From 7a333eac6a63d998bb5d3e656cc4905131ad2241 Mon Sep 17 00:00:00 2001
From: Taylor R Campbell <riastradh@NetBSD.org>
Date: Tue, 7 Sep 2021 01:23:39 +0000
Subject: [PATCH] usb(4): Fix xfer race between software abort and hardware
 completion.

This fixes a bug in the API contract of usbd_abort_pipe: with the
change, the caller is guaranteed the xfer completion callbacks have
returned; without the change, completion callbacks could still be
running on the queued xfers while the caller of usbd_abort_pipe
proceeds to concurrently issue usbd_destroy_xfer.

This also fixes the following problem for interrupt pipes, whose
xfers stay on the queue until the pipe is aborted:

Thread 1: Hardware completion interrupt calls usb_transfer_complete.
Thread 1: pipe->up_repeat is 1, so usb_transfer_complete keeps xfer
  queued.
Thread 2: Calls usbd_abort_pipe (e.g., in detach).
Thread 2: usbd_abort_pipe waits for bus lock.
Thread 1: usb_transfer_complete releases bus lock to invoke callback.
Thread 2: Sets pipe->up_repeat := 0 (too late for thread 1 to see).
Thread 1: usb_transfer_complete waits to reacquire bus lock before
  resetting xfer status to USBD_NOT_STARTED.
Thread 2: Repeatdly calls upm_abort on the same xfer, which does
  nothing because upm_abort just does usbd_abort_xfer which does
  nothing because the xfer status is (e.g.) USBD_IOERROR and not
  USBD_IN_PROGRESS.

Thread 2 is now spinning forever with the bus lock held (and possibly
the kernel lock) waiting for queue or xfer status to change, which
will never happen as long as it holds the bus lock.

The resolution is for thread 2 to notice that thread 1 is busy
invoking a callback, and to wait until thread 1 has finished invoking
the callback and updated the xfer status to reset it to
USBD_NOT_STARTED at which point thread 1 can make progress again.

XXX pullup-9
---
 sys/dev/usb/usb_subr.c |  6 +++++-
 sys/dev/usb/usbdi.c    | 13 +++++++++++++
 sys/dev/usb/usbdivar.h |  3 +++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/sys/dev/usb/usb_subr.c b/sys/dev/usb/usb_subr.c
index 1e831d382fb4..8b97363a6514 100644
--- a/sys/dev/usb/usb_subr.c
+++ b/sys/dev/usb/usb_subr.c
@@ -946,6 +946,8 @@ usbd_setup_pipe_flags(struct usbd_device *dev, struct usbd_interface *iface,
 	p->up_interval = ival;
 	p->up_flags = flags;
 	SIMPLEQ_INIT(&p->up_queue);
+	p->up_callingxfer = NULL;
+	cv_init(&p->up_callingcv, "usbpipecb");
 
 	err = dev->ud_bus->ub_methods->ubm_open(p);
 	if (err) {
@@ -964,8 +966,10 @@ usbd_setup_pipe_flags(struct usbd_device *dev, struct usbd_interface *iface,
 	ep_acquired = false;	/* handed off to pipe */
 	err = USBD_NORMAL_COMPLETION;
 
-out:	if (p)
+out:	if (p) {
+		cv_destroy(&p->up_callingcv);
 		kmem_free(p, dev->ud_bus->ub_pipesize);
+	}
 	if (ep_acquired)
 		usbd_endpoint_release(dev, ep);
 	return err;
diff --git a/sys/dev/usb/usbdi.c b/sys/dev/usb/usbdi.c
index c34885e6768f..b2ad76a95dcb 100644
--- a/sys/dev/usb/usbdi.c
+++ b/sys/dev/usb/usbdi.c
@@ -340,6 +340,7 @@ usbd_close_pipe(struct usbd_pipe *pipe)
 	pipe->up_methods->upm_close(pipe);
 	usbd_unlock_pipe(pipe);
 
+	cv_destroy(&pipe->up_callingcv);
 	if (pipe->up_intrxfer)
 		usbd_destroy_xfer(pipe->up_intrxfer);
 	usb_rem_task_wait(pipe->up_dev, &pipe->up_async_task, USB_TASKQ_DRIVER,
@@ -991,6 +992,13 @@ usbd_ar_pipe(struct usbd_pipe *pipe)
 			/* Make the HC abort it (and invoke the callback). */
 			SDT_PROBE1(usb, device, xfer, abort,  xfer);
 			pipe->up_methods->upm_abort(xfer);
+			while (pipe->up_callingxfer == xfer) {
+				USBHIST_LOG(usbdebug, "wait for callback"
+				    "pipe = %#jx xfer = %#jx",
+				    (uintptr_t)pipe, (uintptr_t)xfer, 0, 0);
+				cv_wait(&pipe->up_callingcv,
+				    pipe->up_dev->ud_bus->ub_lock);
+			}
 			/* XXX only for non-0 usbd_clear_endpoint_stall(pipe); */
 		}
 	}
@@ -1092,6 +1100,8 @@ usb_transfer_complete(struct usbd_xfer *xfer)
 
 	if (xfer->ux_callback) {
 		if (!polling) {
+			KASSERT(pipe->up_callingxfer == NULL);
+			pipe->up_callingxfer = xfer;
 			mutex_exit(pipe->up_dev->ud_bus->ub_lock);
 			if (!(pipe->up_flags & USBD_MPSAFE))
 				KERNEL_LOCK(1, curlwp);
@@ -1103,6 +1113,9 @@ usb_transfer_complete(struct usbd_xfer *xfer)
 			if (!(pipe->up_flags & USBD_MPSAFE))
 				KERNEL_UNLOCK_ONE(curlwp);
 			mutex_enter(pipe->up_dev->ud_bus->ub_lock);
+			KASSERT(pipe->up_callingxfer == xfer);
+			pipe->up_callingxfer = NULL;
+			cv_broadcast(&pipe->up_callingcv);
 		}
 	}
 
diff --git a/sys/dev/usb/usbdivar.h b/sys/dev/usb/usbdivar.h
index 6ba2ca14296d..c6fb63bc1a32 100644
--- a/sys/dev/usb/usbdivar.h
+++ b/sys/dev/usb/usbdivar.h
@@ -249,6 +249,9 @@ struct usbd_pipe {
 	int			up_interval;
 	uint8_t			up_flags;
 
+	struct usbd_xfer       *up_callingxfer; /* currently in callback */
+	kcondvar_t		up_callingcv;
+
 	/* Filled by HC driver. */
 	const struct usbd_pipe_methods
 			       *up_methods;
-- 
2.28.0