From: John Keeping <john@metanate.com>
To: Linyu Yuan <quic_linyyuan@quicinc.com>
Cc: Felipe Balbi <balbi@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-usb@vger.kernel.org, Michael Wu <michael@allwinnertech.com>
Subject: Re: [PATCH v1 2/2] usb: gadget: ffs: change ep->ep safe in ffs_epfile_io()
Date: Tue, 31 May 2022 12:47:51 +0100
Message-ID: <YpYAZ5Q0kYcHdq9T@donbot>
In-Reply-To: <1653989775-14267-3-git-send-email-quic_linyyuan@quicinc.com>

On Tue, May 31, 2022 at 05:36:15PM +0800, Linyu Yuan wrote:
> In ffs_epfile_io(), when reading/writing data in blocking mode, it waits
> for the completion in interruptible mode. If the task receives a signal, it
> terminates the wait; at the same time, if a function unbind occurs,
> ffs_func_unbind() will kfree all eps, and ffs_epfile_io() still tries to
> dequeue the request by dereferencing ep, which may have become invalid.
> 
> Fix it by adding the ep spinlock and not dereferencing ep if it is not valid.
> 
> Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>

Reviewed-by: John Keeping <john@metanate.com>

> ---
>  drivers/usb/gadget/function/f_fs.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index dcba835..b6c9b44 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -1077,6 +1077,11 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
>  		spin_unlock_irq(&epfile->ffs->eps_lock);
>  
>  		if (wait_for_completion_interruptible(&io_data->done)) {
> +			spin_lock_irq(&epfile->ffs->eps_lock);
> +			if (epfile->ep != ep) {
> +				ret = -ESHUTDOWN;
> +				goto error_lock;
> +			}
>  			/*
>  			 * To avoid race condition with ffs_epfile_io_complete,
>  			 * dequeue the request first then check
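Review bot: the `goto error_lock` is taken while `epfile->ffs->eps_lock` is held (acquired on the line just above the check), so the `error_lock` label must release that lock; its body is outside this hunk, so please confirm it unlocks `eps_lock` rather than only releasing the request, otherwise the new -ESHUTDOWN path returns with the lock held and interrupts disabled. The `epfile->ep != ep` test itself only compares pointer values and never dereferences the stale `ep`, which is what makes it safe once ffs_func_unbind() has freed the endpoints.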
> @@ -1084,6 +1089,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
>  			 * condition with req->complete callback.
>  			 */
>  			usb_ep_dequeue(ep->ep, req);
> +			spin_unlock_irq(&epfile->ffs->eps_lock);
>  			wait_for_completion(&io_data->done);
>  			interrupted = true;
>  		}
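Review bot: the comment block above `usb_ep_dequeue(ep->ep, req);` still only describes the race with ffs_epfile_io_complete; now that `eps_lock` is held across the dequeue and dropped immediately before `wait_for_completion(&io_data->done);`, it should also state that the lock keeps ffs_func_unbind() from freeing `ep` during the dequeue, and that the `spin_unlock_irq()` must stay ahead of the uninterruptible wait because sleeping with a spinlock held and interrupts disabled is not permitted.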
> -- 
> 2.7.4
> 

2022-05-31  9:36 [PATCH v1 0/2] usb: f_fs: safe operation in ffs_epfile_io() Linyu Yuan
2022-05-31  9:36 ` [PATCH v1 1/2] usb: gadget: ffs: change ep->status safe " Linyu Yuan
2022-05-31 11:44   ` John Keeping
2022-05-31 13:06     ` Linyu Yuan
2022-05-31  9:36 ` [PATCH v1 2/2] usb: gadget: ffs: change ep->ep " Linyu Yuan
2022-05-31 11:47   ` John Keeping [this message]