Message-ID: <1498755471.1935.55.camel@codethink.co.uk>
Subject: Re: [PATCH 4.4 22/30] USB: gadgetfs, dummy-hcd, net2280: fix
 locking for callbacks
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        Felipe Balbi <felipe.balbi@linux.intel.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 29 Jun 2017 17:57:51 +0100
In-Reply-To: <20170619152034.413971329@linuxfoundation.org>
References: <20170619152033.211450261@linuxfoundation.org>
         <20170619152034.413971329@linuxfoundation.org>
Organization: Codethink Ltd.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1197
Lines: 35

On Mon, 2017-06-19 at 23:20 +0800, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Alan Stern <stern@rowland.harvard.edu>
> 
> commit f16443a034c7aa359ddf6f0f9bc40d01ca31faea upstream.
[...]
> The result of this race, as seen above, is that set_link_state() can
> invoke a callback in gadgetfs even after gadgetfs has been unbound
> from dummy_hcd's UDC and its private data structures have been
> deallocated.
> 
> include/linux/usb/gadget.h documents that the ->reset, ->disconnect,
> ->suspend, and ->resume callbacks may be invoked in interrupt context.
> In general this is necessary, to prevent races with gadget driver
> removal.  This patch fixes dummy_hcd to retain the spinlock across
> these calls, and it adds a spinlock acquisition to dummy_udc_stop() to
> prevent the race.
> 
> The net2280 driver makes the same mistake of dropping the private
> spinlock for its ->disconnect and ->reset callback invocations.  The
> patch fixes it too.
[...]

Why only these two drivers?  Most of the other UDC drivers seem to do
the same thing.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.