[PATCH] usb: gadget: f_fs: edit epfile->ep under lock

From: Michal Nazarewicz
Date: Wed Sep 28 2016 - 12:10:42 EST


epfile->ep is protected by ffs->eps_lock (not epfile->mutex) so clear it
while holding the spin lock.

Signed-off-by: Michal Nazarewicz <mina86@xxxxxxxxxx>
Fixes: 9353afbbfa7b ("buffer data from ‘oversized’ OUT requests")
---
drivers/usb/gadget/function/f_fs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/functi=
on/f_fs.c
index 0aeed85..759f5d4 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1725,17 +1725,17 @@ static void ffs_func_eps_disable(struct ffs_functio=
n *func)
unsigned long flags;
=20
do {
- if (epfile)
- mutex_lock(&epfile->mutex);
spin_lock_irqsave(&func->ffs->eps_lock, flags);
/* pending requests get nuked */
if (likely(ep->ep))
usb_ep_disable(ep->ep);
++ep;
+ if (epfile)
+ epfile->ep =3D NULL;
spin_unlock_irqrestore(&func->ffs->eps_lock, flags);
=20
if (epfile) {
- epfile->ep =3D NULL;
+ mutex_lock(&epfile->mutex);
kfree(epfile->read_buffer);
epfile->read_buffer =3D NULL;
mutex_unlock(&epfile->mutex);
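Review bot: the commit message only says ep belongs under eps_lock; it should also spell out the lock-nesting change this hunk makes, since `mutex_lock(&epfile->mutex);` no longer wraps `spin_lock_irqsave(&func->ffs->eps_lock, flags);` and is now taken on its own, after `spin_unlock_irqrestore(&func->ffs->eps_lock, flags);`, purely for the read_buffer teardown. That ordering leaves a window in which epfile->ep is already NULL while epfile->read_buffer is still allocated, so a reader that checks ep under eps_lock and then touches read_buffer under the mutex has to tolerate the two going away independently; worth stating explicitly so nobody later "fixes" the ordering back. Minor: `++ep;` is advanced before the `epfile->ep = NULL` store, which is correct only because that store goes through epfile rather than ep, and a one-line comment there would save the next reader a double take.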
------- >8 -------------------------------------------------------------

With that done, the only thing which needs a mutex is
epfile->read_buffer.

The read_buffer pointer shouldn’t be that big of an issue (it could be
protected by the same eps_lock). The real problem is freeing the
memory.

We cannot do it while __ffs_epfile_read_buffered is reading data from
it. We cannot blindly schedule it to happen later either since in the
meanwhile __ffs_epfile_read_buffered could have freed it.

-- 
Best regards
ミハウ “𝓶𝓲𝓷𝓪86” ナザレヴイツ
«If at first you don’t succeed, give up skydiving»
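The locking argument above (ep cleared under the spinlock, read_buffer freed only under the mutex a sleeping reader holds) modelled in user space, as an added example that is not part of the patch or of the kernel's f_fs code: the struct and the model_* functions are hypothetical stand-ins, and it assumes a POSIX system with pthreads.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical model of the f_fs locks: eps_lock guards ep, mutex guards read_buffer. */
struct epfile_model {
    pthread_spinlock_t eps_lock;
    void *ep;
    pthread_mutex_t mutex;
    char *read_buffer;
    _Atomic int reading;        /* set once the reader holds the mutex */
    char out[32];               /* what the reader copied, for checking */
};
/* Reader sleeps with the mutex held (as copy_to_user may), so free() must wait. */
static void *model_read(void *arg)
{
    struct epfile_model *f = arg;
    pthread_mutex_lock(&f->mutex); f->reading = 1;   /* disable must now wait */
    if (f->read_buffer) {                   /* NULL once disable has run */
        usleep(50000);                      /* simulated sleeping copy */
        strcpy(f->out, f->read_buffer);     /* buffer is still valid here */
    }
    pthread_mutex_unlock(&f->mutex);
    return NULL;
}
/* Patch order: clear ep under eps_lock only, then take the mutex just to free. */
static void model_eps_disable(struct epfile_model *f)
{
    pthread_spin_lock(&f->eps_lock);
    f->ep = NULL;                           /* readers now see no endpoint */
    pthread_spin_unlock(&f->eps_lock);
    pthread_mutex_lock(&f->mutex);          /* waits for an in-flight read */
    free(f->read_buffer);
    f->read_buffer = NULL;
    pthread_mutex_unlock(&f->mutex);
}
/* Race a sleeping reader against disable; 1 if data intact and ep/buffer gone. */
static int model_race(const char *data)     /* data: constructed, < 32 bytes */
{
    struct epfile_model f = { .ep = &f, .mutex = PTHREAD_MUTEX_INITIALIZER };
    pthread_t rd;
    pthread_spin_init(&f.eps_lock, PTHREAD_PROCESS_PRIVATE);
    f.read_buffer = strdup(data);
    pthread_create(&rd, NULL, model_read, &f);
    while (!f.reading) usleep(1000);        /* let the reader take the mutex first */
    model_eps_disable(&f);                  /* blocks until the read finishes */
    pthread_join(rd, NULL);
    return strcmp(f.out, data) == 0 && !f.read_buffer && !f.ep;
}
```

The reader finishes with intact data because free() cannot run until it drops the mutex, while ep has already been cleared under eps_lock without any sleeping there.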