The BKL conversion of this family of drivers seems to have gone wrong.
Opening cx88-blackbird will deadlock. Various other uses of the
sub-device and driver lists appear to be subject to race conditions.

For example: various functions access drvlist without a relevant
lock held, which will race against removal of drivers. Let's
start with that --- clean up by consistently protecting dev->drvlist
with dev->core->lock, noting driver functions that require the device
lock to be held or not held.

The only goal is to make the semantics clearer in preparation for
other changes. There are still some relevant races (noted in
comments) and the deadlock noticed by Andi remains; later patches
will address that.

Based-on-patch-by: Ben Hutchings <***@decadent.org.uk>
Signed-off-by: Jonathan Nieder <***@gmail.com>
Cc: Andi Huber <***@gmx.at>
Cc: ***@kernel.org
---
drivers/media/video/cx88/cx88-blackbird.c | 8 +++++++-
drivers/media/video/cx88/cx88-dvb.c | 8 ++++++++
drivers/media/video/cx88/cx88-mpeg.c | 11 +++++++----
drivers/media/video/cx88/cx88.h | 9 ++++++++-
4 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/drivers/media/video/cx88/cx88-blackbird.c b/drivers/media/video/cx88/cx88-blackbird.c
index bca307e..85910c6 100644
--- a/drivers/media/video/cx88/cx88-blackbird.c
+++ b/drivers/media/video/cx88/cx88-blackbird.c
@@ -1122,10 +1122,16 @@ static int mpeg_release(struct file *file)
mutex_lock(&dev->core->lock);
file->private_data = NULL;
kfree(fh);
- mutex_unlock(&dev->core->lock);

/* Make sure we release the hardware */
drv = cx8802_get_driver(dev, CX88_MPEG_BLACKBIRD);
+ mutex_unlock(&dev->core->lock);
+
+ /*
+ * NEEDSWORK: the driver can be yanked from under our feet.
+ * The following really ought to be protected with core->lock.
+ */
+
if (drv)
drv->request_release(drv);

diff --git a/drivers/media/video/cx88/cx88-dvb.c b/drivers/media/video/cx88/cx88-dvb.c
index 7b8c9d3..5d0f947 100644
--- a/drivers/media/video/cx88/cx88-dvb.c
+++ b/drivers/media/video/cx88/cx88-dvb.c
@@ -133,7 +133,15 @@ static int cx88_dvb_bus_ctrl(struct dvb_frontend* fe, int acquire)
return -EINVAL;
}

+ mutex_lock(&dev->core->lock);
drv = cx8802_get_driver(dev, CX88_MPEG_DVB);
+ mutex_unlock(&dev->core->lock);
+
+ /*
+ * NEEDSWORK: The driver can be yanked from under our feet now.
+ * We ought to keep holding core->lock during the below.
+ */
+
if (drv) {
if (acquire){
dev->frontends.active_fe_id = fe_id;
diff --git a/drivers/media/video/cx88/cx88-mpeg.c b/drivers/media/video/cx88/cx88-mpeg.c
index addf954..918172b 100644
--- a/drivers/media/video/cx88/cx88-mpeg.c
+++ b/drivers/media/video/cx88/cx88-mpeg.c
@@ -748,6 +748,8 @@ int cx8802_unregister_driver(struct cx8802_driver *drv)
dev->pci->subsystem_device, dev->core->board.name,
dev->core->boardnr);

+ mutex_lock(&dev->core->lock);
+
list_for_each_entry_safe(d, dtmp, &dev->drvlist, drvlist) {
/* only unregister the correct driver type */
if (d->type_id != drv->type_id)
@@ -755,15 +757,14 @@ int cx8802_unregister_driver(struct cx8802_driver *drv)

err = d->remove(d);
if (err == 0) {
- mutex_lock(&drv->core->lock);
list_del(&d->drvlist);
- mutex_unlock(&drv->core->lock);
kfree(d);
} else
printk(KERN_ERR "%s/2: cx8802 driver remove "
"failed (%d)\n", dev->core->name, err);
}

+ mutex_unlock(&dev->core->lock);
}

return err;
@@ -827,6 +828,8 @@ static void __devexit cx8802_remove(struct pci_dev *pci_dev)

flush_request_modules(dev);

+ mutex_lock(&dev->core->lock);
+
if (!list_empty(&dev->drvlist)) {
struct cx8802_driver *drv, *tmp;
int err;
@@ -838,9 +841,7 @@ static void __devexit cx8802_remove(struct pci_dev *pci_dev)
list_for_each_entry_safe(drv, tmp, &dev->drvlist, drvlist) {
err = drv->remove(drv);
if (err == 0) {
- mutex_lock(&drv->core->lock);
list_del(&drv->drvlist);
- mutex_unlock(&drv->core->lock);
} else
printk(KERN_ERR "%s/2: cx8802 driver remove "
"failed (%d)\n", dev->core->name, err);
@@ -848,6 +849,8 @@ static void __devexit cx8802_remove(struct pci_dev *pci_dev)
}
}

+ mutex_unlock(&dev->core->lock);
+
/* Destroy any 8802 reference. */
dev->core->dvbdev = NULL;

diff --git a/drivers/media/video/cx88/cx88.h b/drivers/media/video/cx88/cx88.h
index 9b3742a..e3d56c2 100644
--- a/drivers/media/video/cx88/cx88.h
+++ b/drivers/media/video/cx88/cx88.h
@@ -506,7 +506,11 @@ struct cx8802_driver {
int (*resume)(struct pci_dev *pci_dev);

/* MPEG 8802 -> mini driver - Driver probe and configuration */
+
+ /* Caller must _not_ hold core->lock */
int (*probe)(struct cx8802_driver *drv);
+
+ /* Caller must hold core->lock */
int (*remove)(struct cx8802_driver *drv);

/* MPEG 8802 -> mini driver - Access for hardware control */
@@ -561,8 +565,9 @@ struct cx8802_dev {
/* for switching modulation types */
unsigned char ts_gen_cntrl;

- /* List of attached drivers */
+ /* List of attached drivers; must hold core->lock to access */
struct list_head drvlist;
+
struct work_struct request_module_wk;
};

@@ -685,6 +690,8 @@ int cx88_audio_thread(void *data);

int cx8802_register_driver(struct cx8802_driver *drv);
int cx8802_unregister_driver(struct cx8802_driver *drv);
+
+/* Caller must hold core->lock */
struct cx8802_driver * cx8802_get_driver(struct cx8802_dev *dev, enum cx88_board_type btype);

/* ----------------------------------------------------------- */

From: Ben Hutchings <***@decadent.org.uk>
Date: Tue, 29 Mar 2011 03:25:15 +0100

The BKL conversion of this family of drivers seems to have gone wrong.
Opening cx88-blackbird will deadlock. Various other uses of the
sub-device and driver lists appear to be subject to race conditions.

In particular, mpeg_ops::open in the cx2388x blackbird driver acquires
the device lock and then calls the drivers' request_acquire, which
tries to acquire the lock again --- deadlock. Fix it by clarifying
the semantics of request_acquire, request_release, advise_acquire, and
advise_release: all require the caller to hold the device lock now.

[jn: split from a larger patch, with new commit message]

Reported-by: Andi Huber <***@gmx.at>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=31962
Signed-off-by: Ben Hutchings <***@decadent.org.uk>
Signed-off-by: Jonathan Nieder <***@gmail.com>
Cc: ***@kernel.org
---
drivers/media/video/cx88/cx88-blackbird.c | 9 ++-------
drivers/media/video/cx88/cx88-dvb.c | 8 +-------
drivers/media/video/cx88/cx88-mpeg.c | 4 ----
drivers/media/video/cx88/cx88.h | 3 ++-
4 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/drivers/media/video/cx88/cx88-blackbird.c b/drivers/media/video/cx88/cx88-blackbird.c
index 85910c6..a6f7d53 100644
--- a/drivers/media/video/cx88/cx88-blackbird.c
+++ b/drivers/media/video/cx88/cx88-blackbird.c
@@ -1125,18 +1125,13 @@ static int mpeg_release(struct file *file)

/* Make sure we release the hardware */
drv = cx8802_get_driver(dev, CX88_MPEG_BLACKBIRD);
- mutex_unlock(&dev->core->lock);
-
- /*
- * NEEDSWORK: the driver can be yanked from under our feet.
- * The following really ought to be protected with core->lock.
- */
-
if (drv)
drv->request_release(drv);

atomic_dec(&dev->core->mpeg_users);

+ mutex_unlock(&dev->core->lock);
+
return 0;
}

diff --git a/drivers/media/video/cx88/cx88-dvb.c b/drivers/media/video/cx88/cx88-dvb.c
index 5d0f947..c69df7e 100644
--- a/drivers/media/video/cx88/cx88-dvb.c
+++ b/drivers/media/video/cx88/cx88-dvb.c
@@ -135,13 +135,6 @@ static int cx88_dvb_bus_ctrl(struct dvb_frontend* fe, int acquire)

mutex_lock(&dev->core->lock);
drv = cx8802_get_driver(dev, CX88_MPEG_DVB);
- mutex_unlock(&dev->core->lock);
-
- /*
- * NEEDSWORK: The driver can be yanked from under our feet now.
- * We ought to keep holding core->lock during the below.
- */
-
if (drv) {
if (acquire){
dev->frontends.active_fe_id = fe_id;
@@ -151,6 +144,7 @@ static int cx88_dvb_bus_ctrl(struct dvb_frontend* fe, int acquire)
dev->frontends.active_fe_id = 0;
}
}
+ mutex_unlock(&dev->core->lock);

return ret;
}
diff --git a/drivers/media/video/cx88/cx88-mpeg.c b/drivers/media/video/cx88/cx88-mpeg.c
index 918172b..9147c16 100644
--- a/drivers/media/video/cx88/cx88-mpeg.c
+++ b/drivers/media/video/cx88/cx88-mpeg.c
@@ -624,13 +624,11 @@ static int cx8802_request_acquire(struct cx8802_driver *drv)

if (drv->advise_acquire)
{
- mutex_lock(&drv->core->lock);
core->active_ref++;
if (core->active_type_id == CX88_BOARD_NONE) {
core->active_type_id = drv->type_id;
drv->advise_acquire(drv);
}
- mutex_unlock(&drv->core->lock);

mpeg_dbg(1,"%s() Post acquire GPIO=%x\n", __func__, cx_read(MO_GP0_IO));
}
@@ -643,14 +641,12 @@ static int cx8802_request_release(struct cx8802_driver *drv)
{
struct cx88_core *core = drv->core;

- mutex_lock(&drv->core->lock);
if (drv->advise_release && --core->active_ref == 0)
{
drv->advise_release(drv);
core->active_type_id = CX88_BOARD_NONE;
mpeg_dbg(1,"%s() Post release GPIO=%x\n", __func__, cx_read(MO_GP0_IO));
}
- mutex_unlock(&drv->core->lock);

return 0;
}
diff --git a/drivers/media/video/cx88/cx88.h b/drivers/media/video/cx88/cx88.h
index e3d56c2..9731daa 100644
--- a/drivers/media/video/cx88/cx88.h
+++ b/drivers/media/video/cx88/cx88.h
@@ -510,7 +510,8 @@ struct cx8802_driver {
/* Caller must _not_ hold core->lock */
int (*probe)(struct cx8802_driver *drv);

- /* Caller must hold core->lock */
+ /* Callers to the following functions must hold core->lock */
+
int (*remove)(struct cx8802_driver *drv);

/* MPEG 8802 -> mini driver - Access for hardware control */

From: Ben Hutchings <***@decadent.org.uk>
Date: Tue, 29 Mar 2011 03:25:15 +0100

Add and use a mutex to protect the cx88-mpeg device list. Previously
the BKL prevented races.

[jn: split from a larger patch, with new commit message; also protect
use in cx8802_probe]

Signed-off-by: Ben Hutchings <***@decadent.org.uk>
Signed-off-by: Jonathan Nieder <***@gmail.com>
---
That's the end of the series. Hopefully I haven't mangled the patches
too much --- if we're lucky they might even still work, though I
wouldn't bet on it. Bug reports and improvements welcome.

Good night,
Jonathan

drivers/media/video/cx88/cx88-mpeg.c | 20 +++++++++++++++++---
1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/media/video/cx88/cx88-mpeg.c b/drivers/media/video/cx88/cx88-mpeg.c
index 9147c16..6b58647 100644
--- a/drivers/media/video/cx88/cx88-mpeg.c
+++ b/drivers/media/video/cx88/cx88-mpeg.c
@@ -78,6 +78,7 @@ static void flush_request_modules(struct cx8802_dev *dev)


static LIST_HEAD(cx8802_devlist);
+static DEFINE_MUTEX(cx8802_mutex);
/* ------------------------------------------------------------------ */

static int cx8802_start_dma(struct cx8802_dev *dev,
@@ -689,6 +690,8 @@ int cx8802_register_driver(struct cx8802_driver *drv)
return err;
}

+ mutex_lock(&cx8802_mutex);
+
list_for_each_entry(dev, &cx8802_devlist, devlist) {
printk(KERN_INFO
"%s/2: subsystem: %04x:%04x, board: %s [card=%d]\n",
@@ -698,8 +701,10 @@ int cx8802_register_driver(struct cx8802_driver *drv)

/* Bring up a new struct for each driver instance */
driver = kzalloc(sizeof(*drv),GFP_KERNEL);
- if (driver == NULL)
- return -ENOMEM;
+ if (driver == NULL) {
+ err = -ENOMEM;
+ goto out;
+ }

/* Snapshot of the driver registration data */
drv->core = dev->core;
@@ -723,7 +728,10 @@ int cx8802_register_driver(struct cx8802_driver *drv)

}

- return i ? 0 : -ENODEV;
+ err = i ? 0 : -ENODEV;
+out:
+ mutex_unlock(&cx8802_mutex);
+ return err;
}

int cx8802_unregister_driver(struct cx8802_driver *drv)
@@ -737,6 +745,8 @@ int cx8802_unregister_driver(struct cx8802_driver *drv)
drv->type_id == CX88_MPEG_DVB ? "dvb" : "blackbird",
drv->hw_access == CX8802_DRVCTL_SHARED ? "shared" : "exclusive");

+ mutex_lock(&cx8802_mutex);
+
list_for_each_entry(dev, &cx8802_devlist, devlist) {
printk(KERN_INFO
"%s/2: subsystem: %04x:%04x, board: %s [card=%d]\n",
@@ -763,6 +773,8 @@ int cx8802_unregister_driver(struct cx8802_driver *drv)
mutex_unlock(&dev->core->lock);
}

+ mutex_unlock(&cx8802_mutex);
+
return err;
}

@@ -800,7 +812,9 @@ static int __devinit cx8802_probe(struct pci_dev *pci_dev,
goto fail_free;

INIT_LIST_HEAD(&dev->drvlist);
+ mutex_lock(&cx8802_mutex);
list_add_tail(&dev->devlist,&cx8802_devlist);
+ mutex_unlock(&cx8802_mutex);

/* now autoload cx88-dvb or cx88-blackbird */
request_modules(dev);

Since you have split up and otherwise modified the patch I sent, please
remove the 'From' and 'Signed-off-by' lines with my name and address.
Just state that the patches are based on my work.

Ben.

Hi again,
A reroll. As before, the goals are: (1) eliminate deadlock, (2)
eliminate races, (3) introduce some clarity. The same caveats as
last time apply --- this is only compile-tested. Thanks again to Andi
for testing the previous series and for other useful feedback.

Patch 1 is meant to protect dev->drvlist against data races.
Since v1, I removed some clutter in the patch itself and clarified the
change description to match.

Patch 2 addresses the original deadlock. The only changes are the
description and declared authorship of the patch (at Ben's request).

Patch 3 is new. It fixes the reference count breakage Andi noticed
(another race previously protected against by the BKL).

Patch 4 fixes a data race noticed by Ben (also from his patch). It's
unchanged.

Patches 5, 6, and 7 are cleanups.

Bugs? Thoughts?
Jonathan Nieder (7):
[media] cx88: protect per-device driver list with device lock
[media] cx88: fix locking of sub-driver operations
[media] cx88: hold device lock during sub-driver initialization
[media] cx88: use a mutex to protect cx8802_devlist
[media] cx88: handle attempts to use unregistered cx88-blackbird
driver
[media] cx88: don't use atomic_t for core->mpeg_users
[media] cx88: don't use atomic_t for core->users

drivers/media/video/cx88/cx88-blackbird.c | 41 +++++++++++++++-------------
drivers/media/video/cx88/cx88-dvb.c | 2 +
drivers/media/video/cx88/cx88-mpeg.c | 40 ++++++++++++++++++----------
drivers/media/video/cx88/cx88-video.c | 5 ++-
drivers/media/video/cx88/cx88.h | 11 +++++--
5 files changed, 61 insertions(+), 38 deletions(-)