2014-06-05 13:30:26

by Marcus Nutzinger

Subject: [PATCH] usb: gadget: gadgetfs: correct dev state

Commit 1826e9b1 fixes the use after free of "dev".
However, if this is not the final call to dev_release(),
the state is not reset to STATE_DEV_DISABLED and hence
all further open() calls to the gadgetfs ep0 device
will fail with EBUSY.

So this commit reverts 1826e9b1 and places the call
put_dev() after setting the state.

Signed-off-by: Marcus Nutzinger <[email protected]>
Reviewed-by: Christoph Muellner <[email protected]>
---
drivers/usb/gadget/inode.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index a925d0c..6330528 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1264,8 +1264,13 @@ dev_release (struct inode *inode, struct file *fd)

kfree (dev->buf);
dev->buf = NULL;
- put_dev (dev);

+ /* other endpoints were all decoupled from this device */
+ spin_lock_irq(&dev->lock);
+ dev->state = STATE_DEV_DISABLED;
+ spin_unlock_irq(&dev->lock);
+
+ put_dev (dev);
return 0;
}
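Review bot: the constraint that makes this ordering correct is not stated anywhere in the hunk: dev->state has to be written while this file's reference still keeps dev alive, because put_dev() may free it (the use after free that 1826e9b1 addressed). The comment that was moved in, "other endpoints were all decoupled from this device", describes something else, so add a second line next to the new `put_dev (dev);`, e.g. `/* must be the last use of dev: put_dev() may free it */`, so the next reordering does not reintroduce the bug.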

--
1.9.0


2014-06-05 14:18:06

by Sergei Shtylyov

Subject: Re: [PATCH] usb: gadget: gadgetfs: correct dev state

Hello.

On 06/05/2014 05:08 PM, Marcus Nutzinger wrote:

> Commit 1826e9b1 fixes the use after free of "dev".

Please also specify that commit's summary line in parens.

> However, if this is not the final call to dev_release(),
> the state is not reset to STATE_DEV_DISABLED and hence
> all further open() calls to the gadgetfs ep0 device
> will fail with EBUSY.

> So this commit reverts 1826e9b1 and places the call
> put_dev() after setting the state.

> Signed-off-by: Marcus Nutzinger <[email protected]>
> Reviewed-by: Christoph Muellner <[email protected]>
> ---
> drivers/usb/gadget/inode.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)

> diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
> index a925d0c..6330528 100644
> --- a/drivers/usb/gadget/inode.c
> +++ b/drivers/usb/gadget/inode.c
> @@ -1264,8 +1264,13 @@ dev_release (struct inode *inode, struct file *fd)
>
> kfree (dev->buf);
> dev->buf = NULL;
> - put_dev (dev);
>
> + /* other endpoints were all decoupled from this device */
> + spin_lock_irq(&dev->lock);
> + dev->state = STATE_DEV_DISABLED;
> + spin_unlock_irq(&dev->lock);

Not sure I understand why you need spinlock here... isn't the assignment
atomic already?

> +
> + put_dev (dev);
> return 0;
> }

WBR, Sergei

2014-06-05 15:17:23

by Marcus Nutzinger

Subject: [PATCH v2] usb: gadget: gadgetfs: correct dev state

This reverts commit 1826e9b1 (usb: gadget: gadgetfs: use
after free in dev_release()) and places the call to
put_dev() after setting the state.

If this is not the final call to dev_release(), the
state is not reset to STATE_DEV_DISABLED and hence all
further open() calls to the gadgetfs ep0 device will
fail with EBUSY.

Signed-off-by: Marcus Nutzinger <[email protected]>
Reviewed-by: Christoph Muellner <[email protected]>
---
drivers/usb/gadget/inode.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index a925d0c..6330528 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1264,8 +1264,13 @@ dev_release (struct inode *inode, struct file *fd)

kfree (dev->buf);
dev->buf = NULL;
- put_dev (dev);

+ /* other endpoints were all decoupled from this device */
+ spin_lock_irq(&dev->lock);
+ dev->state = STATE_DEV_DISABLED;
+ spin_unlock_irq(&dev->lock);
+
+ put_dev (dev);
return 0;
}
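Review bot: spin_lock_irq()/spin_unlock_irq() are safe here only because a release() callback runs in process context with interrupts enabled; spin_unlock_irq() re-enables them unconditionally, so this pair should not be copied into a path that may already hold interrupts off (use spin_lock_irqsave() there). The hunk itself is unchanged from v1, and neither the comment nor the commit message says why a single store needs the lock at all, which is exactly what was asked in review; a one-line comment above `spin_lock_irq(&dev->lock);` stating that every change of dev->state is made under dev->lock would settle it.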

--
1.9.0
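
To make the failure the commit message describes concrete, here is an added userland C model of the ep0 open()/release() state machine; it is not code from the kernel or from this patch. The -EBUSY check in ep0_open(), the reference count, the model-only `freed` flag and the two release() variants are assumptions made for illustration, named after the kernel functions they mimic.

```c
/*
 * Userland model (added example, not kernel code) of the gadgetfs ep0
 * open()/release() state machine described in the patch. Names loosely
 * mirror drivers/usb/gadget/inode.c; the refcount, the EBUSY check and
 * the two release variants are assumptions made for illustration.
 */
#include <stdlib.h>
#include <errno.h>

enum ep0_state {
    STATE_DEV_DISABLED = 0,   /* nobody holds ep0 open; open() may succeed */
    STATE_DEV_OPENED,         /* ep0 opened, no configuration written yet */
};

struct dev_data {
    int refcount;             /* get_dev()/put_dev() */
    enum ep0_state state;
    char *buf;                /* per-open buffer freed in release() */
    int freed;                /* model-only: set when the last reference goes */
};

static struct dev_data *dev_new(void)
{
    struct dev_data *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return NULL;
    dev->refcount = 1;        /* reference held by the filesystem itself */
    dev->state = STATE_DEV_DISABLED;
    return dev;
}

static void get_dev(struct dev_data *dev)
{
    dev->refcount++;
}

/* Drops one reference; when the last one goes the kernel would kfree(dev). */
static int put_dev(struct dev_data *dev)
{
    if (--dev->refcount > 0)
        return 0;
    dev->freed = 1;           /* any later access to dev is a use after free */
    return 1;
}

/* Models ep0_open(): only one opener at a time, otherwise -EBUSY. */
static int ep0_open(struct dev_data *dev)
{
    if (dev->state != STATE_DEV_DISABLED)
        return -EBUSY;
    dev->buf = malloc(64);
    if (!dev->buf)
        return -ENOMEM;
    dev->state = STATE_DEV_OPENED;
    get_dev(dev);             /* the open file now holds a reference */
    return 0;
}

/* dev_release() without a state reset: the next open() will see EBUSY. */
static int dev_release_no_reset(struct dev_data *dev)
{
    free(dev->buf);
    dev->buf = NULL;
    put_dev(dev);
    return 0;
}

/* dev_release() as patched: reset the state, then drop the reference. */
static int dev_release_fixed(struct dev_data *dev)
{
    free(dev->buf);
    dev->buf = NULL;
    /* written while this file's reference still keeps dev alive */
    dev->state = STATE_DEV_DISABLED;
    put_dev(dev);             /* must be the last use of dev */
    return 0;
}

/* Open, release with the given variant, open again; returns the reopen result. */
static int reopen_after(int (*release)(struct dev_data *), struct dev_data *dev)
{
    if (ep0_open(dev) != 0)
        return -1;
    release(dev);
    return ep0_open(dev);
}
```

With the release that skips the state reset, the second open() returns -EBUSY although the previous file is gone; with the reset placed before put_dev(), the reopen succeeds, and the store happens while the file's own reference still keeps dev alive, which is why the order of the two statements matters.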

2014-06-05 15:30:26

by Marcus Nutzinger

Subject: Re: [PATCH] usb: gadget: gadgetfs: correct dev state

Hi Sergei,

On Jun 5, 2014, at 4:18 PM, Sergei Shtylyov <[email protected]> wrote:

> Please also specify that commit's summary line in parens.

I'll resubmit the updated patch in a minute!

>> + /* other endpoints were all decoupled from this device */
>> + spin_lock_irq(&dev->lock);
>> + dev->state = STATE_DEV_DISABLED;
>> + spin_unlock_irq(&dev->lock);
>
> Not sure I understand why you need spinlock here... isn't the assignment atomic already?


Sure, an assignment might be atomic. However, following the policy of commit 7489d149
(USB: gadgetfs cleanups) all ep0 state changes shall be protected by spinlocks.

Thanks,
Marcus

2014-06-05 16:04:38

by Alan Stern

Subject: Re: [PATCH] usb: gadget: gadgetfs: correct dev state

On Thu, 5 Jun 2014, Marcus Nutzinger wrote:

> Hi Sergei,
>
> On Jun 5, 2014, at 4:18 PM, Sergei Shtylyov <[email protected]> wrote:
>
> > Please also specify that commit's summary line in parens.
>
> I'll resubmit the updated patch in a minute!
>
> >> + /* other endpoints were all decoupled from this device */
> >> + spin_lock_irq(&dev->lock);
> >> + dev->state = STATE_DEV_DISABLED;
> >> + spin_unlock_irq(&dev->lock);
> >
> > Not sure I understand why you need spinlock here... isn't the assignment atomic already?
>
>
> Sure, an assignment might be atomic. However, following the policy of commit 7489d149
> (USB: gadgetfs cleanups) all ep0 state changes shall be protected by spinlocks.

Sometimes an assignment needs to be protected by a lock, even though
the assignment itself is atomic. This happens, for example, when some
other code executes a lock-protected region that expects the variable
not to change.

I don't know if that's the case here. But this example shows that in
general, one sometimes needs locks in places where you wouldn't expect
them.

In fact, it may even be necessary to take and release a lock, without
doing anything in between!

Alan Stern