From owner-svn-src-all@FreeBSD.ORG Wed Nov 4 01:50:26 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B35F1065693; Wed, 4 Nov 2009 01:50:26 +0000 (UTC) (envelope-from thompsa@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D43C58FC1E; Wed, 4 Nov 2009 01:50:25 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nA41oPL5013290; Wed, 4 Nov 2009 01:50:25 GMT (envelope-from thompsa@svn.freebsd.org) Received: (from thompsa@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id nA41oPZ3013287; Wed, 4 Nov 2009 01:50:25 GMT (envelope-from thompsa@svn.freebsd.org) Message-Id: <200911040150.nA41oPZ3013287@svn.freebsd.org> From: Andrew Thompson Date: Wed, 4 Nov 2009 01:50:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r198869 - stable/8/sys/dev/usb X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Nov 2009 01:50:26 -0000 Author: thompsa Date: Wed Nov 4 01:50:25 2009 New Revision: 198869 URL: http://svn.freebsd.org/changeset/base/198869 Log: MFC r198775 Fix a corner case where usbd_transfer_drain() can return too early if the callback has dropped the mutex, leading to a panic. Submitted by: HPS Modified: stable/8/sys/dev/usb/usb_core.h stable/8/sys/dev/usb/usb_transfer.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/dev/xen/xenpci/ (props changed) Modified: stable/8/sys/dev/usb/usb_core.h ============================================================================== --- stable/8/sys/dev/usb/usb_core.h Wed Nov 4 01:32:59 2009 (r198868) +++ stable/8/sys/dev/usb/usb_core.h Wed Nov 4 01:50:25 2009 (r198869) @@ -112,6 +112,7 @@ struct usb_xfer_flags_int { uint8_t curr_dma_set:1; /* used by USB HC/DC driver */ uint8_t can_cancel_immed:1; /* set if USB transfer can be * cancelled immediately */ + uint8_t doing_callback:1; /* set if executing the callback */ }; /* Modified: stable/8/sys/dev/usb/usb_transfer.c ============================================================================== --- stable/8/sys/dev/usb/usb_transfer.c Wed Nov 4 01:32:59 2009 (r198868) +++ stable/8/sys/dev/usb/usb_transfer.c Wed Nov 4 01:50:25 2009 (r198869) @@ -1797,8 +1797,18 @@ usbd_transfer_drain(struct usb_xfer *xfe usbd_transfer_stop(xfer); - while (usbd_transfer_pending(xfer)) { + while (usbd_transfer_pending(xfer) || + xfer->flags_int.doing_callback) { + + /* + * It is allowed that the callback can drop its + * transfer mutex. In that case checking only + * "usbd_transfer_pending()" is not enough to tell if + * the USB transfer is fully drained. We also need to + * check the internal "doing_callback" flag. + */ xfer->flags_int.draining = 1; + /* * Wait until the current outstanding USB * transfer is complete ! @@ -2043,6 +2053,9 @@ usbd_callback_wrapper(struct usb_xfer_qu /* get next USB transfer in the queue */ info->done_q.curr = NULL; + /* set flag in case of drain */ + xfer->flags_int.doing_callback = 1; + USB_BUS_UNLOCK(info->bus); USB_BUS_LOCK_ASSERT(info->bus, MA_NOTOWNED); @@ -2095,12 +2108,17 @@ usbd_callback_wrapper(struct usb_xfer_qu if ((!xfer->flags_int.open) && (xfer->flags_int.started) && (xfer->usb_state == USB_ST_ERROR)) { + /* clear flag in case of drain */ + xfer->flags_int.doing_callback = 0; /* try to loop, but not recursivly */ usb_command_wrapper(&info->done_q, xfer); return; } done: + /* clear flag in case of drain */ + xfer->flags_int.doing_callback = 0; + /* * Check if we are draining. */