greybus: operation/esx: fix message-cancellation lifetime bugs
authorJohan Hovold <johan@hovoldconsulting.com>
Wed, 1 Jul 2015 10:37:21 +0000 (12:37 +0200)
committerGreg Kroah-Hartman <gregkh@google.com>
Wed, 1 Jul 2015 23:43:02 +0000 (16:43 -0700)
commit3e136cc9e05e1a34d8602a4d4e31c9d93ccbbdf7
treec5e33b5a43625317b9e4213e296328fd1ecbdeac
parent5677d48b9735ca43f546d8e21dd36a993b770090
greybus: operation/esx: fix message-cancellation lifetime bugs

The current host-controller message-cancellation implementation suffer
from a lifetime bug as dynamically allocated URBs would complete and be
deallocated while being unlinked as part of cancellation.

The current locking is also insufficient to prevent the related race
where the URB is deallocated before being unlinked.

Fix this by pushing the cancellation implementation from greybus core
down to the host-controller drivers, and replace the "cookie" pointer
with a hcpriv field that those drivers can use to maintain their state
with the required locking and reference counting in place.

Specifically the drivers need to acquire a reference to the URB under a
lock before calling usb_kill_urb as part of cancellation.

Note that this also removes the insufficient gb_message_mutex, which
also effectively prevented us from implementing support for submissions
from atomic context.

Instead the host-controller drivers must now explicitly make sure that
the pre-allocated URBs are not reused while cancellation is in progress.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
drivers/staging/greybus/es1.c
drivers/staging/greybus/es2.c
drivers/staging/greybus/greybus.h
drivers/staging/greybus/operation.c
drivers/staging/greybus/operation.h