From: John Keeping <john@metanate.com>
To: Michael Wu <michael@allwinnertech.com>
Cc: Linyu Yuan <quic_linyyuan@quicinc.com>,
	Felipe Balbi <balbi@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-usb@vger.kernel.org
Subject: Re: [PATCH v3 2/2] usb: gadget: f_fs: change ep->ep safe in ffs_epfile_io()
Date: Thu, 2 Jun 2022 14:06:24 +0100
Message-ID: <Ypi10OWth6Rd08n9@donbot>
In-Reply-To: <0732d4f3-5359-0d9d-94b9-66a7403dc7d8@allwinnertech.com>

On Thu, Jun 02, 2022 at 06:39:30PM +0800, Michael Wu wrote:
> On 6/1/2022 12:15 PM, Linyu Yuan wrote:
> > In ffs_epfile_io(), when reading/writing data in blocking mode, it waits
> > for the completion in interruptible mode. If the task receives a signal, it
> > terminates the wait; at the same time, if function unbind occurs,
> > ffs_func_unbind() will kfree all eps, and ffs_epfile_io() still tries to
> > dequeue the request by dereferencing ep, which may have become invalid.
> > 
> > Fix it by adding the ep spinlock and not dereferencing ep if it is not valid.
> > 
> > Reported-by: Michael Wu <michael@allwinnertech.com>
> > Reviewed-by: John Keeping <john@metanate.com>
> > Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
> > ---
> > v2: add Reviewed-by from John Keeping
> > v3: add Reported-by from Michael Wu
> > 
> >   drivers/usb/gadget/function/f_fs.c | 6 ++++++
> >   1 file changed, 6 insertions(+)
> > 
> > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> > index d4d8940..9bf9287 100644
> > --- a/drivers/usb/gadget/function/f_fs.c
> > +++ b/drivers/usb/gadget/function/f_fs.c
> > @@ -1077,6 +1077,11 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
> >   		spin_unlock_irq(&epfile->ffs->eps_lock);
> >   		if (wait_for_completion_interruptible(&io_data->done)) {
> > +			spin_lock_irq(&epfile->ffs->eps_lock);
> > +			if (epfile->ep != ep) {
> > +				ret = -ESHUTDOWN;
> > +				goto error_lock;
> > +			}
> >   			/*
> >   			 * To avoid race condition with ffs_epfile_io_complete,
> >   			 * dequeue the request first then check
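Review bot: the new `if (epfile->ep != ep)` test only detects the unbind if ffs_func_unbind() clears epfile->ep (or repoints it) under the same eps_lock before it frees the endpoint; that side is not in this hunk, and the commit message only says unbind "will kfree all eps", so a sentence stating that epfile->ep is cleared under eps_lock would let the fix be reviewed on its own. Being a plain pointer comparison, the check would also pass for an endpoint freed and re-bound at the same address; if that sequence is reachable, a generation counter rather than the pointer is needed. `goto error_lock` is now reached with eps_lock held and irqs disabled while the `error_lock` label is outside the hunk, so please confirm it does spin_unlock_irq(&epfile->ffs->eps_lock). Minor: the commit message's "add ep spinlock" should read "take eps_lock", since the hunk reuses the existing epfile->ffs->eps_lock that is released just above, not a new lock.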
> > @@ -1084,6 +1089,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
> >   			 * condition with req->complete callback.
> >   			 */
> >   			usb_ep_dequeue(ep->ep, req);
> > +			spin_unlock_irq(&epfile->ffs->eps_lock);
> >   			wait_for_completion(&io_data->done);
> >   			interrupted = io_data->status < 0;
> >   		}
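Review bot: usb_ep_dequeue(ep->ep, req) is now called with eps_lock held and interrupts disabled, so it must be safe to enter the controller driver's dequeue in that context, and the lock ordering against ffs_epfile_io_complete, which the comment above names as the other side of the race, should be confirmed; dropping the lock before wait_for_completion() is right, since that call sleeps. The comment block above the call should also be extended to say that eps_lock is held so that ffs_func_unbind() cannot free ep underneath the dequeue, as it currently describes only the req->complete race.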
> 
> Tested-by: Michael Wu <michael@allwinnertech.com>
> 
> I've tested Linyu's patches [PATCH v3 1/2] [PATCH v3 2/2]. I believe it
> fixes the bug I reported.
> 
> What's more, John's solution [1] also works in my tests. It looks simpler.
> I'm not sure if it's as complete as Linyu's solution.

It's not as comprehensive, let's focus on this thread.

> [1] https://lore.kernel.org/linux-usb/YpUJkxWBNuZiW7Xk@donbot/
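
The race described in the commit message quoted above, and the re-check under eps_lock that the hunks add, as an added example that is not part of this thread or of the kernel tree. It is a single-threaded userspace C model: the window in which the signal wakes the task and ffs_func_unbind() runs is simulated by a hook called while the lock is dropped, and the "freed" endpoint is kept allocated so that a stale access can be counted instead of being undefined behaviour. The names struct ffs_model, model_*, window_hook_t and the `patched` flag are the model's own, not f_fs identifiers.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of epfile/ffs state. Names here are the model's, not f_fs's. */
struct ep {			/* stands in for the kfree'd struct ffs_ep */
	int queued;		/* requests currently queued on it */
};

struct ffs_model {
	int eps_lock_held;	/* models spin_lock_irq(&epfile->ffs->eps_lock) */
	struct ep *ep;		/* models epfile->ep; unbind sets it to NULL */
	struct ep *freed;	/* endpoint "freed" by unbind, kept allocated so a
				 * stale access is counted rather than UB */
	int stale_derefs;	/* accesses to the freed endpoint */
};

typedef void (*window_hook_t)(struct ffs_model *m);

static void eps_lock(struct ffs_model *m)
{
	if (m->eps_lock_held)	/* taking a spinlock twice would deadlock */
		abort();
	m->eps_lock_held = 1;
}

static void eps_unlock(struct ffs_model *m)
{
	if (!m->eps_lock_held)
		abort();
	m->eps_lock_held = 0;
}

struct ffs_model *model_new(void)
{
	struct ffs_model *m = calloc(1, sizeof(*m));

	m->ep = calloc(1, sizeof(*m->ep));
	return m;
}

/* ffs_func_unbind() side: unpublish the endpoint under eps_lock, then free it. */
void model_unbind(struct ffs_model *m)
{
	eps_lock(m);
	m->freed = m->ep;
	m->ep = NULL;
	eps_unlock(m);
}

/* usb_ep_dequeue(ep->ep, req) side: a touch of the freed endpoint is recorded. */
static void model_dequeue(struct ffs_model *m, struct ep *ep)
{
	if (ep == m->freed) {
		m->stale_derefs++;
		return;
	}
	ep->queued--;
}

/*
 * Blocking path of ffs_epfile_io(). patched == 0 dereferences the snapshot
 * `ep` after the interrupted wait, as before the fix; patched == 1 retakes
 * eps_lock and compares epfile->ep with the snapshot first, as the hunks do.
 * window == NULL means the request completed; non-NULL means the wait was
 * interrupted and the hook ran in the window.
 */
int model_io(struct ffs_model *m, int patched, window_hook_t window)
{
	struct ep *ep;

	eps_lock(m);
	ep = m->ep;
	if (!ep) {
		eps_unlock(m);
		return -ENODEV;
	}
	ep->queued++;			/* usb_ep_queue() */
	eps_unlock(m);

	if (!window) {			/* wait_for_completion_interruptible() == 0 */
		ep->queued--;		/* completion handler ran */
		return 0;
	}
	window(m);			/* signal woke us; unbind raced in */

	if (patched) {
		eps_lock(m);
		if (m->ep != ep) {	/* endpoint gone: never touch it */
			eps_unlock(m);	/* the driver does this via error_lock */
			return -ESHUTDOWN;
		}
		model_dequeue(m, ep);
		eps_unlock(m);
	} else {
		model_dequeue(m, ep);	/* use-after-free in the real driver */
	}
	return -EINTR;
}

int model_stale_derefs(const struct ffs_model *m)
{
	return m->stale_derefs;
}

int main(void)
{
	struct ffs_model *a = model_new(), *b = model_new();
	int ra = model_io(a, 0, model_unbind);
	int rb = model_io(b, 1, model_unbind);

	printf("unpatched: ret=%d stale derefs=%d\n", ra, model_stale_derefs(a));
	printf("patched:   ret=%d stale derefs=%d\n", rb, model_stale_derefs(b));
	return 0;
}
```

The model makes explicit what the pointer comparison relies on: the unbind side must clear epfile->ep under the same eps_lock before the kfree (model_unbind does), or the re-check cannot observe the teardown. It also shows the comparison's limit: if an endpoint could be freed and a new one published at the same address before the io path retakes the lock, `m->ep != ep` would be false, and a generation counter incremented on every bind/unbind would be needed in place of the pointer.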


Thread overview: 6+ messages
2022-06-01  4:15 [PATCH v3 0/2] usb: f_fs: safe operation in ffs_epfile_io() Linyu Yuan
2022-06-01  4:15 ` [PATCH v3 1/2] usb: gadget: f_fs: change ep->status safe " Linyu Yuan
2022-06-01  4:15 ` [PATCH v3 2/2] usb: gadget: f_fs: change ep->ep " Linyu Yuan
2022-06-02 10:39   ` Michael Wu
2022-06-02 13:06     ` John Keeping [this message]
2022-06-06  4:49       ` Michael Wu
