) aprint_error_dev(self, ": didn't detach\n"); From 14d265554bfca883d74b8ac473c4651f4542a0fa Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sat, 4 Sep 2021 10:13:00 +0000 Subject: [PATCH 6/6] ugen(4): Use cv_wait loop for draining reference count on detach. - Should be no need to use cv_timedwait because all users have now been given a wakeup (previously writers were not, so we relied on the timeouts to work out). - Need to run this in a loop or else a spurious wakeup could cause us to free data structures before the users have actually drained. --- sys/dev/usb/ugen.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index a06ed73f4778..8b878558af88 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -1189,6 +1189,12 @@ ugen_detach(device_t self, int flags) } } + /* + * Wait for users to drain. Before this point there can be no + * more I/O operations started because we set sc_dying; after + * this, there can be no more I/O operations in progress, so it + * will be safe to free things. + */ mutex_enter(&sc->sc_lock); if (--sc->sc_refcnt >= 0) { /* Wake everyone */ @@ -1197,8 +1203,9 @@ ugen_detach(device_t self, int flags) cv_signal(&sc->sc_endpoints[i][dir].cv); } /* Wait for processes to go away. */ - if (cv_timedwait(&sc->sc_detach_cv, &sc->sc_lock, hz * 60)) - aprint_error_dev(self, ": didn't detach\n"); + do { + cv_wait(&sc->sc_detach_cv, &sc->sc_lock); + } while (sc->sc_refcnt >= 0); } mutex_exit(&sc->sc_lock);