[usb][ums] UMS integration test race condition

samhansen · Fuchsia Internal LUCI · commit a05c6d9f6f02 · 2022-05-16T22:57:50.000Z
There currently exists a race in the ums-function (backing VirtualBus) driver. The worker thread assumes DdkUnbind() will always be invoked while it's awaiting a cnd_t condvar. The unbind hook sets active=False, and under the assumption it will unblock the waiting worker thread, calls cnd_signal(). Normally this wakes up the thread, which makes an active=True check and bails, exiting the thread. In the very unlikely event that the unbind hook is called while the worker thread is servicing a prior request's completion callback (a very fast operation), the cnd_signal() will go unnoticed (because there's no thread to actually wake up), the thread's while(1) loop will whip back around and block on cnd_wait(). However, in this state, there's nothing left to actually signal the cnd_t and the subsequent call to thrd_join() will hang as the thread is stuck in cnd_wait(). This adds the active state to the worker thread's loop check causing the thread to bail on whipback if the unbind hook is called while the worker thread happens to be doing actual work. Bug: 98566 Bug: 83563 Change-Id: If5a67b03087ab2135595612742506a495be0a574 Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/679993 Reviewed-by: Ruby Zhuang <rdzhuang@google.com> Commit-Queue: Sam Hansen <hansens@google.com>
diff --git a/src/devices/block/drivers/ums-function/ums-function.c b/src/devices/block/drivers/ums-function/ums-function.c
@@ -624,7 +624,8 @@ static zx_handle_t vmo = 0;
 
 static int usb_ums_thread(void* ctx) {
   usb_ums_t* ums = (usb_ums_t*)ctx;
-  while (1) {
+  ZX_ASSERT(ums->active);
+  while (ums->active) {
     mtx_lock(&ums->mtx);
     if (!(ums->cbw_req_complete || ums->csw_req_complete || ums->data_req_complete ||
           (!ums->active))) {
diff --git a/src/devices/block/drivers/usb-mass-storage/tests/ums-test.cc b/src/devices/block/drivers/usb-mass-storage/tests/ums-test.cc
@@ -317,7 +317,7 @@ TEST_F(UmsTest, DISABLED_UncachedWriteShouldBePersistedToBlockDevice) {
 }
 
 // TODO(fxbug.dev/98566) re-enable when the race is resolved.
-TEST_F(UmsTest, DISABLED_BlkdevTest) {
+TEST_F(UmsTest, BlkdevTest) {
   char errmsg[1024];
   fdio_spawn_action_t actions[1];
   actions[0] = {};

Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,7 @@ TEST_F(UmsTest, DISABLED_UncachedWriteShouldBePersistedToBlockDevice) {`
`317`	`317`	`}`
`318`	`318`
`319`	`319`	`// TODO(fxbug.dev/98566) re-enable when the race is resolved.`
`320`		`-TEST_F(UmsTest, DISABLED_BlkdevTest) {`
	`320`	`+TEST_F(UmsTest, BlkdevTest) {`
`321`	`321`	`char errmsg[1024];`
`322`	`322`	`fdio_spawn_action_t actions[1];`
`323`	`323`	`actions[0] = {};`