From 135ff0532b1eee5a6edac4198dc40034c21fcf81 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 3 Sep 2021 15:05:00 +0000 Subject: [PATCH 1/7] ugen(4): Sprinkle KERNEL_LOCKED_P assertions around sc_is_open. --- sys/dev/usb/ugen.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index bb84b23cc7d1..a0699768b8c4 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -441,6 +441,8 @@ ugen_set_config(struct ugen_softc *sc, int configno, int chkopen) DPRINTFN(1,("ugen_set_config: %s to configno %d, sc=%p\n", device_xname(sc->sc_dev), configno, sc)); + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + if (chkopen) { /* * We start at 1, not 0, because we don't care whether the @@ -509,6 +511,8 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) int i, j; int error; + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + if ((sc = ugenif_acquire(unit)) == NULL) return ENXIO; @@ -675,6 +679,8 @@ ugenclose(dev_t dev, int flag, int mode, struct lwp *l) int i; int error; + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + if ((sc = ugenif_acquire(UGENUNIT(dev))) == NULL) return ENXIO; @@ -1530,6 +1536,8 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, int error; int dir; + KASSERT(KERNEL_LOCKED_P()); /* ugen_set_config */ + DPRINTFN(5, ("ugenioctl: cmd=%08lx\n", cmd)); switch (cmd) { From 98d4ca8da1819d87dc0200ddf166ec84985ac122 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 3 Sep 2021 15:06:27 +0000 Subject: [PATCH 2/7] ugen(4): Fix race of ugenopen against itself. Even though we have the kernel lock held, a sleep during kmem_alloc or usbd_open_pipe could allow another ugenopen to run concurrently before we have marked the endpoint opened. To avoid this, mark the endpoint open immediately (while we still have the kernel lock held and before any sleeps, so there is no TOCTOU error here), and then revert on unwind in the event of failure. --- sys/dev/usb/ugen.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index a0699768b8c4..92e9503a1954 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -530,6 +530,7 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) error = EBUSY; goto out; } + sc->sc_is_open[endpt] = 1; /* Make sure there are pipes for all directions. */ for (dir = OUT; dir <= IN; dir++) { @@ -663,9 +664,10 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) goto out; } } - sc->sc_is_open[endpt] = 1; error = 0; -out: ugenif_release(sc); +out: if (error) + sc->sc_is_open[endpt] = 0; + ugenif_release(sc); return error; } From 20560ab51de3beda2a1f67b9b335b5232fe60c46 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 3 Sep 2021 15:08:25 +0000 Subject: [PATCH 3/7] ugen(4): Refuse non-forced detach with EBUSY if endpoints are open. Sprinkle some comments. --- sys/dev/usb/ugen.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index 92e9503a1954..44b535e33a45 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -1148,9 +1148,27 @@ ugen_detach(device_t self, int flags) DPRINTF(("ugen_detach: sc=%p flags=%d\n", sc, flags)); + KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ + + /* + * Fail if we're not forced to detach and userland has any + * endpoints open. + */ + if ((flags & DETACH_FORCE) == 0) { + for (i = 0; i < USB_MAX_ENDPOINTS; i++) { + if (sc->sc_is_open[i]) + return EBUSY; + } + } + + /* Prevent new users. Prevent suspend/resume. */ sc->sc_dying = 1; pmf_device_deregister(self); + /* + * If we never finished attaching, skip nixing endpoints and + * users because there aren't any. + */ if (!sc->sc_attached) goto out; From 7d49684d27a11b655e3aebe50d2a99b4994b4202 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sat, 4 Sep 2021 09:57:49 +0000 Subject: [PATCH 4/7] ugen(4): Ensure we close pipes on detach. Calling vdevgone has the effect of VOP_REVOKE -> spec_node_revoke -> VOP_CLOSE -> spec_close -> cdev_close -> ugenclose, but: (a) the flags passed to VOP_CLOSE don't have FREAD or FWRITE, and (b) ugenclose has no effect when sc_dying is set anyway. So create another path into the close logic, ugen_do_close. We have to do this in detach _after_ the references have drained because we may free buffers that other users are still using while the reference count is nonzero. --- sys/dev/usb/ugen.c | 60 +++++++++++++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 19 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index 44b535e33a45..a1cfb0108c63 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -671,30 +671,25 @@ out: if (error) return error; } -static int -ugenclose(dev_t dev, int flag, int mode, struct lwp *l) +static void +ugen_do_close(struct ugen_softc *sc, int flag, int endpt) { - int endpt = UGENENDPOINT(dev); - struct ugen_softc *sc; struct ugen_endpoint *sce; int dir; int i; - int error; KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ - if ((sc = ugenif_acquire(UGENUNIT(dev))) == NULL) - return ENXIO; - - DPRINTFN(5, ("ugenclose: flag=%d, mode=%d, unit=%d, endpt=%d\n", - flag, mode, UGENUNIT(dev), endpt)); - - KASSERT(sc->sc_is_open[endpt]); + if (!sc->sc_is_open[endpt]) { + KASSERT(sc->sc_endpoints[endpt][IN].pipeh == NULL); + KASSERT(sc->sc_endpoints[endpt][OUT].pipeh == NULL); + KASSERT(sc->sc_endpoints[endpt][IN].ibuf == NULL); + KASSERT(sc->sc_endpoints[endpt][OUT].ibuf == NULL); + return; + } if (endpt == USB_CONTROL_ENDPOINT) { DPRINTFN(5, ("ugenclose: close control\n")); - sc->sc_is_open[endpt] = 0; - error = 0; goto out; } @@ -739,11 +734,31 @@ ugenclose(dev_t dev, int flag, int mode, struct lwp *l) sce->ibuf = NULL; } } - sc->sc_is_open[endpt] = 0; - error = 0; -out: ugenif_release(sc); - return error; +out: sc->sc_is_open[endpt] = 0; +} + +static int +ugenclose(dev_t dev, int flag, int mode, struct lwp *l) +{ + int endpt = UGENENDPOINT(dev); + struct ugen_softc *sc; + + DPRINTFN(5, ("ugenclose: flag=%d, mode=%d, unit=%d, endpt=%d\n", + flag, mode, UGENUNIT(dev), endpt)); + + KASSERT(KERNEL_LOCKED_P()); /* ugen_do_close */ + + if ((sc = ugenif_acquire(UGENUNIT(dev))) == NULL) + return ENXIO; + + KASSERT(sc->sc_is_open[endpt]); + ugen_do_close(sc, flag, endpt); + KASSERT(!sc->sc_is_open[endpt]); + + ugenif_release(sc); + + return 0; } Static int @@ -1195,10 +1210,17 @@ ugen_detach(device_t self, int flags) /* locate the major number */ maj = cdevsw_lookup_major(&ugen_cdevsw); - /* Nuke the vnodes for any open instances (calls close). */ + /* + * Nuke the vnodes for any open instances (calls ugenclose, but + * with no effect because we already set sc_dying). + */ mn = sc->sc_unit * USB_MAX_ENDPOINTS; vdevgone(maj, mn, mn + USB_MAX_ENDPOINTS - 1, VCHR); + /* Actually close any lingering pipes. */ + for (i = 0; i < USB_MAX_ENDPOINTS; i++) + ugen_do_close(sc, FREAD|FWRITE, i); + usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev, sc->sc_dev); ugenif_put_unit(sc); From 06ffb9648196dae8a54933296f163a33b3a5dd37 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sat, 4 Sep 2021 10:08:16 +0000 Subject: [PATCH 5/7] ugen(4): Issue explicit wakeup on detach for OUT endpoints too. Writers can be blocked in cv_timedwait_sig too. While here, fix comment: aborting the pipes does not cause all waiters to wake, because the xfer completion callbacks sometimes skip the notification. We should maybe change that, but this is a simpler fix to ensure everyone waiting on I/O is woken to notice sc_dying. --- sys/dev/usb/ugen.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index a1cfb0108c63..fdf9f316e4ea 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -1187,7 +1187,7 @@ ugen_detach(device_t self, int flags) if (!sc->sc_attached) goto out; - /* Abort all pipes. Causes processes waiting for transfer to wake. */ + /* Abort all pipes. */ for (i = 0; i < USB_MAX_ENDPOINTS; i++) { for (dir = OUT; dir <= IN; dir++) { sce = &sc->sc_endpoints[i][dir]; @@ -1199,8 +1199,10 @@ ugen_detach(device_t self, int flags) mutex_enter(&sc->sc_lock); if (--sc->sc_refcnt >= 0) { /* Wake everyone */ - for (i = 0; i < USB_MAX_ENDPOINTS; i++) - cv_signal(&sc->sc_endpoints[i][IN].cv); + for (i = 0; i < USB_MAX_ENDPOINTS; i++) { + for (dir = IN; dir <= OUT; dir++) + cv_signal(&sc->sc_endpoints[i][dir].cv); + } /* Wait for processes to go away. */ if (cv_timedwait(&sc->sc_detach_cv, &sc->sc_lock, hz * 60)) aprint_error_dev(self, ": didn't detach\n"); From 1815e5cf027428d5102e1d15bd63f231123481e5 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sat, 4 Sep 2021 10:13:00 +0000 Subject: [PATCH 6/7] ugen(4): Use cv_wait loop for draining reference count on detach. - Should be no need to use cv_timedwait because all users have now been given a wakeup (previously writers were not, so we relied on the timeouts to work out). - Need to run this in a loop or else a spurious wakeup could cause us to free data structures before the users have actually drained. --- sys/dev/usb/ugen.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index fdf9f316e4ea..0eb8506260d1 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -1196,6 +1196,12 @@ ugen_detach(device_t self, int flags) } } + /* + * Wait for users to drain. Before this point there can be no + * more I/O operations started because we set sc_dying; after + * this, there can be no more I/O operations in progress, so it + * will be safe to free things. + */ mutex_enter(&sc->sc_lock); if (--sc->sc_refcnt >= 0) { /* Wake everyone */ @@ -1204,8 +1210,9 @@ ugen_detach(device_t self, int flags) cv_signal(&sc->sc_endpoints[i][dir].cv); } /* Wait for processes to go away. */ - if (cv_timedwait(&sc->sc_detach_cv, &sc->sc_lock, hz * 60)) - aprint_error_dev(self, ": didn't detach\n"); + do { + cv_wait(&sc->sc_detach_cv, &sc->sc_lock); + } while (sc->sc_refcnt >= 0); } mutex_exit(&sc->sc_lock); From 02b520401c5fa28391d9a2d77a7e7af65cb92879 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Sun, 5 Sep 2021 13:48:35 +0000 Subject: [PATCH 7/7] ugen(4): Keep fields null when not allocated; kassert on close. --- sys/dev/usb/ugen.c | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c index 0eb8506260d1..89643973f4d1 100644 --- a/sys/dev/usb/ugen.c +++ b/sys/dev/usb/ugen.c @@ -650,8 +650,10 @@ ugenopen(dev_t dev, int flag, int mode, struct lwp *l) DPRINTFN(5, ("ugenopen: isoc open done\n")); break; bad: - while (--i >= 0) /* implicit buffer free */ + while (--i >= 0) { /* implicit buffer free */ usbd_destroy_xfer(sce->isoreqs[i].xfer); + sce->isoreqs[i].xfer = NULL; + } usbd_close_pipe(sce->pipeh); sce->pipeh = NULL; kmem_free(sce->ibuf, isize * UGEN_NISOFRAMES); @@ -680,13 +682,8 @@ ugen_do_close(struct ugen_softc *sc, int flag, int endpt) KASSERT(KERNEL_LOCKED_P()); /* sc_is_open */ - if (!sc->sc_is_open[endpt]) { - KASSERT(sc->sc_endpoints[endpt][IN].pipeh == NULL); - KASSERT(sc->sc_endpoints[endpt][OUT].pipeh == NULL); - KASSERT(sc->sc_endpoints[endpt][IN].ibuf == NULL); - KASSERT(sc->sc_endpoints[endpt][OUT].ibuf == NULL); - return; - } + if (!sc->sc_is_open[endpt]) + goto out; if (endpt == USB_CONTROL_ENDPOINT) { DPRINTFN(5, ("ugenclose: close control\n")); @@ -714,13 +711,16 @@ ugen_do_close(struct ugen_softc *sc, int flag, int endpt) msize = isize; break; case UE_ISOCHRONOUS: - for (i = 0; i < UGEN_NISOREQS; ++i) + for (i = 0; i < UGEN_NISOREQS; ++i) { usbd_destroy_xfer(sce->isoreqs[i].xfer); + sce->isoreqs[i].xfer = NULL; + } msize = isize * UGEN_NISOFRAMES; break; case UE_BULK: if (sce->state & (UGEN_BULK_RA | UGEN_BULK_WB)) { usbd_destroy_xfer(sce->ra_wb_xfer); + sce->ra_wb_xfer = NULL; msize = sce->ra_wb_bufsize; } break; @@ -736,6 +736,14 @@ ugen_do_close(struct ugen_softc *sc, int flag, int endpt) } out: sc->sc_is_open[endpt] = 0; + for (dir = IN; dir <= OUT; dir++) { + sce = &sc->sc_endpoints[endpt][dir]; + KASSERT(sce->pipeh == NULL); + KASSERT(sce->ibuf == NULL); + KASSERT(sce->ra_wb_xfer == NULL); + for (i = 0; i < UGEN_NISOREQS; i++) + KASSERT(sce->isoreqs[i].xfer == NULL); + } } static int @@ -1630,6 +1638,8 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, /* Only turn RA on if it's currently off. */ if (sce->state & UGEN_BULK_RA) return 0; + KASSERT(sce->ra_wb_xfer == NULL); + KASSERT(sce->ibuf == NULL); if (sce->ra_wb_bufsize == 0 || sce->ra_wb_reqsize == 0) /* shouldn't happen */ @@ -1655,6 +1665,7 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, kmem_free(sce->ibuf, sce->ra_wb_bufsize); sce->ibuf = NULL; usbd_destroy_xfer(sce->ra_wb_xfer); + sce->ra_wb_xfer = NULL; return EIO; } } else { @@ -1665,6 +1676,7 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, sce->state &= ~UGEN_BULK_RA; usbd_abort_pipe(sce->pipeh); usbd_destroy_xfer(sce->ra_wb_xfer); + sce->ra_wb_xfer = NULL; /* * XXX Discard whatever's in the buffer, but we * should keep it around and drain the buffer @@ -1688,12 +1700,15 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, /* Only turn WB on if it's currently off. */ if (sce->state & UGEN_BULK_WB) return 0; + KASSERT(sce->ra_wb_xfer == NULL); + KASSERT(sce->ibuf == NULL); if (sce->ra_wb_bufsize == 0 || sce->ra_wb_reqsize == 0) /* shouldn't happen */ return EINVAL; error = usbd_create_xfer(sce->pipeh, sce->ra_wb_reqsize, 0, 0, &sce->ra_wb_xfer); + /* XXX check error??? */ sce->ra_wb_xferlen = sce->ra_wb_reqsize; sce->ibuf = kmem_alloc(sce->ra_wb_bufsize, KM_SLEEP); sce->fill = sce->cur = sce->ibuf; @@ -1713,6 +1728,7 @@ ugen_do_ioctl(struct ugen_softc *sc, int endpt, u_long cmd, */ usbd_abort_pipe(sce->pipeh); usbd_destroy_xfer(sce->ra_wb_xfer); + sce->ra_wb_xfer = NULL; kmem_free(sce->ibuf, sce->ra_wb_bufsize); sce->ibuf = NULL; }