From 9acdf4df2fc4680b08fa242b09717892cd687d4a Mon Sep 17 00:00:00 2001 From: "Felipe F. Tonello" Date: Tue, 8 Mar 2016 20:21:47 +0000 Subject: usb: gadget: f_midi: added spinlock on transmit function Since f_midi_transmit is called by both ALSA and USB sub-systems, it can potentially cause a race condition between both calls because f_midi_transmit is not reentrant nor thread-safe. This is due to an implementation detail that the transmit function looks for the next available usb request from the fifo and only enqueues it if there is data to send, otherwise just re-uses it. So, if both ALSA and USB frameworks calls this function at the same time, kfifo_seek() will return the same usb_request, which will cause a race condition. To solve this problem a syncronization mechanism is necessary. In this case it is used a spinlock since f_midi_transmit is also called by usb_request->complete callback in interrupt context. Cc: # v4.5+ Fixes: e1e3d7ec5da3 ("usb: gadget: f_midi: pre-allocate IN requests") Signed-off-by: Felipe F. Tonello Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/f_midi.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'drivers/usb/gadget/function/f_midi.c') diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 84c0ee5ebd1e..56e2dde99b03 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -89,6 +90,7 @@ struct f_midi { unsigned int buflen, qlen; /* This fifo is used as a buffer ring for pre-allocated IN usb_requests */ DECLARE_KFIFO_PTR(in_req_fifo, struct usb_request *); + spinlock_t transmit_lock; unsigned int in_last_port; struct gmidi_in_port in_ports_array[/* in_ports */]; @@ -597,17 +599,22 @@ static void f_midi_transmit(struct f_midi *midi) { struct usb_ep *ep = midi->in_ep; int ret; + unsigned long flags; /* We only care about USB requests if IN endpoint is enabled */ if (!ep || !ep->enabled) goto drop_out; + spin_lock_irqsave(&midi->transmit_lock, flags); + do { ret = f_midi_do_transmit(midi, ep); if (ret < 0) goto drop_out; } while (ret); + spin_unlock_irqrestore(&midi->transmit_lock, flags); + return; drop_out: @@ -1201,6 +1208,8 @@ static struct usb_function *f_midi_alloc(struct usb_function_instance *fi) if (status) goto setup_fail; + spin_lock_init(&midi->transmit_lock); + ++opts->refcnt; mutex_unlock(&opts->lock); -- cgit v1.2.3-59-g8ed1b From 03d27ade4941076b34c823d63d91dc895731a595 Mon Sep 17 00:00:00 2001 From: "Felipe F. Tonello" Date: Wed, 9 Mar 2016 19:39:30 +0000 Subject: usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed devices. That caused the OUT endpoint to freeze if the host send any data packet of length greater than 256 bytes. This is an example dump of what happended on that enpoint: HOST: [DATA][Length=260][...] DEVICE: [NAK] HOST: [PING] DEVICE: [NAK] HOST: [PING] DEVICE: [NAK] ... HOST: [PING] DEVICE: [NAK] This patch fixes this problem by setting the minimum usb_request's buffer size for the OUT endpoint as its wMaxPacketSize. Acked-by: Michal Nazarewicz Signed-off-by: Felipe F. Tonello Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/f_midi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/usb/gadget/function/f_midi.c') diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 56e2dde99b03..9ad51dcab982 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -360,7 +360,9 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt) /* allocate a bunch of read buffers and queue them all at once. */ for (i = 0; i < midi->qlen && err == 0; i++) { struct usb_request *req = - midi_alloc_ep_req(midi->out_ep, midi->buflen); + midi_alloc_ep_req(midi->out_ep, + max_t(unsigned, midi->buflen, + bulk_out_desc.wMaxPacketSize)); if (req == NULL) return -ENOMEM; -- cgit v1.2.3-59-g8ed1b From 4fc50ba5965ac2b360499d4a23eb10d04414dd36 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sat, 2 Apr 2016 07:51:08 +0300 Subject: usb: gadget: f_midi: unlock on error We added some new locking here, but missed an error path where we need to unlock. Fixes: 9acdf4df2fc4 ('usb: gadget: f_midi: added spinlock on transmit function') Acked-by: Michal Nazarewicz Acked-by: Felipe F. Tonello Signed-off-by: Dan Carpenter Signed-off-by: Felipe Balbi --- drivers/usb/gadget/function/f_midi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/usb/gadget/function/f_midi.c') diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 9ad51dcab982..58fc199a18ec 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -611,8 +611,10 @@ static void f_midi_transmit(struct f_midi *midi) do { ret = f_midi_do_transmit(midi, ep); - if (ret < 0) + if (ret < 0) { + spin_unlock_irqrestore(&midi->transmit_lock, flags); goto drop_out; + } } while (ret); spin_unlock_irqrestore(&midi->transmit_lock, flags); -- cgit v1.2.3-59-g8ed1b